Cyber security in 2035

As we stand in 2024, peering into the cybersecurity crystal ball, what might we see in 2035? This article will explore this question in three sections: how the threats we face might evolve, how human progress will open new vulnerabilities, and ways defenders will up our game.

Evolving threats: progress we’d rather forego

The last ten years has seen significant change in how threat actors organise themselves, interoperate, and act. By 2035, the cybercrime landscape is likely to make similarly significant shifts. Here's how that might look:

1. Democratised cybercrime: The barrier to entry for cybercrime will likely be lower than ever. With the increased availability and commoditization of malware and offensive techniques, even those with limited technical skills could become threat actors. This democratisation of cybercrime tools could lead to a surge in low-level attacks. This may attract some scammers to either shift to cybercrime or shift their tactics to incorporate cybercrime techniques. 
2. Increased regional diversity of cybercrime: Russia and parts of Eastern Europe with limited law enforcement have been a source of more organised cybercrime for some time. We see proliferation of this lucrative activity to parts of Asia and Africa that may become hotbeds for cyber criminals with law enforcement needing to play catch up. 
3. State actor evolution: State actor cyber activity should continue to intensify. State cyber activity (espionage, pre-positioning, or more aggressive action) have generally prompted limited or no response, encouraging states to use cyber methods as a foreign policy tool. We might also see smaller nations developing or contracting more sophisticated cyber capabilities to level the playing field against larger powers (which may have more vulnerability).
4. AI-powered threats: Widely discussed over the last couple of years has been the potential for AI, particularly advanced code generation models, to be weaponised. AI could be used to create more sophisticated malware, automate attack processes, or even generate convincing deepfakes for social engineering attacks. It is also likely to be a method to further the other items on this list.

Emerging vulnerabilities: the price of innovation

As humankind innovates, develops new industries, integrates more deeply with each other, and adopts new technology, we increase the attack surface of vulnerabilities: both inherent and unrecognised:

1. Persistent and pervasive digitisation: By 2035, even more aspects of our lives will be digitised. From citizen identity, self-driving cars, to smart city infrastructure, our attack surface will expand significantly. Each new digital service or product represents a potential entry point for cyber attackers - either through subverted legitimate means or through flaws in the enabling software or implementation.
2. AI integration: The widespread adoption of AI assistants and other AI technologies in workplace workflows will introduce new logical and technical vulnerabilities. As AI systems become more integral to decision-making processes, they could become prime targets for manipulation or exploitation. Because the input these systems take is necessarily very broad, preventing successful attacks will be challenging, putting more emphasis on detection and response.
3. Robotic revolution: In the early 2020s, demos of humanoid household robots have sometimes turned out to be people in spandex suits, but we hold some hope for where this technology will go. The proliferation of robots and drones in various sectors – from manufacturing to healthcare to the home – will create new security challenges. Each robot may present both a new vector and a new end target to create physical effects or even more debilitating downtime. Compromised robots and drones could even pose physical safety risks.‍
4. IoT Ecosystem complexity: The Internet of Things (IoT) and Operational Technology (OT) population will continue to grow apace. This increased connectivity will allow data to be aggregated from disparate sources, potentially exposing sensitive information if not properly secured. At the same time, the supply chain for these technologies and the software that powers them will continue to grow more complex and potentially more opaque, leaving us to choose between adopting new, potentially crucial technologies, and finding a way to secure them.

Evolving defences: staying ahead of the curve

The good news is that to combat these emerging threats and vulnerabilities, our cybersecurity defences will evolve too:

1. Increased scrutiny and onus on software makers: The US Government’s Cybersecurity and Infrastructure Security Agency (CISA) has been campaigning for increased responsibility from software makers for the security of their products, many of which are based in the US and whose largest market is the US. This, alongside initiatives like DARPA’s AI Cyber Challenge which aims to identify and automatically remediate vulnerabilities in software, could make our software safer and mean that the challenge we face doesn’t scale at the rate of new technology adoption. Realistically, it’s hard to see a similar level of zeal applied to the security of software embedded in new technology manufactured at scale by all countries, but we hope we’re wrong.
2. Platform-centric security: Greater concentration at securing key hyperscale productivity platforms (like Microsoft 365, Google Workspace, etc.) and the identity infrastructure around them may give us a level of resilience and ability to centrally fix problems quickly compared to our history of wildly varying environments or applications to achieve the same outcomes. 
3. Better human focus: More traditional machine-learning techniques have been used in security products for many years, so the potential for transformational change in some core detection engines themselves may not be as great as greenfield areas. However, we may see significant improvements in the orchestration, interconnectivity, and reasoning capabilities that surround these core engines. This should result in better signal-to-noise focus for security teams over time.
4. Evolving SOC roles: Traditional Security Operations Centre (SOC) analyst roles (of any sourcing model) must be transformed. Spending the amount of human and financial resources that we do on human analysts doing basic triage is unsustainable. We should see smaller teams of AI supervisors, overseeing and directing highly capable AI systems that handle the bulk of day-to-day security operations, with human oversight handling truly important edge cases, potential larger-scale issues, and validation that the systems are acting as they should.
5. Regulatory expansion: A larger percentage of the economy may come under cybersecurity regulations of increasing alignment to the threat we face. This could lead to improved baseline security across various sectors, though it will likely introduce compliance challenges with it.

As we look towards 2035, it's clear that the cybersecurity landscape will continue to evolve rapidly. While new threats and vulnerabilities will certainly emerge, so too will new defensive capabilities. We face a fascinating decade ahead where practitioners will need to be adaptable, continuously learning, and proactively working to embrace new technologies while understanding their security implications.

We plan to revisit this topic to consider how our view from here shifts over the next few years - and to keep ourselves honest about our predictions!