6 historical threat patterns suggest that cyberwar could be inevitable

Predicting cyberthreats has been an elusive goal. Unlike in healthcare, where early diagnostics can be used to predict and hopefully prevent disease, cybersecurity has never had a reliable means for determining that an attack is coming. This is especially true for isolated cyberbreaches, such as data theft, which are often decided on a whim. 

That said, it’s been noticed by this author recently that certain historical patterns do exist that can be used to predict large-scale cyberthreats. Sadly, as will be shown below, analysis and extrapolation of the patterns suggest an uncomfortable progression toward a major global cyberwar. Let’s go through the relevant patterns.

Threat pattern 1: Worms

In 1988, the first worm was created by a student with the innocent goal of determining whether such a program might work. This was followed by a long period of minimal worm activity, only to be broken in 2003 by a major rash of worms such as Slammer, Blaster and Nachi. These worms caused significant disruption to major business operations.

The pattern here was that an initial small-scale attack occurred in 1988, followed by 15 years of relative quiet, which ended with a significant large-scale attack in 2003. Worms still represent a cyberthreat, but not much change has occurred in their design since 2003. Worms are now in a period of relative quiet once again.

Threat pattern 2: Botnets

In 1999, the first botnet appeared, followed by a similar attack in March of 2000. This was followed by a period of relative quiet in terms of DDoS attack design innovation. Attack volumes, for example, remained relatively constant until 13 years later when Iranian hackers launched a series of massive layer 3/7 DDoS attacks at US banks. 

Again, the pattern was that an initial small-scale attack occurred in 1999, followed by 13 years of quiet, which ended with a large-scale event in 2012. Like worms, botnets are also still a security problem, but they have not experienced much significant design change since 2012. Botnet design is also in a period of relative quiet today.

Threat pattern 3: Ransomware

In 2008, a paper by the anonymous Satoshi introduced Bitcoin. That year, nearly half of all Bitcoin transactions were initiated for nefarious purposes. Little changed in terms of how cryptocurrency was used for illegal activity for about 11 years until roughly 2019, when cryptocurrency-enabled ransomware exploded as a massive problem. 

Once again, the first small-scale threat emerged in 2008, followed by 11 years of relatively constant abuse, which ended with ransomware exploding as a large-scale problem. Ransomware remains a problem, but the basic mechanism and approach have not changed much since 2019.

Threat pattern 4: ICS attacks

In 2010, electronic attackers launched the Stuxnet attack against an Iran nuclear processing facility. This futuristic campaign targeted a centrifuge and spun it out of control, causing much physical damage. Since then, we’ve seen relatively few spikes in the intensity of ICS attacks, despite a 2015 attack by Russia on Ukrainian power infrastructure.

Using our pattern analysis, we can start with the small-scale Stuxnet incident in 2010, add roughly 14 years and predict a massive rash of large-scale ICS attacks to come in 2024. This would likely involve ICS attacks occurring with the frequency and inevitability of ransomware today. The potentially harsh consequences of such attacks cannot be underestimated.

Threat pattern 5: AI

In 2013, Cylance was one of the early innovators in applying artificial intelligence (AI) to problems related to cybersecurity. In the ensuing years, AI techniques such as machine learning have become de rigueur for cybersecurity, mostly for defense. Few major advances have occurred in this area over the past decade, other than vendors building AI products.

Using our pattern analysis, we can start with small-scale application of AI in 2013, add roughly 14 years, and predict that large-scale AI security incidents will occur in 2027. It seems reasonable to expect that such innovation will involve the use of AI for cyberoffense. China seems well-suited to engage in such threats.

Threat pattern 6: Cyberwars

Dorothy Denning’s 1999 book showed how cyberoffense could complement conventional warfare, and the 2007 Estonian cyberincident was indeed troubling. Nevertheless, the first real cyberwar battles have yet to occur. We’ve never seen, for example, significant loss of life as a result of cyberwarfare.

Our definition of cyberwar is that it involves cyberattacks being used as a primary means for accomplishing the ultimate mission of the warfighter. This includes use of cyberoffense to kill people, damage or destroy infrastructure, and claim ownership and control of the cities and regions of some nation-state adversary. 

One might thus expect the first real cyberwarfare to occur later in 2022 between Russia and Ukraine. If we add 14 years to this imminent event, then we can predict a full-scale global cyberwar to occur in 2036. The U.S., European Union, and China will likely be involved. 

Cyberwar: the implication of predictive modeling

Our analysis suggests that organizations should begin preparations for ICS attacks, AI-based offensive attacks and a global cyberwar. While such depressing events might produce a moment of pause, reflecting back on the progression of cyberthreats from innocent hackers to nation-state actors is equally disturbing.

Guidelines for cyber readiness are beyond the scope here, but risk reductions can come from the following: First, cybersecurity education must be improved to expand the skilled workforce. Second, inflexible hardware components should be replaced with more virtualized software. And third, cyber infrastructure must be simplified. Complexity always equals insecurity.

Ed Amoroso is founder and CEO of Tag Cyber.