More vulnerable devices, an absence of effective diplomacy, and greater emphasis on cyber responses mean the unstable status quo in cyberspace will be tough to maintain in 2021.
There's no one factor that raises the risk of a cyber tipping point. The digital realm, where any computer or smartphone can be an entry point for malicious hackers and nation states and criminals act with near impunity, is too unpredictable for that. Instead, a combination of low-probability, high-impact risks and inexorable technology trends make 2021 the year that cyber conflict will create unprecedented technological and geopolitical risk.
First, the technology side. Hundreds of millions of people will continue to work, shop, receive an education, and socialize from home in 2021 as the world waits on vaccines to change the public health outlook. The merger of home, school, and workplace isn't just a nightmare for parents, it's a nightmare for IT departments, since much of this activity uses less secure home computers and connections, giving bad actors more vulnerabilities to exploit.
This year will also see an explosion of new end devices added to the internet, as 5G networks expand coverage, and as Internet of Things sensors, cameras, and other devices proliferate. There is no broadly accepted industry standard for ensuring low-cost, commodity devices are secure and regularly updated to protect against hacking. This expanded “surface area” of vulnerability, created by more connected devices and online activity, is a playground for bad actors. In 2017, a cyberattack launched by suspected Russian state-backed hackers using stolen US hacking tools tore through corporate computer networks, inflicting more than $10 billion of damage. The next “NotPetya” will be worse.
Geopolitically, governments and the private sector have made no headway in developing global rules for state behavior in cyberspace. Instead, they've fallen back on unproven strategies such as targeted economic sanctions and “naming and shaming.” Geopolitical rivalries among cyber capable states have also grown more acute. Suspected Iranian attacks on Saudi oilfields in 2018, which combined kinetic strikes with cyber operations, are a prime example. Iran and Israel are already fighting a shadow cyber war that targets each side's critical infrastructure, threatening the eruption of broader conflict.
Governments and the private sector have made no headway in developing global rules for state behavior in cyberspace.
“Usual suspects” Russia, China, and even North Korea are capable and difficult to deter. During the Trump administration, the US granted its own cyber warriors more leeway to go on the offensive against malicious hackers. But despite claims of victory, there has been an increase in cyber efforts to steal vaccine research and gain access to government and critical infrastructure networks. The lack of a global effort to shore up systems and impose penalties beyond symbolic gestures such as sanctions and travel bans will continue to embolden bad actors this year.
The Biden administration will attempt to stabilize the situation, mainly by trying to improve US government coordination on cyber responses. But a downturn in US-Russia relations will be a key factor in making 2021 ripe for cyber trouble.
Under Biden, the United States will pursue a tougher policy toward Russia, flowing from Biden's lesser tolerance for authoritarian leaders and anger over the massive hack last year—believed to be by Russia—of US companies and government agencies. Tough US sanctions against the perpetrators are likely. Also, the United States will retaliate against Russia in cyberspace, and more generally Biden will continue the more forward-leaning posture on cyber adopted during the Trump administration, seeking to deter Russia. In this atmosphere, the risk of miscalculation or unintended cyber-escalation between the US and Russia will increase.
Non-state rogue actors will also try to take advantage of the increased “surface area” to disrupt digital business as usual.
Finally, China's demonstration late last year that its photonic quantum computer has achieved “supremacy” over supercomputers marks a milestone with far-reaching implications. The Chinese technology exceeds the quantum advantage over classical computing that Google demonstrated in late-2019 and will increase concerns that quantum computing could render modern cryptography—the bedrock of today's cyber defenses—obsolete. This year won't be the one that quantum computing cracks the world's secrets, but it will crystallize this risk for many governments.