
THREAT HORIZON 2024

The disintegration of trust


January 2022

Published by
Information Security Forum
+44 (0)20 3875 6868
info@securityforum.org
securityforum.org

Project Team
Mark Ward – Author
Paul Watts – Co-author

Review and
quality assurance
Eleanor Thrower
Emma Bickerstaffe
Richard Absalom
Paul Holland
Max Brook

Design
Jenna Lord
Abigail Palmer
Charlie Payne

Warning
This document is confidential and is intended for the attention of, and use by, either organisations that are
Members of the Information Security Forum (ISF) or by persons who have purchased it from the ISF directly.

If you are not a Member of the ISF or have received this document in error, please destroy it or contact the ISF
on info@securityforum.org. Any storage or use of this document by organisations which are not Members of the
ISF or who have not validly acquired the report directly from the ISF is not permitted and strictly prohibited.

This document has been produced with care and to the best of our ability. However, both the Information
Security Forum and the Information Security Forum Limited accept no responsibility for any problems or
incidents arising from its use.

Classification
Restricted to ISF Members, ISF Service Providers and non-Members who have acquired the report from the ISF.
CONTENTS

Introduction

The world in 2024

1 Well-intentioned regulations have unintended consequences
1.1 Ransomware evolves into triple extortion
1.2 Regulators inhibit data-driven innovation
1.3 Attackers undermine central cryptocurrencies

2 Technology choices diminish control
2.1 The cloud risk bubble bursts
2.2 Activists pivot to cyber space
2.3 Misplaced confidence disguises low-code risks

3 Dirty data disrupts business
3.1 Attackers poison the data well
3.2 Misleading signals subvert cyber fusion centres
3.3 Digital twins double the attack surface

Conclusion

Appendices
A: Methodology
B: Assessing predictions from Threat Horizon 2021
C: Assessing predictions from Threat Horizon 2022
D: Assessing predictions from Threat Horizon 2023
E: ISF Threat Radar
F: Making the most of Threat Horizon 2024
G: References

Feedback

Acknowledgements
[Figure: THREAT HORIZON 2022 – 2024, showing the three themes of each report.
2022: A crisis of trust undermines digital business; Invasive technology disrupts the everyday; Neglected infrastructure cripples operations.
2023: Machines seize control; Identity is weaponised; Security fails in a brave new world.
2024: Well-intentioned regulations have unintended consequences; Technology choices diminish control; Dirty data disrupts business.]

Threat Horizon 2022: Digital and physical worlds collide
1.1 Augmented attacks distort reality
1.2 Behavioural analytics trigger a consumer backlash
1.3 Robo-helpers help themselves to data
2.1 Edge computing pushes security to the brink
2.2 Extreme weather wreaks havoc on infrastructure
2.3 The internet of forgotten things bites back
3.1 Deepfakes tell true lies
3.2 The digital generation become the scammer’s dream
3.3 Activists expose digital ethics abuse

Threat Horizon 2023: Security at a tipping point
1.1 Artificial intelligence industrialises high-impact attacks
1.2 Automated defences backfire
1.3 Layered security causes complacency and confusion
2.1 Digital doppelgängers undermine identity
2.2 Biological data drives a rash of breaches
2.3 Gamed algorithms cause commercial confusion
3.1 Smart grids succumb to an attack surge
3.2 Isolationism creates a security disconnect
3.3 Security struggles to adjust to the never normal

Threat Horizon 2024: The disintegration of trust
1.1 Ransomware evolves into triple extortion
1.2 Regulators inhibit data-driven innovation
1.3 Attackers undermine central cryptocurrencies
2.1 The cloud risk bubble bursts
2.2 Activists pivot to cyber space
2.3 Misplaced confidence disguises low-code risks
3.1 Attackers poison the data well
3.2 Misleading signals subvert cyber fusion centres
3.3 Digital twins double the attack surface

CONTENTS THE WORLD IN 2024 ONE TWO THREE CONCLUSION APPENDICES COLLABORATION

Introduction
Trust is imperative for any business to be agile and maintain its competitive edge. However, that
trust will crumble over the coming years as organisations learn that regulators can introduce new
risks, technology does not always achieve all desired outcomes, and data itself is more susceptible
than ever to manipulation and inaccuracy. In a world of perpetual change, magnified by the global
pandemic, this disintegration of trust will create the perfect conditions for potential adversaries to
hide and thrive.

New regulations and laws will be enacted to set parameters for disruptive innovations, such
as artificial intelligence and crypto cash. Some of these may inadvertently cause adverse
consequences, forcing organisations to dedicate significantly more time and resources to adhere
to obligations while still facing volatile levels of risk.

Organisations that look to accelerate digital transformation without fully appreciating the
long‑term implications of their technology choices will find themselves losing control over
business inputs and outputs. The appeal of technological advancements, such as cloud services
and easy-to-use coding tools, will leave organisations unwittingly exposed to an expanding array
of threats.

In an era when data is processed and consumed in real-time to conduct business operations, the
historic trust that organisations place in the integrity of data – and the way in which it is used – will
prove to be misguided. The inability of organisations to assure the accuracy and purity of data at
high speed will provide unique opportunities for attackers to subtly spread misinformation and
disrupt business.

Those days when organisations felt in control of their strategy will be a distant memory. As trust
becomes a scarce commodity, organisations will need to find other ways of safely staying agile
and competitive.

How this report helps


This report provides organisations’ leaders with an early insight into the changes they may expect
over the coming years and some of the key actions they should consider now. Threat Horizon 2024
presents a high-level view of the world in 2024, before describing nine specific possible future
threats to information, grouped into three broad themes:

– Well-intentioned regulations have unintended consequences
– Technology choices diminish control
– Dirty data disrupts business

Each of the nine threats includes:


– an explanation of the potential impact
– a fictitious scenario illustrating how the threat may manifest
– justification for the threat prediction
– short and long-term recommendations on how organisations should prepare
– references to applicable ISF reports and tools that can help mitigation activities.

Making the most of Threat Horizon 2024


See Appendix F for recommended actions on how to use this report within your organisation,
relevant parties to involve and related ISF reports and tools.


The world in 2024


This synopsis of what the world will look like in 2024 provides context and background to the nine threats
in this report. It is set out using the PESTLE model to provide a balanced picture, and provoke thought
and debate.

Throughout this report


Each of the nine threats includes a high-level illustration showing which of the PESTLE factors will drive
or influence the threat. These can act as an indicator to help the reader validate or prioritise each threat.

Before studying the predicted threats in this report, the reader is encouraged to assess the forecasts
presented in this section and to consider them in the context of their own organisation. While these
forecasts build on input from ISF Members, the ISF Global Team and external experts, every organisation
will have its own view. Are these predictions reasonable? Do some underestimate the severity of certain
scenarios? Do others go too far? How might the forecasts be adapted in the context of your organisation?
What additional material (e.g. relating to specific industries or geographies) would be needed to support an
organisational review of the predicted threats in this report?

Tailoring these threats to your own organisation can help to develop a proactive approach to risk management.

A world view
As novel ways of living and working are established, efforts to maintain stability will be undermined by
ongoing conflict and turbulence in many sectors.

POLITICAL
In an era when regional organisations, such as NATO and the EU, are struggling to define their
purpose, elections across the globe in 2024 will have the potential to further strain the fabric of
societies and challenge international relations.1,2,3 Campaigns in the US, Russia, and the UK will
continue to divide, whilst Chinese support for Sinophile candidates in the Taiwanese election could
cause international disputes.4,5 The EU will face its first European Parliament elections since the
withdrawal of the UK, facing pressure from populist and disruptive agendas.6 The next generation of
fake news will plague political campaigns and polarise voters, eroding trust at all political levels.7

ECONOMIC
Despite a mix of rosy forecasts and the warnings of economies sleepwalking into recession, the
economic outlook in 2024 will be defined by uncertainty as a result of the pandemic.8,9 Organisations
must be pragmatic in their responses to shifting economic prospects.

Decentralised finance (de-fi) will evolve alongside a cashless society, loosening central banks’ grip
over taxation and regulation. The rapid rise of novel forms of money will cause a bitter battle over
fiscal controls.10 States will wrestle for ownership of these new currencies as they look to define their
policies and approach. Trust will decrease in institutions and governments due to these clumsy
battles to take control.11

Supply chain disruption is expected to continue because of labour and equipment shortages.12 The
interconnected nature of contemporary markets and their associated fragility was exposed in the
East by the instability of debt-ridden housing giant Evergrande in China.13 The potential time bomb
of a Chinese recession would cause global economic, political and social shockwaves.


SOCIAL
The long shadow of the pandemic will continue to fall over all aspects of society.14 Whilst the primary
effects, such as loneliness, family separation and undisputed health impacts, are well documented,
secondary effects are brewing. The fallout of the pandemic will cement division between those who
prospered and those who suffered.15 Social disillusionment will be high, and decreasing trust and
support of government policies will whip up support for political violence.16

Ethical considerations will be a driving factor in all aspects of social life. As Generation Z’s influence
becomes more apparent, their emphasis on ethical and moral business practices, both internal
and external, will lead to ground up changes to organisational operations. Organisations will face
difficulties incorporating differing expectations across generations.17 To ensure this new approach
translates across relationships between technology and people, global spending on data protection
and compliance technology is expected to reach $15bn by 2024.18

TECHNOLOGICAL
Nations will explore deeper into cyber space, competing for technological and scientific supremacy
as it becomes a key metric for international power.19 A quantum computer able to hack a 2048-bit
RSA public-key cryptosystem could come as early as 2024.20 In response, the strategic advantage
for the first nation to harness quantum computing will be extraordinary.21 Though, as instances of
deliberate, state-backed cyber attacks increase, the potential for a physical response will rise.

Beyond Earth, a technological arms race is brewing as the space race shifts from being a matter
of national pride to a way to exhibit genuine strategic advantage. For example, private space
endeavours will be key to NASA’s plan to return humans to the moon by 2024.22 As all nations race
to establish themselves off-planet, the emergence of low orbital debris will begin to impact further
advancements as humans risk trashing a new arena for exploration and exploitation.23,24

LEGAL
The constant rate of change in technology continues to create a game of cat and mouse between
innovation and legislation. By 2024, however, technological advancements will have expanded
this disparity even more.25 Governments will extend the scope of legal obligations and constraints
affecting how organisations use and process data to protect individual human rights.26 Having
realised the pervasive power of data, there will be a concerted effort for legislative reform that goes
beyond data privacy. These efforts will reassess the use of artificial intelligence (AI) techniques and
Internet of Things (IoT) devices to reduce the exponential growth of cyber attacks.27

Laws and regulations will become a tool of political negotiation and power struggles.28 Officials will
seek to build upon existing data-sharing pacts, and to repair broken legal mechanisms to enable
cross-border data transfers,29 advancing existing relations and excluding political challengers.30
Collaboration too will emerge in the wake of ransomware sanctions, as allies enforce legal sanctions
on nefarious actors – indirectly taking aim at these actors’ state-sponsors.31

ENVIRONMENTAL
The pandemic will be eclipsed by environmental challenges. By 2024 the world is expected to have
breached the 1.5°C limit set out in the 2015 Paris Agreement32 causing widespread disruption and an
alarming loss of biodiversity.33 Yet, inciting widespread frustration, reform to tackle environmental
change will remain a political talking point rather than concrete action.

Environmental change will become a motivating factor as organisations demonstrate their
environmentally safe behaviours34 to appease customers and to remain attractive to investors.35
As extreme weather events increase, it will become essential to ensure that the potential for
environmental disaster is woven into organisational strategy. Organisations will look to acquire
the trust citizens no longer hold in governmental legislation – which is deemed inconsequential
compared to the action required to restrict the harshest climate changes.36


1 Well-intentioned regulations have unintended consequences

Efforts by governments, regulators and other official bodies to mitigate pressing cyber threats, and assert
control over the ways in which some emerging technological and financial innovations are used, will give
rise to many new policies and regulations. As these legislative changes take hold, it will become apparent
that they are not removing dangers but are forcing evolutions that risk redirecting the threats as well as
burdening organisations with a raft of hard-to-meet demands that still leave them open to attack, disruption
and harm.

1.1 Ransomware evolves into triple extortion


Ongoing and far-reaching political, diplomatic and legal action against ransomware gangs and the
underground financial systems that support them may do more harm than good. Ransomware gangs will
initially suffer some inconvenience, then adapt to new restrictions by broadcasting the fruits of attacks more
widely, and including customers of victims and other stakeholders in ransom demands.

1.2 Regulators inhibit data-driven innovation


Organisations keen to reap the rewards of creating and using AI-based algorithms to run their business
are forced to delay as regulators demand that these tools be approved for use before they are deployed.
Organisations risk being stuck in a development spiral as they make sure algorithms do not fall foul of
ambiguous legal demands that they operate fairly.

1.3 Attackers undermine central cryptocurrencies


Cyber thieves will seek to cash in on central bank crypto cash schemes that let consumers and organisations
buy and sell goods and services with these virtual currencies. At the same time, organisations engaging with
these central systems and with existing, established private crypto networks will struggle to comply with a
raft of regulations that were not drafted in concert.

Start preparing now


Organisations need to generate a comprehensive view of their compliance responsibilities to
remain on the right side of this rapid expansion of laws and regulations. That scrutiny will reveal
whether their actions match the compliance demands. Audit and assurance will be key functions to
bolster, and engagements with regulators will need to be improved to stay abreast of and influence
new developments.


1.1 Ransomware evolves into triple extortion

What is the impact of this threat?


TRIPLE EXTORTION
In addition to encrypting data and making it unavailable, this three‑pronged approach threatens the
victim organisation with public disclosure and directly threatens the affected data subjects.

Ransomware actors will shift their business models to expand from double to triple extortion
techniques. These highly researched and targeted attacks will represent an evolution of ransomware
models as the revenue streams born from more traditional campaigns, such as ‘spray and pray’,
‘encrypt then ransom’, become problematic and less lucrative to enact.

Actors will be challenged by increased cross-border law enforcement activity against their operations.
They will shift to a more progressive and persistent attack approach, stealing data slowly and staying
under the radar of security teams to encrypt selectively (and in some cases, not at all). The extortionists
will focus on intimidating the subjects of stolen data privately and publicly, as well as the victim
organisation, with the intention of applying direct and indirect pressures upon both groups to pay.
They will threaten – and not hesitate – to auction intellectual property to the highest bidder. They will
also continue to leak small fragments of sensitive information into the public domain to create further
tension and angst.

Victim organisations will become constrained by nation states imposing sanctions that inhibit the payment
of ransoms to certain actors. As insurance providers discontinue or limit ransom payment coverage,
the financial and reputational brunt of these attacks will be amplified, with weak operational resiliency
increasing the time and cost to recover from such attacks. Additionally, legal obligations to immediately
disclose attacks (and near misses) will compel organisations to go public very quickly, hindering response
efforts and risking significant reputational damage. Attacks will become increasingly difficult to bounce back
from as customers become impatient with organisations that suffer either disruption or loss – especially
when their rights and freedoms are directly impinged.

2024 Imagine this happens…


A large health and wellbeing organisation suffers a triple extortion ransomware attack in
which data pertaining to the mental health status of some of the UK’s top CEOs is taken. The
ransomware gang starts cold calling those affected, threatening to release the data to national
newspapers. The board approves payment of the ransom but the company secretary vetoes
this given the state sanctions in place. The organisation is also obliged to make a statement to
the UK regulator, which will imminently expose the breach to the entire customer base.

How will you placate the CEOs whose data has been stolen? How will you rebuild confidence in
your brand?


FIGURE 1: A brief history of ransomware

1989 – AIDS information diskette: The first notable ransomware campaign
2011 – Metropolitan Police screen locker scam: One of a wave of screen locking ransomware
2013 – Cryptolocker: The first modern-day industrialised ransomware campaign
2017 – Wannacry: The first nation state sponsored ransomware
2020 – Maze, REvil, Conti and more: Double extortion: exfiltrate and encrypt
The future – What’s next?: Triple extortion: exfiltrate, encrypt and threaten subjects


Justification for the threat


Ransomware persists as a threat, orchestrated by adversaries ranging from state-sponsored
actors to small-time ‘as-a-service’ customers. Originating in the late 1980s, the nature and potency of
attacks have evolved over the last 30 years and are predicted to continue to do so. The rise of cryptocurrencies
has supported the proliferation of the threat with $5.2bn in Bitcoin transactions alone attributed to
ransomware payments over the last decade.37,38 2021 was a watershed year for ransomware, with over $590m
in ransomware payments observed in the first half of 2021 compared to $416m for the whole of 2020.39 The
threat of double-extortion – publicly shaming victims who refuse to pay – has piled on the pressure to pay to
protect reputations and livelihoods.

As organisations and technologies become more adept at detecting tell-tale signs of conventional
ransomware techniques, such actors are adjusting their tactics to stay under the radar for longer and protect
their revenues. Attack methods are shifting from easier-to-detect, widely dispersed techniques to a more
crafted, hands-on approach. Targets are selected based on factors such as strength of defence, levels of
insurance cover and likely appetite for paying as well as their profile and prominence, with both large and
small/medium organisations under scrutiny. The more researched approach requires up-front effort (and
in some cases the initial heavy lifting is outsourced or bought as-a-service through intermediaries such as
Initial Access Brokers),40 but the potential prize for threat actors is larger returns from a smaller number of
targeted organisations.

Whilst double extortion attacks generally conclude with widespread data encryption after data has been
stolen, evolving triple extortion techniques see ransomware gangs encrypt the victim’s data selectively,
sporadically, or in some cases not at all. This leaves a smaller footprint that potentially allows longer
dwell time within a penetrated organisation. One growing trend is the rise in theft and extortion without
encryption, which has doubled from affecting 3% of victims in 2020 to 7% in 2021.41 With early signs of
triple‑extortion emerging, it is clear the brazenness of ransomware gangs has no limits.

As ransomware actors continue to be paid by their poorly protected victims, governments are considering
policy and legislative changes to cut off the flow of revenue to such groups. These measures could limit the
options for victim organisations to recover and resume business operations. This attempt to break the cycle
could be accompanied by mandatory reporting of successful and failed attacks. The US, UK and Australia
are three regions where regulators are introducing such requirements with others likely to follow, meaning
that organisations will need to rethink their approach to stakeholder communications within their incident
response plans. However, with ransom payments cut off, the stolen data itself becomes the monetisation
opportunity of future attacks.42

“...organizations that have the most valuable and easily monetizable
data will be the bigger target if ransom payments are successfully
disrupted.” — Dave Meltzer, Tripwire CTO 43

The proliferation of ransomware attacks has caused a spike in claims that has forced insurers to reassess
how they underwrite the risk to limit their exposure. Policies are increasing in cost and reducing in coverage,
not only placing products out of reach of some organisations but also potentially reducing the ability for
others to pay the ransom in the first place.

Positively, there has been recent success with cross-border law enforcement collaboration in historically
‘safe haven’ regions. Most recently, the US and Russia collaborated to dismantle the remnants of the
Russia‑based ‘REvil’ group in January 2022.44 It is too early to say whether this type of collaboration will be
enduring or not. However, it does send a message to these actors that perceived safe havens may in fact be a
façade, increasing the possibility of operations becoming more clandestine in future.

Opportunistic ransomware may be taking a back seat but this does not signify the end of the threat. As
long as there is money to be made, ransomware actors will continue to innovate to maintain those revenue
streams. Organisations will need to adapt quickly to stay on top of the changing dynamics of the ransomware
threat. Boards will need to continue to recognise the clear and constant danger their organisations face from
this evolving threat. If this does not happen, the consequences could be dire.


How should your organisation prepare?

Organisations that do not regularly evaluate their ability to detect and respond to extortion attacks
such as ransomware should now consider a strategic approach to managing such an enduring threat to
their business. A re-evaluation of what business-critical data assets exist in the organisation and where
they reside will further support this objective.

Actions for now
– Ensure the subject of extortion and ransomware threat has been socialised with the board.
– Understand your level of cyber hygiene versus the threat, and understand and risk-assess any gaps.
– Review existing organisational cyber incident and crisis response protocols, and complete simulation
exercises to test efficacy.
– Identify data sources most likely to be hit by targeted extortion attacks (e.g. mission critical data
assets, intellectual property).

Longer-term actions
– Prepare, implement and actively maintain an organisational playbook for responding to
extortion attacks.
– Review the resilience of the organisation’s supply chain in the context of an organisation’s inherent
ransomware risk.
– Revisit security architecture to ensure appropriate network segmentation to protect mission-critical
data assets, such as considering a strategy of zero trust.

PESTLE
PESTLE factors that will drive the threat:
[Illustration of the six PESTLE factors: Political, Economic, Social, Technological, Legal, Environmental]

Key information attribute affected
Confidentiality
Integrity
Availability

Source of threat
Adversarial
Nation states, organised criminal group, hacking groups

Potential business impact
Financial
Operational
Legal and Regulatory Compliance
Reputational
Health and Safety

ISF resources
– Extinction Level Attacks: A survival guide
– Delivering an Effective Cyber Security Exercise
– Security Architecture: Navigating complexity
– Protecting the Crown Jewels: How to secure mission‑critical information assets
– Demystifying Zero Trust (Briefing Paper)
– Cyber Insurance: Is it worth the risk? (Briefing Paper)
– Securing the Supply Chain: Preventing your suppliers’ vulnerabilities from becoming your own


1.2 Regulators inhibit data-driven innovation

What is the impact of this threat?


DATA-DRIVEN ALGORITHMS
Systems that use machine learning to steadily get better at performing a specific task over time.
They learn from huge amounts of data about, or derived from, given sources.

Data-driven algorithms will fail to realise their full potential as organisations are forced to make
them adhere to a mass of poorly defined and, in some cases, contradictory rules that define how to
use these systems whilst attempting to reduce their potential for bias. Some markets will remain closed
because organisations will be unable to make algorithms compliant with contrasting local rules
and policies.

Organisations will be required to commit increasing amounts of resources to ensure the sources
feeding algorithmic systems stay compliant as data is ingested, moved and combined. Growing reliance
on third parties to design, develop and deploy algorithms will put organisations at risk of significant
data breaches, stretch their assurance systems to the limit and raise the risk that these potent trade
secrets will be compromised.

Business transformation will be slowed as organisations seek ‘pure’ data sources and struggle to develop
algorithms that stay within the parameters demanded by an expanded list of regulators. Efforts by
organisations to maintain a single view of their security arrangements will fail as algorithms and the
data that feeds them need to be kept separate and monitored for biases in both sources and outcomes.
Organisations will be forced to account for and justify the actions and decisions of automated systems over
which they have limited control.

2024 Imagine this happens…


A global training company rolls out an algorithm that samples biometric markers (faces, voices
and body language) to help spot when students are struggling with ideas or exercises so more
help can be offered by tutors. Deployment is delayed as regulators in different regions compel the
company to demonstrate that inputs, algorithms and outcomes are fair. The training company
is forced to split its database, seek extra data sources, appoint an ethics overseer and regularly
report results to demonstrate the algorithm’s fairness and reliability. One region clamps down on
biometric data, forcing a further rethink. Take-up is slow and stuttered.

Can you demonstrate that your algorithm-based services comply with regulations in every
region in which the business operates?


AI-based algorithm development lifecycle

Develop algorithmic model
1 Create and test model
2 Ensure algorithms meet disparate regional definitions
3 Seek regulatory approval of models

Ingest data
1 Confirm design and data sources align with ethical principles
2 Verify that combined data sources abide by data protection laws
3 Gain assurances regarding third-party algorithm development

Deploy algorithm
1 Respond to regulators, anti-trust bodies, activist groups and consumers probing outcomes for bias
2 Monitor algorithms to ensure they continue to meet ethical and regulatory demands
3 Scrutinise data feeds for signs of poisoning or drifting

FIGURE 2: Potential restrictions surrounding the use of algorithms developed via machine learning


Justification for the threat


Algorithms have been used for commercial purposes for decades. However, advances in processing
power, AI and data science, coupled with the availability of huge amounts of data, have combined to make
algorithms a must-have business tool. The largest tech firms, such as Facebook, Google and Amazon, are
centred around algorithms; multi-national enterprises increasingly develop and deploy them, and many
smaller firms now buy off-the-shelf, machine learning based services.45

The power of these algorithms to adversely affect society or erect monopolies has led governments and
regulators to seek ways to limit any negative impact. This action tries to ensure the sources of data used by
algorithms and the outcomes they produce are unbiased.

Satisfying regulators can involve retraining algorithms,46 legal action, significant fines47 or implementing
changes to ensure they meet desired outcomes.48 In some cases, organisations have been unable to
redevelop the algorithm to meet demands, forcing the system to be scrapped49 or withdrawn from particular
regions because local requirements are too hard to meet.50

Ongoing investigations into combatting discriminatory and anti-competitive effects of algorithms by
governments, competition authorities and data regulators will make oversight more stringent. Figure 2
illustrates some steps organisations may have to take when designing, developing and deploying algorithms.
The OECD estimates that 60 nations have either drawn up or are working on laws and other administrative
instruments to govern how algorithms are deployed.51 Activist groups such as the Algorithmic Justice League
are mounting campaigns to name and shame organisations failing to constrain the effects of the algorithms
they deploy.

In some instances, the regulations will tighten existing rules governing the collection and use of data –
such as the EU’s GDPR. Other jurisdictions are making more stringent demands: for example, Chinese draft
regulations require prior government approval to use algorithms, and mandate that machine learning
systems have a positive influence on Chinese society. The criteria used to judge influence remains opaque
and is likely to contrast with EU or US efforts to oversee the outcomes of algorithms. Similar questions
remain about how to define the fairness that Western regulators expect algorithms to produce.52

“To understand how AI is fundamentally political, we need to go
beyond neural nets and statistical pattern recognition to instead ask
what is being optimised, and for whom, and who gets to decide.”
— Kate Crawford, Senior Principal Researcher, Microsoft53

Early studies suggest that it can be difficult to ensure algorithms do not drift from a strong starting point to
become unfair over time. Bias can emerge when algorithms work in concert to tackle complicated problems.
An emergent issue is ‘proxy discrimination’ which arises when algorithms use categories that turn out to
define groups despite those labels initially appearing to be neutral.54

The complexity inherent in the creation of machine learning systems brings other risks. One study suggests
algorithms typically involve more than 900,000 lines of code and call on 137 external dependencies.55 Add to
this the oversight demands of regulators and there is a significant risk that these core business systems and
the data they use will go astray.

AI-powered algorithms, and by implication the intellectual property at the heart of many businesses, are
coming under greater scrutiny than ever. Organisations will be forced to expose and justify their algorithms,
demonstrate trustworthiness and ensure outcomes do not unfairly disadvantage any group. If this ongoing
and difficult task is neglected it will leave organisations open to fines, reputational damage or regulatory
demands to slow the engines that keep an enterprise operating.


How should your organisation prepare?

Handling the complicated set of tasks related to data-driven business will be a responsibility for many
functions within an organisation. Information security practitioners should actively participate in this work
and act as advisor and guide.

Actions for now
– Discover which algorithms are in use across the organisation and the manner in which they
were developed.
– Find ways to assure the integrity of the data sources that algorithms use.
– Review regulatory landscape to determine which laws and regulations apply to algorithms.
– Review internal governance structures and policies to understand if they cover algorithms.

Longer-term actions
– Understand the organisation’s strategy for the use of algorithms.
– Develop a plan to improve governance of algorithms (e.g. via policies).
– Create a process to measure outcomes and expose potential bias on an ongoing basis.
– Engage with regulators to find out how rules are changing.

PESTLE factors that will drive the threat:
[Graphic: PESTLE wheel (Political, Economic, Social, Technological, Legal, Environmental)]

Key information attribute affected
Confidentiality
Integrity
Availability

Source of threat
Accidental
Supplier/vendor/partner customer
Regulator

Potential business impact
Financial
Operational
Legal and Regulatory Compliance
Reputational
Health and Safety

ISF resources
– Demystifying Artificial Intelligence in information security (Briefing Paper)
– Legal and Regulatory Implications for Information Security (Interactive Guide)
– Human-Centred Security: Addressing psychological vulnerabilities (Briefing Paper)
– Data Analytics for Information Security: From hindsight to insight (Briefing Paper)
– Continuous Supply Chain Assurance: Monitoring supplier security


1.3 Attackers undermine central cryptocurrencies

What is the impact of this threat?


Financial organisations mandated to join central bank digital currencies (CBDCs) will become a primary
target for cyber thieves who have already made billions stealing virtual cash.56 They will target online
wallets holding digital money and con naïve consumers into handing over their virtual coins.
Organisations will come under attack because the networks supporting CBDCs are relatively untested
compared to existing payment systems and demand close technical integration with official ledgers.

Those organisations mandated to join CBDC systems will have to take on the task of integrating many
technologies that may be incompatible with existing financial systems. CBDCs bring additional risks in
terms of real-time data management and trust because the cash is programmable and can have its
properties changed in line with government or central bank policy aims. This would allow banks to
immediately enact interest rate changes, place conditions around when and where money can be spent,
or execute provisions in smart contracts to which crypto cash is tied.

CENTRAL BANK DIGITAL CURRENCY
CBDCs are minted and distributed by a nation’s central bank and remain under its control: unlike
decentralised, private cryptocurrencies such as Bitcoin, which are created by the scheme’s
participants. CBDCs can take many forms but will be administered to reflect a nation’s broader
financial and foreign policy goals.

Organisations will find themselves caught in a tight technological race between central banks starting to
distribute digital cash, established de-fi systems (e.g. Bitcoin and Ethereum) and even newer networks set up
by tech giants, game firms and social networks. Attack surfaces will multiply as connections are established
to handle potentially thousands of crypto coins, each with their own quirks.

2024 Imagine this happens…


The roll-out of a nation’s central bank cryptocurrency is conducted with great fanfare after
months of work by organisations to develop and test the ledger technology underpinning
it. The initial take-up is healthy and seems to be satisfying its goal of reaching those at the
margins of the finance system. It then emerges that the digital wallet for the CBDC has
been cloned, had malware inserted and then spammed out as a fake update. Thousands
who installed the fake update lose all the virtual cash they had. The criminals get away with
millions. The project is paused and the government is forced to reimburse the victims with
old‑fashioned money.

Do you have mechanisms in place to spot theft of digital cash?


How stable is cryptocurrency?

– ≈ 13,000 cryptocurrencies in operation, with more created every day
– ≈ 70% of the total cryptocurrency market value held by 5 cryptocurrencies
– $5.2bn paid out in Bitcoin ransoms (01 Jan 2011–30 June 2021)
– Countries whose populations use or own the highest amount of crypto cash: Nigeria 32%, Vietnam 21%,
Peru 16%, China 7%, USA 6%
– $611m lost by PolyNetwork in largest known cryptocurrency exchange theft (2021)
– Next largest cryptocurrency thefts (estimated losses, 2014–2020): Coincheck $547m, MT Gox $480m,
KuCoin $285m
– Bitcoin mining can consume as much energy as a country (estimated consumption, TWh per year):
Norway 124.3, Ukraine 124.5, Bitcoin 125.6, Egypt 149.1, Poland 149.5

FIGURE 3: Global cryptocurrency consumption in numbers


Justification for the threat


Cash is undergoing a profound change, heralded by Bitcoin’s arrival in 2009 and accelerated by the
development of Ethereum, which transformed a stable container of value into volatile computer code.
This has created a massive, decentralised finance ecosystem of crypto assets (see Figure 3) that tops $2tn
in value.57 The growth of de-fi has attracted cyber thieves in large numbers who, in the last decade, have
inflicted losses of more than $12bn on users and investors with the majority of these losses incurred
since 2019.58

This chaotic ecosystem will be expanded and complicated by the arrival of CBDCs. As of January 2022, central
banks in nine nations have launched digital currencies and 14 more are running pilots. Feasibility studies
and consultation exercises are being carried out in 14 other nations, and by regional bodies such as the EU,
who are keen to follow these early adopters. The tests and trials include both retail (consumer) and wholesale
(corporate) CBDCs. The nations involved in these launches, tests and exercises represent about 90% of the
world’s GDP.59

Organisations will be caught in the middle of changes imposed by regulated financial institutions setting up
CBDCs, as well as by growing interaction and trade with potentially thousands of de-fi ecosystems. Risks will
emerge in the following categories:

Villainy: Cyber thieves will target CBDC exchanges, wallets and ledgers as they already do with other crypto
systems. Attacks include exploiting weaknesses in code, abusing loose specifications in smart contracts or
tricking people into handing over their holdings. Money launderers will seek to wash dirty cash by converting
it into a CBDC after it has been swapped several times via de-fi exchanges or ‘tumbler’ services. Insiders with
admin rights over CBDC ledgers or who oversee pools of official digital cash could be tempted to steal the
virtual money.60

Variety: CBDCs will be far more diverse than existing currencies. This will create a significant oversight
requirement for organisations holding any of these coins or tokens – different national banks will require
their individual CBDCs to respond to policy and other changes they enact.61 A distributed ledger will support
many CBDCs, bringing with it the usual issues involved with maintaining a large computer system that stores
and processes high value data.62

Velocity: CBDCs could remove many of the inefficiencies inherent in existing cross-border financial
transfers and accelerate activity in the banking sector.63 This increase in speed makes CBDCs susceptible
to denial of service attacks that could scuttle the reconciliation demands that are fundamental to
cryptocurrencies. The resulting delays could allow scammers to double spend or otherwise profit. One
attack on de-fi platform bZx, which exploited the speed of settlement, saw an attacker profit by $630,000
from just 60 seconds of work.64

Vulnerability: Cryptocurrency systems are relatively new and have been shown to suffer bugs and other
loopholes. Sometimes these lead to large-scale theft from exchanges or wallets while other vulnerabilities,
such as spelling errors on smart contracts, allow criminals to make off with significant sums.65 CBDCs, which
are even newer innovations, will be hit by similar issues.

Verification: The regulatory demands of CBDCs will be formidable. These financial instruments will prompt
a realignment of laws and regulations relating to the holding of financial reserves and money management,
as well as more specific statutes on fraud, money laundering and terrorist financing.66 Privacy and other
know-your-customer controls could also be overhauled as central banks are unlikely to adopt entirely
anonymous systems.67

“You should be taking this technology as seriously as you should have
been taking the development of the Internet in the early 1990s.”
— Blythe Masters, Motive Capital68

The arrival of CBDCs will signal a massive shift as banks and regulators seek to regain some control of
the financial ecosystem they have ceded to de-fi networks and others involved in the crypto revolution.
Information security practitioners will be forced to take action on several fronts to enable their organisations
to work securely with central crypto networks, meet the associated regulatory demands, and manage the
inherent volatility of fast-moving de-fi instruments and products.


How should your organisation prepare?

The gradual adoption of digital cash will test the security arrangements of many organisations as they
accommodate the different schemes and cash types. Implementing controls around the processing of
payments is a first step in avoiding costly mistakes.

Actions for now
– Identify or recruit subject matter experts in cryptocurrencies and assess the organisation’s
readiness for securely adopting cryptocurrencies and CBDCs.
– Reach out to central bank experts for guidance on the status of local CBDCs.
– Audit existing financial systems to expose weak points and gauge operational readiness for
cryptocurrency commerce.
– Make sure security operations are familiar with proposed changes.

Longer-term actions
– Advise on the creation of a testbed for cryptocurrency transactions.
– Talk to regulators about the effect of increased crypto trading on existing anti-money laundering and
know-your-customer regulations.
– Harden payment platforms against denial of service and subversion attacks.
– Draw up and rehearse incident response plans to handle cryptocurrency

PESTLE factors that will drive the threat:
[Graphic: PESTLE wheel (Political, Economic, Social, Technological, Legal, Environmental)]

Key information attribute affected
Confidentiality
Integrity
Availability

Source of threat
Adversarial
Nation states, organised criminal group, hacking groups
Accidental
Privileged employee, customer
Regulator

Potential business impact
Financial
Operational
Legal and Regulatory Compliance
Reputational
Health and Safety

ISF resources
– Blockchain and Security: Safety in numbers (Briefing Paper)
– Securing the Supply Chain: Preventing your suppliers’ vulnerabilities from becoming your own
– Legal and Regulatory Implications for Information Security (Interactive Guide)
– Threat Intelligence: React and prepare


2 Technology choices diminish control

The technologies that organisations have adopted to accelerate their digital transformation, manage the
move to hybrid working and engage with customers will slowly transpire to be a dead end. Enterprises will
be forced to protect seemingly smart technology choices with a variety of defences and work-arounds just to
avoid a series of unforeseen attacks and threats – some of which will strike from unexpected directions.

2.1 The cloud risk bubble bursts


The benefits bestowed by moving more and more operational and business infrastructure to the cloud will
be seen to have a hidden and rising cost as this strategy begins to stifle the flexibility organisations need to
innovate and respond to incidents. Organisations will find their technology choices stunted and their options
for switching supplier limited by their reliance on particular cloud platforms and their partners.

2.2 Activists pivot to cyber space


Highly motivated activists will seek to use established cyber criminal attack patterns to score political points
and halt what they regard as unethical or unnecessary corporate behaviour. Their attempts at sabotage will
be aided by moves towards remote management of operational systems, factories, plants, and industrial
installations via edge, 5G and IoT technologies.

2.3 Misplaced confidence disguises low-code risks


The hard work of ensuring developers follow secure guidelines when creating apps and code will
be undermined as easy-to-use coding tools permeate organisations. Enthusiastic users keen to get
their projects running will turn to these tools beyond the oversight of the IT and information security
departments, creating a shadow development community that is ignorant of compliance demands, security
standards and data protection requirements.

Start preparing now


To avoid being blindsided by the unforeseen dependencies and consequences of reasonable technology
choices, organisations should investigate their estate and determine available options for change and
growth. Early work to understand the constraints an organisation is working under, and what can be
done about it, will reap rewards as digital transformation rolls on.


2.1 The cloud risk bubble bursts

What is the impact of this threat?


An over-reliance on cloud infrastructure, services and applications that can never be fully controlled
nor understood by consuming organisations will create a hidden risk ‘bubble’ that expands, unforeseen,
until it bursts. Failures in the underlying infrastructure behind core services will inflict
costly consequences.

The cloud provider market will continue to be dominated by big tech companies whose large ecosystems
become all-encompassing. These companies have little interest in cross-service portability and
organisations will become locked into their ecosystems by prioritising short-term cost‑benefits and
operational efficiency over resiliency and portability. Cloud concentration will reduce internet entropy,
increasing the likelihood of regional and global internet service outages that impact organisations with a
growing dependency on the cloud.

INTERNET ENTROPY
The concept that the internet and its life-supporting services comprise many servers traditionally
found in a variety of physical and logical locations.

The business impact of disruption to cloud services will be exaggerated in severity and protracted in
longevity due to interdependencies with business outcomes. Mitigation via contingency or reversal will
become near impossible if legacy environments are hastily decommissioned and data processing sites
closed during initial migration to the cloud. With limited options available to prevent disruption, the board
will start to question the cost and operational efficiency promises driving their cloud-centric strategies. This
will cause rifts in the relationship between the board and CTO or CIO about who should bear the burden of
accountability for the disruption to the business.

2024 Imagine this happens…


A global e-commerce brand launches a brand-new online shopping experience, powered by
an emerging bespoke cloud service provider based solely in Western Europe. This provider is
not prepared for the success of the e-commerce brand’s marketing campaign and is unable to
meet customer demand, failing to provide a stable service and suffering numerous outages
and performance incidents during the launch month. This results in lost revenue, poor
customer satisfaction and ultimately low customer retention. Resolving the underlying issues
is out of the e-commerce brand’s direct control. It has no easy method of migrating to an
alternate cloud service provider without considerable time and expenditure.

How could this have been prevented and how will you restore customer confidence in
the brand?


– March 2020: Microsoft Azure. Cooling system failure. US cloud services offline.
– July 2020: Cloudflare. Misconfiguration. Multiple websites offline.
– December 2020: Google Cloud. Misconfiguration. All Google services offline including Gmail, YouTube
and Workspace.
– March 2021: OVH. Data centre fire. Multiple businesses offline.
– June 2021: Fastly. Software bug. Multiple websites offline.
– July 2021: Akamai. DNS failure. >30,000 websites offline.
– October 2021: Meta. Misconfiguration. All Meta services offline including Facebook, Whatsapp
and Instagram.
– December 2021: AWS. Network failure. Multiple websites offline.

FIGURE 4: Notable examples of disruptions to cloud services and infrastructure


Justification for the threat


Migration to the cloud continues apace. A combination of robust sales and marketing efforts by cloud
providers and the global pandemic have encouraged many organisations to accelerate their plans, often in
a rushed and haphazard way. This has amplified the risk of exposure to accidental threat opportunities and
obfuscated the longer-term implications around the availability of systems and data.

Cloud computing is promoted as a way to fulfil dynamic business needs by reducing capital technology
overheads while driving flexible, scalable and adaptable technology solutions. However, the negligible
portability of infrastructure, applications and data within a single cloud environment can create the
potential to lock in the organisation and impede its attempts to find alternative providers.

Reliance on external cloud service providers is being compounded by continued consolidation of core
internet services69 creating single points of failure and instilling fragility beyond an organisation’s control
and influence.70 For example, an assessment of the top 10 million websites globally found that 42% leverage
DNS from just five cloud service providers.71 Similarly, 23% of the top 10 million websites are hosted by just
five cloud hosting providers.72

“...Organizations that rely on consistent website uptime should look
for ways to hedge against the failure of the cloud service providers
they rely on, including by building redundancy into their systems and
developing contingency plans that account for provider failure...”
— Samantha Bates et al, Journal of Quantitative Description73

As reliance on cloud providers intensifies, so do the opportunities for disruption when use of those cloud
services is poorly understood. There were several high-profile instances of disruption over a 22-month
period between March 2020 and December 2021.74,75,76,77,78,79,80,81 Commercial cloud providers and operators
accounted for almost 75% of all outages in 2020.82 This is a significant increase on the five-year average
of 53%.83 Now, 56% of all organisations using third-party data centre services have experienced moderate
or serious outages during the last three years caused by the provider.84 While the high number of outages
in 2020 can in part be attributed to the unusual circumstances of the global pandemic, it is a trend that is
expected to continue.

The root causes of outages in the cloud do not fundamentally differ from those experienced in traditional
on‑premise environments. The key differentiator is the organisation’s level of control over those potential
failure modes when using cloud providers.

Managing cloud environments is becoming ever more complex in terms of ownership, knowledge and
operation, exacerbated by an ongoing skills gap. This not only presents obstacles to adoption but also creates
weaknesses if an organisation’s rate of adoption exceeds the expertise and resource base required to sustain
the management of those environments. 88% of organisations identify an internal lack of cloud-related
experience that requires strategic redress as their reliance on these technologies deepens.85

Organisations that race to the cloud but fail to consider portability, resiliency and contingency measures
may find those benefits evaporate when the risk bubble eventually bursts. An outage event or change in
commercial circumstance may leave them with a crippled and captive environment, spiralling costs and
little ability to break free from their captors and re-assert control.


How should your organisation prepare?

Organisations should take a proactive and joined-up approach to ensure that risk and opportunity are
balanced in cloud strategy before a point of no-return is reached, and control is lost.

Actions for now
– Enumerate the organisation’s cloud footprint to determine current levels of integration and to
highlight any potential lock-in.
– Establish appropriate governance around cloud orchestration to ensure understanding of the
footprint, and control of its sprawl, is maintained.
– Seek clarity regarding cloud strategy, ensuring that it unifies business and technology desired outcomes
including business resiliency.

Longer-term actions
– Maintain appropriate in-house or third-party teams to oversee the development of the cloud footprint both
from a supplier management standpoint and from a technical architecture and operations perspective.
– Identify and understand single points of failure.
– Mitigate against single points of failure by building in redundancy and parallel processing.

PESTLE factors that will drive the threat:
[Graphic: PESTLE wheel (Political, Economic, Social, Technological, Legal, Environmental)]

Key information attribute affected
Confidentiality
Integrity
Availability

Source of threat
Adversarial
Nation states, organised criminal groups, hacking groups
Accidental
Supplier, customer

Potential business impact
Financial
Operational
Legal and Regulatory Compliance
Reputational
Health and Safety

ISF resources
– Using Cloud Services Securely: Harnessing core controls
– Cyber Insurance: Is it worth the risk? (Briefing Paper)
– Continuous Supply Chain Assurance: Monitoring supplier security
– Protecting the Crown Jewels: How to secure mission-critical information assets


2.2 Activists pivot to cyber space

What is the impact of this threat?


Highly motivated individuals and small groups of activists, hacktivists and whistle-blowers will use a
variety of tools and techniques, including open‑source intelligence, cybercriminal tactics and internal
admin privileges to expose or curtail corporate behaviour they decry.

These threat actors will be motivated by calls to act from influential leaders as well as the societal
pressures emphasised by the growing impact of climate change, social unrest, generational change and the
lingering pandemic. Some individual or ‘lone wolf’ threat actors will seek to expose behaviour by
organisations that they condemn, using cyber-enhanced methods to penetrate enterprises or combing
through huge corpuses of information to build up dossiers on their activities. If these information-led
attacks and disclosures fail, attackers will resort to disabling information or operational systems seen
as abetting ‘damaging’ activity. The most serious attempts at wide-scale disruption will be aided by the
growth of 5G, IoT and industrial IoT equipment that expose the weak attack surface of these
technologies, making them susceptible to sabotage.

LONE WOLF ACTIVIST
A highly motivated activist who plans and commits attacks alone and has only an ideological connection
to other groups dedicated to the same goal or philosophy.

Growing social conflict means many organisations are liable to fall victim to this type of attack. However,
those enterprises believed to be explicitly aiding governments, conducting surveillance and repression, or
withholding strong support from the causes favoured by activists will suffer disproportionately. Attackers
will seek out vulnerable operational systems to inflict significant damage and then publicise the way targets
operate, where they do business and with whom they do it.

2024 Imagine this happens…


An oil company helps drivers use less fuel with an app that decides when it is best to fill up
based on driving history and provides directions to the nearest petrol station. The app calls
on data gathered by sensors on tanks in forecourts and tanker movements to ensure petrol
is available when vehicles low on fuel turn up. A climate activist discovers a vulnerability in
the station sensor and exploits it to manipulate fuel readings, leaving thousands of drivers
stranded without fuel and a delivery fleet in chaos.

Do you know how vulnerable your operational technology systems are?


– Source code stolen from Twitch streaming service and published
– 77 5G masts attacked during 2020/21
– Cyber Partisans hack state media and broadcast footage of police attacking protestors
– Whistleblower at car manufacturer releases documents showing safety tests were doctored
– Epik hosting service hacked
– RedHack leak Turkish military deployment information
– Adalat Ali leak videos showing abuse in Evin prison
– Facebook whistleblowers leak hundreds of internal documents
– Database of military personnel details leaked
– Moses Staff group use data leaks to target companies helping Israeli government in
occupied territories
– Attack knocks out ATMs and banking apps
– Train signalling systems sabotaged
– BlueLeaks steal and publicly release 270GB of police data
– Mahan Air airline DDoSed for connection to Iran military
– Early details of COVID-19 pandemic leaked

Legend: Data Breach, Physical Damage, Whistleblower, Web Attack

FIGURE 5: World map of significant activist/hacktivist attacks


Justification for the threat


The pandemic, successive climate-induced disasters, and polarised debate on social media[86] have combined
to generate a rising tide of social and political unrest that will sweep across the world[87] up to and beyond
2024. This will give rise to huge amounts of civil unrest, vandalism, occupations and other direct action,
which are coming to represent the main political risk to which organisations are exposed.[88] Many politically
motivated or campaigning groups are expected to take direct harmful action to further their aims and
make their demands clear.[89] One example of this is the 77 attacks mounted in the UK on 5G masts by
conspiracy‑minded activists, who believe mobile phone towers play a role in the spread of COVID-19.[90]

Extreme action, including digital activism or hacktivism, is becoming a common method for furthering
a cause. Groups in Belarus[91], Iran and other nations have used hacking techniques typically employed by
criminals to penetrate government agencies, steal information and publicise abuse.[92]

Leaders of some high-profile groups and their key sympathisers, especially those concerned with climate
change, have called for sabotage against industrial installations and other polluting assets.[93] Organisations
moving towards remote management of their industrial sites[94] are prime targets of such attacks, with a spike
in attempted attacks already apparent.[95]

Anticipating these direct attacks is hard if they are mounted by lone wolf attackers or closed cells of activists.
These solo operators are unlikely to feature in the threat intelligence feeds that organisations regularly
consult and exhibit few of the signals that betray the plans of larger groups.[96] They are also free of the
inhibitions that prevent larger groups taking extreme action and can contemplate more wide-reaching acts
of sabotage.[97]

“The current state of the world – Covid-19, the economic downturn, a
general rise towards nationalism, authoritarianism and separatism,
declining multi-lateral problem-solving approaches, erosion of
democratic core values, the emergence of ‘post-factual’ world views
and intensifying distrust between China and the West – represent a
perfect storm.” — Bjoern Reusswig, Head of Global Political Violence and Hostile Environment Solutions, Allianz[98]

Tension and conflict will be the backdrop to business and domestic life over the next few years. As climate
change inflicts successive disasters and politics fractures, some activists will become desperate and, keen
to make their voice heard, will want to demonstrate that dramatic change can happen. Organisations will
face attacks both internally and externally, and they will be forced to improve defences around physical
infrastructure and important internal resources to guard against the actions of groups or individuals that
can strike at a wide variety of targets.


How should your organisation prepare?

Information security practitioners should take a broad view of the way their organisation works to assess the
likelihood of its operations being targeted. Ethical and geopolitical motivations should be considered when
drawing up a list of potential adversaries.

Actions for now
– Engage with threat intelligence teams to verify whether early warning indicators of a potential attack
  are being observed.
– Conduct purple team exercises on remote installations to determine whether they can withstand attacks.
– Assess resilience of remote equipment to direct attack in consultation with physical security managers.

Longer-term actions
– Review business processes and larger commercial relationships to see if any could make the
  organisation a target for activist groups.
– Develop relationships with other departments to combat multi-vector attacks.
– Manage and monitor access to mission-critical information assets to deter insiders keen to harm
  the organisation.

PESTLE factors that will drive the threat: [graphic: Political, Economic, Social, Technological, Legal, Environmental]

Key information attribute affected
Confidentiality
Integrity
Availability

Source of threat
Adversarial: Nation states, organised activist group, hacking groups, hacktivists, terrorists
Accidental: Supplier/vendor/partner, employee, customer

Potential business impact
Financial
Operational
Legal and Regulatory Compliance
Reputational
Health and Safety

ISF resources
– Extinction Level Attacks: A survival guide
– Building a Successful SOC: Detect earlier, respond faster
– Industrial Control Systems: Securing the systems that control physical environments
– Securing the IoT: Taming the connected world (Briefing Paper)
– Threat Intelligence: React and prepare
– Information Security in Mergers and Acquisitions (Briefing Paper)


2.3 Misplaced confidence disguises low‑code risks

What is the impact of this threat?


Wide adoption of easy-to-use and AI-enabled coding tools will drive the use of large numbers of insecure
and untested applications. Organisations will find themselves repeatedly exposed to attacks and data leaks
from vulnerabilities in third-party tools and platforms. Their information security arrangements will be
undermined by the poorly-written programs that emerge from third‑party services and code generated by
AI-driven development aids.

Users outside IT departments will enthusiastically use these no-code and low‑code tools, creating a
sprawling shadow software development landscape that organisations will struggle to oversee. Organisations
that have committed strongly to digital transformation will find themselves more exposed as coding becomes
commonplace among workers. As these tools grow in sophistication they will be adopted into existing and
formalised development lifecycles, threatening to undermine the levels of quality assurance expected of
professional, production-grade code.

NO-CODE/LOW-CODE
No-code tools are aimed at non-developers, enabling them to build apps by dragging and dropping blocks
for different parts of a program. Low-code tools use a similar approach but also have a scripting element
so experienced developers can customise the resulting program.

Compliance problems will start to surface as it is discovered that developed applications call on reference
data and resources, such as shared drives or spreadsheets, that organisations can neither control nor assure.
Growing use of no-code and low-code tools will encourage attackers to probe ‘cookie cutter’ coding systems
looking for exploitable vulnerabilities and, once discovered, mount large-scale campaigns against all users
of those tools to penetrate organisations, steal information and disrupt operations.

2024 Imagine this happens…


A warehouse worker at a rapidly growing online clothing company uses a DIY coding app
to develop software for their own phone that helps them plot the fastest route around the
warehouse to speed up stock picking. Recognising the efficiencies, the organisation copies the
app and rolls it out to all workers in its warehouses. Soon after, customers start complaining
about orders not turning up. An investigation reveals the stock picking app has a backdoor that
attackers have found and are using to re-route and steal thousands of orders.

Can you keep track of the shadow apps appearing in your organisation?


FIGURE 6: Anatomy of security issues created by low-code tools

1. Intern uses DIY coding app to create their own software that helps plot the fastest stock picking
   route around the warehouse.
   SECURITY ISSUES
   – App maker is unknown and could be insecure
   – App calls on libraries and APIs that are hard to test and rely on

2. Recognising the increased efficiency, the organisation copies the app and rolls it out to all
   workers in the warehouse.
   SECURITY ISSUES
   – App is developed outside the IT department without a secure development process
   – Permissions inside the app are copied without adequate checking

3. Soon after, customers start complaining about not receiving their orders.
   SECURITY ISSUE
   – Early mistakes in the app’s development allow it to access data and permissions without control

4. An investigation reveals the app has a backdoor that attackers are using to re-route and steal
   thousands of orders.
   BUSINESS ISSUES
   – Loss of revenue after refunding stolen orders
   – Loss of customers due to unreliability


Justification for the threat


No-code and low-code development tools are being adopted rapidly, with the market for these services
and platforms expected to quadruple in size from $12.85bn in 2020 to $47.31bn in 2025.[99] The pandemic
prompted more and more basic IT infrastructure to be commodified, accelerating the take-up of these tools.
As organisations turn away from on-premise data centres and look to ready-to-use cloud services, the trend
of plumbing together ready-made elements is here to stay.[100] By 2025, more than half of all low-code users
will work in functions outside IT.[101]

All major cloud platforms (e.g. Amazon, Google, and Microsoft) as well as more dedicated business software
firms (e.g. Salesforce, Oracle and SAP) already have a suite of low-code tools available for customers and are
working on ways to make them more intuitive. Start-ups have found success with kits and drag-and-drop
interfaces, which let people build apps by linking discrete functions built from ready-made blocks.[102] This can
introduce risks by hiding the intricacies of code and concealing potential security flaws. It also standardises
program development so an attack that is successful against one target could be generalised to work against
many others.

AI-based tools for code creation can automate the tedious elements of programming work and therefore
will become part of professional developer workflows. These systems can be relied on to import, and reliably
execute, obscure functions that developers rarely use. Coding tools that depend on machine learning
software, such as GitHub’s Copilot and OpenAI’s Codex engine, will also acquire the ability to solve more
difficult programming problems as the neural network underpinning them grows in size and depth.[103]

This reliance on ‘black box’ autocompleting tools could undermine secure development efforts. Greater
automation could bypass important checks, use unmonitored libraries and external connections, and even
introduce errors made by human programmers, who created the code used to train the AI-based systems.[104]
There has already been an example of organisations being caught out by the adoption of these easy-to-use
coding systems. In August 2021, Microsoft revealed that more than 38 million records were exposed by flaws
in the portals used to access its low-code PowerApps platform.[105]

“AI-assisted software development can rapidly and inadvertently
create new attack surfaces and vulnerabilities that outpace our
ability to discover and harden them.” — Chris Rohlf, Council on Foreign Relations[106]

Allowing experienced developers to translate business knowledge into reusable code, and leverage
automation and fabrication tools to meet unforgiving deadlines, undoubtedly has its advantages. However,
there are downsides to consider too; the creation of loopholes, vulnerabilities and disclosure challenges
could lead to significant harm but give organisations few ways to spot the damage before it is done.


How should your organisation prepare?

Investigations will be required to uncover applications produced by no-code, low-code tools as many
employees will not be aware that they are using them or fail to declare their existence. Training,
awareness and monitoring can help keep track of applications as they are deployed.

Actions for now
– Define then assess the organisation’s use of no‑code, low-code tools and discover which applications have
  been created with them.
– Investigate data use by applications to see if business data and information is being accessed by these tools
  or resulting programmes.
– Perform high-level risk assessment of no-code, low-code tools and provide DevSecOps teams (or
  equivalent) with quick guidance on that basis.

Longer-term actions
– Establish some guidelines for how no-code, low-code tools should be used as part of the DevSecOps or
  equivalent process.
– Require security reports from suppliers to determine how they safeguard their tools.
– Understand whether no-code, low-code tool settings undermine internal information security
  requirements and modify any that do.
– Provide access to materials on the safe use of easy‑to-use programming tools into the
  organisation’s security training efforts.

PESTLE factors that will drive the threat: [graphic: Political, Economic, Social, Technological, Legal, Environmental]

Key information attribute affected
Confidentiality
Integrity
Availability

Source of threat
Adversarial: Organised criminal group, individual hacker, competitors
Accidental: Supplier/vendor/partner, employee, customer

Potential business impact
Financial
Operational
Legal and Regulatory Compliance
Reputational
Health and Safety

ISF resources
– Human-Centred Security: Positively influencing security behaviour (Briefing Paper)
– Managing the Insider Threat: Improving trustworthiness (Briefing Paper)
– Deploying Open Source Software: Challenges and rewards (Briefing Paper)
– Application Security: Bringing order to chaos
– Embedding Security into Agile Development: Ten principles for rapid improvement
– Securing containers: Keeping pace with change (Briefing Paper)


3 Dirty data disrupts business


As more and more enterprises become data-driven they will become increasingly dependent on the integrity
and quality of multiple sources of data both privately and publicly owned – but will lack the capability to
assure its quality in real-time. Attackers will take advantage of this situation, manipulating those data
repositories to cause operational mistakes, undermine internal planning and execution, and increase
business disruption.

3.1 Attackers poison the data well


Threat actors will shift their attention towards illicit data manipulation as more traditional attacks on
availability and confidentiality are subverted by increased investments in people and technology following
the ransomware epidemic. Adversaries’ actions will become harder to detect, compromising the accuracy
and credibility of the information, and puncturing the integrity of the data that organisations leverage to
drive their businesses forward.

3.2 Misleading signals subvert cyber fusion centres


Attackers will exploit the increased influence that cyber fusion centres have over normal business
operations by using misinformation and misdirection techniques to cause security teams to chase and react
to false events and intelligence data, inadvertently disrupting the businesses they are there to protect. This
will cause the autonomy model of the fusion centre to be challenged by business leaders at a critical stage of
its development and adoption.

3.3 Digital twins double the attack surface


The challenges of keeping digital twins secure will become apparent as attackers are attracted to what will
become an increasingly broad attack surface. Their efforts will be assisted by poor defence in depth, internal
network issues and inherent weaknesses in IoT hardware. This will cause prolonged manufacturing and
supply chain downtime through a broad range of attack techniques including data subversion.

START PREPARING NOW


As data stores grow ever larger and organisations struggle to gain an overarching view of the quality of
the information they accumulate, it will become essential to develop ways to ensure this foundational
data is trustworthy. It will become mandatory for organisations to probe gathered information for
biases, watch to ensure it has not been tampered with, and carry out in-depth analysis that can
investigate the ultimate sources of data to log its reliability.


3.1 Attackers poison the data well

What is the impact of this threat?


Adversarial actors will shift their theft and extortion campaigns toward damaging data integrity,
manipulating trusted sources and information relied upon by organisations for use in business processes.
Organisations’ own assets as well as data sourced from suppliers and other parties will be targeted, causing
potentially erroneous business outcomes and making it practically impossible to know which are trustworthy.

ZETTABYTE
A digital unit of measurement. One zettabyte is equal to a trillion gigabytes.

This threat will exploit the growing significance of integrity in a society that is dependent upon trusted
sources of data. As data is consumed at higher speed and volume, it will become increasingly challenging
for organisations to manually assure each source. Attackers will leverage subtle tactics that make early
detection difficult, resulting in organisations struggling to adapt security and data governance postures.

Business processes and outcomes will be compromised with serious consequences, particularly if data
processing is centred around machine learning and AI technologies that depend on high-integrity data.
Those bound by strict regulatory requirements to protect the integrity of their data, such as those in
the finance and life science industries, will find themselves particularly exposed to regulatory scrutiny
in addition to direct financial impact. Consumer confidence and organisational reputation will also be
damaged and difficult to salvage from an increasingly well-regulated and data-savvy society.

2024 Imagine this happens…


The press team at a pharmaceutical company receives an anonymous call from an individual
claiming to have penetrated the organisation’s network and manipulated data relating to a new
influenza vaccine under development. They won’t reveal exactly what they have altered and for
how long, threatening to go public unless their demands are met. The vaccine is in production
and is already being shipped to market. Thus far, no events of concern have been identified by
the company’s security operations centre and it is unable to offer any evidence supporting the
claims being made.

How can you tell if data integrity is compromised and what the true impact is? What would
you do next?


FIGURE 7: Who would be motivated to poison the ‘data well’?

– Corporate espionage: Kill off or destabilise the competition
– Lone wolf: Satisfies personal curiosities, committing acts of vandalism, following a personal
  activist agenda
– Nation states: Cause destabilisation to further their own ambitions, or to generate funding in
  defiance of international sanctions
– Activists: Pursue agendas against particular organisations, vertical sectors or countries
– Criminal groups: Extort money from the public/private sector, damaging credibility and reputation


Justification for the threat


Organisations have become fundamentally data-driven, through digital transformation or desire, gaining
more value and insight from the vast amounts of data generated by today’s digital society through analytics,
artificial intelligence and machine learning. In late 2018 IDC predicted that the collective sum of the world’s
created or replicated data would grow from 33 zettabytes in 2018 to 175 zettabytes in 2025;[107] in a 2021 update,
2020’s number was noted to be 64.2 zettabytes.[108] Sources of data have expanded too; it is believed that 90
zettabytes of data will be created by IoT devices alone by 2025, making it the fastest growing segment.[109] The
speed at which data is generated and consumed has increased for a multitude of different reasons, but most
striking is the prediction that nearly 30% of all data generated will be consumed in real-time by 2025.[110]

Organisations overwhelmed by the amount of data they now accrue have taken advantage of low-cost
storage options to help process and store their data, with 49% of data expected to be housed in public cloud
environments by 2025.[111] This accumulation and sprawl of information across a hybrid technical architecture
further increases the challenges associated with its governance and control. Business efforts to protect the
confidentiality and availability of data have matured but there remain some contradictory views amongst
executive leadership. Only a third of executives have a high level of trust in how data is being used in their
organisations, yet over 90% are concerned about the negative impact of data to their reputation.[112]

Adversaries who would wish to stage attacks on data integrity have similar hallmarks to those leveraging
ransomware. These attacks will be conducted by similar groups looking to diversify their tactics
and techniques, although other groups may also have an interest in such an approach for slightly
different motives.

Data poisoning is an effective attack against machine learning and threatens model integrity by introducing
misleading data into the training dataset.[113] There are documented case studies of machine learning systems
being warped this way, either at the training stage or once in place, to generate skewed, biased or prejudiced
behaviours. Examples include the notorious Microsoft ‘Tay’ incident in 2016[114] and, in January 2021,
researchers were able to demonstrate that deep learning modules in mobile apps are vulnerable to ‘neural
payload injection’ attacks.[115]

“Even if data is collected with uncompromised equipment and stored
securely, what is represented in the data itself may have been
manipulated by an adversary in order to poison downstream AI
systems. This is the classic misinformation campaign updated for the
AI age.” — Marcus Comiter, Belfer Center for Science and International Affairs[116]

Legislative changes, law enforcement activities and enhanced detection capabilities are disrupting
traditional cyber-crime revenues that focus on confidentiality and availability, forcing attackers to draw new
battlelines around integrity. As the need for robust integrity becomes a critical dependency for leveraging
data at scale, organisations will need to adapt their information assurance practices to ensure that all
three aspects of the information risk management triad are given equal attention. Boards must continue
to be educated and supported in their understanding of all three and share the collective burden and
responsibility for managing the risk.
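
The scenario's two questions, what was altered and for how long, can be answered for write-once records if a signed manifest of record digests is kept for every snapshot. The following is an added example, not part of the ISF report; the record layout, snapshot names and key handling are assumptions, and the sample data is constructed.

```python
import hashlib
import hmac
import json

# Assumption: the signing key is held outside the data platform (for example in
# an HSM), so someone able to edit records cannot re-sign earlier manifests.
MANIFEST_KEY = b"constructed-demo-key"


def record_digest(record):
    """SHA-256 over a canonical JSON encoding of one record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def _manifest_body(snapshot_id, digests):
    payload = {"snapshot": snapshot_id, "digests": digests}
    return json.dumps(payload, sort_keys=True).encode("utf-8")


def build_manifest(snapshot_id, records, key=MANIFEST_KEY):
    """Signed manifest for one snapshot: per-record digests plus an HMAC tag."""
    digests = {rid: record_digest(rec) for rid, rec in records.items()}
    tag = hmac.new(key, _manifest_body(snapshot_id, digests), hashlib.sha256)
    return {"snapshot": snapshot_id, "digests": digests, "tag": tag.hexdigest()}


def manifest_is_authentic(manifest, key=MANIFEST_KEY):
    """Recompute the HMAC and compare in constant time."""
    body = _manifest_body(manifest["snapshot"], manifest["digests"])
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["tag"])


def find_tampering(manifests, key=MANIFEST_KEY):
    """Walk manifests oldest-first and report write-once records that changed.

    Returns {record_id: {"kind", "first_seen", "last_good", "changed_in"}}.
    """
    baseline = {}    # record id -> digest when the record first appeared
    first_seen = {}  # record id -> snapshot where it first appeared
    last_good = {}   # record id -> latest snapshot still matching the baseline
    findings = {}
    for manifest in manifests:
        snap = manifest["snapshot"]
        if not manifest_is_authentic(manifest, key):
            raise ValueError(f"manifest {snap} failed HMAC verification")
        digests = manifest["digests"]
        for rid, digest in baseline.items():
            if rid in findings:
                continue  # already reported at its first divergence
            if rid not in digests:
                kind = "deleted"
            elif digests[rid] != digest:
                kind = "modified"
            else:
                last_good[rid] = snap
                continue
            findings[rid] = {"kind": kind, "first_seen": first_seen[rid],
                             "last_good": last_good[rid], "changed_in": snap}
        for rid, digest in digests.items():
            if rid not in baseline:
                baseline[rid] = digest
                first_seen[rid] = snap
                last_good[rid] = snap
    return findings


def constructed_history():
    """Constructed nightly snapshots of write-once assay results."""
    night1 = {"B-101": {"assay": "potency", "result": 98.4},
              "B-102": {"assay": "potency", "result": 97.9}}
    night2 = dict(night1, **{"B-103": {"assay": "potency", "result": 98.1}})
    night3 = dict(night2, **{"B-102": {"assay": "potency", "result": 99.9}})  # altered
    night4 = {rid: rec for rid, rec in night3.items() if rid != "B-101"}      # removed
    snapshots = [("night-1", night1), ("night-2", night2),
                 ("night-3", night3), ("night-4", night4)]
    return [build_manifest(name, records) for name, records in snapshots]


if __name__ == "__main__":
    for rid, finding in sorted(find_tampering(constructed_history()).items()):
        print(rid, finding)
```

The window between `last_good` and `changed_in` is only as trustworthy as the manifest store, which has to sit where administrators of the data platform cannot rewrite it.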


How should your organisation prepare?

As the volumes of data created and consumed by organisations increase, steps must be taken to assure
that the quality of data is always fully understood, and the business takes accountability for inherent risks
associated with poor data quality.

Actions for now
– Enumerate mission-critical information assets; where are they, who has access, how are
  they protected?
– Review external sources of data to determine their inherent levels of quality assurance.
– Review existing controls that assure integrity, particularly around mission-critical data sets.

Longer-term actions
– Prepare, implement and actively maintain an organisational playbook for responding to detected
  instances of data poisoning.
– Expand offensive security testing to cover machine learning platforms; this should cover
  infrastructure, applications and the data inputs and outputs themselves.
– Implement pan-organisational platforms with built-in capabilities for data governance and
  data stewardship, as they include measures for troubleshooting and monitoring all aspects of data
  management including data integrity.

PESTLE factors that will drive the threat: [graphic: Political, Economic, Social, Technological, Legal, Environmental]

Key information attribute affected
Confidentiality
Integrity
Availability

Source of threat
Adversarial: Nation states, organised criminal group, hacking groups, individual hacker, terrorists, activists

Potential business impact
Financial
Operational
Legal and Regulatory Compliance
Reputational
Health and Safety

ISF resources
– Demystifying Artificial Intelligence in information security (Briefing Paper)
– Protecting the Crown Jewels: How to secure mission‑critical information assets


3.2 Misleading signals subvert cyber fusion centres

What is the impact of this threat?


Attackers will mislead automation, orchestration and response platforms within cyber fusion centres to
trigger erroneous and disruptive responses. Those responses will disorientate organisations and damage
their operations. Productivity will stall, causing financial loss and reputational damage.

The power and influence that cyber fusion centres wield over mainstream business operations creates a
vector for direct and indirect attacks. Any such attack could be orchestrated by highly motivated actors who
have conducted in-depth reconnaissance, such as activists or nation state groups.

The erosion of trust in event data, alerts and supporting intelligence will lengthen detection and response
times, creating further opportunities for exploitation. Such attacks may also be staged as an obfuscation or
distraction technique that diverts attention away from the attacker’s true motive. These attacks –
particularly if regularly repeated – will cause business leaders to question the efficacy and reliability of
trusted security staff, technology and processes. This will damage business-security relations at a time when
cementing good communication is critically important.

CYBER FUSION CENTRE
A collaborative function that combines business and security operations with other teams including threat
hunting and intelligence, enabling fast, coordinated, proportionate responses to threats and incidents.

2024 Imagine this happens…


It is business as usual at a national stock exchange, during a period of global financial
instability. Event data and intelligence suggest a potential attack on the trading platforms,
prompting a pre-emptive countermeasure by the cyber fusion centre that suppresses certain
network traffic and shuts down key trading platforms from the outside world. As the hours
pass, the response teams become increasingly confused as their data does not indicate a
compromise, bringing the original intelligence into doubt. In the meantime, stock exchange
trading is at a standstill and the government starts to put pressure on the exchange’s executive
management team for updates. The multimillion-dollar fusion centre was chasing shadows
and is now at the centre of a financial and political storm.

How will you justify the response, your trust in the data and the resulting business consequences?


FIGURE 8: How a subversion attack could cause a cyber fusion centre to inadvertently disrupt an organisation

1. Threat actor injects fake signals to give the impression of an attack in progress on the trading
   platforms. The fusion centre responds to this.
2. The fusion centre proactively shuts down the affected platforms. Traders are unable to trade.
3. The fusion centre reviews its internal data and can see no indication of compromise. It reverses the
   shutdown but the damage is done.


Justification for the threat


Digitally transformed organisations will increasingly rely on traditional Security Operations Centre (SOC)
staff for moment-by-moment operational direction and oversight. SOCs will evolve to become cyber fusion
centres, intimately tied to business operations with the power to shut off systems and services believed to
be compromised or under attack. The function will increasingly be asked to make decisions that impact
the whole organisation in real-time. This transfer of power will make organisations more susceptible to
accidental and deliberate contamination of the varied signals used to detect threats, such as logs, event data
and threat intelligence.

Over the years SOCs have matured their people, processes and technology to become adept at identifying
signals that could indicate an attack upon the confidentiality or availability of their organisation’s interests.
However, many SOCs are ill-equipped for an era in which the signals they monitor and trust become the very
weapon employed against them.

Misinformation and misdirection events have increased in notoriety in recent years as the information
economy has captivated society. Recent notable examples of deliberately spreading misinformation for
nefarious purposes include the nation state interference during the US Presidential ‘Pandemic Election’[117]
and disinformation campaigns regarding COVID-19 vaccinations in the US.[118] As digital transformation
further connects and automates, misinformation techniques will be attempted on digital platforms to
achieve similar outcomes. Such approaches are likely to be based upon techniques such as the False
Data Injection attack methodology first observed to be used against sensors within cyber-physical
environments,[119][120] or attacks on more modern machine learning based malware detection platforms
through model poisoning.[121]

This converged approach to security operations and the increased reliance on automated responses requires
data inputs that are reliable and trustworthy. It also demands that cyber fusion centres are empowered
to act decisively and swiftly. As the volume of data inputs scale up, the opportunity for human validation
diminishes and integrity must be assumed. Malicious actors can take advantage and negatively influence
the integrity of those data streams by falsification or manipulation. This confuses detection and real-time
response capabilities by giving the impression that an attack is being prepared or in progress. Security
testers have been known to utilise similar poisoning tactics as a method of misdirecting security incident
and event monitoring platforms during blue team exercises.[122]

“Trust is a significant prerequisite in highly automated security
operations centres. If you can’t or don’t trust the signals, you’re in a
real bad place.” — ISF Member

A highly digital organisation could be destabilised by a cyber fusion centre chasing ghosts around its
network. Paranoia caused by false indicators of compromise could see whole areas of an organisation placed
into containment for fear of an imminent attack, particularly if the targeted organisation is an operator of
critical services. A threat actor seeking to deflect attention away from their real target could also mount an
illusionary attack as an effective decoy.

Such attacks could prompt business leaders to reduce the operating autonomy of the cyber fusion centre.
Security leaders may have to apply additional checks and balances to weed out false or inaccurate signals,
while bridges between business, technology and security teams will need to be rebuilt. This adds complexity,
demanding an injection of resource and budget that can diminish the fusion centre’s return on investment.
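
The "additional checks and balances" described above can take the form of a corroboration gate placed in front of automated containment. The following is an added example, not part of the ISF report; the feed names, precision values, threshold and asset names are assumptions, and the signals are constructed.

```python
from dataclasses import dataclass

# Constructed baseline: share of each feed's past alerts that analysts confirmed.
# Feed names and values are assumptions for this example.
FEED_PRECISION = {"edr": 0.85, "netflow": 0.70, "osint-a": 0.35, "osint-b": 0.40}
INTERNAL_FEEDS = {"edr", "netflow"}     # telemetry the organisation collects itself
CRITICAL_ASSETS = {"trading-platform"}  # containment here always needs a human
AUTO_THRESHOLD = 0.90                   # minimum combined confidence to act alone


@dataclass(frozen=True)
class Signal:
    feed: str    # feed that raised the signal
    asset: str   # asset the signal says is under attack
    claim: str   # free-text description of the claim


def combined_confidence(feeds):
    """1 - product(1 - precision) over distinct feeds.

    Assumes the feeds err independently; feeds without a baseline add nothing.
    """
    miss = 1.0
    for feed in feeds:
        miss *= 1.0 - FEED_PRECISION.get(feed, 0.0)
    return 1.0 - miss


def decide_containment(asset, signals):
    """Return the action the automation may take for `asset`, with its reasoning."""
    relevant = [s for s in signals if s.asset == asset]
    feeds = {s.feed for s in relevant}  # a flood from one feed still counts once
    confidence = combined_confidence(feeds)
    if not feeds & INTERNAL_FEEDS:
        decision = "monitor"
        reason = "no internal telemetry corroborates the claim"
    elif confidence < AUTO_THRESHOLD:
        decision = "monitor"
        reason = "combined confidence below automation threshold"
    elif asset in CRITICAL_ASSETS:
        decision = "human_review"
        reason = "corroborated, but asset is critical: operator must approve"
    else:
        decision = "auto_contain"
        reason = "corroborated by independent feeds on a non-critical asset"
    return {"decision": decision, "confidence": round(confidence, 3),
            "feeds": sorted(feeds), "signals": len(relevant), "reason": reason}


def constructed_signals():
    """Constructed inputs: an injected external flood and a corroborated intrusion."""
    flood = [Signal("osint-a", "trading-platform", "imminent attack")
             for _ in range(200)]
    flood.append(Signal("osint-b", "trading-platform", "imminent attack"))
    confirmed = [Signal("edr", "dev-wiki", "unexpected script written to web root"),
                 Signal("netflow", "dev-wiki", "periodic traffic to rare host")]
    return flood, confirmed


if __name__ == "__main__":
    flood, confirmed = constructed_signals()
    print(decide_containment("trading-platform", flood))
    print(decide_containment("dev-wiki", confirmed))
```

With these inputs the 201 external signals about the trading platform leave the gate at `monitor`, which is the outcome Figure 8's fusion centre reaches only after shutting the platforms down.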


How should your organisation prepare?

As the cyber fusion centre evolves, particular attention should be paid to the integrity of the data and
intelligence inputs. There should be regular scrutiny of the levels to which their automation systems can freely
operate across the business versus their potential to cause operational disruption.

PESTLE factors that will drive the threat: [graphic: PESTLE wheel (Political, Economic, Social, Technological, Legal, Environmental)]

Key information attribute affected
– Confidentiality
– Integrity
– Availability

Source of threat
– Adversarial: Nation states, organised criminal group, hacking groups, individual hacker, competitors
– Accidental: Supplier/vendor/partner, employee, customer

Potential business impact
– Financial
– Operational
– Legal and Regulatory Compliance
– Reputational

Actions for now
– Understand all intelligence inputs, particularly OSINT feeds, and identify methods of assuring them.
– Baseline the accuracy of existing automated security operations tooling and agree how to maintain it.
– Ensure override procedures are in place in the event of automation system malfunction or loss of integrity
in any individual data feed.

Longer-term actions
– Set thresholds for automation that do not conflict with safety and reliability requirements.
– Categorise, develop and rehearse response plans for a sudden data integrity issue in the cyber
fusion centre.
– Implement data sanitisation techniques to further assure the integrity of telemetry and intelligence
feeding the cyber fusion centre.
– Establish measures that enable the business and technology teams to collaboratively optimise the
cyber fusion centre’s accuracy and efficiency.
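One way the actions listed for this threat (baselining feed accuracy, setting automation thresholds and overriding a single feed that has lost integrity) can fit together in tooling is sketched here as an added example; it is not ISF code or part of the original report. The feed names, asset names, baseline figures and thresholds are constructed assumptions, and the confidence formula assumes the feeds are independent of one another.

```python
"""Gate automated containment on corroborated, accuracy-weighted signals."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Feed:
    """One telemetry or intelligence input with an agreed accuracy baseline."""
    name: str
    baseline_precision: float   # share of past alerts confirmed at triage
    recent: deque = field(default_factory=lambda: deque(maxlen=20))
    overridden: bool = False    # True = feed is excluded from automation

    def record_outcome(self, confirmed: bool) -> None:
        """Store the analyst verdict on one alert raised by this feed."""
        self.recent.append(confirmed)

    def recent_precision(self) -> float:
        """Precision over the recent window, or the baseline if no verdicts yet."""
        if not self.recent:
            return self.baseline_precision
        return sum(self.recent) / len(self.recent)

    def check_drift(self, tolerance: float = 0.3, min_samples: int = 10) -> bool:
        """Override the feed when recent accuracy falls well below baseline."""
        enough = len(self.recent) >= min_samples
        if enough and self.recent_precision() < self.baseline_precision - tolerance:
            self.overridden = True
        return self.overridden


@dataclass(frozen=True)
class Policy:
    """Automation thresholds agreed between security and the business."""
    min_feeds: int = 2                         # distinct feeds that must agree
    min_confidence: float = 0.9                # combined confidence to automate
    safety_critical: frozenset = frozenset()   # assets never auto-contained


def decide(asset: str, alerting_feeds: list, policy: Policy) -> tuple:
    """Return (action, confidence) for an asset flagged by the given feeds.

    Actions: "contain" (automated), "escalate" (human decision), "no_action".
    """
    # Drop overridden feeds and count each feed once, however often it alerts.
    live = {f.name: f for f in alerting_feeds if not f.overridden}
    if not live:
        return "no_action", 0.0

    # Chance that every live feed is wrong at once (independence assumed).
    all_wrong = 1.0
    for feed in live.values():
        all_wrong *= 1.0 - feed.recent_precision()
    confidence = 1.0 - all_wrong

    if asset in policy.safety_critical:
        return "escalate", confidence          # safety outranks speed
    if len(live) >= policy.min_feeds and confidence >= policy.min_confidence:
        return "contain", confidence
    return "escalate", confidence


if __name__ == "__main__":
    # Constructed sample inputs, for illustration only.
    edr = Feed("edr", 0.9)
    netflow = Feed("netflow", 0.8)
    osint = Feed("osint", 0.6)
    policy = Policy(safety_critical=frozenset({"plc-line-3"}))

    print(decide("hr-laptop-17", [osint], policy))          # single feed
    print(decide("hr-laptop-17", [edr, netflow], policy))   # corroborated
    print(decide("plc-line-3", [edr, netflow], policy))     # safety critical

    # Analysts dismiss twelve OSINT alerts in a row: the feed has lost integrity.
    for _ in range(12):
        osint.record_outcome(False)
    osint.check_drift()
    print(decide("hr-laptop-17", [osint, netflow], policy)) # OSINT now ignored
```
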

ISF resources
– Building a Successful SOC: Detect earlier, respond faster
– Establishing a Business-Focused Security Assurance Programme: Confidence in controls
– Threat Intelligence: React and prepare
– Securing the Supply Chain: Preventing your suppliers’ vulnerabilities from becoming your own
– Extinction Level Attacks: A survival guide


3.3 Digital twins double the attack surface

What is the impact of this threat?

Organisations using digital twins to monitor and manage production lines, plants and machinery or critical
infrastructure will find themselves under attack from multiple angles. Attackers will infiltrate installations,
exploit weaknesses in IoT hardware to gain control of central control systems, or target software simulations
to damage downstream production. As well as direct attacks, threat actors will seek to disrupt production
schedules by corrupting real-world data gathering systems that feed information back to simulations.

Compromised manufacturing systems will suffer prolonged downtime as affected systems suffer such extensive
damage that it will become impossible to repair them. Even in environments where protections are put in place,
production hiccups will become lengthy as compromised firmware and hardware are cleaned and hardened
against future attacks, all while disaster recovery plans are enacted. Supply chain problems will multiply due
to this downtime, extending production and maintenance schedules. Simulations run on digital systems without
integrity checks will be unable to ensure the veracity of data, raising the possibility of physical damage to the
real-world systems to which they are intimately linked.

DIGITAL TWINS
A physical system, such as a manufacturing plant, city or jet engine, tightly coupled to a detailed digital
simulation of that entity. Information flows from the real world to the simulation and back again. This helps
model and catch problems, and aids diagnostics and change management.

Manufacturers, operators of critical infrastructure, heavy engineering firms, and transport and logistics
providers that use edge and 5G technologies to transport data will be on the front line of attacks. As well as
seeking to disrupt production, attackers will also extort cash from victims by claiming to have infiltrated
control systems, forcing organisations to react, even if the threats are hollow.

2024 Imagine this happens…

A companion app that reports on the performance of a popular electric car starts sending data
warning that batteries in the vehicles are running out of charge faster than expected. Analysis
via digital simulations models the problem and retools robots on production lines to improve
battery quality. The change demands that the car maker buys much more lithium, driving up
production costs and putting strain on global supply chains. Physical tests reveal there is no
issue with the batteries; it later emerges that a nation state with a significant stake in lithium
mines tainted the app to inflate profits.

How can you be sure the data that informs your digital twins is trustworthy?


[Figure: a production system linked to its digital double, annotated with four threats: attackers gain control of the digital twin; attackers poison an external data feed to force changes in production; attackers compromise IoT sensors to halt production; data flows between factory and digital twin are corrupted.]

FIGURE 9: Threats emerging from connections between digital twins, manufacturing and their real-world counterparts


Justification for the threat


Digital twins are becoming a valuable tool in many industrial sectors where organisations are keen to extend
the control that SCADA systems have given them over remote installations. Organisations that oversee
physical installations (e.g. manufacturing plants or wind farms) or complicated engineering systems (e.g. jet
engines or Formula 1 racing cars) have been among the pioneers of digital twinning. Now other entities such
as cities,123 healthcare providers124 and nation states125 are adopting the technology to model, forecast and fix
many different issues.

Many different technologies, including 5G, edge computing and IoT, as well as growing familiarity with data
analytics techniques, have driven interest in digital twins. By combining IoT, IIoT, big data analytics, cyber-
physical systems and cloud computing, digital twins can create a connected, coherent entity that allows
real-time data to create and maintain a sophisticated virtual model of a physical system.126 Gartner estimates
that one million digital twin instances will be deployed by large enterprises by 2025.127 IoT deployments will
similarly see a massive rise, with the number of devices in use expected to reach almost 17 billion by 2025.128

Trends in automated manufacturing, creating ‘lights out’ production lines devoid of humans, have also
driven adoption as these robot-only installations demand that information be gathered and analysed
constantly to sustain productivity. The steady mothballing of legacy technologies, such as 3G phone
networks,129 is also forcing organisations to move to use newer technologies. Attackers are actively targeting
interconnected industrial, manufacturing and infrastructure installations,130 triggering warnings that
by 2025, attackers will be extorting organisations by threatening to disrupt operational technologies and
cause loss of life.131 Some ransomware groups, such as the operators of the Ryuk malware, are now actively
targeting industrial firms and their OT installations.132

“The increase in attacks on operational technology environments
causes risks to the environment and to human life. Security and risk
management leaders should not worry about information theft, but
about real-world hazards…” — Wam Voster, senior director of research, Gartner 133

As the management of factories and critical infrastructure matures, digital twins will become a key part of
ensuring these installations run efficiently and securely. The increased insight into production comes at a
cost, opening up attack surfaces that are a tempting target, ripe for disruption and extortion by specialist
groups of attackers. Organisational change will be pivotal to ensure the advantages offered by digital twins
do not come at too high a price.


How should your organisation prepare?

Digital twins represent a commercial advantage for many organisations but also present information
security practitioners with a significant monitoring and management task. Familiarity with these innovations
and their connections to the wider enterprise will help lighten this load.

PESTLE factors that will drive the threat: [graphic: PESTLE wheel (Political, Economic, Social, Technological, Legal, Environmental)]

Key information attribute affected
– Confidentiality
– Integrity
– Availability

Source of threat
– Adversarial: Nation states, organised criminal group, hacking groups, individual hacker, competitors

Potential business impact
– Financial
– Operational
– Legal and Regulatory Compliance
– Reputational
– Health and Safety

Actions for now
– Draw up and maintain an asset register of ICS, OT and IoT systems.
– Build relationships with suppliers of digital twins to assess their security stance.
– Look for vulnerabilities in the software linkages between digital twins and real-world counterparts.
– Segment networks to keep operational systems separate and implement verification and
validation processes.

Longer-term actions
– Improve relationships between OT and IT teams to build trust in digital twins and to help resolve
security issues.
– Track operational and information risks against industrial control systems.
– Set up and run rapid response system overseeing interaction between digital twins
and their counterparts.

ISF resources
– Industrial Control Systems: Securing the systems that control physical environments
– Securing the IoT: Taming the connected world (Briefing Paper)
– Supply Chain security suite
– Extinction Level Attacks: A survival guide
– Threat Intelligence: React and prepare


Conclusion
With digital economies evolving faster than previously envisaged, the nine threats described in Threat
Horizon 2024 forecast a tough predicament: if trust is now a façade and control an enigma, how do
organisations stay resilient, competitive and confident in business outcomes?

Legislative efforts to keep up with the changing landscape will stifle innovation, or simply redirect
existing threats, rather than providing much-needed clarity. Advancements in architectural and software
development technologies will offer enticing short-term benefits but incubate long-term challenges as
organisations cede control and influence through their technology choices. Misguided confidence in data
integrity will provide a new battleground for adversaries who will pollute and subvert data to introduce
geopolitical, social and economic risks never before encountered.

The global pandemic has taught society a critical lesson: no one can ever exert full control over events. This
has manifested in the digital realm, where organisations are finding that they no longer control data, but in
fact the data controls them. A threat landscape will emerge that many organisations will not be equipped to
interpret, let alone manage.

Data has become the new superpower; a force for good but also a force for evil that can be wielded by
conspiracy theorists, criminal gangs, manipulative states and a host of other actors. It will be near impossible
to discern what data to trust.

Misuse of information, malicious sabotage of data and wilful ignorance will provoke a complete
disintegration of trust. Attackers will exploit the resulting disarray, displaying brazen ingenuity to protect
their own interests. Business and security leaders therefore need to support each other now more than ever,
building upon relationships forged in a time of crisis to build resilience. There is a fundamental choice they
need to make collectively: attempt to rebuild trust, or accept that it has disintegrated entirely and
adapt accordingly?

Further reading
Members will gain most value from this report if they question, challenge and revise the proposed
threats in the context of their own organisation using the ISF Threat Radar, which can be found in
Appendix E. A rich set of related reading is included in Appendix G, which supports the threats within
the report. Members are invited to review the references used to create their own view of Threat
Horizon 2024.


Appendix A: Methodology
Threat Horizon is the ISF’s flagship publication and has been released every year for over a decade. The
report predicts the top cyber security threats that will emerge over the next two to three years. The PESTLE
model is used to provide context and background to these threats. Researchers draw upon materials from
a variety of sources. Of particular value is the structured input from Members at ISF Chapter meetings,
ISF Annual World Congress and on ISF Live.

[Figure: inputs to Threat Horizon, set within the PESTLE model (Political, Economic, Social, Technological, Legal, Environmental): Chapter meetings and ISF Annual World Congress; ongoing research and analysis; academics and subject matter experts; blogs and discussions; business leaders across industry sectors; Advisory Council and Member interviews.]


Appendix B: Assessing predictions from 2021
The original Threat Horizon 2021 predictions are summarised below and on the following pages,
together with:
– a scale indicating the accuracy of the predictions
– a rating showing the degree to which the threat merits continued consideration moving forward
– supporting evidence.

These threats should be assessed and prioritised to reflect an organisation’s specific circumstances.

Threat Horizon 2021: The digital illusion shatters
– Digital connectivity exposes hidden dangers
– Digital cold war engulfs business
– Digital competitors rip up the rulebook

1.1 5G technologies broaden attack surfaces

Threat Horizon 2021 prediction: 5G networks and technologies will provide a game-changing platform
for businesses and consumers alike, but also broaden attack surfaces. Millions of previously unconnected
devices will be added to the mix, with telecommunications masts that have varying levels of security.
Attackers will exploit a range of new attack vectors.

Accuracy level: [rating graphic]
Ongoing threat rating: [rating graphic]

Supporting evidence: The impact of this threat has been dulled as the rollout of 5G technology in
2021 has been slowed by two factors – politics and the pandemic. US concerns about Chinese
State-influence on mobile network equipment made by Huawei led to much of its installed infrastructure
being removed and replaced in many nations.134 Lengthened deployment timetables have had a downstream
impact on the number of deployed devices that use 5G networks, especially services that rely on them and
attacks which exploit them.135

At the same time, security researchers have looked into 5G vulnerabilities and uncovered issues with its
virtualised network feature.136 Other issues have been found with its susceptibility to the insertion of fake
base stations, the lack of co-operation on standards and policies137 and its reliance on older 4G
networks.138 Theoretical problems have also been found in 5G protocols and warnings have been issued
about physical security vulnerabilities in the small, local data centres that 5G networks may deploy.139

Generally, 5G networks have helped scammers reach victims, rather than be the direct target of attack.
Given this and the delays in its development, the accuracy of the threat is relatively low, but the discovery
of theoretical weaknesses means that it does remain a potentially serious threat.


1.2 Manipulated machine learning sows confusion

Threat Horizon 2021 prediction: Organisations will become more reliant upon machine learning,
and as humans are taken out of the knowledge loop, it will become a prime target for attackers. Confusion,
obfuscation, and deception will be used by attackers to manipulate machine learning systems, either for
financial gain or to cause as much disruption as possible.

Accuracy level: [rating graphic]
Ongoing threat rating: [rating graphic]

Supporting evidence: The enthusiasm with which organisations have adopted machine learning
has not been matched by a similar level of interest by attackers seeking to use the technology to
compromise or subvert AI systems. Broad attacks that attempt to skew the ML systems on social networks,
video and music platforms are well established.140 However, attacks aimed at ML-based systems run by
organisations remain rare.

Even when attacks are recorded, such as the successful penetration of an open-source ML framework called
Kubeflow, the motivation is to use the computational power to mine crypto cash rather than poison the
database.141

In anticipation of future attacks, cross-industry efforts are now underway to spread information about
potential problems.142 In addition, tools such as Microsoft’s ‘Counterfit’ are emerging to help organisations
harden their ML resources against subversion and attack.143

The rarity of attacks and upsurge of effort being put into defences and research render it less prominent
than initially expected.

1.3 Parasitic malware feasts on critical infrastructure

Threat Horizon 2021 prediction: Attackers will turn their attention to the vast interconnectivity and
power consumption of Industrial Control Systems (ICS), IoT devices and other critical infrastructure,
which offer an enticing environment for parasitic malware to thrive. All organisations will be threatened as
this form of malware sucks the life out of systems, degrading performance and potentially shutting down
critical services.

Accuracy level: [rating graphic]
Ongoing threat rating: [rating graphic]

Supporting evidence: Critical infrastructure has continued to be a primary target of cyberattacks
over the past year, rising by 300% in the US alone.144 However, these have been largely ransomware
attacks, focusing on disrupting services and withholding data rather than using the processing power for
nefarious activities.

Parasitic malware has been used by attackers to target cloud-based services rather than critical
infrastructure. Crypto mining code has been found on tens of millions of Docker images,145 millions of
Qnap NAS boxes146 and free cloud computing services.147

The threat of parasitic malware targeting critical infrastructure has not dissipated, with one estimate
suggesting it has more than doubled over the past year and is targeting larger organisations. OT
vulnerabilities have also been increasing at a rate of 68% year on year.148 A coordinated response will
be needed from the public and private sectors due to critical infrastructure spanning the two spheres.
Considering this, and the continued presence of parasitic malware and crypto jacking, the threat level
remains high.

2.1 State-backed espionage targets next gen tech

Threat Horizon 2021 prediction: Organisations developing technologies such as AI, 5G, robotics
and quantum computing, will find their intellectual property (IP) systematically targeted by nation
state-backed actors.

Accuracy level: [rating graphic]
Ongoing threat rating: [rating graphic]

Supporting evidence: The high tempo of state-sponsored attacks against organisations has
continued. In 2021 Google sent more than 50,000 warnings to customers about this type of attack – a
figure up 33% on 2020.149 High-profile, large-scale attacks, such as the Microsoft Exchange150 and
SolarWinds incidents,151 were also recorded. The number of organisations compromised in these campaigns
suggests that attackers gained access to high-tech secrets even though the initial attack simply sought to
breach as many enterprises as possible.

Other targeted attacks have come to light over the last 12 months: the notorious North Korean Lazarus
hacking group152 has targeted defence firms across the world, while the US defence industry has been
targeted by China through flaws in the Pulse Secure VPN system.153 Japan’s space agency154 and
many high-performance computing facilities155 are also known to have been hit by attackers seeking to
gain access and steal industrial secrets.

At the same time, the US is moving to impose further restrictions on Chinese technology firms, especially
with regard to quantum computing, prompting a diplomatic exchange over who has access to
innovation.156 This increased tension could be a catalyst for further attacks and this factor, allied to the
high number of successful attacks and the pressure that global supply chain issues are putting on
technology-dependent businesses, suggests the level of this threat should remain high.


2.2 Sabotaged cloud services freeze operations

Threat Horizon 2021 prediction: Attackers will aim to sabotage cloud service providers, causing
disruption to critical national infrastructure (CNI), crippling supply chains and compromising vast
quantities of data. Organisations and supply chains that are reliant on cloud services will become
collateral damage when cloud services go down for extended periods of time.

Accuracy level: [rating graphic]
Ongoing threat rating: [rating graphic]

Supporting evidence: Demand for cloud services has remained strong as the pandemic lingers and
hybrid working patterns become embedded. Innovations such as edge computing, serverless architectures
and containerisation have driven specialisation in this sector – adding to its rapid growth.157 These
developments have put organisations in thrall to the larger cloud service providers and at risk of becoming
collateral damage when attackers take direct aim at the services. This concentration has led regulators,
particularly those overseeing finance firms, to look at dependencies and ask organisations to test their
resilience to attacks.158

Attacks on cloud services are persistent and growing in volume. Records for the biggest attacks on cloud
services were broken twice in the span of a few days in October 2021 when Azure and Russian cloud
provider Yandex fended off massive DDoS attempts.159 Attacks and breaches across many other cloud
services have occurred regularly over the last 12 months, causing the release of gigabytes of data and
affecting thousands of companies.160 Attackers are becoming more savvy and are now starting to target
high-availability services, such as VPN providers, in a bid to force quick payment of extortion
demands.161 Concerted action by a growing roster of threat actors, including nation states, reinforces the
notion that this threat should be kept at its high level.

2.3 Drones become both predator and prey

Threat Horizon 2021 prediction: Drones will become predators controlled by malicious actors to
carry out more targeted attacks on business. Conversely, drones used for commercial benefit will be preyed
upon, hijacked and spoofed, with organisations facing disruption and loss of sensitive data.

Accuracy level: [rating graphic]
Ongoing threat rating: [rating graphic]

Supporting evidence: Nation states, insurgent groups and terrorists are increasingly deploying drones
during armed conflicts, underscoring their role in surveillance and enforcing air dominance as a method of
disruption. During 2021 destructive drone-borne attacks were recorded in India,162 Iraq,163 Saudi
Arabia,164 Iran165 and Turkey.166 In addition, details emerged in 2021 of an incident involving US Navy
destroyers engaged in exercises off the California coast which were regularly monitored by ‘swarms’ of
drones.167 In all cases, the aircraft remained under human control but there is worrying evidence that, in at
least one case in Libya,168 drones were used to autonomously attack people.

By contrast, the use of drones in business appears to have stalled as Amazon and other tech firms delay
plans to use autonomous craft for delivery and other purposes. Amazon laid off 100 staff in its Prime Air
division169 and the growth of the sector remains sluggish despite some small-scale successes during the
pandemic to deliver medical supplies and food to house-bound families.170 Established drone delivery
services are growing slowly, typically expanding into specific towns or campuses rather than across entire
regions or nations. While there are a few examples of drones being attacked by birds171 and some Starship
drones have been vandalised, there is little evidence that these autonomous craft are being preyed upon.172

The diverging use of drones and the diminishing danger they represent to organisations who do not
operate in conflict zones has reduced the rating of this threat.

3.1 Digital vigilantes weaponise vulnerability disclosure

Threat Horizon 2021 prediction: Ethical vulnerability disclosure will descend into digital vigilantism.
Attackers will weaponise vulnerability disclosure to undercut organisations, destroy corporate reputations
or even manipulate stock prices.

Accuracy level: [rating graphic]
Ongoing threat rating: [rating graphic]

Supporting evidence: The flood of ransomware seen in 2021 has ridden high on the back of
exploitable vulnerabilities, suggesting that finding and fixing these loopholes would be a useful tactic for
ethical hackers keen to nudge organisations into improving their security stance. While some disclosures
have caused reputational damage to organisations, examples of where this exposure has been ethically
weaponised are rare.173

Instead, the main users of these vulnerabilities are organised criminal groups with the financial muscle to
buy them when they go on sale.174 A market has also emerged for Initial Access Brokers, who gather
information regarding vulnerable targets and sell this to the highest bidder, who then goes on to mount
the attack.175 The bought vulnerabilities are often used to steal and leak data but for profit rather than in
the service of ethics.

The potential for organisations to be embarrassed by the vulnerabilities they do not fix is undercut by the
fact that most often attackers use known vulnerabilities to infiltrate organisations. In addition, almost
two-thirds of those vulnerabilities actively being targeted are more than three years old and many already
have a patch released to fix them,176 limiting the chance for weaponisation by ethical hackers. According
to the Verizon Data Breach Investigation Report only about 5% of breaches involved unpatched
vulnerabilities.177 Given this, and against a background of growing official mandates to tackle
vulnerabilities, this threat poses much less of a danger.178


3.2 Big tech break up fractures business models

Threat Horizon 2021 prediction: By 2021, at least one of the big tech giants will be broken up,
significantly disrupting the availability of the products and services they provide to dependent
organisations. From email to search engines, advertising, logistics and delivery, the entire operating
environment will change.

Accuracy level: [rating graphic]
Ongoing threat rating: [rating graphic]

Supporting evidence: No big tech giant has been broken up by the end of 2021 despite mounting
evidence that they are continuing to cause harm to society and business. Facebook has been hit by a series
of revelations by whistleblowers who demonstrated how it maximised its survival at the expense of
meaningful action to limit the effect its algorithms have on users.179

More broadly, other actions against tech giants include the levying of large fines against
Facebook,180,181 WhatsApp,182 Google,183 Apple184 and Amazon185 across many jurisdictions. In the
UK, Facebook’s acquisition of gif creator Giphy has been scotched by a market regulator. Other regulatory
action is pending. In the US186 and Europe187 work is continuing on more long-lasting legislative efforts
to rein in the tech giants.

China has enacted a series of restrictions including massive fines for anti-competitive activity and
increasing regulatory scrutiny, so they are aligned with official goals to maintain social cohesion. In one
case this regulatory action led to the partial break-up of the Ant group.188

Despite this effort, tech firms have prospered during and after the worst of the pandemic.

3.3 Rushed digital transformations destroy trust

Threat Horizon 2021 prediction: Organisations will deploy technologies such as blockchain, AI and
robotics, expecting them to seamlessly integrate with ageing systems. They will face significant disruption
to services, as well as compromised data when digital transformations go wrong.

Accuracy level: [rating graphic]
Ongoing threat rating: [rating graphic]

Supporting evidence: The pandemic has helped organisations cram several years of digital
transformation into a few short months. Many aspects of business operations, including working patterns,
supply chains and customer interactions, have all been re-engineered to cope with lockdown conditions and
the changes that have persisted.189 Spending on these projects will top $1.73tn in 2022, offsetting the
slowing investment in technology and change programmes seen during the earlier days of lockdown in
2020.190 Digital transformations centred around other innovations, such as blockchain, AI and robotics,
have been paused to ensure the business keeps on running.

The costs of these workplace changes have also become apparent with one estimate suggesting 19% of all
projects stumble or fail during execution.191

Threat actors have also adapted their response to the pandemic. Law enforcement agencies report192 that
the shift to home working and greater use of digital channels for communication has opened up avenues
for attack, widening the pool of victims that can be targeted.193


Appendix C: Assessing predictions from 2022
The original Threat Horizon 2022 predictions are summarised below and on the following pages, together
with the level of confidence in the threat materialising and supporting evidence for the confidence rating.

These threats should be assessed and prioritised to reflect an organisation’s specific circumstances.

Threat Horizon 2022: Digital and physical worlds collide
– Invasive technology disrupts the everyday
– Neglected infrastructure cripples operations
– A crisis of trust undermines digital business

1.1 Augmented attacks distort reality

Threat Horizon 2022 prediction: The development and acceptance of Augmented Reality technologies
will usher in new immersive opportunities for businesses and consumers alike. However, organisations
leveraging this immature and poorly secured technology will provide attackers with the chance to
compromise the privacy and safety of individuals when systems and devices are exploited.

Confidence level: [rating graphic]

Supporting evidence: Augmented Reality (AR) has been widely adopted in many manufacturing
and engineering businesses but few attacks against the technology have been recorded. One well-known
example saw a plan by the Williams F1 team to use an immersive AR app to introduce its re-designed
Formula 1 race car foiled by an attack that sought to subvert the application prior to the launch.194

Whilst industrial businesses have taken to AR, there is little suggestion of non‑commercial adoption –
many research and development deals to create AR are yet to be successful or viable commercially. This is
despite the technology’s potential to introduce new ways of gathering more intimate and useable data
about users such as eye movement and response to stimuli.195

Targeting of AR may be limited, but the technology does still pose some risks. The physically
compromising nature of AR amplifies the risk of virtual intrusion in which attackers look through headsets
to reconnoitre potential targets. In addition, because user attention is divided between two worlds, AR
can distract users from real dangers.

Despite expectations that hybrid working patterns will boost AR uptake, the lack of significant attacks
conducted via AR suggests confidence in the danger this threat poses has reduced.196


1.2 Behavioural analytics trigger a consumer backlash

Threat Horizon 2022 prediction: Organisations that have invested in a highly connected nexus of sensors, cameras and mobile apps to develop behavioural analytics will find themselves under intensifying scrutiny from consumers and regulators alike as the practice is deemed invasive and unethical. The treasure trove of information harvested and sold will become a key target for attackers aiming to steal consumer secrets, with organisations facing severe financial penalties and reputational damage for failing to secure their information and systems.

Confidence level:

Supporting evidence: Public awareness of unfettered data collection has grown during the pandemic, but this has not prompted a massive rejection of social media platforms or other organisations known to be stockpiling personal information. The widespread adoption of apps to monitor movements and trace contacts during the pandemic has led to a greater tolerance of confidential data gathering for public welfare.

This is set against growing use of behavioural analytics that can lead to false conclusions about consumers. Reliance on algorithms that use incomplete data sets can bring about unfair discrimination. At least one lawsuit has been filed because of wrongful identification by a facial recognition program.[197] There is some evidence that consumers will reject companies if they feel mistreated by algorithms[198] but the reaction is short-lived and has not resulted in large-scale protests.

It is likely that governments will increase regulations on large-scale data gathering and start to oversee algorithms.[199] The EU, China, California, and South Korea are all seeking to reform the data harvesting practices of tech giants, dismantle intrusive systems such as online ad-tracking and ensure algorithms operate transparently. This evidence suggests the dynamics of this threat have shifted from consumer to official concern leading to a reduction in confidence in it materialising.

1.3 Robo-helpers help themselves to data

Threat Horizon 2022 prediction: Poorly secured robo-helpers will be weaponised by attackers, committing acts of corporate espionage and stealing intellectual property. Attackers will exploit robo-helpers to target the most vulnerable members of society, such as the elderly or the sick at home, in care homes or hospitals, resulting in reputational damage for both manufacturers and corporate users.

Confidence level:

Supporting evidence: The pandemic has accelerated the use of robots in many sectors of industry, particularly healthcare, but there is little evidence that these helpful machines are being compromised by attackers. For instance, Spot the robot dog created by Boston Robotics is being tested in several US states in a variety of roles – notably in law enforcement. The American Civil Liberties Union, however, has highlighted the different dangers this robot posed to civil liberties rather than its potential for attackers to use it to infiltrate organisations.[200]

Ongoing laboratory research projects are logging the vulnerabilities in the software controlling robots that attackers could exploit for gain.[201] Vulnerabilities have been found in both industrial and domestic machines.[202] The reluctance of attackers to exploit these avenues leads to a significant reduction in the level of confidence in the danger this threat poses.

2.1 Edge computing pushes security to the brink

Threat Horizon 2022 prediction: In a bid to deal with ever-increasing volumes of data and process information in real time, organisations will adopt edge computing – an architectural approach that reduces latency between devices and increases speed – in addition to, or in place of, cloud services. Edge computing will become a key target for attackers, creating numerous points of failure. Security benefits provided by cloud service providers, such as oversight of particular IT assets, will also be lost.

Confidence level:

Supporting evidence: The global market for edge computing has grown fast with estimates predicting it will grow at a compound rate of 38.4% over the next three years.[203] This suggests organisations are becoming enthusiastic users of this technology as they adopt 5G networks and build exceptionally large cloud networks.[204]

The steady deployment of edge technologies brings a significant degree of information risk, especially if attackers can gain access to hardware.[205] This physical access could allow attackers to insert malicious nodes into an edge network – these camouflaged nodes can act as a trojan, observing and stealing data from within the network.

Attacks on specific edge systems, however, remain theoretical. While attacks on IT systems at the edge of networks have been recorded, these attacks have primarily focused on 5G and IoT devices connected via this perimeter.


2.2 Extreme weather wreaks havoc on infrastructure

Threat Horizon 2022 prediction: Extreme weather events will increase in frequency and severity year-on-year, with organisations suffering damage to their digital and physical estates. Floodplains will expand; coastal areas will be impacted by rising sea levels and storms; extreme heat and droughts will become more damaging; and wildfires will sweep across even greater areas. Critical infrastructure and data centres will be particularly susceptible to extreme weather conditions, with business continuity and disaster recovery plans pushed to breaking point.

Confidence level:

Supporting evidence: Climate change poses unprecedented challenges to infrastructure worldwide.[206] One estimate suggests 10% of total economic value is set to be lost by mid-21st century if climate change stays on trajectory and the Paris Agreement net-zero emissions targets for 2050 are not met.[207]

Texas is a stark example of the chaos that extreme weather can inflict. It suffered a prolonged and severe power crisis in response to a rare burst of Arctic air that spread across the central US. As temperatures dropped to single digits, the power grid collapsed. The failures in natural gas and electricity systems left four million Texans without power for days. The effect on infrastructure was widespread and its impact on businesses, especially semi-conductor makers, was profound.[208]

Global supply chains will continue to be impacted by extreme weather. For example, Taiwan, which leads semiconductor production globally, is currently facing its worst drought for 56 years, receiving only one typhoon in 2020 compared to the annual average of between 7–9 every year. Additionally, the previous winter and spring were also deficient in rainfall, leading to a water shortage[209] – a crucial part of the chip making process.

A surge in the frequency of extreme weather events that are more intense and more unpredictable than ever before led the World Economic Forum to rate this threat as the top risk by likelihood in 2021.[210]

2.3 The internet of forgotten things bites back

Threat Horizon 2022 prediction: The risks posed by multiple forgotten or abandoned IoT devices will emerge across all areas of business. Unsecured and unsupported devices will be increasingly vulnerable as manufacturers go out of business, discontinue support or fail to deliver the necessary patches to devices. Opportunistic attackers will discover poorly secured, network-connected devices, exploiting organisations in the process.

Confidence level:

Supporting evidence: As IoT devices proliferate, many regions and nations are moving to regulate the way these potentially insecure devices are built and sold. The UK, EU and US are all enacting rules that seek to ensure that manufacturers follow basic security steps.[211]

These regulations come in the wake of a pandemic-induced increase in privacy breaches related to IoT devices. Millions of devices have been exposed by weak security credentials[212] and specific vulnerabilities, such as the operating system level Urgent/11 and CDPwn vulnerabilities, have left millions of unpatched and unprotected systems open to attack.[213] These vulnerabilities allow attackers to take over network equipment, move laterally across the network, and gain access to mission-critical devices such as infusion pumps and PLCs.[214]

Strong competition in the IoT space means many manufacturers have gone bust and abandoned gadgets that have already been installed and activated[215,216,217] but will no longer be updated by any security fixes.

Chinese hackers are reportedly stealing substantial amounts of data from IoT devices, such as home recordings being sold on illegal dark web platforms. Criminals claim that these recordings were taken from security cameras in hotels, dressing rooms, houses and parks.[218]

The vast attack surface revealed by these trends suggests this threat will continue to pose a significant risk.

3.1 Deepfakes tell true lies

Threat Horizon 2022 prediction: Highly plausible digital clones will cause organisations and customers to lose trust in many forms of communication. Social engineering attacks will be amplified and credible fake news and misinformation will spread, with unwary organisations experiencing defamation and reputational damage.

Confidence level:

Supporting evidence: Deepfakes have caught the attention of cyber thieves with many security firms reporting that they are seeing increasing ‘chatter’ on dark web forums about tools and technologies to create convincing fakes.[219] The FBI has issued a similar warning suggesting hostile nations will use ‘synthetic content’ in their ongoing propaganda and disinformation campaigns.[220]

So far, there has been little use of these tools to create deepfakes that are then used in frauds and social engineering attacks but high-profile examples demonstrate the potential of this attack vector. Adversa.ai developed a successful black-box attack that tricked the PimEyes facial recognition system into believing a company CEO was Elon Musk.[221]

This is an attack type that may grow in popularity as office work via video meetings becomes more common.[222] Gangs that specialise in business email compromise attacks seem most interested as deepfakes could lend credibility to their attempts to trick finance staff by posing as a senior executive.


3.2 The digital generation becomes the scammer’s dream

Threat Horizon 2022 prediction: Generation Z will start to enter the workplace, introducing new information security concerns to organisations. Attitudes, behaviours, characteristics and values exhibited by the newest generation will transcend their working lives. Reckless approaches to security, privacy and consumption of content will make them obvious targets for scammers, consequently threatening the information security of their employers.

Confidence level:

Supporting evidence: Generation Z now makes up about 10% of the global workforce[223] and has begun shaping culture inside many organisations. This step change has already caused security problems – for instance, the SolarWinds breach was blamed on lax password use by a Gen Z age employee.[224]

There are signs that adversarial threat actors are actively targeting the platforms favoured by Gen Z including Discord, Slack, and social media networks.[225] At least one high profile hack was carried out by abusing a Discord cookie bought online.[226]

Despite this evidence, it is difficult to claim that an entire generation’s attitude towards information security will bring about a flood of attacks or other breaches. These digital natives do regard online friends as part of an inclusive community with whom they share almost everything they experience, known as ‘radical inclusion’. Some of their behaviour sets them apart from their older colleagues[227] and does lend some weight to the threat. This ongoing clash of ideologies will become a pinch point in many organisations in the near future.

3.3 Activists expose digital ethics abuse

Threat Horizon 2022 prediction: Activists will begin targeting organisations that they deem immoral, exposing unethical or exploitative practices surrounding the technologies they develop and who they are sold to. Employees motivated by ethical concerns will leak intellectual property, becoming whistle-blowers or withdrawing labour entirely. Brand reputations will suffer, as organisations that ignore their ethical responsibilities are placed under mounting pressure.

Confidence level:

Supporting evidence: Glitches in software that unduly lengthen prison sentences,[228] racial biases in facial recognition systems[229] and crude monitoring of employee productivity via IT-based evaluation systems,[230] are notable examples of the unethical ramifications of using technology. Although these incidents are contributing to greater public awareness of how data can be used and abused, unethical practices do not seem to motivate attacks against those responsible.

Protests are being staged when crude technology tools are used to solve complicated business and workplace issues,[231] and whistleblowers are regularly exposing activity within organisations, such as Facebook, to prompt regulators and legislators to probe these practices.[232] However, activists are not exploiting inappropriate usage as much as expected.


Appendix D: Assessing predictions from 2023
The original Threat Horizon 2023 predictions are summarised below and on the following pages, together
with the level of confidence in the threat materialising and supporting evidence for the confidence rating.

These threats should be assessed and prioritised to reflect an organisation’s specific circumstances.

Threat Horizon 2023
Security at a tipping point
– Machines seize control
– Identity is weaponised
– Security fails in a brave new world

1.1 AI industrialises high impact attacks

Threat Horizon 2023 prediction: The malicious use of AI will lead to the industrialisation of tailored, high-volume, high-impact cyber attacks, leaving organisations overwhelmed and unable to operate effectively.

Confidence level:

Supporting evidence: AI is becoming a transformative force in mainstream business with estimates suggesting that by 2030, the technology will contribute $11.7tn to global GDP[233] and global investment in the sector is forecast to reach $97.9bn by 2023.[234] Following this trend, it is likely that AI will feature prominently in the activities of cyber criminal groups, who will continue to harness the capability of AI to continuously learn and adapt to changing information. Human-mimicking attacks will become more personalised and increasingly scalable.[235]

Evidence is emerging that AI tools are being used for less sophisticated tasks such as automating aspects of existing attacks[236] and to mount specific campaigns, such as stealing gift cards.[237]

Despite the above trends, AI does not seem to have caught on among cyber crime groups as an attack enabler – despite many of those groups operating in a very similar manner to modern e-commerce companies[238] that are making good use of machine learning and other AI-enabled techniques. Instead, as cyber crime businesses have sought to expand, industrialisation has led to an upsurge in established attack types,[239] such as ransomware, rather than an exploration of new techniques that utilise AI.


1.2 Automated defences backfire

Threat Horizon 2023 prediction: Organisations will discover the pitfalls of relying heavily on automated defences. Ineffective implementation of security controls and a lack of human oversight will prove costly.

Confidence level:

Supporting evidence: The foremost risk associated with the rise of automated defence technologies is their susceptibility to hacking by cyber criminals. Advanced technologies are usually built around ‘black box’ models, which means organisations are often unaware when systems have been compromised.[240] Already cyber criminals have been targeting systems by feeding in corrupt or unrepresentative data, injecting bias into ML algorithms. These attacks can have devastating consequences, initially appearing as legitimate data traffic, but causing harm over longer periods.

At the same time laboratory work is unearthing innovative ways to attack automated systems.[241] For some of these approaches attackers are not required to trick the system; they only need to overload it, causing networks to fail.[242]

Organisations may be turning more to automation[243] and academics may be discovering new attack types but outages caused by the over-reaction of AI defences remain scant, lessening the threat posed by adoption of this innovation.

1.3 Layered security causes complacency and confusion

Threat Horizon 2023 prediction: The ever-expanding array of policies, processes and technologies forming an organisation’s security ecosystem will clash and contradict, degrading security.

Confidence level:

Supporting evidence: Nefarious actors have begun to exploit the numerous layers of policies and processes within organisations to launch their attacks. For instance, CISA reported several cases[244] which exploited failings in authentication systems for cloud services that had adopted MFA to collapse some of their security layers.

The burden on security analysts is increasing with some required to handle more than 11,000 alerts a day on average.[245] According to one study, 75% of analysts believed most of their time was wasted chasing false positives.[246] This combination of too many alerts, too few staff and growing automation is problematic because it can mean security analysts take shortcuts around established policies to get work done and automation can punch holes in layered defences as they are given permission to act independently. Defence systems such as Endpoint Detection & Response (EDR) and Cloud Access Security Brokers (CASB) could add to this burden and cause ‘tool sprawl’, which could facilitate a feeling of complacency.[247]

2.1 Digital doppelgängers undermine identity

Threat Horizon 2023 prediction: Adversarial actors will use advanced techniques to create digital doppelgängers, harvesting increasing levels of highly personal and intimate information.

Confidence level:

Supporting evidence: Next-generation deepfakes, or synthetic beings exhibiting human-like characteristics, are appearing in small but significant numbers. Start-ups,[248] venture capital cash,[249] academic research[250] and development efforts inside large organisations[251] are all preparing these avatars for a variety of online roles – typically representing or acting on behalf of a person. Additionally, development has begun to turn social media posts of deceased individuals into chatbots[252] and to make late pop stars perform again.[253]

Impersonation attacks are expected to increase as cyber criminals target a progressively remote and distracted workforce. Since the outset of the COVID-19 pandemic, more than 7,000 CEOs have been impersonated[254] with attackers hoaxing users into clicking links, downloading malware, providing banking details or revealing sensitive information. Crude bots, which mimic human behaviours online in rudimentary ways, have started to show usage in low-level attacks – suggesting cyber criminals are adopting these types of mimicking systems.[255]

Work trends continue to be reliant on remote working but this has yet to evolve into a more encompassing technological change that would involve avatars standing in for people in virtual offices or meeting spaces. While much work is going into the creation of these metaverse systems, the long development cycle of these technologies merits a low threat rating.


2.2 Biological data drives a rash of breaches

Threat Horizon 2023 prediction: Attackers will relentlessly target organisations that gather biological data recognising its high value and utility.

Confidence level:

Supporting evidence: The global pandemic has prompted greater interest in healthier lifestyles and an increase in apps that offer services in monitoring and tracking biological data to help people avoid hotspots, book vaccines or just keep fit.[256] Apple’s flagship watch, for example, tracks numerous health indicators and can be found on almost 100 million wrists – demonstrating the rising interest in health data.[257]

The biological data gathered by individuals, stored by organisations and shared with healthcare providers is a type of personal information that attracts high demand on the black market. Attackers have mounted numerous campaigns against healthcare providers to secure this valuable resource.[258] Those exposed to biological data theft are at risk of financial fraud, identity theft, and account takeovers.

Attacks on health-care organisations grew by 470% in 2020 and the global pandemic has nudged cyber thieves towards this category of data. As the pandemic continues this focus will doubtless be prolonged raising the threat posed by this attack type.

2.3 Gamed algorithms cause commercial confusion

Threat Horizon 2023 prediction: As organisations power interaction with customers via algorithms, attackers will manipulate these systems to undermine digital experiences and commercial advantages.

Confidence level:

Supporting evidence: The use of bots to game algorithms, secure limited supplies of goods, exploit loopholes in poorly written algorithms and mount creative attacks has undergone a swift industrialisation in the last 12 months.[259]

So-called ‘grinch’ bots are being used to distort the market value of some goods so prices exceed the manufacturer’s recommended retail price.[260] Doordash drivers successfully gamed algorithms[261] to improve their pay and Uber moved to limit use of bots that worked out if drivers were being paid correctly.[262] Bot attacks on social media services are now commonplace[263] and are beginning to be seen securing pitches at campsites and vaccination appointments.[264]

An overview of the growth of the bot ecosystem suggests about 24% of global net traffic is generated by bots – many of which are trying to exploit consumers and abuse algorithms.[265] Lawmakers in some regions are drafting legislation to tackle the growth of bot abuse[266] but these efforts will take a long time to enact. The surging growth of abusive bots and lack of effective policy controls lead us to rate this threat highly.

3.1 Smart grids succumb to an attack surge

Threat Horizon 2023 prediction: Adversarial actors will take advantage of vulnerable and poorly secured components in smart grids. Blackouts that disrupt operations will result.

Confidence level:

Supporting evidence: The move to smart grids has begun, with more organisations willing to swap fossil fuel sources for sustainable energy supplies. The market for smart grid technology is set to triple by 2023[267] and that growth is expected to run in excess of 10% per year up to 2028.[268]

Energy firms are already regularly under attack with both domestic suppliers (register) and infrastructure operators in India,[269] Brazil,[270] and the US[271] suffering breaches. In addition, vulnerabilities have been found in several types of hardware, including smart meters, used to build smart grids[272,273] highlighting the susceptibility of this technology to hack attacks. This led the US to issue a mandate urging all operators of critical infrastructure, which includes power generators and distributors, to take part in a program to secure the new and old ICS systems involved in this sector.[274]

The ongoing focus of attack groups on the energy sector, technology transitions and official efforts to shore up defences gives this threat a medium rating.


3.2 Isolationism creates a security disconnect

Threat Horizon 2023 prediction: Global operations will be hit by a raft of social, legal and political changes confronting organisations with an increasingly costly and fragmented operating environment.

Confidence level:

Supporting evidence: A rapid increase in the number of short-term and region-specific regulations governing internet use is threatening to turn the internet into a collection of disparate networks. This ‘splinternet’,[275] as some have called it, would force organisations to operate under very different regimes and potentially force them to hold and process data locally rather than centrally.

China[276] and India[277] have been enthusiastic enactors of rules and regulations governing the use of the internet and technology. Other nations to follow suit include Cambodia, Iran, Nigeria, Russia, Turkey, Uganda, Israel and Myanmar. Many of the restrictions are aimed at encryption, VPNs, apps, and data processing, potentially making it hard for multinational organisations to operate in these regions with the freedom they used to enjoy. The US and China continue to spar over advanced technologies with many restrictions now placed on who US firms can trade with and on what technologies they can collaborate.[278]

These widespread localised restrictions could be exacerbated by the prolonged impact on global supply chains due to the ongoing pandemic.[279] For instance, semi-conductor shortages[280] are being widely felt, and are likely to slow digital transformations and other tech-based innovations.[281]

These factors and the ongoing trading and operating difficulties they thrust onto organisations give this threat a high rating.

3.3 Security struggles to adjust to the never normal

Threat Horizon 2023 prediction: A constantly shifting security landscape will leave organisations in the world of the ‘never normal’ where technologies, policies and processes are not fit for purpose.

Confidence level:

Supporting evidence: The global shift to remote working driven by the pandemic has left many organisations struggling to re-erect the shell of security controls and practices they used to rely on. Zoom, Teams, other video messaging services and many cloud services all have default settings that have the potential to upend policies that were designed to govern information management unless they are customised.[282]

At the same time, attackers have been swift to mount attacks on the technologies and services used to support remote working – including VPNs, Slack, Discord and other messaging services[283,284] – to capitalise on the unfamiliarity of workers with these systems.

Some organisations have turned to tools, such as cameras and keyboard loggers, to monitor staff and customers[285] and help to adjust to the never normal. However, some of these attempts to monitor productivity, such as Xsolla’s firing of 150 workers it deemed inattentive, have been heavy-handed and bred resentment rather than loyalty.[286]

Culturally, organisations still have some way to go to cope with the shift in working patterns, the security debt they incur, and the effect they have had on their information security activities.[287]


Appendix E: ISF Threat Radar


The ISF Threat Radar (the Radar) is a visual aid created to accompany Threat Horizon reports.

The Radar (see Figure 10) is designed to help:
– record relevant future threats to information presented in Threat Horizon reports or those that are identified as specific to the organisation
– assess the potential impact of these threats
– determine the organisation’s ability to manage these threats
– prioritise plans and the investment needed to remediate threats.

Each threat is shown as a red, amber or green circle denoting the priority the threat has been assigned. The closer a threat is to the bottom left of the Radar, the more attention it merits.

FIGURE 10: Example ISF Threat Radar (axes: Impact and Ability to manage, each running from very high to very low; threat priority: High, Medium, Low; example threats A, B and C)

A customisable, interactive Microsoft PowerPoint version of the Radar can be found in the Threat Horizon community on ISF Live.

The Radar is not a traditional risk matrix or heatmap and should therefore not be treated as such:
it does not consider likelihood, probability or frequency.

Using the radar in practice


To populate the Radar, information security and risk specialists should:
– review threats in Threat Horizon reports and determine their applicability to the organisation
– identify additional threats that are specific to the organisation
– assess the potential impact of each threat to the organisation and its ability to manage them
– plot these threats on the Radar, adding colours and arrows as required.

Once populated, the completed Radar can be used to:


– brainstorm factors that might affect threats over time with IT and business representatives
– explain the threats to business leaders
– workshop the threat placements with business leaders to gain buy-in
– determine how threats can be addressed
– create remediation plans.

The Radar can facilitate engagement with the board, offering a way to visualise the extent of impending
threats to the organisation and to identify areas that require investment or further development to
support the business in the future.


An example radar
An example of how a fictitious organisation might assess the nine threats in this report, and plot them on the
Radar, is presented below and on the following page.

In this example, France Digital Electronics (FDE) is a global organisation operating in the competitive
market of consumer electronics, creating innovative products that are ahead of general trends and have a
competitive advantage over Chinese imports. This has been achieved by outsourcing many core services
through expansive supply chains. The main customer centre is based in India, outsourced to a local company,
whilst the production facilities are primarily outsourced to a Chinese manufacturer. The company HQ is
based in Paris, with product development operating via a vast network of suppliers in Asia. The IT capabilities
are mainly outsourced with a preferred cloud service provider offering nearly all the IT and analytics
services. The cloud datacentre resides in Dublin, Ireland to assist with compliance to the GDPR.

How the fictitious organisation has plotted the nine threats in this report on the Radar is illustrated in Figure
11, with its reasoning presented on page 66.

FIGURE 11: Example ISF Threat Radar (axes: Impact and Ability to manage, each running from very high to very low; threat priority: High, Medium, Low). Threats plotted:
– 3.1 Attackers poison the data well
– 3.2 Misleading signals subvert cyber fusion centres
– 2.2 Activists pivot to cyber space
– 3.3 Digital twins double the attack surface
– 1.3 Attackers undermine central cryptocurrencies
– 2.1 The cloud risk bubble bursts
– 2.3 Misplaced confidence disguises low-code risks
– 1.1 Ransomware evolves into triple extortion
– 1.2 Regulators inhibit data-driven innovation


1 Well-intentioned regulations have unintended consequences

1.1 Ransomware evolves into triple extortion
Impact: High
Ability to manage: Low
With the disparate nature of our network, ransomware could take hold quickly as the network traffic
travels much quicker than our communications could do on spotting the problem. This is a problem that is
not unique to us but one we are concerned about, with many outsourced providers connected to our
infrastructure there are many entry points that we do not control.

1.2 Regulators inhibit data-driven innovation
Impact: Very Low
Ability to manage: Very Low
At present we do not use either AI or algorithms driven by machine learning, therefore regulation in
this area is of little concern due to limited impact.

1.3 Attackers undermine central cryptocurrencies
Impact: Medium
Ability to manage: Medium
As we are a manufacturer CBDCs are not a current concern as they will impact others before demanding
changes to our finance processing systems. This gives us time to assess and understand the risks of
implementing changes to our financial systems.

2 Technology choices diminish control

2.1 The cloud risk bubble bursts
Impact: High
Ability to manage: Medium
As we have focused on one cloud provider it leaves us open to being held hostage to changes in costs,
technology or outages at that supplier. As we are so ingrained in the setup it would be a large costly
project to move our infrastructure over to a new provider.

2.2 Activists pivot to cyber space
Impact: Low
Ability to manage: High
Although we do have OT environments they are to produce consumer electronics and therefore we are
unlikely to be the target of activists. However, it would be worth scrutinising our supply chain to reveal
how key components and materials are sourced in case these could open us up to censure or attack.

2.3 Misplaced confidence disguises low-code risks
Impact: High
Ability to manage: Low
The chance of programs created by no-code or low-code tools being used in our environment is high.
This could be by internal staff trying to quickly fix a problem or an outsourced partner trying to
save time and money to produce applications. This will be hard to uncover and control, having a
severe impact on our systems.

3 Dirty data disrupts business

3.1 Attackers poison the data well
Impact: Very low
Ability to manage: Very high
We currently do not use machine learning, but we do collect data for analytical purposes to provide
a better service to our customers. The impact of maliciously manipulated data would be minimal to us
and mitigating the risk would be relatively simple for us to achieve with solutions such as MFA.

3.2 Misleading signals subvert cyber fusion centres
Impact: Low
Ability to manage: High
As we outsource all our IT services including the SOC there are some concerns about the impact that
this could cause. However, as the majority of our infrastructure is in the cloud this mitigates some of
the concerns and potential impacts but it would be sensible to assess the integrity of our threat
intelligence and data feeds.

3.3 Digital twins double the attack surface
Impact: Very high
Ability to manage: Medium
Our OT operations, as part of our manufacturing processes, include several digital twins. The need to
protect our OT systems is one of our biggest concerns and a breach here could be crippling, so this is
a high priority for us to mitigate and resolve. Information security practice in this area is evolving
and we are actively engaged in improving our understanding of these threats.


Appendix F: Making the most of Threat Horizon 2024

This appendix provides three suggested steps for using Threat Horizon 2024 and previous Threat Horizon
reports to help protect the organisation against future threats.

Threat Horizon helps senior business leaders to:

– Understand future threats to information.
– Assess the potential financial, operational, legal and regulatory compliance, reputational and
health and safety impacts on the organisation.
– Influence research and development of new products or services, transformation programmes or
M&A plans.

Threat Horizon helps security leaders to:

– Discuss and report information risk with the board.
– Define information security strategy and set budgets.
– Build secure IT infrastructure and architecture.
– Implement plans and coordinate responses across various functions affected by the threats.


THREE STEPS FOR MAKING THE MOST OF THREAT HORIZON 2024


Each of these three steps is presented with specific actions to consider, parties who may need to be involved
and ISF reports or tools that may provide value.

Step 1

Validate the predictions in Threat Horizon 2024 in the context of your organisation

Actions to consider:
– Share the Threat Horizon 2024 report (as well as the separate executive summary) with relevant parties
across your organisation.
– Become familiar with ‘The World in 2024’ forecast, the nine threats and the previous threat predictions.
– Discuss the potential impact of each threat on your organisation, and your organisation’s ability to
manage them.

Parties to involve:
CISO, information risk management team, IT managers, senior business leaders.

Related ISF reports and tools:

– Previous issues of Threat Horizon
– Information Risk Assessment Methodology 2 (IRAM2)
– ISF Threat Radar

Step 2

Create a list of future threats that are specific to your organisation

Actions to consider:
– Gather relevant parties to review findings from Step 1 and tailor Threat Horizon 2024 (and other
Threat Horizon reports) for your organisation. This may involve developing, adapting, modifying or
removing threats.
– Prioritise all threats leveraging your organisation’s existing risk management tools and methodologies.
– Use the ISF Threat Radar as a visualiser to present the customised threat list in a clear and
compelling manner.
– Present the customised list of threats to board members in order to shape decisions over
remediation plans.

Parties to involve:
Risk committee, senior business leaders, board members, CISO, IT managers

Related ISF reports and tools:

– Previous issues of Threat Horizon
– Information Risk Assessment Methodology 2 (IRAM2)
– ISF Threat Radar
– Industrial Control Systems Threat Reference Guide
– Threat Intelligence: React and prepare
– Securing the IoT: Taming the connected world (Briefing Paper)
– Protecting the Crown Jewels: How to secure mission-critical information assets


Step 3

Develop and implement remediation plans specific to your organisation

Actions to consider:
– Prepare to address emerging threats, for example by:
• updating your organisation’s information security strategy
• collaborating across your organisation to rethink and rehearse business continuity and disaster
recovery plans
• identifying changes required to infrastructure and architecture.
– Create plans to remediate each threat, assigning responsibilities to named individuals and setting target
dates for specific actions.
– Align actions with your organisation’s information risk management approaches, structures
and frameworks.

Parties to involve:
Risk committee, senior business leaders, board members, CISO, IT managers.

Related ISF reports and tools:

– Delivering an Effective Cyber Security Exercise
– Standard of Good Practice for Information Security 2020 (SOGP)
– Protecting the Crown Jewels: How to secure mission-critical information assets
– Information Risk Assessment Methodology 2 (IRAM2)
– Industrial Control Systems: Securing the systems that control physical environments
– Using Cloud Services Securely: Harnessing core controls
– Human-Centred Security: Addressing psychological vulnerabilities (Briefing Paper)
– Human-Centred Security: Positively influencing security behaviour (Briefing Paper)
– Securing the IoT: Taming the connected world (Briefing Paper)
– Demystifying Artificial Intelligence in information security (Briefing Paper)
– Establishing a Business-Focused Security Assurance Programme: Confidence in controls
– Legal and Regulatory Implications for Information Security (Interactive Guide)
– Becoming a Next-Generation CISO (Briefing Paper)
– Deploying Open Source Software: Challenges and rewards (Briefing Paper)
– Continuous Supply Chain Assurance: Monitoring supplier security
– Extinction Level Attacks: A survival guide
– Securing Containers: Keeping pace with change (Briefing Paper)
– Security Architecture: Navigating complexity (Briefing Paper)
– Cyber Insurance: Is it worth the risk? (Briefing Paper)
– Demystifying Zero Trust (Briefing Paper)
– Information Security in Mergers and Acquisitions (Briefing Paper)
– Securing the Supply Chain: Preventing your supplier’s vulnerabilities from becoming your own

Threat Horizon 2024: The disintegration of trust 69


CONTENTS INTRODUCTION THE WORLD IN 2024 ONE TWO THREE CONCLUSION APPENDICES COLLABORATION

Appendix G: References
This appendix lists resources that readers may find useful for further research and reading around each
section of the report.

These references are accurate and available as of the date of publication.

The world in 2024

Political
1 Wylie, C., “Donald Trump predicts ‘big’ 2024 as he declares love for the US”, The Independent, 1 December 2021,
https://www.independent.co.uk/news/uk/donald-trump-nigel-farage-boris-johnson-gb-news-brexit-b1968056.html
2 “Global Trends 2040: A more contested world”, US National Intelligence Council, March 2021,
https://www.dni.gov/files/ODNI/documents/assessments/GlobalTrends_2040.pdf
3 Quinn, J., “Beijing’s Taiwan Invasion Timeline: Two Predictions”, National Review, 8 November 2021,
https://www.nationalreview.com/corner/beijings-taiwan-invasion-timeline-two-predictions/
4 Ellis, S. and Lin, M., “Taiwan’s Pro-China KMT Reelects Old Hand in Bid to Reclaim Power”, Bloomberg, 25 September 2021,
https://www.bloomberg.com/news/articles/2021-09-25/taiwan-s-pro-china-kmt-reelects-old-hand-in-bid-to-reclaim-power
5 “Taiwan opposition party’s new leader pledges renewed talks with China”, Euronews, 26 September 2021,
https://www.euronews.com/2021/09/26/uk-taiwan-politics
6 Millman, N., “Europe is becoming a right-wing continent”, The Week, 7 July 2021,
https://theweek.com/politics/1002381/europe-is-becoming-a-right-wing-continent
7 “Understanding the Threat of Truth Decay”, Rand, 16 January 2018,
https://www.rand.org/research/projects/truth-decay.html

Economic
8 “The Global Economy: on Track for Strong but Uneven Growth as COVID-19 Still Weighs”, World Bank, 8 June 2021,
https://www.worldbank.org/en/news/feature/2021/06/08/the-global-economy-on-track-for-strong-but-uneven-growth-as-covid-19-
still-weighs
9 Nabarro, B., “UK economic outlook: the future isn’t what it used to be”, Institute for Fiscal Studies, 12 October 2021,
https://ifs.org.uk/publications/15691
10 “Govt to change laws in Budget to tax cryptocurrency gains: FinMin official”, Business Standard, 19 November 2021,
https://www.business-standard.com/article/markets/govt-to-change-tax-laws-in-budget-to-tax-crypto-gains-finmin-
official-121111900699_1.html
11 Ballentine, C., et al., “The Fight to Control the $2 Trillion Crypto Market Is Heating Up”, Bloomberg, 25 September 2021,
https://www.bloomberg.com/news/articles/2021-09-25/who-will-control-crypto-and-bitcoin-btc-us-china-fight-rattles-investors
12 “Lisa Anderson, Predicts Supply Chain Disruptions Beyond 2024”, Supply Chain Quarterly, 5 November 2021,
https://www.supplychainquarterly.com/articles/5793-lisa-anderson-predicts-supply-chain-disruptions-beyond-2024
13 Stevenson, A. and Li, C., “What to Know About China Evergrande, the Troubled Property Giant”, New York Times, 9 December 2021,
https://www.nytimes.com/article/evergrande-debt-crisis.html

Social
14 Christakis, N., “The Long Shadow of the Pandemic: 2024 and Beyond”, Wall Street Journal, 16 October 2020,
https://www.wsj.com/articles/the-long-shadow-of-the-pandemic-2024-and-beyond-11602860214
15 Kluth, A., “Social Unrest Is the Inevitable Legacy of the Covid Pandemic”, Bloomberg, 14 November 2020,
https://www.bloombergquint.com/gadfly/2020-s-covid-protests-are-a-sign-of-the-social-unrest-to-come
16 Petersen, M. B., Twitter, 13 November 2021,
https://twitter.com/M_B_Petersen/status/1459462822719537156
17 Goldberg, E., “The 37-Year-Olds Are Afraid of the 23-Year-Olds Who Work for Them”, New York Times, 28 October 2021,
https://www.nytimes.com/2021/10/28/business/gen-z-workplace-culture.html
18 “Gartner Says Digital Ethics is at the Peak of Inflated Expectations in the 2021 Gartner Hype Cycle for Privacy”, Gartner, 30 September 2021,
https://www.gartner.com/en/newsroom/press-releases/2021-09-30-gartner-says-digital-ethics-is-at-the-peak-of-inflate

70 INFORMATION SECURITY FORUM


CONTENTS INTRODUCTION THE WORLD IN 2024 ONE TWO THREE CONCLUSION APPENDICES COLLABORATION

Technological
19 “Global Britain in a competitive age”, UK Government, March 2021,
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/975077/Global_Britain_in_a_
Competitive_Age-_the_Integrated_Review_of_Security__Defence__Development_and_Foreign_Policy.pdf
20 Wieland, K., “BT warns “Quantum Apocalypse” might happen in 2024”, Telco Titans, 6 May 2021,
https://www.telcotitans.com/btwatch/bt-warns-quantum-apocalypse-might-happen-in-2024/3176.article
21 Sengupta, K., “MI6 must harness new technologies to combat hostile states, security service chief warns”, The Independent, 30 November
2021, https://www.independent.co.uk/news/uk/home-news/mi6-technology-spying-digital-age-b1966747.html
22 Grush, L., “NASA’s Moon landing will likely be delayed ‘several years’ beyond 2024, auditors say”, The Verge, 16 November 2021,
https://www.theverge.com/2021/11/16/22783149/nasa-artemis-moon-landing-2026-office-inspector-general-report
23 Wall, M., “Kessler Syndrome and the space debris problem”, Space.com, 15 November 2021,
https://www.space.com/kessler-syndrome-space-debris
24 “Russian anti-satellite missile test draws condemnation”, BBC News, 16 November 2021,
https://www.bbc.co.uk/news/science-environment-59299101

Legal
25 “Global Britain in a competitive age”, UK Government, March 2021,
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/975077/Global_Britain_in_a_
Competitive_Age-_the_Integrated_Review_of_Security__Defence__Development_and_Foreign_Policy.pdf
26 “AI and automation: how can the UK prepare for the future of work?”, New Statesman, 4 November 2021,
https://www.newstatesman.com/spotlight/2021/11/ai-and-automation-how-can-the-uk-prepare-for-the-future-of-work
27 Cooper, D., et al., “The UK Government Publishes its AI Strategy”, Covington Inside Privacy, 4 October 2021,
https://www.insideprivacy.com/artificial-intelligence/the-uk-government-publishes-its-ai-strategy/
28 Franke, U., and Torreblanca, T. I., “Geo-tech politics: Why technology shapes European power”, European Council on Foreign Relations
policy brief, 15 July 2021,
https://ecfr.eu/publication/geo-tech-politics-why-technology-shapes-european-power/
29 Scott, M., “US offers deal to woo Europe on data”, Politico, 21 October 2021,
https://www.politico.eu/article/negotiations-for-new-transatlantic-data-deal-nudge-forward/
30 Keane, J., “With Biden in the White House, EU officials are pushing hard for a new data-sharing pact with the U.S.”, CNBC, 19 April 2021,
https://www.cnbc.com/2021/04/19/privacy-shield-eu-officials-pushing-hard-for-us-data-sharing-pact.html
31 “Can Diplomacy Win the Fight against Ransomware?”, SecAlliance, 15 June 2021,
https://www.secalliance.com/blog/can-diplomacy-win-the-fight-against-ransomware

Environmental
32 Barnes, K., “Earth may temporarily pass dangerous 1.5 warming limit by 2024, major new report says”, The Conversation, 9 September 2020,
https://theconversation.com/earth-may-temporarily-pass-dangerous-1-5-warming-limit-by-2024-major-new-report-says-145450
33 Weatherley-Singh, J., “Time for governments to take biodiversity loss as seriously as climate change”, Euractiv, 14 April 2021,
https://www.euractiv.com/section/energy-environment/opinion/time-for-governments-to-take-biodiversity-loss-as-seriously-as-
climate-change/
34 “’Sustainable’ Companies Face Increased Pressure to Justify the Sustainability Label Amid Investor Challenges and Demands for
Greater Risk Assessment and Disclosure”, National Law Review, 15 December 2021,
https://www.natlawreview.com/article/sustainable-companies-face-increased-pressure-to-justify-sustainability-label-amid
35 Levin, J., “Imagining The Future Of ESG – Investing Is Just The Beginning For The Values-Based Economy”, Forbes, 26 May 2021,
https://www.forbes.com/sites/forbesbusinesscouncil/2021/05/26/imagining-the-future-of-esg--investing-is-just-the-beginning-for-
the-values-based-economy/
36 Rowling, M., “Tired of COP26 promises, Glasgow protesters push climate justice from ‘the outside’”, Reuters, 6 November 2021,
https://www.reuters.com/business/cop/tired-cop26-promises-glasgow-protesters-push-climate-justice-the-outside-2021-11-06/

1 Well-intentioned regulations have unintended consequences

1.1 Ransomware evolves into triple extortion


37 Cimpanu, C., “US Treasury said it tied $5.2 billion in BTC transactions to ransomware payments”, Recorded Future, October 2021, https://
therecord.media/treasury-said-it-tied-5-2-billion-in-btc-transactions-to-ransomware-payments/
38 “Ransomware Trends in Bank Secrecy Act Data Between January 2021 and June 2021”, FinCEN, October 2021,
https://www.fincen.gov/sites/default/files/2021-10/Financial%20Trend%20Analysis_Ransomware%20508%20FINAL.pdf
39 “The State of Ransomware 2021”, Sophos, April 2021,
https://secure2.sophos.com/en-us/medialibrary/pdfs/whitepaper/sophos-state-of-ransomware-2021-wp.pdf
40 “Initial Access Brokers Are Breaking Into Corporate Networks and Selling Access to Bad Actors”, CISOmag, 5 May 2021,
https://cisomag.eccouncil.org/initial-access-brokers/
41 “The State of Ransomware 2021”, Sophos, April 2021,
https://secure2.sophos.com/en-us/medialibrary/pdfs/whitepaper/sophos-state-of-ransomware-2021-wp.pdf
42 Meltzer, D., “The Future of Ransomware”, Dark Reading, 21 December 2021,
https://www.darkreading.com/vulnerabilities-threats/the-future-of-ransomware
43 Ibid.
44 Balmforth, T., and Tsvetkova, M., “Russia takes down REvil hacking group at U.S. request - FSB”, Reuters, 14 January 2022,
https://www.reuters.com/technology/russia-arrests-dismantles-revil-hacking-group-us-request-report-2022-01-14/

Threat Horizon 2024: The disintegration of trust 71


CONTENTS INTRODUCTION THE WORLD IN 2024 ONE TWO THREE CONCLUSION APPENDICES COLLABORATION

1.2 Regulators inhibit data-driven innovation


45 Roper, S., and Hart, M., “The State of Small Business Britain”, Enterprise Research Council, 20 June 2018,
https://www.enterpriseresearch.ac.uk/wp-content/uploads/2018/06/SSBB-Report-2018-final.pdf
46 Obermeyer, Z. et al., “Algorithmic Bias In Health Care: A Path Forward”, Health Affairs, 1 November 2019,
https://www.healthaffairs.org/do/10.1377/hblog20191031.373615/full/
47 “Civil Rights Advocates Settle Lawsuit with Facebook: Transforms Facebook’s Platform Impacting Millions of Users”, National Fair
Housing Alliance, 19 March 2019,
https://nationalfairhousing.org/facebook-settlement/
48 Xiang, A., “Crucial Yet Overlooked: Why We Must Reconcile Legal and Technical Approaches to Algorithmic Bias”, Partnership on AI, 17
December 2020,
https://partnershiponai.org/legalapproaches-algorithmicbias/
49 Marsh, S., “Councils scrapping use of algorithms in benefit and welfare decisions”, The Guardian, 24 August 2020,
https://www.theguardian.com/society/2020/aug/24/councils-scrapping-algorithms-benefit-welfare-decisions-concerns-bias
50 Candelon, F., et al., “AI Regulation Is Coming”, Harvard Business Review, September 2021,
https://hbr.org/2021/09/ai-regulation-is-coming
51 OECD.AI Countries and Initiatives overview, OECD,
https://oecd.ai/en/countries-and-initiatives
52 Mesa, N., “Can the criminal justice system’s artificial intelligence ever be truly fair?”, Massive Science, 13 May 2021,
https://massivesci.com/articles/machine-learning-compas-racism-policing-fairness/
53 Crawford, K., (2021) Atlas of AI, Yale University Press
54 Slaughter, R. K., “Algorithms and Economic Justice: A Taxonomy of Harms and a Path Forward for the Federal Trade Commission”, Yale
Journal of Law and Technology, August 2021,
https://law.yale.edu/sites/default/files/area/center/isp/documents/algorithms_and_economic_justice_master_final.pdf
55 Binns, R., et al., “Known security risks exacerbated by AI”, UK ICO blog, 23 May 2019,
https://ico.org.uk/about-the-ico/news-and-events/ai-blog-known-security-risks-exacerbated-by-ai/

1.3 Attackers undermine central cryptocurrencies


56 Zandt, F., “The Biggest Crypto Heists”, Statista, 12 August 2021,
https://www.statista.com/chart/12707/largest-known-crypto-currency-thefts/
57 Drakopoulos, D., et al., “Crypto Boom Poses New Challenges to Financial Stability”, IMF blogs, 1 October 2021,
https://blogs.imf.org/2021/10/01/crypto-boom-poses-new-challenges-to-financial-stability/
58 Robinson, T., and DePow, C., “DeFi: Risk, Regulation, and the Rise of DeCrime”, Elliptic, 18 November 2021,
https://www.elliptic.co/hubfs/downloads/The%20Elliptic%202022%20DeFi%20Report.pdf
59 Central Bank Digital Currency Tracker, Atlantic Council,
https://www.atlanticcouncil.org/cbdctracker/
60 Banescu, S., et al., “4 key cybersecurity threats to new central bank digital currencies”, World Economic Forum, 20 November 2021,
https://www.weforum.org/agenda/2021/11/4-key-threats-central-bank-digital-currencies/
61 Wong, P., and Maniff, J.L., “Comparing Means of Payment: What Role for a Central Bank Digital Currency?”, FEDS Notes, 13 August 2020,
https://www.federalreserve.gov/econres/notes/feds-notes/comparing-means-of-payment-what-role-for-a-central-bank-digital-
currency-20200813.htm
62 Raghuveera, N., “Design choices of Central Bank Digital Currencies will transform digital payments and geopolitics”, Atlantic Council, 23
April 2020,
https://www.atlanticcouncil.org/blogs/geotech-cues/design-choices-of-central-bank-digital-currencies-will-transform-digital-
payments-and-geopolitics/
63 Auer, R., et al., “Multi-CBDC arrangements and the future of cross-border payments”, Bank of International Settlements, March 2021,
https://www.bis.org/publ/bppdf/bispap115.pdf
64 Memoria, F., “Defi Protocol Bzx Suffers Second Attack as Flash Loan Nets Hackers $630,000 in ETH”, Cryptoglobe, 18 Feb 2020,
https://www.cryptoglobe.com/latest/2020/02/defi-protocol-bzx-suffers-second-attack-as-flash-loan-nets-hackers-630000-in-eth/
65 “vStake Pool Incident Post-Mortem”, Medium, 5 May 2021,
https://medium.com/valuedefi/vstake-pool-incident-post-mortem-4550407c9714
66 “RETAIL CBDC: A THREAT OR OPPORTUNITY FOR THE PAYMENTS INDUSTRY?”, UK Finance, August 2021,
https://www.ukfinance.org.uk/system/files/CBDC-report-FINAL.pdf
67 Adams, J., “The Potential Orwellian Horror of Central Bank Digital Currencies”, adamseeconomics.com, 11 July 2021,
https://www.adamseconomics.com/post/the-potential-orwellian-horror-of-central-bank-digital-currencies
68 Robinson, A. and Leising, M., “Blythe Masters Tells Banks the Blockchain Changes Everything”, Bloomberg Markets Magazine, August 31, 2015,
https://www.bloomberg.com/news/features/2015-09-01/blythe-masters-tells-banks-the-blockchain-changes-everything

72 INFORMATION SECURITY FORUM


CONTENTS INTRODUCTION THE WORLD IN 2024 ONE TWO THREE CONCLUSION APPENDICES COLLABORATION

2 Technology choices diminish control

2.1 The cloud risk bubble bursts


69 Bowers J. and Zittrain J., “Internet Entropy”, Lawfare, 21 June 2021,
https://www.lawfareblog.com/internet-entropy
70 Bates, S., et al., “Evidence of Decreasing Internet Entropy: The Lack of Redundancy in DNS Resolution by Major Websites and Services”,
Journal of Quantitative Description: Digital Media, 1, 26 April 2021,
https://doi.org/10.51685/jqd.2021.011
71 “Usage Statistics of DNS server providers”, W3Techs, 10 January 2022,
https://w3techs.com/technologies/overview/dns_server
72 Ibid.
73 Bates, S., et al., “Evidence of Decreasing Internet Entropy: The Lack of Redundancy in DNS Resolution by Major Websites and Services”,
Journal of Quantitative Description: Digital Media, 1, 26 April 2021,
https://doi.org/10.51685/jqd.2021.011
74 Molina, B., “Global internet outage knocks out Amazon, Reddit, Google, Instagram, Twitter”, USA Today, 8 June 2021,
https://eu.usatoday.com/story/tech/2021/06/08/fastly-outage-causes-major-internet-outage-impacts-amazon-reddit-
error-503/7598273002/
75 Snider, M., “Internet outage shuts down travel, banking sites and many others, plus online services including PlayStation Network”,
USA Today, 22 July 2021,
https://eu.usatoday.com/story/tech/2021/07/22/playstation-network-banks-and-travel-sites-shut-down-net-outage/8056664002/
76 Durden, T., “After Massive Web Outage, Akamai Implements ‘Fix’, Says ’Not Cyberattack’”, ZeroHedge, 22 July 2021,
https://www.zerohedge.com/markets/least-24000-websites-down-dns-issues-arise
77 Conditt, J., “Amazon Web Services went down and took a bunch of the internet with it”, Engadget, 7 December 2021,
https://www.engadget.com/amazon-web-services-outage-dec-2021-173157290.html
78 Shah, A., “Facebook, WhatsApp, Instagram deplatform themselves: Services down globally”, The Register, 4 October 2021,
https://www.theregister.com/2021/10/04/facebook_sites_outage/
79 Sharwood, S., “OVH data centre destroyed by fire in Strasbourg – all services unavailable”, The Register, 10 March 2021,
https://www.theregister.com/2021/03/10/ovh_strasbourg_fire/
80 Graham-Cumming, J., “Cloudflare outage on July 17, 2020”, Cloudflare, 18 July 2020,
https://blog.cloudflare.com/cloudflare-outage-on-july-17-2020/
81 Kaur, D., “3 of the biggest cloud outages of 2020”, TechHQ, 17 December 2020,
https://techhq.com/2020/12/3-biggest-public-cloud-outages-of-2020/#:~:text=It%20was%20an%20initial%20early%20March%20six-
hour%20outage,system%20failure%20was%20the%20cause%20of%20the%20outage
82 Lawrence, A., “Annual Outage Analysis 2021: The causes and impacts of data center outages”, Uptime Institute, 16 April 2021,
https://uptimeinstitute.com/uptime_assets/25ff186d278b32c202fc782e60a0d473bd72bfbc6d4d65afedfa15dd406c7656-annual-
outage-analysis-2021.pdf
83 Ibid.
84 Ibid.
85 Posey, M., “The Cloud Complexity Storm and the Changing Organizational Dynamics of IT”, 451 Alliance, 6 October 2021,
https://www.451alliance.com/resources/reports/view/articleid/2024/the-cloud-complexity-storm-and-the-changing-organizational-
dynamics-of-it

2.2 Activist campaigns penetrate the cyber domain


86 Mir, A., “How both old and new media polarise society for profit (or survival)”, IPPR Progressive Review, 29 March 2021,
https://onlinelibrary.wiley.com/doi/epdf/10.1111/newe.12227
87 Campbell, T. and Hribernik, M., “A dangerous new era of civil unrest is dawning in the United States and around the world”, Verisk
Maplecroft, 10 December 2020,
https://www.maplecroft.com/insights/analysis/a-dangerous-new-era-of-civil-unrest-is-dawning-in-the-united-states-and-around-
the-world/
88 Dobie, G., et al., “10th Allianz Risk Barometer”, AGCS Allianz, 19 January 2021,
https://www.agcs.allianz.com/content/dam/onemarketing/agcs/agcs/reports/Allianz-Risk-Barometer-2021.pdf
89 Labott, E., “Get Ready for a Spike in Global Unrest”, Foreign Policy, 22 June 2021,
https://foreignpolicy.com/2021/07/22/covid-global-unrest-political-upheaval/
90 Hamilton, I. A., “77 cell phone towers have been set on fire so far due to a weird coronavirus 5G conspiracy theory”, Business Insider, 6
May 2020,
https://www.businessinsider.com/77-phone-masts-fire-coronavirus-5g-conspiracy-theory-2020-5
91 O’Neill, P.H., “Hackers are trying to topple Belarus’s dictator, with help from the inside”, MIT Technology Review, 26 August 2021,
https://www.technologyreview.com/2021/08/26/1033205/belarus-cyber-partisans-lukashenko-hack-opposition/
92 Peterson, A., “A new wave of Hacktivists is turning the surveillance state against itself”, Recorded Future, 27 August 2021,
https://therecord.media/a-new-wave-of-hacktivists-is-turning-the-surveillance-state-against-itself/
93 Neuberger, T., “Andreas Malm: ‘Because Nothing Else Has Worked’”, Thomas Neuberger, 26 July 2021,
https://neuburger.substack.com/p/andreas-malm-because-nothing-else
94 Waldman, A., “Gartner: ‘Weaponized’ operational tech poses grave danger”, Search Security, 26 July 2021,
https://searchsecurity.techtarget.com/news/252504484/Gartner-Weaponized-operational-tech-poses-grave-danger
95 Seals, T., “IoT Attacks Skyrocket, Doubling in 6 Months”, Threat Post, 6 September 2021
https://threatpost.com/iot-attacks-doubling/169224/
96 Burton, F., “The attack cycle, mass shootings and lone wolves: What companies should know”, Security Magazine, 25 August 2021,
https://www.securitymagazine.com/articles/95937-the-attack-cycle-mass-shootings-and-lone-wolves-what-companies-should-know
97 Simon, J.D., “State of Terrorism: Predicting the Next Wave of Lone Wolf Attacks”, Homeland Security Today, 13 September 2021,
https://www.hstoday.us/911/state-of-lone-wolf-terrorism-predicting-the-next-wave/
98 “Allianz Risk Barometer 2021 - Political risks and violence”, Allianz Risk Barometer 2021, 19 January 2021,
https://www.agcs.allianz.com/news-and-insights/expert-risk-articles/allianz-risk-barometer-2021-political-risks.html

Threat Horizon 2024: The disintegration of trust 73


CONTENTS INTRODUCTION THE WORLD IN 2024 ONE TWO THREE CONCLUSION APPENDICES COLLABORATION

2.3 Misplaced confidence disguises low-code risks


99 Mlitz, K., “Global low-code development platform market revenue 2018-2025”, Statista, 23 August 2021,
https://www.statista.com/statistics/1226179/low-code-development-platform-market-revenue-global/
100 Duruk, C., “Software will eat software in a remote-first world”, Margins, 25 March 2020,
https://themargins.substack.com/p/software-will-eat-software-in-a-remote
101 “Gartner Forecasts Worldwide Low-Code Development Technologies Market to Grow 23% in 2021”, Gartner, 16 February 2021,
https://www.gartner.com/en/newsroom/press-releases/2021-02-15-gartner-forecasts-worldwide-low-code-development-
technologies-market-to-grow-23-percent-in-2021
102 McKendrick, J., “What is low-code and no-code? A guide to development platforms”, ZDNet, 3 March 2021,
https://www.zdnet.com/article/special-report-what-is-low-code-no-code-a-guide-to-development-platforms/
103 Chen, M., et al., “Evaluating Large Language Models Trained on Code”, Arxiv, 14 July 2021,
https://arxiv.org/abs/2107.03374
104 Arghire, I., “Code Generated by GitHub Copilot Can Introduce Vulnerabilities: Researchers”, Security Week, 31 August 2021,
https://www.securityweek.com/code-generated-github-copilot-can-introduce-vulnerabilities-researchers
105 “By Design: How Default Permissions on Microsoft Power Apps Exposed Millions”, UpGuard, 3 August 2021,
https://www.upguard.com/breaches/power-apps
106 Rohlf, C., “AI Code Generation and Cybersecurity”, Council on Foreign Relations, 9 November 2021,
https://www.cfr.org/blog/ai-code-generation-and-cybersecurity

3 Dirty data disrupts business

3.1 Attackers poison the data well


107 Coughlin, T., “175 Zettabytes By 2025”, Forbes, 27 November 2018,
https://www.forbes.com/sites/tomcoughlin/2018/11/27/175-zettabytes-by-2025
108 “Data Creation and Replication Will Grow at a Faster Rate than Installed Storage Capacity, According to the IDC Global DataSphere and
StorageSphere Forecasts”, IDC, 24 March 2021,
https://www.idc.com/getdoc.jsp?containerId=prUS47560321
109 Ibid.
110 Wong, A., “By 2025, nearly 30 percent of data generated will be Real Time”, Angela Wong, 25 October 2020,
https://angela-wong.medium.com/by-2025-nearly-30-percent-of-data-generated-will-be-real-time-f37fba359904
111 Coughlin, T., “175 Zettabytes By 2025”, Forbes, 27 November 2018,
https://www.forbes.com/sites/tomcoughlin/2018/11/27/175-zettabytes-by-2025
112 Violino, B., “Many executives lack a high level of trust in their organization’s data, analytics, and AI”, ZDNet, 7 February 2018,
https://www.zdnet.com/article/most-executives-dont-trust-their-organizations-data-analytics-and-ai/
113 Poremba, S., “Data Poisoning: When Attackers Turn AI and ML Against You”, Security Intelligence, 21 April 2021,
https://securityintelligence.com/articles/data-poisoning-ai-and-machine-learning/
114 Schwartz, O., “In 2016, Microsoft’s Racist Chatbot Revealed the Dangers of Online Conversation. The bot learned language from people
on Twitter—but it also learned values”, IEEE Spectrum, 25 November 2019,
https://spectrum.ieee.org/in-2016-microsofts-racist-chatbot-revealed-the-dangers-of-online-conversation
115 Yuanchun, L., et al., “DeepPayload: Black-box Backdoor Attack on Deep Learning Models through Neural Payload Injection”, Arxiv, 18
January 2021,
https://arxiv.org/abs/2101.06896
116 Comiter, M., “Attacking Artificial Intelligence: AI’s Security Vulnerability and What Policymakers Can Do About It”, Belfer Center for
Science and International Affairs, August 2019,
https://www.belfercenter.org/publication/AttackingAI

3.2 Misleading signals subvert cyber fusion centres


117 Coker, J., “Nation State Interference During the US Presidential ‘Pandemic Election’”, Infosecurity, 10 September 2020,
https://infosecurity-magazine.com/news-features/nation-state-interference-us/
118 Hansler, J., et al., “Russian disinformation campaign working to undermine confidence in Covid-19 vaccines used in US”, CNN Politics, 8
March 2021,
https://edition.cnn.com/2021/03/07/politics/russian-disinformation-pfizer-vaccines/index.html
119 Chattopadhyay, A. and Mitra, U., “Security against false data injection attack in cyber-physical systems”, Arxiv, 31 July 2018,
https://arxiv.org/pdf/1807.11624.pdf
120 Ahmed, M. and Pathan, A., “False data injection attack (FDIA): an overview and new metrics for fair evaluation of its countermeasure”,
Complex Adaptive Systems Modelling, 23 April 2020,
https://casmodeling.springeropen.com/articles/10.1186/s40294-020-00070-w
121 Narisada, S., et al., “Stronger Targeted Poisoning Attacks Against Malware Detection”, CANS2020, 9 December 2020,
https://link.springer.com/chapter/10.1007/978-3-030-65411-5_4
122 “Attacking SIEM with Fake Logs”, LetsDefend, 13 September 2020,
https://letsdefend.io/blog/attacking-siem-with-fake-logs/

3.3 Digital twins double the attack surface


123 “Can Digital Twins Transform Singapore’s Built Environment?”, Eden Strategy Institute, 4 August 2021,
https://www.edenstrategyinstitute.com/2021/08/04/is-digital-twin-technology-the-key-to-transforming-singapores-built-environment-industry/
124 “Dassault Systèmes and the FDA Extend Collaboration to Inform Cardiovascular Device Review Process and Accelerate Access to New
Treatments”, Dassault Systems, 24 July 2019,
https://www.3ds.com/newsroom/press-releases/dassault-systemes-and-fda-extend-collaboration-inform-cardiovascular-device-review-process-and-accelerate-access-new-treatments
125 Clarke, P., “The Cyber-Physical Fabric”, LinkedIn Pulse, 24 June 2021,
https://www.linkedin.com/pulse/cyber-physical-fabric-paul-clarke/
126 Chen, Y., et al., “Digital Twins in Pharmaceutical and Biopharmaceutical Manufacturing: A Literature Review”, MDPI Processes, 2
September 2020,
https://www.mdpi.com/2227-9717/8/9/1088/htm
127 “The Undisputed Role of Digital Twins to Improve Pharma Manufacturing Processes”, Gramener, 16 June 2021,
https://blog.gramener.com/digital-twins-pharma-manufacturing/
128 Von See, A., “Number of IoT connected devices worldwide 2019-2030”, Statista, 19 October 2021,
https://www.statista.com/statistics/1183457/iot-connected-devices-worldwide/
129 “Plan Ahead for Phase Out of 3G Cellular Networks and Service”, FCC guides, 28 October 2021,
https://www.fcc.gov/consumers/guides/plan-ahead-phase-out-3g-cellular-networks-and-service
130 “Alert (AA21-287A): Ongoing Cyber Threats to U.S. Water and Wastewater Systems”, CISA, 14 October 2021,
https://us-cert.cisa.gov/ncas/alerts/aa21-287a
131 Waldman, A., “Gartner: ‘Weaponized’ operational tech poses grave danger”, Search Security, 26 July 2021,
https://searchsecurity.techtarget.com/news/252504484/Gartner-Weaponized-operational-tech-poses-grave-danger
132 Kovacs, E., “Many Ransomware Attacks on OT Organizations Involved Ryuk: IBM”, Security Week, 27 October 2021,
https://www.securityweek.com/many-ransomware-attacks-ot-organizations-involved-ryuk-ibm
133 Waldman, A., “Gartner: ‘Weaponized’ operational tech poses grave danger”, Search Security, 26 July 2021,
https://searchsecurity.techtarget.com/news/252504484/Gartner-Weaponized-operational-tech-poses-grave-danger

Appendix B: Assessing predictions from Threat Horizon 2021

1.1 5G technologies broaden attack surfaces


134 Daws, R., “CCS Insight: 5G is becoming mainstream in some markets despite rollout slowdown”, Telecoms Tech News, 10 May 2021,
https://telecomstechnews.com/news/2021/may/10/ccs-insight-5g-mainstream-markets-rollout-slowdown/
135 Rudra, N., “Where Does the Growth of Global 5G Deployment Stands amid COVID-19 Pandemic?”, Circuit Digest, 7 July 2021,
https://circuitdigest.com/article/where-does-the-growth-of-global-5g-deployment-stands-amid-covid-19-pandemic
136 Mares, O., “This new vulnerability in 5G networks allows intercepting data & performing DoS attacks”, Information Security Newspaper,
24 March 2021,
https://www.securitynewspaper.com/2021/03/24/this-new-vulnerability-in-5g-networks-allows-intercepting-data-performing-dos-attacks/
137 “Potential threat vectors to 5G infrastructure”, US Department of Defense, 10 May 2021,
https://media.defense.gov/2021/May/10/2002637751/-1/-1/0/POTENTIAL%20THREAT%20VECTORS%20TO%205G%20INFRASTRUCTURE.PDF
138 Arghire, I., “U.S. Warns of 5G Wireless Network Security Risks”, Security Week, 24 July 2019,
https://www.securityweek.com/us-warns-5g-wireless-network-security-risks
139 Judge, P., “Mind the doors! The unexpected problem with Edge computing”, Data Center Dynamics, 22 December 2020,
https://www.datacenterdynamics.com/en/analysis/mind-doors-unexpected-problem-edge-computing/

1.2 Manipulated machine learning sows confusion


140 Leight, E., “Inside the ‘Black Market’ Where Artists Can Pay for Millions of Streams”, Rolling Stone, 20 March 2021,
https://www.rollingstone.com/music/music-features/digital-marketing-streaming-manipulation-1138529/
141 Chierici, S., “Detecting new crypto mining attack targeting Kubeflow and TensorFlow”, Sysdig, 30 June 2021,
https://sysdig.com/blog/crypto-mining-kubeflow-tensorflow-falco/
142 Mitre Atlas knowledge base, Mitre Corporation, June 2021,
https://atlas.mitre.org/
143 Pearce, W., et al., “AI security risk assessment using Counterfit”, Microsoft Security, 3 May 2021,
https://www.microsoft.com/security/blog/2021/05/03/ai-security-risk-assessment-using-counterfit/

1.3 Parasitic malware feasts on critical infrastructure


144 Kaye, J., et al., “Protecting critical infrastructure from a cyber pandemic”, World Economic Forum, 20 October 2021,
https://www.weforum.org/agenda/2021/10/protecting-critical-infrastructure-from-cyber-pandemic/
145 Ilascu, I., “Docker Hub images downloaded 20M times come with cryptominers”, Bleeping Computer, 29 March 2021,
https://www.bleepingcomputer.com/news/security/docker-hub-images-downloaded-20m-times-come-with-cryptominers/
146 Spring, T., “Crypto-Miner Campaign Targets Unpatched QNAP NAS Devices”, Threat Post, 8 March 2021,
https://threatpost.com/miner-campaign-targets-unpatched-qnap-nas/164580/
147 Cimpanu, C., “Crypto-mining gangs are running amok on free cloud computing platforms”, Recorded Future, 18 May 2021,
https://therecord.media/crypto-mining-gangs-are-running-amok-on-free-cloud-computing-platforms/
148 Cohen, G., “The Foreshadowing Of An Increase In Cyberattacks Necessitates Global Security Transformation”, Forbes, 23 November 2021,
https://www.forbes.com/sites/forbestechcouncil/2021/11/23/the-foreshadowing-of-an-increase-in-cyberattacks-necessitates-global-security-transformation/

2.1 State-backed espionage targets next gen tech


149 Gatlan, S., “Google sent 50,000 warnings of state-sponsored attacks in 2021”, Bleeping Computer, 14 October 2021,
https://www.bleepingcomputer.com/news/security/google-sent-50-000-warnings-of-state-sponsored-attacks-in-2021/
150 Burt, T., “New nation-state cyberattacks”, Microsoft, 2 March 2021,
https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/
151 Whittaker, Z., “FBI, NSA say ongoing hacks at US federal agencies ‘likely Russian in origin’”, Tech Crunch, 5 January 2021,
https://techcrunch.com/2021/01/05/fbi-nsa-says-hacks-on-us-federal-agencies-likely-russian-in-origin/
152 Lakshmanan, R., “North Korean Hackers Targeting Defense Firms with ThreatNeedle Malware”, The Hacker News, 26 February 2021,
https://thehackernews.com/2021/02/north-korean-hackers-targeting-defense.html
153 Bing, C. and Satter, R., “China-linked hackers used VPN flaw to target U.S. defense industry -researchers”, Reuters, 20 April 2021,
https://www.reuters.com/technology/china-linked-hackers-used-pulse-secure-flaw-target-us-defense-industry-2021-04-20/
154 Sharwood, A., “Japan accuses Chinese military of cyber-attacks on its space agency”, The Register, 21 April 2021,
https://www.theregister.com/2021/04/21/japan_accuses_china_of_attacking_jaxa/
155 Goodin, D., “High-performance computers are under siege by a newly discovered backdoor”, Ars Technica, 2 February 2021,
https://arstechnica.com/information-technology/2021/02/high-performance-computers-are-under-siege-by-a-newly-discovered-backdoor/
156 Hoecker, A. and Want, J., “US and China: The Decoupling Accelerates”, Bain & Company, 14 October 2020,
https://www.bain.com/insights/us-china-decoupling-tech-report-2020/

2.2 Sabotaged cloud services freeze operations


157 Bartoletti, D., “Predictions 2021: Cloud Computing Powers Pandemic Recovery”, Forrester, 19 October 2020,
https://www.forrester.com/blogs/predictions-2021-cloud-computing-powers-pandemic-recovery/
158 Jones, H. and Milliken, D., “Bank of England to crack down on ‘secretive’ cloud computing services”, Reuters, 13 July 2021,
https://www.reuters.com/business/retail-consumer/bank-england-crack-down-secretive-cloud-computing-services-2021-07-13/
159 Cimpanu, C., “Microsoft said it mitigated a 2.4 Tbps DDoS attack”, Recorded Future, 11 October 2021,
https://therecord.media/microsoft-said-it-mitigated-a-2-4-tbps-ddos-attack-the-largest-ever/
160 Cimpanu, C., “Swiss Cloud becomes the latest web hosting provider to suffer a ransomware attack”, Recorded Future, 1 May 2021,
https://therecord.media/swiss-cloud-becomes-the-latest-web-hosting-provider-to-suffer-a-ransomware-attack/
161 Bagwe, M., “Voipfone DDoS Attacks Raise Specter of Protection Racket”, Bank Info Security, 28 October 2021,
https://www.bankinfosecurity.com/voipfone-ddos-attacks-raise-specter-protection-racket-a-17805

2.3 Drones become both predator and prey


162 “Defence Minister to get detailed presentation on Jammu drone attack today”, The Economic Times, 29 June 2021,
https://economictimes.indiatimes.com/news/defence/defence-minister-to-get-detailed-presentation-on-jammu-drone-attack-today/articleshow/83949069.cms
163 “Bomb-laden drones hit airport in northern Iraq”, Dunya News, 7 July 2021,
https://dunyanews.tv/en/World/609477-Bomb-laden-drones-hit-airport-in-northern-Iraq
164 “Will Saudi Arabia become a new drone battleground?”, Egypt Independent, 31 January 2021,
https://egyptindependent.com/will-saudi-arabia-become-a-new-drone-battleground/
165 Egozi, A., “Iranian Nuke Centrifuge Plant Badly Damaged By Drones”, Breaking Defense, 25 June 2021,
https://breakingdefense.com/2021/06/iranian-nuke-centrifuge-plant-madly-damaged-by-drones/
166 Smith, H.L., “Turkey closes Diyarbakir airport for month after drone attack ‘by PKK’”, The Times, 25 May 2021,
https://www.thetimes.co.uk/article/turkey-closes-diyarbakir-airport-for-month-after-drone-attack-by-pkk-gmcj8skfz
167 Kehoe, A. and Cecotti, M., “Multiple Destroyers Were Swarmed By Mysterious ‘Drones’ Off California Over Numerous Nights”, The Drive,
23 March 2021,
https://www.thedrive.com/the-war-zone/39913/multiple-destroyers-were-swarmed-by-mysterious-drones-off-california-over-numerous-nights
168 Van Boom, D., “Autonomous drone attacked soldiers in Libya all on its own”, CNET, 31 May 2021,
https://www.cnet.com/news/autonomous-drone-attacked-soldiers-in-libya-all-on-its-own/
169 Kersley, A., “The slow collapse of Amazon’s drone delivery dream”, Wired, 3 August 2021,
https://www.wired.co.uk/article/amazon-drone-delivery-prime-air
170 Venckunas, V., “What happened to the promise of drone delivery?”, AeroTime Hub, 13 September 2021,
https://www.aerotime.aero/28865-What-happened-to-the-promise-of-drone-delivery
171 Sharwood, S., “Angry birds ground some Google Wing drones in Australia”, The Register, 23 September 2021,
https://www.theregister.com/2021/09/23/bird_attacks_ground_google_wing_drones/
172 Gannon, B., “JMU’s food delivery robots are now the targets of vandals”, The Breeze, 23 September 2021,
https://www.breezejmu.org/news/jmu-s-food-delivery-robots-are-now-the-targets-of-vandals/article_ce655dec-1bf0-11ec-88a2-377802a50ee5.html

3.1 Digital vigilantes weaponise vulnerability disclosure


173 Cimpanu, C., “Cisco routers come under attack, including a destructive hacktivist campaign”, Recorded Future, 28 June 2021,
https://therecord.media/cisco-devices-come-under-new-attacks-including-a-hacktivist-campaign/
174 Palmer, D., “Ransomware gangs are now rich enough to buy zero-day flaws, say researchers”, ZDNet, 16 November 2021,
https://www.zdnet.com/article/ransomware-gangs-are-now-rich-enough-to-buy-zero-day-flaws-say-researchers/
175 “Initial Access Brokers: An Excess of Access”, Digital Shadows, 22 February 2021,
https://resources.digitalshadows.com/whitepapers-and-reports/initial-access-brokers-report
176 “2021 Vulnerability Statistic Report Press Release”, Edgescan, 15 February 2021,
https://www.edgescan.com/2020-vulnerability-statistic-report-press-release/
177 “Verizon 2021 Data Breach Investigations Report”, Verizon, 13 May 2021,
https://www.verizon.com/business/resources/reports/dbir/
178 Vijayan, J., “CISA Issues New Directive for Patching Known Exploited Vulnerabilities”, Dark Reading, 3 November 2021,
https://www.darkreading.com/vulnerabilities-threats/cisa-issues-new-directive-for-patching-known-exploited-vulnerabilities

3.2 Big tech break up fractures business models


179 Chappell, B., “The Facebook Papers: What you need to know about the trove of insider documents”, NPR, 25 October 2021,
https://www.npr.org/2021/10/25/1049015366/the-facebook-papers-what-you-need-to-know
180 “Irish regulator proposes 36m euro Facebook privacy fine - document”, Reuters, 13 October 2021,
https://www.reuters.com/technology/irish-regulator-proposes-36-mln-euro-facebook-privacy-fine-document-2021-10-13/
181 “CMA fines Facebook over enforcement order breach”, UK Competition and Markets Authority, 20 October 2021,
https://www.gov.uk/government/news/cma-fines-facebook-over-enforcement-order-breach
182 “WhatsApp privacy policy tweaked in Europe after record fine”, BBC News, 22 November 2021,
https://www.bbc.co.uk/news/technology-59348921
183 “Google fined €500m by French competition authority”, BBC News, 13 July 2021,
https://www.bbc.co.uk/news/technology-57811953
184 Lovejoy, B., “$1.3B Apple antitrust fine was politically motivated, claims company lawyer”, 9to5 Mac, 5 November 2021,
https://9to5mac.com/2021/11/05/apple-antitrust-fine-political/
185 Shead, S., “Amazon hit with $887 million fine by European privacy watchdog”, CNBC, 30 July 2021,
https://www.cnbc.com/2021/07/30/amazon-hit-with-fine-by-eu-privacy-watchdog-.html
186 Bartz, D., “Breaking up Big Tech in focus as new U.S. antitrust bills introduced”, Reuters, 11 June 2021,
https://www.reuters.com/technology/us-house-lawmakers-introduce-bipartisan-bills-target-big-tech-2021-06-11/
187 “European Commission would police Big Tech under new rules agreed by EU members”, Euronews, 9 November 2021,
https://www.euronews.com/next/2021/11/09/european-commission-would-police-big-tech-under-new-rules-agreed-by-eu-members
188 Yu, S. and McMorrow, R., “Beijing to break up Ant’s Alipay and force creation of separate loans app”, Financial Times, 13 September 2021,
https://www.ft.com/content/01b7c7ca-71ad-4baa-bddf-a4d5e65c5d79

3.3 Rushed digital transformations destroy trust


189 “How COVID-19 has pushed companies over the technology tipping point—and transformed business forever”, McKinsey, 5 October 2021,
https://www.mckinsey.com/business-functions/strategy-and-corporate-finance/our-insights/how-covid-19-has-pushed-companies-over-the-technology-tipping-point-and-transformed-business-forever
190 Mlitz, K., “Spending on digital transformation technologies and services worldwide from 2017 to 2025”, Statista, 26 November 2021,
https://www.statista.com/statistics/870924/worldwide-digital-transformation-market-size/
191 Krasner, H., “The Cost of Poor Software Quality in the US: A 2020 Report”, Consortium for Information and Software Quality, 1 January 2021,
https://www.it-cisq.org/pdf/CPSQ-2020-report.pdf
192 “INTERPOL report shows alarming rate of cyberattacks during COVID-19”, Interpol, 4 August 2020,
https://www.interpol.int/en/News-and-Events/News/2020/INTERPOL-report-shows-alarming-rate-of-cyberattacks-during-COVID-19
193 Silverberg, D. and Smale, W., “Home working increases cyber-security fears”, BBC News, 1 February 2021,
https://www.bbc.co.uk/news/business-55824139

Appendix C: Assessing predictions from Threat Horizon 2022

1.1 Augmented attacks distort reality


194 “F1 Team Williams Unveils New Car After Hackers Foil Launch”, Security Week, 7 March 2021,
https://www.securityweek.com/f1-team-williams-unveils-new-car-after-hackers-foil-launch
195 Gonzalez, W., “How Augmented And Virtual Reality Are Shaping A Variety Of Industries”, Forbes, 2 July 2021,
https://www.forbes.com/sites/forbesbusinesscouncil/2021/07/02/how-augmented-and-virtual-reality-are-shaping-a-variety-of-industries/
196 Hannah, F., “Virtual reality headsets for work ‘could snowball’”, BBC News, 11 March 2021,
https://www.bbc.co.uk/news/business-56359061

1.2 Behavioural analytics trigger a consumer backlash


197 Robertson, A., “Detroit man sues police for wrongfully arresting him based on facial recognition”, The Verge, 13 April 2021,
https://www.theverge.com/2021/4/13/22382398/robert-williams-detroit-police-department-aclu-lawsuit-facial-recognition-wrongful-arrest
198 Srinivasan, R. and Sarial-Abi, G., “When Algorithms Fail: Consumers’ Responses to Brand Harm Crises Caused by Algorithm Errors”,
Journal of Marketing, 25 June 2021,
https://www.sciencedaily.com/releases/2021/05/210505075011.htm
199 “Data privacy: Behavioural analytics, data hoarding and government crackdowns to dominate 2021”, ITP.Net, 31 January 2021,
https://www.itp.net/security/95838-data-privacy-behavioural-analytics-data-hoarding-and-government-crackdowns-to-dominate-2021

1.3 Robo-helpers help themselves to data


200 Stanley, J., “Robot Police Dogs are Here. Should We be Worried?”, American Civil Liberties Union, 2 March 2021,
https://www.aclu.org/news/privacy-technology/robot-police-dogs-are-here-should-we-be-worried/
201 Jarrett, C., “Could Your Robot Be Spying on You? - Cybersecurity Tips for Manufacturers Employing Robotics”, Robotics Tomorrow, 6
September 2021,
https://www.roboticstomorrow.com/article/2021/06/could-your-robot-be-spying-on-you-cybersecurity-tips-for-manufacturers-employing-robotics/16978/
202 Vilches, V.M. et al., “Introducing the Robot Vulnerability Database (RVD)”, Arxiv, 24 December 2019,
https://arxiv.org/abs/1912.11299

2.1 Edge computing pushes security to the brink


203 “Edge Computing Market Size, Share & Trends Analysis Report By Component (Hardware, Software, Services, Edge-managed
Platforms), By Application, By Industry Vertical, By Region, And Segment Forecasts, 2021 - 2028”, Grand View Research, May 2021,
https://www.grandviewresearch.com/industry-analysis/edge-computing-market
204 Pohlmann, T., “Who is leading the 5G patent race for edge computing?”, Managing IP, 26 May 2021,
https://www.managingip.com/article/b1rznbcc4dsk23/who-is-leading-the-5g-patent-race-for-edge-computing
205 Alwarafy, A., et al., “A Survey on Security and Privacy Issues in Edge Computing-Assisted Internet of Things”, Arxiv, 15 March 2021,
https://arxiv.org/ftp/arxiv/papers/2008/2008.03252.pdf

2.2 Extreme weather wreaks havoc on infrastructure


206 “Headline Statements from the Summary for Policymakers”, IPCC, 9 August 2021,
https://www.ipcc.ch/report/ar6/wg1/downloads/report/IPCC_AR6_WGI_Headline_Statements.pdf
207 Guo, J., et al., “The economics of climate change: no action not an option”, Swiss Re Institute, 31 March 2021,
https://www.swissre.com/dam/jcr:e73ee7c3-7f83-4c17-a2b8-8ef23a8d3312/swiss-re-institute-expertise-publication-economics-of-climate-change.pdf
208 Bruder, M., “Texas winter storm blackouts hit chip production”, Financial Times, 17 February 2021,
https://www.ft.com/content/ec2f93ad-d23c-4ff4-867a-59385d1cc8a6
209 “Taiwan is facing a drought, and it has prioritized its computer chip business over farmers.”, New York Times, 8 April 2021,
https://www.nytimes.com/2021/04/08/business/taiwan-is-facing-a-drought-and-it-has-prioritized-its-computer-chip-business-over-farmers.html
210 Fleming, S., “These are the world’s greatest threats in 2021”, World Economic Forum, 19 January 2021,
https://www.weforum.org/agenda/2021/01/these-are-the-worlds-greatest-threats-2021/

2.3 The Internet of forgotten things bites back


211 “IoT Cybersecurity: regulating the Internet of Things”, Thales, June 2021,
https://www.thalesgroup.com/en/markets/digital-identity-and-security/iot/inspired/iot-regulations
212 Newman, L.H., “100 Million More IoT Devices Are Exposed—and They Won’t Be the Last”, Wired, 13 April 2021,
https://www.wired.com/story/namewreck-iot-vulnerabilities-tcpip-millions-devices/
213 “Urgent/11”, Armis, 15 December 2020,
https://www.armis.com/research/urgent11/
214 Seals, T., “‘URGENT/11’ Critical Infrastructure Bugs Threaten EternalBlue-Style Attacks”, Threat Post, 29 July 2019,
https://threatpost.com/urgent-11-critical-infrastructure-eternalblue/146731/
215 Slabodkin, G., “Legacy medical devices, growing hacker threats create perfect storm of cybersecurity risks”, MedTechDive, 22 June 2021,
https://www.medtechdive.com/news/legacy-medical-devices-growing-hacker-threats-create-medtech-cyber-risks/602157/
216 Sergiu, G., “SonicWall warns of ‘critical’ ransomware risk to EOL SMA 100 VPN appliances”, Bleeping Computer, 14 July 2021,
https://www.bleepingcomputer.com/news/security/sonicwall-warns-of-critical-ransomware-risk-to-eol-sma-100-vpn-appliances/
217 Arghire, I., “Capcom Says Older VPN Device at Heart of Ransomware Attack”, Security Week, 14 April 2021,
https://www.securityweek.com/capcom-says-older-vpn-device-heart-ransomware-attack
218 Mares, O., “Chinese Cybercriminals Hack Cameras to Sell Private Videos on Dark Web”, Information Security Newspaper, 31 March 2021,
https://www.securitynewspaper.com/2021/03/31/chinese-cybercriminals-hack-cameras-to-sell-private-videos-on-dark-web/

3.1 Deepfakes tell true lies


219 “Deepfakes, Fraud’s Next Frontier”, Recorded Future, 20 April 2021,
https://go.recordedfuture.com/hubfs/reports/cta-2021-0429.pdf
220 “Malicious Actors Almost Certainly Will Leverage Synthetic Content for Cyber and Foreign Influence Operations”, Internet Crime
Complaint Center, 10 March 2021,
https://www.ic3.gov/Media/News/2021/210310-2.pdf
221 Townsend, K., “Becoming Elon Musk – the Danger of Artificial Intelligence”, Security Week, 1 July 2021,
https://www.securityweek.com/becoming-elon-musk-%E2%80%93-danger-artificial-intelligence
222 “Deepfake Voice Technology: The Good. The Bad. The Future”, Econotimes, 1 February 2021,
https://www.econotimes.com/Deepfake-Voice-Technology-The-Good-The-Bad-The-Future-1601278

3.2 The digital generation become the scammer’s dream


223 Koop, A., “Charted: The Gen Z Unemployment Rate, Compared to Older Generations”, Visual Capitalist, 25 March 2021,
https://www.visualcapitalist.com/gen-z-unemployment-rate-chart/
224 Fung, B. and Sands, G., “Former SolarWinds CEO blames intern for ‘solarwinds123’ password leak”, CNN, 26 February 2021,
https://edition.cnn.com/2021/02/26/politics/solarwinds123-password-intern/index.html
225 Biasini, N., et al., “Sowing Discord: Reaping the benefits of collaboration app abuse”, Cisco Talos, 7 April 2021,
https://blog.talosintelligence.com/2021/04/collab-app-abuse.html
226 Cox, J., “How Hackers Used Slack to Break into EA Games”, Vice, 11 June 2021,
https://www.vice.com/en/article/7kvkqb/how-ea-games-was-hacked-slack
227 Turse, N., “Pentagon War Game Includes Scenario for Military Response to Domestic Gen Z Rebellion”, The Intercept, 5 June 2020,
https://theintercept.com/2020/06/05/pentagon-war-game-gen-z/

3.3 Activists expose digital ethics abuse


228 Jenkins, J., “Whistleblowers: Software bug keeping hundreds of inmates in Arizona prisons beyond release dates”, KJZZ, 22 February 2021,
https://kjzz.org/content/1660988/whistleblowers-software-bug-keeping-hundreds-inmates-arizona-prisons-beyond-release
229 Feathers, T., “Facial Recognition Is Racist. Why Aren’t More Cities Banning It?”, Vice, 25 February 2021,
https://www.vice.com/en/article/4avx3m/facial-recognition-is-racist-why-arent-more-cities-banning-it
230 Angwin, J., “Working for an algorithm”, The Markup, 5 January 2021,
https://themarkup.org/series/working-for-an-algorithm
231 Matyszczyk, C., “I looked at all the ways Microsoft Teams tracks users and my head is spinning”, ZDNet, 17 January 2021,
https://www.zdnet.com/article/i-looked-at-all-the-ways-microsoft-teams-tracks-users-and-my-head-is-spinning/
232 Horwitz, J., “The Facebook Files”, Wall Street Journal, 13 September 2021,
https://www.wsj.com/articles/the-facebook-files-11631713039

Appendix D: Assessing predictions from Threat Horizon 2023

1.1 AI industrialises high‑impact attacks


233 Rao, A.S. and Verweij, G., “Sizing the prize”, PWC, 7 July 2017,
https://www.pwc.com/gx/en/issues/data-and-analytics/publications/artificial-intelligence-study.html
234 Creese, S., et al., “Cybersecurity, emerging technology and systemic risk”, World Economic Forum, 16 November 2020,
https://www3.weforum.org/docs/WEF_Future_Series_Cybersecurity_emerging_technology_and_systemic_risk_2020.pdf
235 Vogel, S., “What is offensive AI and how do you protect against it?”, IT Pro, 22 April 2021,
https://www.itpro.co.uk/security/cyber-security/359302/what-is-offensive-ai-and-how-do-you-protect-against-it
236 Abrams, L., “LockBit ransomware now encrypts Windows domains using group policies”, Bleeping Computer, 27 July 2021,
https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/
237 Al3x9a, “How hackers are finding creative ways to steal gift cards using artificial intelligence.”, IT Next, 5 February 2021,
https://deceptive.medium.com/how-hackers-are-finding-creative-ways-to-steal-gift-cards-using-artificial-intelligence-8a0544a54c6f
238 Anderson, R., et al., “Silicon Den: Cybercrime is Entrepreneurship”, Workshop on the Economics of Information Security, 28 June 2021,
https://weis2021.econinfosec.org/wp-content/uploads/sites/9/2021/06/weis21-anderson.pdf
239 Coker, J., “Ransomware Attacks Grew by 485% in 2020”, Infosecurity Magazine, 6 April 2021,
https://infosecurity-magazine.com/news/ransomware-attacks-grow-2020/

1.2 Automated defences backfire


240 Jones, M., “The journey to ‘black box’ automation”, Tech HQ, 13 May 2019,
https://techhq.com/2019/05/the-journey-to-black-box-automation/
241 Anderson, R., “Security engineering and machine learning”, Light Blue Touchpaper, 23 June 2021,
https://www.lightbluetouchpaper.org/2021/06/23/security-engineering-and-machine-learning/
242 Pandab, P., “The Risks and Benefits associated with Automated Cybersecurity Defenses”, IT Security Wire, 27 July 2021,
https://itsecuritywire.com/featured/the-risks-and-benefits-associated-with-automated-cybersecurity-defenses/
243 Biscotti, F., “Forecast Analysis: Robotic Process Automation, Worldwide.”, Gartner, 21 September 2020,
https://www.gartner.com/en/newsroom/press-releases/2020-09-21-gartner-says-worldwide-robotic-process-automation-software-revenue-to-reach-nearly-2-billion-in-2021

1.3 Layered security causes complacency and confusion


244 “Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services”, CISA, 13 January 2021,
https://www.cisa.gov/uscert/ncas/analysis-reports/ar21-013a
245 Brzezinska, A., “The 2020 State Of Security Operations”, Forrester Consulting, 8 June 2020,
https://www.paloguard.com/datasheets/forrester-the-2020-state-of-security.pdf
246 Ibid.
247 Sheridan, K., “Tool Sprawl & False Positives Hold Security Teams Back”, Dark Reading, 12 July 2021,
https://www.darkreading.com/application-security/tool-sprawl-false-positives-hold-security-teams-back

2.1 Digital doppelgängers undermine identity


248 Takahashi, D., “Magic Leap founder Rony Abovitz creates startup Sun and Thunder to build synthetic beings”, Venture Beat, 27 January 2021,
https://venturebeat.com/2021/01/27/magic-leap-founder-rony-abovitz-creates-startup-sun-and-thunder/
249 Ramirez, V.B., “Epic Games Raised $1 Billion to Fund Its Vision for Building the Metaverse”, Singularity Hub, 14 April 2021,
https://singularityhub.com/2021/04/14/epic-games-raised-1-billion-to-fund-its-vision-for-building-the-metaverse/
250 Balakrishnan, J. and Dwivedi, Y.K., “Conversational commerce: entering the next stage of AI‑powered digital assistants”, Annals of
Operations Research, 12 April 2021,
https://link.springer.com/content/pdf/10.1007%2Fs10479-021-04049-5.pdf
251 Rubin, P., “Horizon Workrooms: Facebook’s Metaverse Is a VR Meetaverse”, Wired, 19 August 2021,
https://www.wired.com/story/facebook-horizon-workrooms-metaverse/
252 Smith, A., “Microsoft patent shows plans to revive dead loved ones as chatbots”, The Independent, 20 January 2021,
https://www.independent.co.uk/life-style/gadgets-and-tech/microsoft-chatbot-patent-dead-b1789979.html
253 Bae, G., “South Korea has used AI to bring a dead superstar’s voice back to the stage, but ethical concerns abound”, CNN, 26 January 2021,
https://edition.cnn.com/2021/01/25/asia/south-korea-kim-kwang-seok-ai-dst-hnk-intl/index.html
254 Paterra, T., “Understanding BEC Gift Card Scams”, Proofpoint, 8 September 2020,
https://www.proofpoint.com/uk/blog/threat-protection/understanding-bec-gift-card-scams
255 Bellotti, M., “Who’s Running the Vincere Bot Network on Instagram?”, Medium, 11 July 2021,
https://medium.com/swlh/whos-running-the-vincere-bot-network-on-instagram-a558be6c69db

2.2 Biological data drives a rash of breaches


256 Criddle, C., “Coronavirus creates boom in digital fitness”, BBC News, 16 December 2020,
https://www.bbc.co.uk/news/technology-55318822
257 Cybart, N., “Apple Watch Is Now Worn on 100 Million Wrists”, Above Avalon, 11 February 2021,
https://www.aboveavalon.com/notes/2021/2/11/apple-watch-is-now-worn-on-100-million-wrists
258 Venkataraman, S., “Health leaders, it’s time to prioritize cybersecurity culture and employee awareness”, Security Magazine, 11 August 2021,
https://www.securitymagazine.com/articles/95820-health-leaders-its-time-to-prioritize-cybersecurity-culture-and-employee-awareness

2.3 Gamed algorithms cause commercial confusion


259 Musotto, R. and Wall, D.S., “More Amazon than Mafia: analysing a DDoS stresser service as organised cybercrime”, Trends in Organised Crime, 4 November 2020,
https://link.springer.com/article/10.1007%2Fs12117-020-09397-5
260 Ridley, J., “UK politicians call for ‘making the resale of goods purchased using an automated bot an illegal activity’”, PC Gamer, 15 December 2020,
https://www.pcgamer.com/uk/uk-parliament-reseller-bots/
261 Ford, B., “DoorDash Drivers Game Algorithm to Increase Pay”, Bloomberg, 6 April 2021,
https://www.bloomberg.com/news/articles/2021-04-06/doordash-workers-are-trying-to-game-the-algorithm-to-increase-pay
262 Gault, M., “Uber Shuts Down App That Told Drivers If Uber Underpaid Them”, Vice, 18 February 2021,
https://www.vice.com/en/article/wx8yvm/uber-shuts-down-app-that-lets-users-know-how-badly-theyve-been-cheated
263 Haworth, J., “Social media scam: Twitter bots are tricking users into making PayPal and Venmo payments into fraudsters’ accounts”, Daily Swig, 28 September 2021,
https://portswigger.net/daily-swig/social-media-scam-twitter-bots-are-tricking-users-into-making-paypal-and-venmo-payments-into-fraudsters-accounts
264 O’Brien, M. and Choi, C., “EXPLAINER: Meet the vaccine appointment bots, and their foes”, Associated Press, 25 February 2021,
https://apnews.com/article/public-health-new-jersey-media-social-media-coronavirus-pandemic-5590b7f0cdd5d649f5f52d8c26e48112
265 “The Big Bad Bot Problem 2020”, Radware, 17 April 2020,
https://www.radwarebotmanager.com/big-bad-bot-problem-report-2020/
266 Marcus, P.H., “FTC Brings First BOTS Act Case Against Online Ticket Brokers”, National Law Review, 26 January 2021,
https://www.natlawreview.com/article/ftc-brings-first-bots-act-case-against-online-ticket-brokers

3.1 Smart grids succumb to an attack surge


267 Jaganmohan, M., “Market value of smart grids worldwide from 2017 to 2023, by region”, Statista, 29 January 2021,
https://www.statista.com/statistics/246154/global-smart-grid-market-size-by-region/
268 “Global smart grid data analytics market forecast 2021-2028”, Inkwood Research, 14 April 2021,
https://inkwoodresearch.com/reports/smart-grid-data-analytics-market/
269 “China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions”, Recorded Future, 28 February 2021,
https://www.recordedfuture.com/redecho-targeting-indian-power-sector/
270 Seals, T., “Ransomware Attacks Hit Major Utilities”, Threat Post, 5 February 2021,
https://threatpost.com/ransomware-attacks-major-utilities/163687/
271 Naraine, R., “Wind Turbine Giant Vestas Fending Off Cyberattack”, Security Week, 22 November 2021,
https://www.securityweek.com/wind-turbine-giant-vestas-fending-cyberattack
272 Mares, O., “Schneider Electric’s critical smart meter flaws expose business environments to hackers; update immediately”, Security Newspaper, 11 March 2021,
https://www.securitynewspaper.com/2021/03/11/schneider-electrics-critical-smart-meter-flaws-expose-business-environments-to-hackers-update-immediately/
273 Kovacs, E., “Vulnerabilities in Eaton Product Can Allow Hackers to Disrupt Power Supply”, Security Week, 27 April 2021,
https://www.securityweek.com/vulnerabilities-eaton-product-can-allow-hackers-disrupt-power-supply
274 “National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems”, US White House, 28 July 2021,
https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/28/national-security-memorandum-on-improving-cybersecurity-for-critical-infrastructure-control-systems/

3.2 Isolationism creates a security disconnect


275 Bradbury, D., “Welcome to the splinternet – where freedom of expression is suppressed and repressed, and Big Brother is watching”, The Register, 4 January 2021,
https://www.theregister.com/2021/01/04/welcome_to_the_splinternet/
276 Temple-Raston, D., “As China creates a new narrative for a great society, it is starting by ‘purifying’ its world online”, Recorded Future, 29 September 2021,
https://therecord.media/as-china-creates-a-new-narrative-for-a-great-society-it-is-starting-by-purifying-its-world-online/
277 Perrigo, B., “India’s New Internet Rules Are a Step Toward ‘Digital Authoritarianism,’ Activists Say. Here’s What They Will Mean”, Time, 11 March 2021,
https://time.com/5946092/india-internet-rules-impact/
278 Titcomb, J., “US blacklists quantum computing firms over national security fears”, MSN, 25 November 2021,
https://www.msn.com/en-gb/money/technology/us-blacklists-quantum-computing-firms-over-national-security-fears/ar-AAR7Gmi
279 Smith, Y., “Ships, Chips, and IPs: The High Costs of Tight Coupling”, Naked Capitalism, 26 March 2021,
https://www.nakedcapitalism.com/2021/03/ships-chips-and-ips-the-high-costs-of-tight-coupling.html
280 Potoroaca, A., “Global shortage of chips is getting worse, with no sign of supply catching up”, Techspot, 24 March 2021,
https://www.techspot.com/news/89019-global-shortage-chips-getting-worse-no-sign-supply.html
281 Whalen, J., et al., “Biden can’t fix the chip shortage anytime soon. Here’s why.” Washington Post, 1 March 2021,
https://www.washingtonpost.com/technology/2021/03/01/semiconductor-shortage-halts-auto-factories/

3.3 Security struggles to adjust to the never normal


282 Landers, G., “Hidden areas of security and the future of hybrid working”, Help Net Security, 24 March 2021,
https://www.helpnetsecurity.com/2021/03/24/hybrid-working-models/
283 Arghire, I., “Collaboration Platforms Increasingly Abused for Malware Distribution, Data Exfiltration”, Security Week, 9 April 2021,
https://www.securityweek.com/collaboration-platforms-increasingly-abused-malware-distribution-data-exfiltration
284 Tung, L., “Hackers are targeting flaws in these VPN devices now. Here’s what you need to do”, ZDNet, 21 April 2021,
https://www.zdnet.com/article/hackers-are-actively-targeting-flaws-in-these-vpn-devices-heres-what-you-need-to-do/
285 Dave, P. and Dastin, J., “U.S. banks deploy AI to monitor customers, workers amid tech backlash” Nippon.com, 19 April 2021,
https://www.nippon.com/en/news/reu20210419KBN2C611O/
286 Wallace, C., “Xsolla fires 150 employees based on big data analysis of their activity,” MCV UK, 6 August 2021,
https://www.mcvuk.com/business-news/xsolla-fires-150-employees-based-on-big-data-analysis-of-their-activity-many-of-you-might-be-shocked-but-i-truly-believe-that-xsolla-is-not-for-you/
287 Ruth, J-P.S., “CIOs Face Decisions on Remote Work for Post-Pandemic Future”, Information Week, 19 February 2021,
https://www.informationweek.com/strategic-cio/cios-face-decisions-on-remote-work-for-post-pandemic-future/a/d-id/1340193

Feedback
We’d love to hear from you

Threat Horizon 2024: The disintegration of trust
The ISF works closely with Members to deliver valuable and relevant research. By taking the time to provide feedback you can contribute to maintaining excellence in our future products.

Provide a quick feedback score*
Or provide more detailed feedback*

* Link opens an external Alchemer survey. An internet connection is required.

ISF Library
Members can browse the full range of ISF products by visiting the ISF Library on ISF Live. As part of Membership, all products can be freely downloaded.

Visit the ISF Library today

Download the latest ISF products:
Information Security in Mergers and Acquisitions
SOGP WebApp

The ISF encourages collaboration on its research and tools. ISF Members are invited to join the Threat Horizon community on ISF Live to share experiences.

Forward Work Programme
Your opportunity to propose a topic for the ISF to research.

How does it work?
Create an idea
Vote for submitted ideas
Vote for your favourite ideas on the shortlist
Look for the final results

Submit an idea for the ISF Forward Work Programme on ISF Live


Acknowledgements
The ISF thanks all Members and external experts who contributed to the information gathering
and validation phases of this report, as well as those who reviewed pre-publication drafts. We
are grateful to the ISF Advisory Council and those who participated in discussions at ISF Chapter
meetings and Digital 2021: ISF World Congress. Members often contribute research information
related to their own organisations and those contributions have been anonymised by default.
The views, opinions and comments in this report are not necessarily of work group participants
or Member organisations.

ABOUT ISF
Founded in 1989, the ISF is an independent, not‑for‑profit association of leading organisations from around the world. The organisation is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management and developing best practice methodologies, processes and solutions that meet the business needs of its Members.

ISF Members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organisations and developed through an extensive research and work programme. The ISF provides a confidential forum and framework, which ensures that Members adopt leading-edge information security strategies and solutions.

By working together, ISF Members avoid the major expenditure required to reach the same goals on their own.

Consultancy services are available to support the implementation of ISF Products.

For further information contact:

Information Security Forum
+44 (0)20 3875 6868
info@securityforum.org
securityforum.org

Prepared: January 2022


©2022 Information Security Forum Limited. All rights reserved.
