A look into my secret crystal ball: The security industry by 2025
Disclaimer: A personal comment by Peter Kleissner. Views are my own. These predictions come with absolutely no warranty. First published in Czech Republic on 11/25/2015.
Foreword: I want to make predictions on how the IT security market will look like in 10 years. If anyone disagrees with my predictions, my assessments or finds flaws in my logic, I would like to invite anyone to counter me via mail to email@example.com. My personal background is that I'm a programmer and entrepreneur. I started the IT security company Kleissner & Associates in 2013 which was acquired a few months ago. Previously I worked at an international bank and at an anti-virus company. I am also a frequent speaker at security conferences.
3. Attacks in general get more targeted (that is happening already right now, but will further evolve). The headlines where we read "2 million botnet dismantled" will disappear (as a matter of fact, they are already much rare than few years ago). Rather we will have smaller but more effective botnets carrying out attacks. For example MultiBanker which just targets German users and even checks if you are a customer of a certain bank which they "support". Gone are the times of huge botnets like Conficker, ZeroAccess and ZeuS Gameover. 4. In general everything (operating system, browser, hardware platform) gets more secure, but the user. Therefore, we'll see more phishing and social engineering attacks. Writing a rootkit for example is today very difficult, there are all kinds of mechanisms that will harden it (TPM, code signing in general, other 64-bit security features, ...). On the technical level we see already the drift from hard core rootkits and Trojans to user level viruses that run on the same access level as the user. 5. The exploit market will grow. There will be more people making their living by selling exploits. Not only the "professional" market but also bug bounty programs. The bigger share will be the one which has higher payouts, which is and will remain to be the professional exploit development/sale/resale market. Exploit kits will diversify to also deliver exploits to mobile and other devices. New features will include built in remote access trojans and other simple bot functionality which will make it even easier (and more attractive) to use them. By 2025 exploit packs will be multi-purpose.
6. A bank or stock exchange will be under fire. I wonder why it didn't happen more already, so my conclusion is that it has to happen at some point. Ddos attacks are "dumb" but they can be very effective if you find the bottleneck, which is often on application level. For example if the bank server is reachable, but the login is not working, because someone attacks the logon server (by exhausting the maximum of available SSL sessions for example), it will be still successful. Attacks carried out on application level will be on the rise. 7. There will be attacks on entire countries. The technical capability exists today already (take the Sality botnet with millions of infections, or the Chinese firewall which was allegedly used for orchestrating attacks) but currently it is not popular (I think that is, because there is right now nothing to gain unless you are a government). By attacks on entire countries I mean: Attacking national banks (see previous point), the stock exchange or core ISPs or internet relay points. Most people think that future attacks mean they will magically hack the power grid or some traffic systems, which I personally think is nonsense and definitely not the low hanging fruit. 8. We will read more movie-alike stories of hackers who work for governments (/intelligence services), some of which might work for the government in exchange for their freedom after they were caught. 9. We will see a rise in propaganda through digital channels, again state sponsored. Russia is currently pushing the hybrid war both on the non-digital field and digital one. I personally observe many comments in the comment section of news sites (for example on SPIEGEL ONLINE) which are clearly paid Russian propaganda against western believes. Other countries will copy this digital psychological warfare as it is effective in catching the dumb. 10. Big countries will realize that defense in IT security DOES NOT work by pushing out military threats. Attribution of attacks is the toughest part when it comes to analysis, and therefore any threats of physical military interventions in response digital attacks are effectless. Once countries realize that, they will increase the budget for actual IT security. 11. Even though many people believe it, terrorist groups like IS or Al Qaeda will not be capable of carrying out any strong attacks on foreign IT infrastructure. First, I believe they will have a difficult time of recruiting anyone with substantial skills, and then second there are big intelligence agencies just waiting to jump on anyone carrying out any attacks in the name of such terrorist groups. However, they will continue to abuse social media for their propaganda and recruitments. 12. The United Nations will address IT security and there will be a new global Convention on Cybercrime. Certain countries will, however, not ratify it due to their own geopolitical interests. 13. While there will not be laws to force companies to implement "active" backdoors (which would force them to have an active "bug" or "agent" running on your device), there will be laws to force companies to give governments access to customer data on-site if presented a warrant. Such a legislation will be the result of blind short sighted pseudo-activism propagandistic politicians, and will eventually lead into global diplomatic disputes - as other countries will start to enforce similar laws, which will ironically contradict the interest of the local national security.