Cybersecurity just isn’t what it used to be. In the good ol’ days, hackers were just out for a little fun and notoriety, wanting to prove that they were smarter than the people who built the systems they were breaking into. Then it got to where people were actually trying to profit from cybercrime. Today, there’s cyber espionage, cyber warfare, motivations ranging from military to economic to hacktivism.
“There’s more bad actors with more motivations than ever before,” says Tim Rains, chief security advisor for Microsoft’s Worldwide Cybersecurity and Data Protection team.
Presenting key insights from a Microsoft study called Cyberspace 2025, Rains spoke at ABB’s Automation & Power World in Houston about the changing face of the Internet and cybersecurity, and about how the public policy decisions we’re making today about cybersecurity will impact us in the future.
As we talk about the Internet of Things (IoT), we hear the oft-repeated prediction of 50 billion connected devices by 2020. “If we don’t do security right around the Internet of Things,” Rains says, the next generation will have untrustworthy devices with unreliable connections.
Rains also quoted some other staggering numbers, like the 2 billion new Internet users that are expected to come online in the next 10 years, bringing the total to 4.7 billion. Broadband connections will increase from 650 million to almost 3 billion by 2025.
Have you thought about the global picture of that massive growth? We tend to think of the impact of the Internet in the U.S., but in fact the number of Internet users in western countries is finite, Rains contends. “Countries like China and India will eclipse the United States in terms of users and broadband penetration.”
Of the 4.7 billion users expected by 2025, 75 percent of will be in emerging economies. India will see a 3,000 percent increase in broadband penetration by then, Rains adds.
The picture is similar for students studying science, technology, engineering and math (STEM) subjects. By 2025, according to the Microsoft study, emerging economies will be producing 16 million STEM graduates annually—almost five times more than the 3.3 million a year from developed countries. The countries with the strongest growth in STEM graduates are expected to be Morocco, Saudi Arabia, Kenya, Peru and Guatemala.
What all of this means, in part, is how our technological and cybersecurity future is shaped depends a great deal on how well we cooperate with other nations around the world. Rains talked about three possible scenarios: peak, plateau or canyon. With the way things are going today, technology could plateau, where it’s stable, but stalled by organizations struggling to keep up with cybersecurity. The peak scenario describes a situation in which countries are more connected and cooperative, providing for more technological growth. On the other end of the spectrum, the canyon is one of deepening isolation and stunted technological innovation. Whatever the outcome 10 years from now, it will be shaped by today’s decisions, Rains argues.
Computing paradigms like the Internet of Things “only work if we have trust,” Rains says. “We have to have some level of transparency, collaboration and cooperation.”
Reaching peak levels also depends on governance based on best practices and standards, and a focus on talent. “Do you have a public policy around immigration and education?” Rains asks.
More than likely, we will need to get STEM students here from other countries to help us tackle cybersecurity issues. “We need to put something in place today so that when we need them 10 years from now, we have a streamlined process to bring them into the country,” Rains says.
Cybersecurity is already a huge issue, with an impact of as much as $3 trillion in lost productivity and growth, Rains says. As we learn more about cybersecurity, it’s not getting better, but worse. It’s costing companies an average of $3.5 million for each data breach—a 15 percent increase year over year.
“The bad guys are not slowing down. They are not static,” Rains warns. “They’re constantly trying to find new ways to compromise organizations.”
On average, organizations are compromised for 243 days before the bad guys are even detected. “If you assume that you will be breached, and that’s what we do at Microsoft….you give yourself permission to think about what will I do when we’re breached? How will I know? How will I isolate the bad guys? How do I make it hard for them to move around my organization once they’ve penetrated that hard shell?”
What you need are repeatable processes and tools that will help people do security, at scale, Gains said. “How can we take 36,000 developers at Microsoft and turn them all into security experts? We tried. You can’t.”