How cybersecurity forecasts got 2018 wrong

One safe prediction you can make about technology forecasts: Many of their authors won’t want to talk much about them a year later.

That’s understandable. The tech field in general, and the cybersecurity end of it in particular, contain enough moving parts for any forecast to get upended by reality. But a look back at the predictions of 12 months ago can still be educational—because some of them will wind up coming true, just not on the expected schedule.

In the case of 2018’s cybersecurity forecasts, three patterns surface from a look at those that went wrong: We got lucky, we expected too much, or we were looking in the wrong direction.

We got lucky

Having a prophecy of doom not come to pass is the best kind of forecast failure—even if it may only be a temporary error.

That seems to have been the case with predictions of widespread hacking of high-end smart-home gadgets like Amazon’s Echo, as seen in Symantec’s assessment that “Expensive Home Devices Will Be Held To Ransom” and the forecast of Zscaler’s then-chief information security officer, Michael Sutton, that “We will see targeted attacks on digital assistants.”

Although we heard of exploits against smart-home devices such as Amazon’s Alexa, these devices seem to have remained secure in practice.

The two major instances of Alexa data leaking involved technological mistakes rather than hacks: an Echo misinterpreting background conversation to send a recording to an acquaintance of its owner, and Amazon sending an archive of Alexa recordings to somebody who was not the owner who had requested the download.

Many 2018 forecasts invoked darker scenarios involving human harm from remote sabotage of connected systems. “We also expect cases of biohacking, via wearables and medical devices, to materialize in 2018,” Trend Micro predicted. “People will be injured or killed in 2018 due to a cyberattack/cyberterrorism,” Webroot chief technology officer Hal Lonas wrote.

But they were not followed by headlines reporting the same. Instead, the costs of industrial-hardware hacking seem to have been only economic. To cite one example from the past week, current and former Tribune Publishing newspapers couldn’t get papers printed on time after a hack of their printing systems.

We expected too much

Forecasts of government action also proved false—and not just in Washington, D.C., which has a history of taking its time to address security issues.

Across the Atlantic, the advent of the European Union’s General Data Protection Regulation led to understandable predictions that U.S. firms would get leveled by fines that can hit 4 percent of an offending firm’s worldwide revenue. According to an Experian white paper, “Failure to comply with new EU regulations will result in large penalties for U.S. companies.”

But we’re still waiting to see the EU drop the hammer on anybody—even Facebook.

Back in Washington, expectations of Congressional action on Internet of Things security (“Legislation will require IoT manufacturers to be responsible for producing products without known defects,” Gary Hayslip, Webroot’s chief information security officer, predicted in November) and data breaches (“Legislation to curb the use of stolen data will move closer to reality,” IBM’s X-Force team predicted in December) got a thumbs-down from reality.

A bipartisan bill to require that the federal government purchase only IoT gear meeting security standards went ignored. And another year of data breaches, culminating in the theft of some 500 million guests’ records related to stays at Starwood Hotels and Resorts properties, couldn’t spook Congress into making meaningful progress on data breach laws.

Fortunately, we also did not see legislation mandating backdoors in device and communications encryption, another forecast by Zscaler’s Sutton. Instead, the United States wound up letting Australia take the lead in that pastime.

We were looking in the wrong direction

Multiple cybersecurity firms expected Google’s Android to have an awful year for malware—as . Sophos warned, “An explosion of Android malware on Google Play and elsewhere.”

But Google’s Play Store has done remarkably well at keeping malware out—well, besides the lesser annoyance of adware apps built to serve ad fraud operations. Meanwhile, some of 2018’s biggest problems with mobile-app misbehavior involved iOS apps that preyed on human weaknesses—including, it seems, those of the people involved in Apple’s vaunted app review process.

December saw the discovery of health apps that conned users into OKing a steep in-app purchase through their iPhones’ Touch ID security and a fake Alexa setup app with unclear intentions. Apple should have caught these con jobs in its review process.

Much the same thing appears to have happened after forecasts of election hacking from Webroot (“Discoveries of election meddling and social-media tweaking will be an economic drag on some of the biggest tech giants in the industry”) and Forrester (“A hacker doesn’t need the voting machine to alter results”).

The one documented case of altered election results in the 2018 midterms featured the thoroughly old-school mechanism of intercepting paper absentee ballots. That’s the method reportedly used by longtime North Carolina political operative (and convicted felon) Leslie McCrae Dowless to tip a House race that Republican Mark Harris won by only 905 votes. The state has yet to certify that election, and the incoming Democratic majority in the House thus far has refused to seat Harris.  

That episode should offer a reminder to anybody writing or reading cybersecurity forecasts for 2019: Crime is often method-agnostic, so don’t let a focus on digital fears lead you to ignore analog threats.