It’s that time of year for all the predictions of what to expect for the next year, and now - the next decade. I’m generally not a fan of these - they’re either too obvious or too obviously written to sell some angle.
But, there’s a set I like to look back to. It was written nearly 20 years ago at a CERIAS event where I first met Gene Spafford, Dan Geer, Whit Diffie, Howard Schmidt, Becky Bace & others. Sadly, some are no longer with us.
The summary of the write-up is still on-line here and despite bits being a bit dated it has survived the test of time more than most of the predictions I’ve read over the years. Here are the Top 10 trends we identified:
The EverNet: Billions of devices proliferate that are always on and always connected. Yup, this was right, but likely off by an order of magnitude when projecting this out further from today.
Virtual Business: Complex outsourcing relationships extend trust boundaries beyond recognition. Again, spot on, but this has turned out even more dramatically so than we imagined.
Rules of the Game: Government regulation increases as lawmakers react to real losses that hurt. Yes, although we imagined this would be a lot more and a lot quicker than it was and more focused solely on security than the current mix of regulations including privacy.
Wild Wild West: International criminals exploit lack of cooperation and compatibility in international laws. Check, but kudos to law enforcement's response over the years.
No More Secrets: Privacy concerns will continue to compete with convenience and desire for features. Yes, but the extent of what has and is happening on social media and other aspects of privacy erosion in our lives was beyond our comprehension in 2001.
Haste Makes Waste: “Time to Market” increases pressure to sacrifice security and quality of software. Again, largely correct, but I recall we imagined this to be more of a conscious decision than an inadvertent outcome.
Talent Wars: Lack of security skills will compound weaknesses of delivered solutions. True, despite this being a somewhat simplistic statement of the problem.
Yours, Mine or Ours: Identifying intellectual property and information ownership will become key areas of debate. This turned out mostly correct, though I don’t think we really conceived all the angles of this one in the context of platforms, cloud and open source.
Web of Trust: Standard security architectures/improved trust will spur eCommerce growth. This is more positive than the other points. While there are gaps and flaws, it's true that standards (from encryption to auth and beyond) have spurred commercial growth.
Information Pollution: Information exploitation becomes more lucrative than hacking. This was most hotly debated - it was more about criminals manipulating news, data sources and other information for financial gain, think pump and dump schemes. We touched on the notion of fake news and other social manipulation but did not envisage the scale of opportunity created by social platforms. Of course, whether you think this has played out depends on the interpretation of “lucrative”.
The recommendations that followed the predictions are, nearly 20 years on, quite unremarkable but no less important. While there is much still to do, much has in fact been done in all of these areas:
Improve Software Quality
Invest in Training and Awareness
Implement Best Practices
Initiate Public Debate
Advocate Holistic Approach
Package Security Architectures
Bottom line : some predictions stand the test of time, but even the most well thought through can miss significant dislocations. As Dan Geer likes to end many of his talks : “There is never enough time.”