Last year’s cybersecurity predictions for 2020 never saw the pandemic coming. This expert sorts out the hits and misses …

In the world of cybersecurity, ’tis the season for speculation. Every year around this time, experts dust off their crystal balls and tell us what to expect in the coming year. Their forecasts flood tech websites from November until January.

This ritual can be both useful and entertaining, but they can also be tricky: not every year plays out as experts expect. Sometimes the late, great Yogi Berra’s (the baseball legend, not the cartoon bear) homespun wisdom prevails: “Predictions are hard, especially about the future.”

Especially about this year.

Indeed. I spent several hours combing through November 2019’s avalanche of 2020 cyber security prediction pitches from industry experts, and as you might guess, not a single one mentioned the biggest, most consequential event of the year— the coronavirus pandemic and its cybersecurity implications.

No expert predicted that, after this year’s RSA conference in late February, every other security conference would either be canceled or made virtual. Not one predicted that WFH would become the Acronym of the year. Not one predicted that the travel budget of most security vendors (and that of just about every other company) would plunge to something close to zero. 

But of course, who could have imagined, let alone predicted, any of that? Sometimes the unexpected upends everything. There is a reason that the “Hindsight is always 20/20” cliché does not refer to foresight.

Cybersec predictions that fell short

Other than the predictions that everybody missed, some did not age all that well either. One expert confidently declared that “a Western government will be forced to quell looting and rioting when a cyberattack disrupts its electric grid.”

That could still happen: there are another six weeks to go in the year that everyone would like to forget. And there are widely-reported vulnerabilities in the USA’s critical infrastructure. But so far, the civil unrest of 2020 was mostly due to Black Lives Matter protests, not a cyberattack.

  • Ransomware
    Another prediction declared that the ‘ransomware window’ would be closing in 2020. Uhhh, not so much. Multiple news outlets have reported in the last couple of months that ransomware attacks have not only increased seven-fold since last year, but are evolving.

    Instead of simply encrypting files and demanding a ransom for a decryption key, attackers are adding blackmail/extortion for more leverage, threatening to post the stolen data on open forums if the victims do not pay up. In those cases, having a backup does not do much good.

    Not everybody was seeing the ransomware window closing, however. Some other experts correctly predicted it would be a banner year for that kind of attack.
  • 5G
    Yet another expert declared that 2020 would be ‘the year of 5G’, which seems to be partially right. It is the year of 5G advertising—the big telcos are relentlessly touting it, and more devices are built to take advantage of it. But the ‘next big thing’ in cellular remains a long way from mainstream. It was recently reported that even by 2023, the share of 5G networks in North America will be just 17%—better than any other region in the world but not even close to a universal standard.

    And yet another prediction declared that the REAL ID deadline would create “real chaos.” Well, maybe next year. But not this year, since the pandemic prompted a delay of the deadline by a year.

Predictions that held up

Some predictions did hold up reasonably well, perhaps in part because they simply pointed to trends that were already under way and were not going to collapse even amid a pandemic. Among them:

  • The skills gap
    It was bad last year. Most experts predicted it would get worse this year. It did. It will likely be even worse next year. According to a report released in July by ESG and ISSA, the worldwide shortage of qualified applicants for cybersecurity jobs is in the 4 million range, due to “a continuous lack of training, career development, and long-term planning.”

    To close that gap, the cybersecurity workforce in the US would have to increase by 62%.
  • Privacy priorities
    People have been slowly awakening to the reality of the long-time slogan “If you aren’t paying for a product, you are the product.” And as many predicted, privacy legislation is gaining traction.

    It was not just that California’s Proposition 24, the Consumer Personal Information Law and Agency Initiative, aimed plugging loopholes and strengthening the landmark California Consumer Privacy Act, passed easily on Election Day. It is that more than 30 states considered new privacy laws. Few of them passed, given the disruption of both the pandemic and a national election. But almost 75% of Massachusetts voters went for an updated Right to Repair law that gives vehicle owners and independent repair shops access to connected-car telematics data. Put more simply, once people buy a car, they have some control over the data it generates.

    While that is just one state, analysts said it could generate a national standard, since automakers and dealers would have to create that infrastructure to sell their products in Massachusetts.
  • AI bias
    AI was all the rage last year. It is even more so this year but it is also generating some actual rage: a trend that multiple experts predicted correctly would continue and expand on multiple levels.

    First, when intelligence is artificial it reflects, or can even amplify, the biases of those who create it. Critics have been saying for some time that AI can lead to discrimination in everything from hiring to housing. Which means the algorithm can make things worse instead of better.

    Second, as is the case with any technology, bad guys can use it too—and they do. AI is helping cybercriminals to be more effective at social engineering, spoofing, impersonation, defeating Captchas, cracking passwords, and discovering vulnerabilities.

    AI also enables deepfakes—fraudulent audio and/or video that is alarmingly realistic. It was labeled this past August by the journal Crime Science as “the most worrying use of AI for crime or terrorism.”

IoT: bigger but not much better

Everybody predicted the Internet of Things would grow by the billions. And they were right. They were also correct that IoT security would remain mediocre to lousy.

If awareness of that reality is progress, then there is progress. Experts everywhere have for years been calling for vendors to “build security into” their products, and it is a constant theme at security conferences. But so far, consumers remain much more dazzled by cool features and user experience than by privacy and security protection. And vendors continue to respond to those priorities. So, the need for security conferences continues, greater than ever.

Predictions are hard

It was easy to predict a year ago that in 2020 more and more organizations would be moving, all or in part, to the Cloud. It was trickier to forecast how many of those organizations would know what they were getting, or not getting.

Cloud computing is gaining mainstream traction for good reasons. But security in the cloud is not a guarantee. As one security report put it: “cloud providers are 100% responsible for providing security software for organizations to use, but the organizations are 100% responsible for software security.”

This is not an exhaustive list, of course. And the fact that some of the best minds in the industry missed or got some big things wrong about this year does not mean predictions are worthless. It always makes sense to plan ahead. And 2021 predictions are already pouring in.

Just keep in mind that nothing is guaranteed. Because predictions are hard …

(Editor’s note: Don’t get us started on the tons of studies, surveys and reports constantly trying to achieve even 6/9 foresight. Readers are reminded to exercise their own discretion as to the worthiness and credibility of any report quoted in the news. We have a commitment to constantly tone down the sometimes-strained conclusions of studies and reports in and, but the rest of the believing is up to each of you.)