BreachExchange mailing list archives

Hocus-pocus! The stupidity of cybersecurity predictions


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 5 Jan 2016 17:16:16 -0700

http://www.computerworld.com/article/3019063/security/hocus-pocus-the-stupidity-of-cybersecurity-predictions.html

Every year, some publication asks me to come up with a list of my top 10
predictions for the security field, and every year I tell them they might
as well just dust off an article I wrote a year earlier, with maybe a
couple of buzzwords and a new technology added on. What you can generally
expect in any given year is more of the same, with some slight variations.

That doesn’t stop people from making predictions, though. Vendors and
supposed experts can’t seem to control the urge, but when I read their
predictions, I just have to shake my head at the uselessness and gross
ignorance of most of the comments. Predictions are useless when they are
obvious, which many of them are, and they show gross ignorance when they
predict things that have already happened. Surprisingly, predictions of
past events are fairly common on these end-of-year lists; the
prognosticators don’t know enough about the security industry to know that
what they are predicting has already happened.

What is important to know about the year ahead is that it will resemble the
years behind us. All technologies can and will be hacked, and likely
already have been. If a new technology becomes especially pervasive,
hackers (perhaps terrorist hackers) will try to compromise it. There is no
genius in predicting that many hackers, including those affiliated with
terrorists and nation-states, will try to compromise IoT devices.

Prognosticators on occasion make truly sensational predictions.
Unfortunately, those rarely come to pass. Back at the turn of the
millennium, one analyst firm predicted a $1 billion theft as criminals took
advantage of Y2K-related issues. People still pay that firm tens of
millions of dollars a year for its advice. Another analyst firm predicted a
Cyber Pearl Harbor in 2003. As you know, neither of those predictions,
which garnered major headlines, came true. The people who make such
predictions hope that people won’t remember them when they fail to come
true, and of course, most people don’t.

I don’t know why people let prognosticators get away with including obvious
things on their lists of predictions. This year we were told that in 2016
there will be an increase in mobile device hacking. Security spending will
continue to grow. There will be security problems with IoT devices and
Apple products. I would just like to add that the sun will rise 366 times.

This year was also not lacking in predictions of things that have already
happened. For example, “The power grid will be successfully attacked.” Are
you worried? Well, keep in mind that Russia, China and Iran have already
been directly identified as having compromised the U.S. power grid. And it
is likely that other power grids around the world are thoroughly
compromised. Brazil’s power grid reportedly suffered an intentional outage
due to hackers as early as 2005. Claimed hacks against power grids were
noted by President Obama in a speech in May 2009. So “predictions” about
successful hacks against the power grid are about 10 years too late.

Ah, but this year, say some prognosticators, we can expect terrorists to
target the power grid and other critical infrastructure components. Sure,
we can, but that doesn’t make this much of a prediction. In 2008, CBS News
reported that terrorists were using one of my old presentations for
training on how to take down the power grid. It is also old news that
terrorists will use the Internet to communicate with one another.
Terrorists began using click fraud as a form of fundraising soon after
Google Ads became available.

Trend Micro stated that “a customer-grade smart device failure will be
lethal.” That is upsetting, but not news. Various failures have already
resulted in deaths, and it can be argued that faulty directions in GPS
devices have led to incidents causing deaths. In any event, more people
will die from texting while driving. It is of course possible that someone
will hack a medical device, such as an insulin pump, causing deaths, but
that has been considered a possibility for more than a decade, with a proof
of concept performed at the Black Hat conference in 2011. While there has
not been a realized case of a medical device being hacked in the real
world, I guess if you keep repeating it, it will eventually happen.

Repeating predictions seems to be safe, because nobody remembers failed
predictions. And should one of those perennial forecasts ever actually come
true, you can bet that the prognosticators will be crowing like roosters.

Why do these trite and useless lists proliferate? The media shares much of
the blame. Columnists have to write stories, even during those end-of-year
holidays when little in the way of actual tech news is being generated.
Meanwhile, vendors’ PR people scramble to get their executives to come up
with something, package the crap they come up with, and pitch it to any
publication they can think of.

But little of it would get published if readers weren’t fascinated by
predictions. Whatever readers click on, we will be given more of.
Apparently, people just like to read lists.

But I have a proposal for readers. The next time you see a list of
predictions for the coming year, do a search and find an article from a
year earlier predicting what would happen in the year just ending. Do that
a few times, and you will begin to see just how inane this exercise is, and
more important, how much you should really trust these supposed experts and
vendors.

For example, here’s one from a year ago in which Kaspersky stated that
mobile payment systems would come under attack in 2015. Although there is
little doubt that attackers are thinking about such attacks, there were no
known attacks against this technology over the last year. If you had read
that a year ago, you might have thought it a bold prediction. Reading it
now, it’s just lame.

You’re never going to do anything with the predictions you read anyway, so
you might as well use last year’s predictions to see just how useful and
insightful vendors can be.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
