
3tau LLC

Home of the Exquisite Challenges of Cyber Security Project

VIEWPOINT

50 Years to Daylight
The future of information security

2013 3tau LLC. All rights reserved.

Society will get information security under control, but it will take time

Information security, the security of information in cyberspace, is everyone's problem today. From the text-messaging teenager to the manager of the largest hedge fund, we are all affected by the security risks inherent in electronic networking. It is an issue that has emerged with full force only since the mid-1990s, when the rise of the World Wide Web brought the Internet into our daily lives. Yet information security and privacy risks are so pervasive today that we may justifiably wonder if they will ever come to an end. Hackers are interested in stealing our information, disrupting or corrupting the systems that move, store, and process it, exploiting IT vulnerabilities for financial gain, and using our computers as launch pads for other malicious attacks. Cyber crime is costing the U.S. economy tens of billions of dollars per year. Online identity theft has affected millions of Americans, and national leaders openly fret about electronic threats to critical infrastructures such as financial services, energy, and transportation. Something has got to give, we may say. We cannot go on like this, with everything from bank accounts to national security at risk and hackers attacking everything with impunity despite elaborate defenses. We must get information security risks off the table. When will the benighted world of cyber security see daylight? This 3tau Viewpoint offers the opinion that it will take many years before information security gets to a place where it is a bearable burden: some fifty years, in fact. Fifty years to daylight.[1]

What does daylight look like?


At a top level, securing electronic information will always remain what it is today: an unsolvable challenge, a move-and-countermove contest in which personal and corporate information and resources are continually at risk and need to be safeguarded. Yet we already live with other unsolvable problems. In-person bank robberies, for example, still occur, about 6,000 every year in the United States for some $60 million, but they are not the sensational news they were in the 1920s and 1930s. They are a bearable burden, part of every bank's risk calculations and every police force's remit. And most people do not have to worry much about them.

Note: This white paper is a conceptual thought piece not intended as rigorous analysis. Because its subject is the future, it is necessarily speculative.

[1] Fifty years may not be the best estimate. Perhaps 30 is better. Or 70. But it will not be 10, and it will not be 100. Some time after mid-century we can expect that information security will reach daylight.

www.3-tau.com Page 1


For problems that cannot be solved once and for all, the goal must be to get the problem to manageable proportions. That is the case with information security: reaching daylight means getting information security to the point where the consensus pain level is tolerable across society. What does that look like? Here are five primary characteristics of this daylight vision state:

1. The Rule of Law. Laws relating to computer intrusions, hacking, and cyber crime encompass all cyber activity that is commonly recognized as illicit, and are sufficiently clear to be effectively enforced. Most cyber crimes are detected and reported. Law enforcement has adequate capability (human and technological) to investigate cases and present them for prosecution. Rational and consistent sentencing guidelines are in effect for cyber crimes, and for most perpetrators cyber crime does not pay. The rule of law also has a deterrent effect on would-be cyber criminals.


2. A Consistent Global Legal Framework. Laws and legal practices relating to cyberspace are sufficiently uniform across most countries of the world to enable effective investigation of hacking and cyber-related crime and prosecution of suspected cyber criminals; as a result, threat actors are less able to find sanctuary. There is adequate clarity in public and private international law, as well as customary law where applicable to cyber crime, to resolve jurisdictional questions and questions of what is legal and what is illegal. Most countries of the world cooperate in the investigation and preservation of evidence of cyber-related crimes, as well as in the extradition of alleged offenders. International legal instrumentalities are in place that provide enough clarity (and enough ambiguity) on questions of cyber warfare and cyber espionage. Internet governance has reached a delicate equilibrium with reasonably effective institutional approaches for resolving continuing international issues related to the security of the global infrastructure.

3. Effective Enterprise Security. Improvements in technology, the evolution of cultural norms, the Darwinian selection of information security practices, and a greater number of cyber-competent people in the workforce combine to make information security well understood and practiced in most organizations. Most enterprises are able to protect their intellectual property, Personally Identifiable Information, and network resources, and reduce risks to tolerable levels with acceptable, and predictable, amounts of investment. In-place security controls thwart most attacks automatically. Only the most sophisticated attacks are able to breach defensive mechanisms and do damage. Detection and mitigation capabilities, along with robust business continuity programs, help minimize impact.

4. Limited Risks and Adequate Protections for Private Users. Private users are able to operate on global networks without having to manage detailed security setups, parameters, and accessories, but with confidence that they have met appropriate standards of care for protecting themselves and others from online threats. The protections come with the package, just as seatbelts, anti-lock brakes, and airbags come with cars. Within this safety framework, users have control and granular choices in matters such as confidentiality and anonymity when online. Privacy policies of online services are codified more simply using accepted standards, and users have options for selective acceptance of certain terms and conditions.

5. Cyber Breaches Bounded in Scale and Impact. Information security risks to enterprises are bounded in scale and impact through better technology, the emergence of industry-specific and generally accepted standards of due care, more precise information valuation, and better business continuity and event response plans. A flourishing cyber risk insurance industry serves most enterprises. The dollar cost of cyber attacks to the national economy is reduced from the peak levels of the 2010s and has settled to a fairly constant annual figure.

These five characteristics, only broadly outlined here, are the key elements of information security once daylight has been reached.

Bringing About Change


Information security risks appear to be getting worse all the time by almost any measure: more attacks, more vulnerabilities, increasing sophistication of attacks, a higher percentage of successful attacks, greater cost per attack. If this is true, first the rate of growth must be slowed and reversed (that is, the pain curve must be bent downward towards reduced levels of attack and lower impact), and then it needs to keep heading downward for many years into the future. This idea is illustrated in the figure below.
[Figure: The Pain of Information Security Over Time (notional). The plot shows a curve of pain level against time, with the time axis running from "Today" to "50 Years from Now", and carries the labels "Today's Intolerable Level of Pain", "Gets Worse Before It Gets Better", "Tolerable Level of Pain", and "Daylight!" at the point where the curve drops below the tolerable level.]

Though bringing the pain curve down may seem all but impossible from today's vantage point, such a trajectory would not be unprecedented. Consider the automobile in our society. In the 1960s, there were about 50 deaths per billion miles traveled each year. By the 1980s, that figure was down below 30 deaths per billion miles traveled, and it has continued to fall, to around 10 in 2012. What changed? Although the fundamental fact that deaths occur as a result of driving accidents has not changed, many parts of the transportation system have contributed to improved safety. Roads got safer; cars got safer; people became more aware of driving dangers; accident response and emergency medical care improved. Analysis of the data shows that the number of deaths per billion miles traveled has been cut in half about every 20 years since 1922, quite a remarkable achievement.[2]

Can information security follow a similar trajectory of continuous improvement over the next 100 years? Or even 50, 40, or 20 years? Will it really take 50 years to sort out? It is tempting to think that some major occurrence could dramatically bend the pain curve. Two ideas are often proposed. Some view a hacker-induced cyber event, such as a collapse of the financial system or some other part of our national infrastructure (the power grid, air traffic control system, or natural gas pipelines, for example), to be not only inevitable but necessary to drive change. Indeed, such a grave incident could at least contribute to a downturn in the pain curve by focusing urgent attention and energy on the problem, but the price would be shockingly high for such scant progress.

[2] Nonetheless, there are still too many serious accidents. Despite steady improvement in safety, reflected in the continuously declining deaths-per-billion-miles-traveled metric, the total number of miles traveled has increased apace. The result is that the total number of highway deaths per year in the United States hovered between 40,000 and 45,000 for decades. Encouragingly, recent data indicate that it has declined to the low 30,000s over the last few years.


In the same vein, perhaps a truly disruptive technological innovation could come along that would dramatically improve security in cyberspace. Hypothetically, this could also bend the curve downward, though it is difficult to even conceive of a technology that could have this effect. And deployment of the new technology would probably take many years. Even then, because the information security challenge arises largely from the human element, technology alone cannot fully solve it in the long run.

Either of these hypothetical events might help bend the pain curve down, dramatically or not. But we cannot and should not depend on some extraordinary stimulus to bend the curve. And a downturn is only the beginning: moving to daylight will still depend on the dynamic characteristics of many different factors. We need to be prepared for sustained natural forces to drive towards daylight over a long period of years. A quick turnaround is doubtful. There is also a possibility that the curve will never turn down, that today's level of information security pain will endure or even worsen. The premise of this paper, however, is that daylight will happen, though it will take a long time, because the majority of people want it to. Information security is in the interest of virtually everyone in society, and gradually social mechanisms, cultural forces, the profit motive, the creative destruction of innovation, economic imperatives, and the forces of globalization will bring it about.[3]

Factors Influencing Evolution


A great many forces pull in different directions at all times in the social environment. Some of the key factors that influence the evolution of information security are identified below, each with its own dynamics. It is the net result of these and other influences that will eventually bring us to daylight in information security.

The Threat. In recent years, hacking has evolved into big business, with the main components of the cyber attack process commoditized, commercialized, packaged, and marketed. Outsourcing of hacking services not only exists, it flourishes. There is a strong black market for products and services for such hacking essentials as zero-day exploits, malware, target network mapping, botnet capabilities, and many others. Advanced hacking toolkits are openly available on the World Wide Web for anyone to download, and other resources and services can be acquired online in the cyber underground. The cyber attack enterprise is big business, and money is being made in every segment.

The most serious cyber threat actors from now on will be organized professionals such as crime syndicates, hacker collectives, governments, militaries, or clandestine state-sponsored actors. The impact of the still-present threat of the lone hacker manually hacking into random computers and websites, even with advanced tools, pales in comparison and will fade further over time. The future of computer hacking belongs to sophisticated, well-organized, well-resourced professionals.

The threat never remains stagnant; it is always changing, moving, and adapting. It will be a constant forcing function in information security. Some basics are likely to remain the same, however, including: the transnational nature of cyber crime; the use of multiple coordinated attack platforms (often in botnets) and multiple IP addresses; obfuscation techniques to avoid detection; and the use of offshore payment venues for accumulating and laundering the funds acquired through cyber attacks.

[3] Having most people generally in favor of roughly the same thing is not a prescription for action, and there is a wide range of perspectives on both the problem and the solution space. Even the things that can accelerate the shaping of opinions and agendas for collective action (public debate, shared experience, popular culture, and leadership) all take time to have their effect.


The most sophisticated and potentially damaging attacks will be targeted with pinpoint accuracy as they are today, but with an expanded toolset. Broader intelligence gathering by adversaries about specific people in the enterprise (including the CEO and members of the leadership team) will be made easier due to the mining and synthesis of the ever-growing quantity of online personal information across multiple platforms, much of it ostensibly private. The dossiers that attackers are able to build on targeted individuals will grow in depth and detail, and the attackers will seek to exploit this knowledge to gain access to network resources through new innovations on social engineering techniques. Similarly, with the right tools and enough persistence and effort, hackers can develop highly detailed maps of target networks, and may know more about the as-is architecture than the enterprise IT leadership!

Technology. Technological advances will influence online security both directly and indirectly in the coming years. Some of these advances will see rapid adoption, but most, driven by economics and technology refresh cycles, will require many years for full deployment. IPv6, for example, was released in 1996 and has yet to see significant adoption in the United States and worldwide despite its evident advantages over IPv4. The technology of the Internet itself will change considerably over the next 50 years to accommodate more users, more diverse uses, more end nodes, and new data types. Cyberspace as we know it today could even become fractionated, with multiple internets serving different purposes (perhaps within national boundaries).[4] Vendors will increasingly provide improved security features in their hardware and software products as security becomes a more important differentiating feature. We can also expect security-driven changes to be made in familiar Internet services such as messaging and web browsing, as well as the architecture of the Internet itself.
Privacy concerns will fuel growth in anonymization technologies, persona management, and other measures to obscure the association of online data with the human person. Network security appliances themselves will continue to incorporate technological advances that will significantly improve enterprise security posture. Cyber threat intelligence, and more generally the maturing of real-time automated threat information sharing and event correlation across the broad frontier of cyberspace, represents a significant revision of the "go it alone" paradigm that has held sway for enterprise security since the beginning of networking. Over the coming decades, this approach is likely to be not only a best practice but a practical requirement for any online enterprise. It is likely to be a game-changer because it tackles one of the hackers' basic techniques: multiple coordinated small-signature forays from seemingly independent sources. Related to event correlation technology will be the growing use of data mining and supercomputing (High Performance Computing) in support of enterprise security, probably as outsourced services. Developments in threat intelligence sharing and analysis will bring law enforcement into a closer relationship with IT and IT security service providers, which is itself an area of some controversy today. Voluntary partnerships between technology companies and Internet Service Providers with the FBI will become an ever-more significant factor in fighting cyber crime.[5]

[4] The much-debated topic of Balkanization of the Internet usually centers on the apparent desire of some sovereign nations to control their populations' access to information. This debate includes the "information wants to be free and all the peoples of the world should have access to all of it" believers, the "we must protect the security of our people" authoritarians, and the "the United States has too much control of the Internet" partisans. It is worth monitoring this debate; it could either die out or strengthen over the next decades. Either way it will be an influence on the trajectory towards daylight in information security.

[5] An example of success in this area is the 2012-2013 joint effort between Microsoft and the FBI to disrupt Citadel spyware botnets.


The Internet of Things and the Internet of People will become realities, and the proper functioning of both will require greater security than exists today. The long-anticipated Internet of Things will bring a vast increase in autonomous machine-to-machine communications and new types of data being collected, moved, and processed. It will also lead to Internet-in-the-loop automatic closed-loop control systems. The word "smart" that today we prepend to any number of concepts (-cars, -highways, -power grid, -home energy management, -transportation, -homes) will fall out of use as smart becomes the norm for these things. All of the smartness is aimed at optimizing performance, efficiency, or user convenience. IoT cannot work without security.

We are also moving rapidly to the Internet of People, or what can be called TIL, Totally Instrumented Life. We can anticipate a future in which there is a much tighter relationship between the human body and technology. "Always on" has more meaning when we realize we are moving from smartphones carried in pockets, purses, and backpacks to wearable computers to actual body-embedded computers and communications devices. Early examples can be found in assistive medical technology (pacemakers, glucose monitors, cochlear and retinal implants, and deep brain stimulation devices), already in wide use today. Future developments may include bionic body parts, brain control of external devices, new ways of getting information into the brain, and other physical and cognitive augmentation applications. Many of these devices will connect to the Internet or follow-on global networks, and they will require greater attention to security.

A wild card is the event being called The Singularity.[6] The Singularity, that point at which computers exceed the intelligence of humans, is predicted by some to be just a few decades in the future.
If The Singularity comes about, information security may become a battle waged by autonomous super-smart computers, with outcomes that are not predictable today.

Generational Change. Generational change is one of the fundamental driving forces in any society, and it will continue to exert a major influence on behavioral norms and expectations related to information security and privacy in the coming years. We see this today in the enthusiasm and aptitude that young people have for social networking, in contrast to the more sluggish response of their parents and grandparents, to cite just one example. Generational change is also not just about age. As the United States becomes more multi-cultural, it will involve a broad set of demographic and social factors.

Attitudes about privacy and security will have much to do with the trajectory that information security takes. To an extent, how we perceive the pain of information security is a matter of choice, depending heavily on our attitudes, our priorities, and our decisions about what is acceptable and what is not. This kind of pain is a very fuzzy concept when looked at across generations: what is intolerable to one may be tolerable to another. We often call the three generations that are most active in today's society by the names Baby Boomers, Generation X, and Generation Y (or Millennials), and we tend to view each generation as having a distinctive personality. Not only are these personalities important in shaping the culture, but also their impact varies in both type and degree as time goes on. The manifestations of the Boomer personality, for example, were different when that cohort was coming of age in the 1960s than they are today as that cohort ages out. The same is true of the follow-on generations.[7]

[6] The most visible champion of The Singularity idea is inventor and visionary Ray Kurzweil. There is a vast amount of published material on this subject.

[7] In their well-known 1993 book Generations: The History of America's Future, 1584 to 2069, Neil Howe and William Strauss took this idea a step further. They identified four generational archetypes (Idealist, Reactive, Civic, and Adaptive) throughout American history, and observed that these archetypes recur in a fixed sequence. According to their thesis, how the cohort archetypes are arrayed in age at any given time is central to how they influence events.


The time scale of generational change is measured in decades, and it is one of the most powerful mechanisms in society governing the pace of change in behavioral norms. It is clear that generational change will have an influence on information security in the years ahead, but not at all clear what that influence will be.

Workplace Dynamics. The impacts of many of the major changes in the workplace of the recent past (the shift to the knowledge economy, globalization, bring your own device, offshore outsourcing of IT services, and new information and communication technologies) have had many security implications. As the impacts of these changes continue to play out, several other factors will directly affect information security:

Increasing turnover rates. White-collar employees, particularly in the younger cohorts, change jobs much more frequently than those of previous generations. This turnover increases the chances of intellectual property walking out the door with the departing employee, who may not even perceive it as unethical or malicious.

Off-site workers. As companies strive to use technology to cut costs, many are adopting "work at home" or "work wherever" policies that allow them to reduce investment in facilities. This increases the reliance of the employee on remote access and puts further stress on enterprise architectures.

Blending of work and private life online. Today's culture seems to encourage the melding of personal and professional pursuits. People have become so accustomed to online life (being always connected, using multiple computing platforms, mixing personal and professional data on a single smartphone, or posting photos and personal information on social websites) that it appears many have become unconcerned about the associated security and privacy risks.

The insider threat. Insiders represent one of the gravest threats to information security in the entire enterprise. With access to enterprise facilities and computer resources, they have tremendous capacity to do harm. There are two distinct types of insider threat actor: the malicious and the unwitting. The risks posed by the unwitting threat actor are difficult to overstate. Just about any insider could be an unwitting threat actor, including senior executives. The unwitting insider is the person who unintentionally and unknowingly makes security blunders that expose the enterprise to serious cyber risks. Hackers often exploit the unwitting insider as the initial entry point for their most impactful cyber attacks. The malicious insider threat, though relatively small in numbers, also has tremendous potential to do damage. Malicious insiders use their legitimate access to a company's information resources to deliberately harm the organization in any number of ways: deliberately leaking valuable information, inserting malware into network resources, releasing email addresses, stealing intellectual property, or serving as an agent of an external threat actor such as organized crime. Manufacturers of computer, electronic, and networking products are a special case with regard to rogue insiders. Employees of these companies might be in a position to insert secret back doors in system software that would allow remote access to all of the systems installed by customers.

The information security workforce. The challenge of developing and managing the information security workforce will continue. From today's vantage point, we can never have enough information security people. Educational institutions of all kinds, from kindergarten through post-graduate levels, are responding by creating educational curriculums and continuing education in this area. It is too early to tell if there might actually be a surplus of qualified information security people in a decade or more, or whether the market will continue to demand still more. In either case, the challenge of finding and hiring people with the right skills will continue for years as the whole system normalizes.

Law. The oft-quoted assertion by Hobbes that the law is the public conscience certainly applies to cyberspace, and it appears that the public has not yet decided its conscience on some of the details.[8] We see this in the very public debates about the boundaries between security and individual privacy, the sharing of cyber threat information between government and the private sector, the Constitutional limits on government surveillance, the validity of government secrets, and the individual's freedom of speech online. However, all law is evolutionary, and these debates are likely to be among the pacing items for the evolution of laws governing security in cyberspace. Many statutes are already in place, both state and federal, that are used to prosecute cyber crime.[9] The public holds a diversity of strong views on all aspects of whether these are the right laws and whether we have too many or too few laws in this area. There is also a generally poor (though improving) record of successful prosecutions for cyber crime and hacking, as well as a history of uneven sentencing for those cases that are concluded with guilty verdicts. These issues derive in part from two ever-present challenges:

1. The fact that cyberspace is not bound to geography creates jurisdictional and transnational legal questions that can permit hackers to evade law enforcement.

2. The fact that evidence in the cyber law arena is generally based on computer forensics and is typically not human-readable creates the need for technical talent and resources for investigations. Cyber investigative capabilities at the federal level have been growing strong in recent years, though challenges remain. Investigative capability at the state and local levels is more limited.

Ultimately, the buildup of case law and legal precedent over time will clarify cyber law, but the transnational dimension of cyber crime and the technical nature of investigations are frequently stumbling blocks to law enforcement today and are likely to remain so for many years.

The Convention on Cybercrime, to which the United States is a signatory (ratified by the Senate in 2006) along with 39 other countries where it has entered into force, sets forth a legislative agenda aimed at providing consistent legal policy on cyber-related crime worldwide. In the U.S., the convention and subsequent legislation associated with it have been controversial. As with all such international conventions, it can be decades before there is unity among most countries on the issues it addresses, but it will remain a catalyst for the development of harmonized legal structures worldwide.

Economics. Market forces will gradually cause developers to produce hardware and software that is more secure. Concerns about the security of the supply chain for IT and software products and services will bring pressure on suppliers to claim transparency of provenance and assert the security and correctness of the design and the product as a selling point. This has grown in importance as supply chains have become global and hardware and software products increasingly come from indigenous international sources. Economics will continue to drive adoption of outsourced IT services, particularly cloud computing services. Although security is currently one of the obstacles to even more rapid adoption of the cloud, in the long run cloud services will offer stronger security at lower cost than today's enterprise model. Market forces also favor making cyber risk insurance into a profitable industry once there is enough science, actuarial data, and understanding to meaningfully determine valuation and risks so that viable business models can be defined. Today this industry is beyond nascent though still small. Cyber risk insurance policies would be designed to address situations where cost can be quantified and bounded, like breach-disclosure costs, costs of customer credit rating checks, and perhaps costs for continuity and restoration measures. Some of the greatest costs, however, such as loss of intellectual property and brand reputation damage, are less likely to be addressed with cyber risk insurance.

Daylight for information security, where the pain is reduced to a tolerable level, is a state that has multiple dimensions. The factors discussed here are central to the evolution of information security, and they exert influence on its trajectory in different ways and at different rates. The figure on the following page summarizes these factors and indicates their main areas of influence on the elements that define daylight for information security.

[8] Thomas Hobbes, Leviathan, 1651, Chapter 29. His point was to contrast fallible private conscience with the agreed-upon guidance of the public as constituted in law.

[9] In the United States cyber crime is often prosecuted under the Computer Fraud and Abuse Act of 1984 (18 U.S.C. 1030(a)), which makes it a federal crime to trespass in, damage, or commit fraud through unauthorized access to protected computer systems. These include computer systems of the U.S. government, those used exclusively for or by financial institutions, as well as those used in interstate or foreign commerce or communications. It also has provisions addressing computer espionage, trafficking in computer access, and extortion. Many states have similar laws, and other fraud statutes are also applicable in many cyber crime cases.

Summary
The path to daylight in information security is one that will take decades to traverse. But it is a path that society will inevitably take, because the daylight state is the result of the normalizing forces and influences that naturally arise in the social system. The strongest influences (the threat, technology, generational change, workplace dynamics, and law) are all intertwined yet work at their own characteristic rates. If you are considering how evolutionary changes will affect information security in your enterprise, 3tau may be able to help. We can aid you in understanding the changing legal landscape, thinking through your information security strategies and policies, and developing technology investment plans, and we can help position your enterprise for success in this dynamic environment.


Figure: The Move to Daylight in Information Security

Selected Factors Influencing the Evolution of Information Security

The Threat
Hacking and cyber-related crime will increasingly belong to sophisticated and well-resourced professionals: crime syndicates, hacker collectives, governments, militaries, or other state-sponsored actors. Some attributes of cyber attack will remain the same but with more advanced techniques and tools. This includes taking advantage of differing legal frameworks for cybercrime, the use of multiple coordinated attack platforms, multiple IP addresses, obfuscation techniques, and the use of offshore payment venues. There will be continuing increases in the precision of targeted attacks.

Technology
Technology advances will enable manufacturers to improve the security features of their hardware and software products. Increasingly, companies in the tech industry will cooperate with law enforcement to investigate hacking and cyber crime incidents. Changes will be made in Internet services (such as messaging) and the Internet architecture itself, driven by security concerns. The Internet of Things and the Internet of People will become realities, and the proper functioning of each will require greater security than exists today. Technologies such as online persona management and anonymization will grow in capability and usage. Real-time automated threat information sharing and event correlation across the entire cyber landscape will be a game-changer for defenders. The Singularity, if it occurs as predicted, will change information security in unknown but probably significant ways.

Generational Change
Rising generational cohorts will develop their own attitudes and expectations about security and privacy, which may differ from those of their predecessors. Generally there will be sharper definition of their expectations about security and privacy.

Workplace Dynamics
High turnover rates among white collar employees will be the norm and will increase the risk of data leaks and focus attention on protecting data. The continuing need for information-security-qualified workers in the labor force will drive workforce education and training. Within 20 years the workforce supply may have caught up with the demand, and production will gradually shift to sustainment. The blending of personal and professional activity online and the rise of Work from Anywhere will of necessity drive increased attention on information security practices.

Law
Buildup of case law and precedent-setting rulings will continue to clarify legal interpretations of statutes and other laws. Slowly emerging unity among the nations of the world regarding cybercrime will gradually strengthen the ability to investigate cybercrime, apprehend suspects, and present cases for prosecution, though concerns about the protection of individual liberties will endure.

Economics
Market forces will continue to drive vendors to deliver products with fewer exploitable security vulnerabilities. Cyber risk insurance will develop into a flourishing industry and will become an important part of enterprise risk management. Continued internationalization of IT products and services will raise supply chain concerns, and there will be increased emphasis on transparency of provenance to validate the security of IT and software products.

What Daylight Looks Like

The Rule of Law
A Global Legal Framework
Cost-Effective Enterprise Security
Limited Risks and Adequate Protections for Private Users
Cyber Breaches Bounded in Scale and Impact

Note: The arrows in the figure indicate what the factors influence, though this influence is felt over time according to the dynamics of the specific factor.


Contact Information
To discuss these ideas please contact:

Thomas Fuhrman
Founder & President
3tau LLC
fuhrman_thomas@3-tau.com
703-731-8540

About 3tau LLC

3tau is a specialized consulting firm providing information security and technology advisory, analysis, and strategy services to senior clients in commercial industry and government, both in the United States and internationally.
