¶ Future Trends in Cybersecurity
Technology is evolving at a pace most of us can barely keep up with . We're moving towards a world where the number of connected devices far outweighs the number of people alive . By 2030 , it's estimated there will be more than 50 billion connected devices globally , and each one of these is a target for cyber criminals .
So just what does the future hold in cybersecurity ?
It is the Japanese high-speed train of consequences compared to the locomotive . That was the internet for the last 30 years .
AI , deepfakes , quantum computing All of these offer new possibilities for criminals , but also new ways to fight back . This very modern battleground is constantly evolving .
This is the last episode of this season of what's Up With the Internet , and we're going to close with a look at what the future trends are in cybersecurity and how new emerging technologies are going to impact this space .
Moving forward , I'm Takara Small , and this podcast is brought to you by CIRA , the Canadian Internet Registration Authority , which is a nonprofit building a trusted internet for Canadians , which is a non-profit building a trusted internet for Canadians . Okay , so , to break down all this , we got Jon Ferguson from the team here at CIRA .
John is the VP of Cybersecurity and DNS . We asked him to look into his crystal ball and predict what future trends he sees in cybersecurity over the next few years .
Certainly AI is the big one that everyone really hears about the most in the news , and that's really because , if you consider sort of the nature of the cybersecurity threats , there's really two big things that tend to be generating all these big breaches or attacks that we see . Generating all these big breaches or attacks that we see .
One is phishing or impersonation of people or businesses . So you get an email , you get an SMS and it purports to be somebody or something that you should care about .
We all get mysterious packages from a long lost uncle or king of a nation that we apparently are an heir to a throne of , and if you accidentally click on something like that , it may expose your organization , your network , your systems to a bad actor getting in , and that's a phishing attempt .
And then the other side is sort of ransomware , which often happens after that . Once a bad actor gets in , what are they going to do with the data or the system which they have compromised ? Well , usually they block it , they shut it down or they threaten to give away your information for ransom .
And more and more those things are being exercised by vulnerabilities in software . So every piece of software that ends up being created or run no-transcript , because AI is looking at the code and finding these problems or being much more clever at finding the mistakes at a much faster pace . So the speed of all of these attacks is definitely going up .
The sophistication of the attacks are going up , even though sort of the mechanisms are very much the same as they have been for quite a long time .
So does that mean AI can help fight back against hackers and online criminals ?
Oh , 100 percent . I mean , this is one of the great challenges of , I think , any technology . Good and bad things will result from anything that comes along , and quite often , I think , there's an adoption curve that is very different for the bad actors than it and grab an AI algorithm or a system or a quantum crypto breaking tool and try it right .
What's the worst case ? That thing that's going to happen to them ? Well , they're already doing something illegal . So worst case scenario for them , I suppose , is it doesn't work and nobody ever knows about it .
But if you're a corporate entity , you're an individual person and you use an AI tool and it does something bad or wrong or gives you the wrong information , you can be li regulation , where there isn't a sort of best practices developed yet , can take longer for us to see some of the real benefit from it .
But we're already seeing AI and this capability test better , test faster , having what they call co-pilot services , where an AI can help a developer create their code , so it can even help them do that work faster .
So we're seeing that adoption happen , but it's just not quite the same rapid pace as some of the free-reeling malicious folks can take advantage of it .
So are there any other technologies , then , or tools that are also going to impact this space , kind of like AI ?
Yeah , I mean , I think the other big one you hear about is quantum computing , right , and the shift away from what we've sort of classical computing that we've known about to these you know , essentially by definition day as sort of super computer , capable uh devices which can and do tasks that we're used to taking very long periods of time , uh be very quick ,
very uh easy for them to uh to do these types of sort of interactions . And the big one is really on encryption resistance , so being very quick to break an encryption key . One thing we've always been told about security if it's secure data you're looking for , we'll encrypt it and protect it .
Well , that's because it used to take days , hours , years longer to to break a security key . Now we're talking about seconds in some cases , and so encryption is the first use case everyone's really worried about with quantum computing .
But just having this massive increase in computing power and very specialized capabilities , it's going to mean a lot of sort of our traditional thoughts on how we secure things have to change .
So I think the big challenge around all of this thinking about the future of technology it's not just one technology that we can prepare for the thing that we can count on is that there's going to continue to be more innovation and change and we're going to need to be agile and adapt .
And if you take some examples that are out there , don't think about what's happened in the last 10 or 15 years just as a microcosm in , say , our cell phone world , now we go out and want to buy a new cell phone every two or three years , partly because there's a promise of new , bigger speeds . Right , we went from 2G to 3G to 4G , now we're on 5G .
Well , the period of time between each one of those transitions from one network to another , it's gotten shorter and shorter and shorter every time , and so the innovation cycle , the ability to create new , more powerful tools , is happening at a much higher frequency . And the chat , gpt versions I think we're on version four now .
The first version was blows , blew us all the way and what it could do , and now that's been maybe two years since that's been out and it's doing these amazing things more .
So we all have to kind of get into this world of adapting for the next thing , because it's certainly going to come , and the question is whether or not we've sort of created this ability to be adaptable and change to deal with whatever comes next , because there will be good things that come too , but it's easy to focus in on the bad things .
Yeah , sorry , I didn't mean to laugh , but I mean obviously a lot of it's like a lot of doom and gloom . So the good things is it okay for me to ask , like , what are those potential good things ?
well , certainly , I mean there's . There's what depends on your perspective on everything , right , yeah , there's a lot of uh opportunity to create these , uh , these connection points . I mean , if you look at some of how the language models are being used , or ai are being used for instantaneous translation , for example , is that a good thing ?
I think , for a lot of people who struggle with languages , that's awesome . You can communicate with , with everybody and anybody . Maybe , if you really love learning languages , you're you're not so happy about the fact that that's no longer a thing , but just the , that ability to universally communicate with everybody or anybody .
That seems really exciting and powerful yeah , it's definitely futuristic .
I'm thinking star trek right now , the universal communicators that's the promise , right ?
hey , you know if I can bury it in my sunglasses or uh , or something else even better , right ?
okay . So , speaking of how fast things are changing , one of the really big trends over the last couple of years has just been the number of attacks on major Canadian institutions . I'm thinking the Toronto Public Library , toronto Transit Commission , I mean even Newfoundland's healthcare system .
It just seems like there are so many big organizations that are falling victim to online criminals . Is this a trend likely to continue ? I mean , can we expect this to continue happening , or will organizations , regardless of where they're located in Canada , just get a little bit better ?
Yeah , I guess you said you wanted to avoid the doom and gloom , but I don't think you set up a question that lets us do that , did you ? Yeah , it's , I mean those are . I mean , frankly , those are the ones you've heard about , right , right , and that's the unfortunate part of the scenario is that we hear about a very small percentage of them .
I think that's one thing that is changing . People are organizations are waking up to the fact that if they don't sunshine these issues , it makes it far easier for others to be compromised as well . I think we are moving towards a point where I mean , we've been saying this for years . I get back to the doom and gloom world of cybersecurity , the conversation .
The cliche is it's not if it's when . Um and there's there's a fair degree of truth to that right you need to be prepared to deal with recovery of your systems . You know where your data is . You need to know what you're doing in terms of exposing your organization to , you know threats .
Whether or not you really need to do certain things online is a question . There isn't any one solution that is going to come in and secure your entire organization . It's about defense in depth right , having multiple security layers and capabilities . Those things need to happen , but that still doesn't make you foolproof , if you will , from a breach .
¶ Challenges and Solutions in Cybersecurity
Some of the most sophisticated organizations are getting breached because they have very valuable information and , despite these massive budgets , it makes it very hard to keep on top of it because the bad actor only has to succeed once . Right , this is the hard thing . You see all these things in the news and all the sound clips and the sound bites about .
Are these technical people doing enough ? Why didn't they do it ? Well , they have to be 100 for 100 . Well , for the one time they get breached , you're on the news for a huge amount of time . And that's , I think , one of the biggest challenges we've got as a sector right now in cybersecurity is how do we keep the professionals from burning out ?
You can't always be perfect and it's hard to hold people to that bar , because for the , you know entire career . If you know the one day that they had that they got breached , that be what is remembered , not the 99.9 of other days where they kept the place secure .
And I think that's a real challenge to continuing to attract , uh , the biggest and the brightest to the the job , because often it's a thankless task , um , and we're seeing a lot of change in the , in the in the landscape right now . You seeing a lot of change in the landscape right now .
You see a lot of legislation coming in , certainly in the US they've changed the rules on disclosure , so there's an obligation for organizations to disclose certain types of breaches . So , in turn , you're seeing more of that in the news cycle , because now they are obligated to disclose .
Now they are obligated to disclose , and there are certainly situations now where people are being held individually accountable in the executive suite for cybersecurity . So I think , at a high level , some of that stuff's great and good that we need to make cybersecurity a very definable , very important part of every business strategy .
Right , if you're equivalent to your CISO , if you're a smaller organization , your IT person who's responsible for security , if they are not sitting at the table with your overall business strategy , then you are missing the message right now .
Right , it security and cybersecurity has to be part of your business strategy just as much as marketing and product and everything else .
You know , one of the other really big challenges associated with improving cybersecurity is also educating the general public Right and then asking them to implement steps as well . I'm thinking multi-factor authentication to implement steps as well . I'm thinking multi-factor authentication . How , you know , does someone in your role get Canadians to ?
care and actually put in place those types of defensive mechanisms . Yeah , I mean , one of the great things about working for CIRA is just our focus as a not-for-profit and a focus as a Canadian entity on the Canadian market .
That's one of the things that I love about this job is being able to speak to my country and be focused in on what we can do to make people more aware here .
I do think there is this baseline level of cybersecurity which we're trying to get everybody aware of right , and we had our antivirus moment , I guess in the 90s right , where you used to buy a computer and go online and maybe you installed antivirus .
Then we got to that point where you had to have it or else you're yeah , you're going to have a problem to a point now where you can't buy a computer without it having antivirus baked into it , and so we're getting there . I think , in terms of educating the younger crowd , educating a lot more people , there's a ton of free resources out there .
If you look at something like the Canadian Shield that CIRA provides ourselves . It's a protected DNS you can put on your phone and put on your router at home and that'll block a lot of bad websites that might infect your computer . It's a free service . The Canadian Center for Cybersecurity offers a whole ton of resources on how to identify malicious stuff .
It's got to be part of our professional training and our school education to . Frankly , in my opinion , it is one of those things right now which is , you know , just as important as teaching your kid how to cross the street . You know , look both ways .
Well , don't go on the internet without some basic security has to be part of that education and it's going to be a challenge when you think of , you know , the whole world of deep fakes and and all these things that are hitting us right now .
No doubt there will be ways to better detect these things as the technology catches up on the on the good side , but I think there's a large degree of skepticism or curiosity that we need to bring to things .
You know , if I'm getting emails from places I don't recognize , or for getting asked for lots of personal information , is it really worth my personal information to be able to get a 10% discount coupon code for something I'm buying ?
Yeah , we have to start to consider what's being done with that data and that information that we've been freely handing out , because a lot of cases . A little bit of restraint , a little bit of extra criticism or a critical eye on information , and people will protect themselves from a lot of the dangerous things that they're running into .
Is there anything at CIRA that your team and the organization is advocating for supporting to help create a safer online space ? And I'm , you know , immediately thinking of Bill C-26 .
Yeah , so you already answered your own question . C26 is definitely one of them . So again , maybe I guess a quick rundown on what C26 might make sense for some of the listeners
¶ Improving Cybersecurity Oversight and Collaboration
. But it's really you know this focus . I mean the act is an act for respecting cybersecurity . Um , you know it's been in the legislative process for quite a while now and we have been part of a number of working groups and consultations . We actually submitted some recommendations to improve the bill .
Now we're generally supportive because the goal of the bill is to improve internet security and a primary focus really on critical infrastructure . Right , how do we protect things like waterworks , utilities , you know all that type of thing . But really we've been focused in on just improving oversight .
Right , if you're going to put new regulation in , who's going to make sure that it's implemented properly , that privacy is respected , that there is safeguards around the data that's collected ? You know we've heard in the past . You know , at one point , you know , metadata became a big news phrase .
No one cared about metadata for like the first 15 years of the internet and then , all of a sudden , when we figured out that you could put all this little tidbits of tags of information together and you could , could actually build a real compelling picture of somebody or an organization . Then , all of a sudden , we cared about that .
So there's these nitty gritty details around how . Then , all of a sudden , we cared about that . So there's these nitty gritty details around how the wording gets framed that allows data to be shared , not shared , and improving the transparency so people can better understand it . Those are all things that we advocate for , I know .
Generally speaking , a safer internet everyone would benefit from , but understanding how that's being done is very much important as well . So we're definitely excited to see how it will shape , because it's still uh , it's still going through the process . It still has to go through the senate . No doubt there'll still be some more changes .
So we'll we'll be following up there . But , um , but there's more than c26 going on . I already mentioned there's a whole bunch of international initiatives going on right now that are looking at how do , how do the network .
The internet is actually a series of smaller networks that all interconnect , and some of those could be looked at as national infrastructures that interconnect , and so a lot of that relationship , in terms of cross-border relationship , is going through a whole bunch of transformation and ideation and new technologies .
You know we've , we've gone through the bitcoin uh evolution or revolution , or however you want to phrase it , but that same underpinning technology that's under bitcoin ledger technology and it's it's permeating in other areas of the internet .
And so , uh , there are new , new internets out there , which , which are very niche services that are going on out there , but they're becoming more mainstream , not just cryptocurrency , so those are going to potentially hit your browser at some point in the not too distant future and it'll be interesting to see how those things sort of come together .
The one surefire thing is there's a million things going on related to the internet , as there always is , and it continues to be really a place of amazing innovation , so that definitely keeps it interesting on a day-to-day basis .
One of the things you mentioned that kind of stuck with me was the burnout comment , and it's interesting because it's rarely talked about and there has been a very coordinated push in Canada to train and educate more Canadians to take on cybersecurity roles , because there is a dearth of them . There aren't enough of them .
So I'm just wondering , like , how do you deal with that and how does the industry come to terms ? Because all you really need is for there to be one time where maybe you don't have the capacity to protect your org or your company from a million different threats and you're hacked . But there's only a finite number of cyber security specialists in Canada .
So I mean I mean that must mean people are completely working 100% all the time .
Well , I like to think people are busy , but , yeah , there's just a couple of elements to that question . I think Takara One is the whole Canadian landscape in itself .
¶ Rising Challenges in Cybersecurity
It's not unlike a lot of countries where we're highly dependent on businesses , countries that are not Canadian and so I think there's a big need and a drive to build up this national capacity . The digital world is a bit of a new frontier , right ? You look at what happens these days in terms of conflict .
There's clearly a whole lot of cyber threat that's being generated by nation state activity , and so having our own domestic experts and capabilities is just good for the country , and we do have a lot of brilliant people really in the AI and quantum space .
Canada in many respects , are world leaders already , but , you're right , as a general practitioner or role , there are more roles than there are people , and that's where you see this real hard push to automation , to sort of centralizing some of these services with managed services .
So cloud is an example of trying to create the ability to do bigger things with less people not necessarily less resources , but less people and those things will continue to happen .
I think partly where you get the AI conversation gets to is you can turn some more mundane or people intensive processes that we have now into more automated processes and you hopefully redirect people into to more high valued work . But it's also about building up these skill sets right .
We you know , 20 years ago a software engineer would not have been coming out of universities or college programs at the same rate they have been for the last five to 10 . And we probably will see a shift again as we move forward . Cybersecurity , I think , is starting to have a moment .
I've been lucky enough to have some good interactions with some folks here in Ottawa at some of the universities who are building up more multidisciplinary training , education programs at the post-secondary level , but even talking to secondary school curriculum folks who are trying to build in this idea of cybersecurity .
I've got two young boys , I've got an eight year old who's learning about passwords in his elementary school class .
I mean , we're pulling that stuff down to kids so they start to learn about it earlier and I think that is just going to probably proliferate the fact that your average kid or student who comes out of school you know we don't ask on a resume right now you know how fast can you type . I remember when I started applying for jobs .
No , microsoft Word was a skill you put on your resume . We don't do that anymore because it's just a basic digital literacy skill that everyone who comes out of an education system now has . Quote unquote cyber skills , or knowledge that we today have to train on , they're going to become second nature to everybody .
Right now that we all have cell phones , we don't think as much about a two-factor authentication , right ? If you get a text message to log into a webpage after you put your password in , most people now don't think twice about that .
But that was a huge friction , you know , five , ten years ago to get people to consider that as not being a massive inconvenience . So we're getting places where the user experiences around cyber security are becoming easier , better , so we're able to adopt things better .
Skill are are changing so that people are more aware of some of this stuff , and I think that's it's a lot of this is about us keeping , um , that idea of that , that knowledge , forward front of mind , right , everyone's part of the cyber defense of their organization and your home , for that matter . Um .
So what are you doing to make sure that you don't do the wrong thing when you're online because we bring all those bugs and issues and challenges with us , especially now that we work so much from home . There's really a big blurring of the lines between the secure work networks quote unquote and your home network . So lots to think about .
Unfortunately , some days it's too much to think about , but there is an evolution going on and that's the one thing we can count on . It's going to keep moving forward and keep changing .
That was John Ferguson from CIRA . So , as a nation , are we slowly waking up to the magnitude of this problem ? Well , cira has just published its cybersecurity survey for 2024 , and the results showed that 76% of organizations have increased their staff devoted to IT system management and cybersecurity in the past 12 months .
System management and cybersecurity in the past 12 months . So that's moving in the right direction , but there's a long , long way to go .
David Shipley has some big concerns about the future . We are so radically unprepared for the negative consequences of this technology , and it is the Japanese high-speed train of consequences compared to the locomotive that was the internet for the last 30 years . What do I mean by that ?
Let's start with deepfake video technologies that can be run on an old Dell laptop . That can now be used to create non-consensual intimate images , synthetic intimate images of individuals , and it is being done .
There are telegram channels where you can drop pictures of someone you want to target and within minutes it's going to send you back pretty awful , realistic pornographic images featuring that individual .
So how does that play into this awful narrative that we've already seen , where the internet disproportionately impacts women or people who identify as women , and so that's just going to get worse ?
How do we deal with this awful story of misinformation and interference in a world where every possible news outlet is getting polluted with AI generated garbage , and social media is completely irresponsible as its AI becomes more sophisticated and it's harmful algorithms , as we mentioned Francis Hogan's testimony , continues to go unregulated in this country and in others .
And then how do we deal with increasingly sophisticated fraud and cyber attacks that the stakes are increasing . The , the first generation of ransomware , the dumb criminality that made billions of dollars , is coming to an end as consequences emerge as the global counter ransomware initiative takes hold . That doesn't mean it's over .
It just means that the first chapter is over and now we're seeing nastier , more consequential attacks . London drugs I mean this is the first major retail outage we've seen in this country . That went on for nearly a week . How many millions of dollars ? How much harm did that cause ?
And that's just the taste of what's to come for the healthcare sector in Canada . That is woefully unprepared . So it's going to get meaner , it's going to get harder and honestly , I wish I had better news on that side .
I have tried for years , since Newfoundland's attack , to raise the alarm , but I feel like one of those Old Testament hair shirt wearing prophets . These weren't very popular people back in the Old Testament . They're not popular today . There's a reason why some would rather get swallowed by a whale than go to the town and say repent .
And what I'm saying is invest and prepare . And it's not about being hacked anymore . It's about resilience to hacking and building a better , more fair society that better protects our most vulnerable while we are increasingly digital .
I have to ask why even try , then you know , for people who are listening small business owners , maybe you know tech leaders , you know CEOs of major corporations and down to the individual . They may think , okay , so we don't have enough funding nationally . There is an ever increasing threat .
There are criminals who are getting faster , smarter and better at hacking . Should I even try ? Is there even any reason to attempt to protect myself ?
There is hope , basic measures and steps . Microsoft has shown that even doing something like turning multi-factor authentication on can cut your risk by 99.9% to that digital lock picking that I mentioned earlier that got CRA . So there are some basic steps you can take that can actually dramatically reduce risk .
So there is proven , there's strong evidence doing something can pay off . Planning and preparedness are always worth it . But I'd say this I want the next 30 years to be a better story for the next generation than this 30 years of the internet has been . And the journey starts small . It starts with all of us doing a little bit better .
But this challenge of cybersecurity , it's one of those wicked problems like climate change . It's one of those things where we have to act individually and collectively and we have to have hope . I believe in the power of the human spirit . I believe in our ingenuity . I believe in our innate goodness as individuals in the society to want to do the right thing .
We will rise to the occasion we have in every previous civilizational challenge . But we got to wake up , and the part of that unfortunately means making people uncomfortable . It means taking away that last 70 years of comfort that we've lived under and realizing we're in a whole new world and we all have to step up .
And I wonder what your thoughts are on innovative privacy protecting technologies that can be used for good or bad . So we kind of mentioned Onion , tor . There's obviously Signal as well , and these are , you know , programs , services , apps that are designed to protect an individual particularly .
You know , sometimes people in certain countries are not allowed or even able to share their thoughts or political leanings , but they can also be used for nefarious reasons . So is there a way to balance them , or is it just , you know , it is what it is .
I think it's exactly what you said . It's balance .
Right now we're in the next version of the encryption wars , where end-to-end encryption is under assault in the Western world and certainly in authoritarian regimes , to break it for all kinds of reasons that make a lot of sense when police articulate we want to break up crimes in action , we want to go after the perpetrators of heinous crimes like child sex abuse
material , etc .
The problem is that police themselves , empowered with this , this tool , then become the targets , and if the NSA and the CIA can keep their hacking tools safe and punchline they didn't so far then no , you can't have the global keys to the kingdom on the nature of relationships when it comes to data ownership , and Tim Berners-Lee , the father of the modern World
Wide Web , is leading a movement that I find intriguing .
It's this idea of privacy , data pods that , instead of having elements of my personal data replicated throughout the world in various pieces and forms that can then be lost , stolen and recombined , that can then be lost , stolen and recombined that there would be a single , controlled instance of my personal data that folks would seek my permission to access to .
That would be far easier for me to withdraw my consent and access to and that would somehow , in digitally or physical form , be under my control , and I love that idea . And this is a return to that decentralized web , to shaking up some of the power of big tech and other things .
Whether or not that plays out or not , I don't know , but it's the most fantastical and best thought out idea to counter some of these big challenges I've heard . Yet we often hold organizations to account , particularly public sector organizations , municipalities , healthcare and we wag our finger how dare you get hacked ?
But yet when politicians show up at our doorstep , are we talking about how important we think it is that they invest time and laws and infrastructure and spending to protect ourselves online ? No , so politicians follow us . So if there is blame for the lack of security in this country , it's . We all own our piece of it .
And that's David Shipley from Beauceron Security Inc . So where does all this leave us ? The future of cybersecurity is going to be both challenging and exciting . Emerging technologies will transform how we protect ourselves , but they'll also introduce new risks . The growing threat landscape means that businesses and individuals will need to be more vigilant than ever before .
As we wrap up this season , one thing is certain Cybersecurity is no longer an afterthought . It's a critical component of our digital lives and will only become more important . But rather than scaring you too much , we wanted our last guest of the season to offer some perspective .
Bruce Schneier is a leading expert on cybersecurity , and we first heard from him in episode one .
You know my thoughts about the future have nothing to do with computers . They involve climate change , they involve democracy . They involve some really serious problems that our society and species has to solve pretty soon . I mean , cybersecurity probably doesn't hit the top 10 . But if you want to talk about cybersecurity , I think we're doing okay .
You know we mess up around the edges and we as a culture tend to get things wrong before we get things right . But we eventually get things right , and I think we will in this case as well . I mean , I don't think society will collapse because of a cybersecurity problem .
It's the other things . Climate change it's the other things .
Right , you know , and we're not going to solve climate change until we fix democracy , and we're not going to fix democracy until we fix capitalism .
Right , ok . So then I mean , how do you stay positive ? I mean , those are pretty big issues we're facing , you know .
I think a positive outlook is more internal than external , and even in the years we were losing policy battles left and right , you know the goal was to lose them slower or to lose them less . So I think you can maintain positivity even if things are going bad . You know , it's really how you interpret it .
I think that's like the best way to answer to end our interview .
It's funny . And even if you don't have hope , you need to project hope , because otherwise , if you're hopeless , you're definitely going to lose . If you have hope , even if things are bad , you're definitely going to lose . Right , if you have hope , even if things are bad , you might win .
It's your only shot . A big thanks to Bruce and all our guests throughout this series for being so generous with their time and talking to us . If you're feeling inspired and you want to learn more about cybersecurity in Canada , you can , of course , check out siraca slash cybersecurity and have a look through their social channels as well .
There's loads of great stuff going on right now for Cybersecurity Awareness Month , including that survey I mentioned earlier , and if you haven't already listened to season one of the show , why not have a listen back to that as well ? Thank you so much for listening . Bye , guys .