Project 2020 is an initiative of the International Cyber Security Protection Alliance (ICSPA). Its aim is to anticipate the future of cybercrime, enabling governments, businesses and citizens to prepare themselves for the challenges and opportunities of the coming decade. It comprises a range of activities, including common threat reporting, scenario exercises, policy guidance and capacity building.
The scenarios in this document are not predictions of a single future. Rather, they are descriptions of a possible future, which focuses on the impact of cybercrime from the perspectives of an ordinary Internet user, a manufacturer, a communications service
provider and a government. The events and developments described are designed to be plausible in some parts of the world, as opposed to inevitable in all. They take their inspiration from analysis of the current threat landscape, the expert opinion of ICSPA members and extensive horizon scanning, particularly of emerging technologies.
The European Cybercrime Centre (EC3) at Europol and the ICSPA would like to express their heartfelt thanks to the Global Review Panel of experts from governments, international organisations, industry and academia who took the time to validate the scenarios. This document is undoubtedly the better for it.
Implications for Cybersecurity Stakeholders
The scenarios presented in Section 5 raise a number of questions to be answered by today’s stakeholders and decision makers. These include:
• Who owns the data in networked systems, and for how long?
• Who will distinguish between data misuse and legitimate use, and will we achieve consistency? What data will the authorities be able to access and use for the purposes of preventing and disrupting criminal activity?
• Who covers (and recovers) the losses, both financial and in terms of data recovery? • Who secures the joins between services, applications and networks? And how
can objects that use different technologies operate safely in the same environment?
• Do we want local or global governance and security solutions?
• Will we be able to transit to new governance and business models without causing global shocks, schisms and significant financial damage?
If these questions remain unanswered, or the responses are uncoordinated, we risk imposing significant barriers to the technological advantages promised by the future described in the scenarios. We are already at decision points for some issues including:
Intellectual Property
The absolute application of intellectual property rights has resulted in a “locked down” approach, prompting illegal copying and a market for counterfeit products, and arguably stifling some aspects of creativity. With due consideration for the fact that under the current business model compromise of costly Research and Technology (R&T) potentially entails direct financial losses, loss of competitive advantage and reduced investment, nevertheless the collaborative and (mostly) open nature of Internet connectivity, and the emergence of new “commons” models for licensing, are challenging the way ideas are monetised.
Increasingly, even large corporations are looking to extract value not from their ownership
of intellectual property but from the access and usage rights of others. A major transition from absolute to conditional intellectual property is possible, but will be highly disruptive to traditional business models in the short- to mid-term, and could well provoke strikingly diverging policies from governments, depending on their global standing, economic growth and political systems. The majority of larger enterprises will quite possibly continue
to hedge their bets in 2020.
Data Protection and Privacy
Data protection is already a challenge in relation to the Internet. The future reality of large scale Radio Frequency Identification (RFID) deployment, global sensor proliferation, aggregation of data and highly personalised, augmented services will require the legal frameworks for privacy and security to further adapt. Existing national differences in viewpoints regarding the privacy rights of citizens could signal the adoption of a variety of approaches to these issues in future. In some countries, misuse of sensor and augmented reality data could become a criminal offence. Likewise, countries may exercise their sovereignty to set their own rules about when such data can be processed and stored by the authorities “for legitimate purposes”. Lack of international approximation will inevitably result in lack of clarity,
and asymmetry in national capabilities for fighting cybercrime.
Identity and Reputation
Reputation will be everything, for governments, businesses and citizens alike.
Damage will be instantaneous and increasingly difficult to repair. As indicated in
the narratives, the widespread use of multiple identities with varying levels of verification, pseudonymity and anonymity is likely to give rise to new identity management services and tools. An emerging market for outsourced corporate online reputation management is a current signal for this. Any future lack of consensus on the circumstances under which citizens and the authorities can be legitimately anonymous is likely to result in exploitation of these differences, including jurisdiction shopping by criminals.
Internet Governance
Lack of unity in Internet governance means lack of unity in cybersecurity.
Regardless of the precise number of governance authorities operating in 2020, there will need to be broad consensus on standards, not least to ensure interoperability of emerging Internet mediated technologies, including augmented reality and the Internet of Things.
The rise of hacktivism in recent years serves as a current signal for increasing civil society engagement in issues of Internet governance and data protection. It is anticipated that citizens will require greater transparency and accountability from their service providers and governments, and autonomy over their data. Given the pace of expected technological developments such as augmented reality and global sensor proliferation, additional efforts will need to be made to convince Internet users of the trustworthiness of emerging technologies, and their own agency as regards Internet governance.
A truly multi-stakeholder security environment
The scenarios highlight new tensions and oppositions in the global cybersecurity environment. Internet connectivity has already fostered the creation of new global networks of citizens, some of which have challenged corporate and government interests. By 2020, civil society networks like these could well be a powerful force in cybersecurity. Equally, effective cybersecurity will require active risk management by all stakeholders. But the next seven to eight years could also see increasing tensions between corporate entities and governments, particularly in regions where Internet filtering and local intellectual property regimes are deemed to run counter to business interests.
Risk or control? A key tension for the future
The world depicted in the narratives is to a large extent divided into risk-based and control-based cybersecurity models. Control models are associated with security through lock-down, heavy reliance on technical prevention, Internet filtering, absolute protection for intellectual property, and sub-optimal interoperability. Risk models, on the other hand, are associated with an open and generative Internet, conditional intellectual property regimes, and exposure to the full range of threats to be found on truly converged networks.
2020 is perhaps most likely to exhibit a combination of these two models.
Based on current signals, however, it is possible that their distribution will be rather patchy, with some regions or states exhibiting a large risk appetite and early adoption of new business models, and others doggedly seeking to maintain the status quo or even adopting regressive strategies in order to exert territorial control and serve the perceived interests of national sovereignty.
Countries and corporations opting for more of a risk-based model are going to need more lawyers, more insurance and more cybercrime specialists. All three will be very big business in such an environment. But it may also foster new innovation, investment and employment opportunities in collaborative design and manufacturing, identity and reputation management, risk management and new approaches to cybersecurity.
Cybercriminal Threats
At the most simplistic level, the cybercriminal threats envisaged in the narratives can be broken down into the following categories:
• Intrusion for monetary or other benefit
• Interception for espionage
• Manipulation of information or networks • Data destruction
• Misuse of processing power
• Counterfeit items
• Evasion tools and techniques
The vast majority of these threats were already present to some degree in 2012. Targets will range from individuals, small and medium-sized enterprises (SMEs) and corporations to critical infrastructure and defence systems, motivations from sheer amusement (lulz) to profit to commercial and technological advantage and national security. In these respects, at least, some cybercrimes in 2020 will be adaptations of existing crimes to the technological developments of the next seven to eight years.
In addition, new challenges will emerge. Evolved threats to critical infrastructure and human implants will increasingly blur the distinction between cyber and physical attack, resulting in offline destruction and physical injury. Moreover, increasing incorporation of augmented and virtual reality technologies into daily life has the potential to result in cybercrimes which entail psychological harm to individuals.
In a truly converged 2020, the following cyber-related activities may be more apparent:
• A market for scramblers of mood recognition, remote presence and Near Field Communication technologies
• Highly distributed denial of service attacks using Cloud processing
• A move from device-based to Cloud-based botnets, hijacking distributed processing power
• A mature illicit market for virtual items, both stolen and counterfeit
• Distributed bulletproof and criminal processing
• Physical attacks against data centres and Internet exchanges
• Electronic attacks on critical infrastructure, including power supply, transport and data services
• Micro-criminality, including theft and fraudulent generation of micro payments
• Bio-hacks for multi-factor authentication components
• Cyber-enabled violence against individuals, and malware for humans
• Cyber gang wars
• Advanced criminal intelligence gathering, including exploitation of big and intelligent data • High impact, targeted identity theft and avatar hijack
• Sophisticated reputation manipulation
• Misuse of augmented reality for attacks and frauds based on social engineering
• Interference with, and criminal misuse of, unmanned vehicles and robotic devices
• Hacks against connected devices with direct physical impact (car-to-car communications, heads-up display and other wearable technology, etc.)
The above list begs the question of exactly who will be empowered and capable to investigate and combat such threats. There is already some overlap between investigations conducted by the authorities and those conducted by communications and financial service providers, and Internet security companies. The capacities of law enforcement and the criminal justice system will need to be significantly enhanced in order to meet the challenges of cybercrime in 2020. Moreover, the authorities will be required to develop more creative and flexible responses to criminality, following the example of existing quasi-judicial sanctions such as asset recovery and crime prevention orders.
The distinction between legitimate and illegal activity may also become increasingly blurred, since practices such as data harvesting and interception, and reputation manipulation will be even more closely associated with profit generation. Current proximity between criminal spamming and legitimate marketing techniques such as behavioural advertising already serves as an indicator for this. The challenge for legislators will be to delineate the circumstances under which these activities may legitimately be conducted, and to ensure that as far as possible these measures are harmonised internationally. Criminalisation will naturally also require sufficient capacity to investigate, disrupt and prosecute.
Finally, expansion in the use of unmanned vehicles, robotic devices and automation will inevitably raise the issue of whether computers are intelligent agents. This could be a game changer for criminal law, which historically exists to regulate interactions between human beings.
The View from 2012
Systematic review of Internet security industry reporting revealed the following as key features on the 2012 cyber threat landscape:
Cloud/Virtualisation Consumerisation/Bring Your Own Device (BYOD)
Crime as a Service
Cyber Weapons
Data-Stealing Trojans
Embedded Hardware
Hacktivism
High Profile Data Loss
Industrial Control Systems (SCADA) Legislation working against security Malware outside the Operating System
Mobile
New threat actors
New ways to hide
Online Financial Service Attacks
Rogue Certificates
Social Engineering
Social Networking/Media
Spam goes legitimate
Secure Sockets Layer (SSL) & Transport Layer Security (TLS) Attacks
Targeted Attacks
Web Exploits
These not only serve as a general set of current indicators for the evolution of cybercrime, but also enable the identification of a number of horizontal trends to be played out in the future. These include:
• Outsourcing of data storage and processing, and compromise of virtual machines • Third party access to and protection of data vs. personal control
• Aggregation of data as attractive to criminals
• Apps as dominant delivery mechanisms
• Distributed computing as a criminal tool
• Closer links between digital and physical disruptions
• A redefinition of privacy at the hands of digital natives
• Too much information
• An increase in economic cyber espionage via targeted attacks
• A large pool of unmanaged devices and services in enterprise environments
• Next generation of employees do not feel responsible for security
• Attacks focused on convenience payments and digital currency (Near Field Communication, mobile payments and banking apps, etc.)
• Legislation fails to keep pace with technology and even hinders attempts to improve security
• Distinction between criminal and legitimate methods blurs: criminals monetise legitimate services, while legitimate companies spam
These undercurrents all appear in some form in the scenario narratives in Section 5 of this document. These focus intentionally on the criminal and economic aspects of cybersecurity in 2020, drawing out the dependencies between various technologies and different actors in society, and identifying barriers to progress and effective security.