2018 In Review
[Note: this piece was originally supposed to run in an industry journal, but the legal department killed it, even though the editors enjoyed it.]
Making written predictions about anything is a fool’s errand; there are so many, many ways to be wrong. This is what happened to me when I last wrote for this esteemed publication, in 2014; the publishers were so put off by my wildly inaccurate prognostications that I’ve not been allowed back for three years. In fact, it’s only because of the recurrence of Mike Chapple’s painful campground-related scurvy that this piece appears here (and I am sure I am not alone in wishing Mike a speedy recovery, and that we are all eagerly awaiting what will be sure to be his definitive take on “Kitten Posters -- Raising Security Awareness....and Brightening Your Day!”).
Because of the ugliness and general scoffing that have been the mainstay of my email inbox for the past 36 months, I have decided not to make predictions: I am going to cheat. While this may cost me both my good standing in several professional organizations and my freedom (I will be violating several international agreements in this process), I think it’s worth my pride.
I am making use of the tachyon-based communication system to send this message backward in time, from the year 2027, giving me a pretty good perspective on what is about to happen to your industry. This method of communication was itself developed in-- well, never mind....you’ll see, and I’ve broken enough laws already. So here it is: the big goings-on in the INFOSEC field, circa 2018:
-- The public executions of the Equifax security staff went off without a hitch, and also carried the highest per-home viewership share since the final episode of M*A*S*H was broadcast. It was seen as a just outcome, not because the transgressors were incompetent (though that argument was definitely made), but because of their cavalier acts of last-minute profiteering before announcing the breach, which were so callous and calculating. Of course, the executions only mollified the citizenry, who were only too glad to move on to the next news cycle tidbit, and did nothing to modify behavior by security practitioners, have any substantial effect on the legal system, or, indeed, even change the hiring practices of organizations looking for security personnel. And Equifax, as you’ll soon see, was able to Arthur Accenture itself into a new incarnation and suffer absolutely no ill effects to its market share or profitability.
I mean-- come ON: we know that security and IT people are, by far, the worst violators and insider threats, both in terms of frequency and scale...and nothing ever changes. Mainly because everyone wants to pretend otherwise. That doesn’t change in the next decade, either, so all our phony-baloney jobs are safe.
-- The Chinese stunt of spooky entanglement in orbit (and no, that’s not me using florid prose: that’s actual terminology from the domain of quantum computing, proving that physicists can party as hard as anyone else) in 2017 led to some rather fast progression in that field in the following year. Quantum computing came faster than most predicted...and, with it, quantum cryptography...and then became pretty much a non-event. The machines got faster, and the way to break crypto became easier, then the crypto got more complex, all in quick succession, so it was pretty much business as usual, albeit with much bigger numbers.
-- It was the tail end of 2018 and the beginning of 2019 when organizations started moving out of the cloud. Well, not so much out of the cloud, but away from the cloud as a managed service. When legislation started appearing in different countries, putting legal liability for malicious/negligent behavior leading to data breaches on the provider instead of the customer, prices for cloud services shot through the roof...and somebody smart (I won’t say who-- wait for it, you’ll be surprised) pointed out that having cloud managed services wasn’t really revolutionary, it was just two steps backward into the old timesharing/process waiting mainframe model (okay, screw it: it was Bruce Schneier....and yes, nobody was surprised). Managers who had created c.v. bullet points for moving their enterprise IT into the cloud suddenly realized they could create even more bullet points by moving the enterprise out, and investors did as investors always do: ignored the stupid management decisions that happened before, and lauded the new management decisions as the best thing EVAR, which would surely lead to golden streets and free cotton candy for everyone.
-- It wasn’t quite 2018 when it happened, but that was the year the seeds were sown for the end of privacy...which would eventually lead to real security and topple some of the elements that had historically been viewed as fundamental to the nation-state. It was a politician in Wyoming that figured it out: she realized that we only need privacy for things we’re not proud of. She was also running against a three-term incumbent, representing a third party, and fighting a combined doom of indolent, bored voters and an unimaginative media machine that hasn’t done the public any favors since inventing coupons. Maybe that’s why she did it...but it was the first handful of snow in the avalanche. She donned a wearable streaming camera and uploaded all of her interactions, work, meetings, and discussions to the Web, allowing every member of the public to view her actions and conversations, giving them both a direct feed into her true character and beliefs as well as a prurient voyeuristic opportunity that couldn’t be beat (she did turn off the camera when she went into the bathroom or bedroom, but that was only because of her 20th-century hangups; after she won, every subsequent candidate stepped over each other trying to out-transparent the other, and released everything they did to public review, including a great deal more snoring as a result of deviated septums than anyone ever expected). She not only made politics interesting again, but put the first nail in the coffin for privacy: people realized that safety did not come through obscurity, but by ownership of their own behavior, and there was no shame where there is mutual repugnance and commonality of banal wrongdoings.
Of course, without the excuse, “we need secrecy to keep you safe, and we can’t tell you why,” governments lost a great deal of power as well, so many resisted, but it was a losing fight: individuals ended up with more power, freedom, wealth, and safety than they had when governments had primacy. This openness also ended the illusion of widespread monogamy, but by 2018 nobody was really buying into that canard anyway, and it’s not germane to INFOSEC, so I won’t address it here.
-- The Data Slip was unusual. There had been doomsday predictions about the Y2K bug, but nobody saw the Slip coming, and it was weird that entire swaths of data were just gone, for no reason anyone could quite determine (I could tell you, but that would spoil things, so I won’t). Suffice it to say, after the initial freakouts, and some panicky hyperbole from the media and eckspurts, the most interesting thing about the Slip was that everyone was able to just go back three days and resume life with slightly-older numbers (bank accounts, bills, grades, etc.) without nearly as much fuss as anyone would have guessed. It proved that systems are resilient, even when other systems, on which they’re dependent, fail. It also demonstrated that Resetting could basically serve as a giant “do-over” for entrenched and failing systems...it was proposed that the same be done for systems where data had become stagnant and beyond rescue, like Social Security, markets on the precipice of collapse, and Major League Baseball. However, I won’t tell you which were chosen for reboot, and which just went away because they were awful (like Major League Baseball).
Anyway, that’s what you have to look forward to. Don’t be alarmed: everything keeps getting better and better. If not...well, come find me in the future, and help me fix my tachyon transponder.