Cybersecurity futures: scenarios and good practice

What can we forecast about upcoming cybersecurity threats? And how can we best conduct futures work? How can we learn from scenarios?

Berkeley’s Steven Weber recently published a useful and bracing essay that I can commend to you all. It’s about his research team‘s scenarios for cyber threats envisioning the far-of year of… 2020, published in 2015.

To begin with, the five scenarios are fascinating. They include future cybersecurity worlds including behavior modification tech and a contested internet of things rollout.

Weber then identifies what the report missed. This takes some cold eyed self-examination, and isn’t an easy thing for many to do, especially in academia, but it’s a classic futures practice. Weber finds the report overestimated the pace of change, which is always a risk. It overstates how much data is worth in the market, which sounds counterintuitive, but links up with the hype around big data. And the document wasn’t conservative enough in another area:

We also understated the stubborn robustness of existing institutions in the digital security world. In the private and public sectors, the big, powerful institutional actors of 2015 — Apple and the NSA, Alibaba and the Cyberspace Administration of China — are for the most part still the big powerful institutional actors at the dawn of 2020. For all the talk about disruptive innovation, the incumbents have proven themselves stickier and more capable of absorbing innovation than expected.

Weber goes on to identify what the report accurately forecast, or at least got more or less in the ballpark. This isn’t for self-praise, I think, so much as to more closely identify the report’s underlying worldview. Again, this is good futures practice.