Hocus-pocus! The stupidity of cybersecurity predictions

Every year, some publication asks me to come up with a list of my top 10 predictions for the security field, and every year I tell them they might as well just dust off an article I wrote a year earlier, with maybe a couple of buzzwords and a new technology added on. What you can generally expect in any given year is more of the same, with some slight variations.

That doesn’t stop people from making predictions, though. Vendors and supposed experts can’t seem to control the urge, but when I read their predictions, I just have to shake my head at the uselessness and gross ignorance of most of the comments. Predictions are useless when they are obvious, which many of them are, and they show gross ignorance when they predict things that have already happened. Surprisingly, predictions of past events are fairly common on these end-of-year lists; the prognosticators don’t know enough about the security industry to know that what they are predicting has already happened.

What is important to know about the year ahead is that it will resemble the years behind us. All technologies can and will be hacked, and likely already have been. If a new technology becomes especially pervasive, hackers (perhaps terrorist hackers) will try to compromise it. There is no genius in predicting that many hackers, including those affiliated with terrorists and nation-states, will try to compromise IoT devices.

Prognosticators on occasion make truly sensational predictions. Unfortunately, those rarely come to pass. Back at the turn of the millennium, one analyst firm predicted a $1 billion theft as criminals took advantage of Y2K-related issues. People still pay that firm tens of millions of dollars a year for its advice. Another analyst firm predicted a Cyber Pearl Harbor in 2003. As you know, neither of those predictions, which garnered major headlines, came true. The people who make such predictions hope that people won’t remember them when they fail to come true, and of course, most people don’t.

I don’t know why people let prognosticators get away with including obvious things on their lists of predictions. This year we were told that in 2016 there will be an increase in mobile device hacking. Security spending will continue to grow. There will be security problems with IoT devices and Apple products. I would just like to add that the sun will rise 366 times.

This year was also not lacking in predictions of things that have already happened. For example, “The power grid will be successfully attacked.” Are you worried? Well, keep in mind that Russia, China and Iran have already been directly identified as having compromised the U.S. power grid. And it is likely that other power grids around the world are thoroughly compromised. Brazil’s power grid reportedly suffered an intentional outage due to hackers as early as 2005. Claimed hacks against power grids were noted by President Obama in a speech in May 2009. So “predictions” about successful hacks against the power grid are about 10 years too late.

Ah, but this year, say some prognosticators, we can expect terrorists to target the power grid and other critical infrastructure components. Sure, we can, but that doesn’t make this much of a prediction. In 2008, CBS News reported that terrorists were using one of my old presentations for training on how to take down the power grid. It is also old news that terrorists will use the Internet to communicate with one another. Terrorists began using click fraud as a form of fundraising soon after Google Ads became available.

Trend Micro stated that “a customer-grade smart device failure will be lethal.” That is upsetting, but not news. Various failures have already resulted in deaths, and it can be argued that faulty directions in GPS devices have led to incidents causing deaths. In any event, more people will die from texting while driving. It is of course possible that someone will hack a medical device, such as an insulin pump, causing deaths, but that has been considered a possibility for more than a decade, with a proof of concept performed at the Black Hat conference in 2011. While there has not been a realized case of a medical device being hacked in the real world, I guess if you keep repeating it, it will eventually happen.

Repeating predictions seems to be safe, because nobody remembers failed predictions. And should one of those perennial forecasts ever actually come true, you can bet that the prognosticators will be crowing like roosters.

Why do these trite and useless lists proliferate? The media shares much of the blame. Columnists have to write stories, even during those end-of-year holidays when little in the way of actual tech news is being generated. Meanwhile, vendors’ PR people scramble to get their executives to come up with something, package the crap they come up with, and pitch it to any publication they can think of.

But little of it would get published if readers weren’t fascinated by predictions. Whatever readers click on, we will be given more of. Apparently, people just like to read lists.

But I have a proposal for readers. The next time you see a list of predictions for the coming year, do a search and find an article from a year earlier predicting what would happen in the year just ending. Do that a few times, and you will begin to see just how inane this exercise is, and more important, how much you should really trust these supposed experts and vendors.

For example, here’s one from a year ago in which Kaspersky stated that mobile payment systems would come under attack in 2015. Although there is little doubt that attackers are thinking about such attacks, there were no known attacks against this technology over the last year. If you had read that a year ago, you might have thought it a bold prediction. Reading it now, it’s just lame.

You’re never going to do anything with the predictions you read anyway, so you might as well use last year’s predictions to see just how useful and insightful vendors can be.


By Ira Winkler
