It’s been a wild five years, hasn’t it? The Covid-19 pandemic accelerated a shift to hybrid work, creating a complex web of security challenges that teams had to tackle on the fly. We saw landmark legal actions against CISOs from SolarWinds and Uber, which changed the game in terms of accountability for cyberattacks and their disclosure. Around the world, new regulations like NIS2 and the Cyber Resilience Act emerged, aimed at safeguarding organizations and consumers alike. On top of that, artificial intelligence transformed cybersecurity, presenting both allies and rivals in this ongoing battle. AI became a tool for security teams to combat a flood of new threats, while at the same time, cybercriminals used similar tech to enhance their attacks.
In the cyber world, change is constant, but the last few years brought unprecedented challenges. The surge in threats is paired with talent retention struggles and rising burnout rates among security professionals. Yet, the industry has shown remarkable resilience. We’re starting to share our challenges openly and support each other more than ever before. As we face whatever comes next, keeping this sense of community is crucial.
Predicting the future is tricky. I’m not equipped with a crystal ball to foresee the vulnerabilities on the horizon, but some trends seem entrenched and won’t disappear anytime soon. For instance, quantum computing could reshape everything within the next five years. Unlike the Y2K scare, this will unfold over time and won’t be an overnight disaster—but governments will need to find ways to protect their secrets.
I’ll throw out a bold idea: the current form of AI, especially large language models, may not live up to the hype. Despite huge investments, significant parts of the economy aren’t adopting AI as quickly as expected. Reports suggest that we’ve hit a saturation point with human-created data, and the returns from AI are beginning to dwindle. We might be approaching ‘peak AI,’ and I’m not sure that’s a cause for celebration.
Now, let’s change gears. I believe that the main cybersecurity events in the coming years will stem from geopolitical issues, especially concerning China. By 2030, we could witness heightened tensions and potential conflict, particularly around Taiwan. China has been testing boundaries with acts that resemble past encroachments in Hong Kong and has been asserting control over regional waters. If this escalates, it could lead to a major global crisis, forcing Western companies that produce critical technology to become more entwined with national security.
We’re also likely to see significant failures in critical infrastructure due to espionage and conflict. Chinese state-sponsored groups are already targeting areas like ISPs, telecommunications, and energy, positioning themselves for future conflicts. If basic infrastructure isn’t sufficiently fortified, governments might feel pressured to intervene more directly. It’s hard to justify why, in 2024, we’re not requiring multi-factor authentication for all users or why we still rely on unsafe programming languages.
Russia isn’t going away as a global threat either. As they cope with sanctions and dwindling access to Western technology, we might notice cracks in their operations. Russian ransomware groups are increasingly aligning with the Kremlin and acting as its proxies.
Expect supply chain disruptions to continue, too. We’ve seen how tightly interwoven some technologies are, where a single attack can trigger widespread chaos. Whether these come from rogue nation-states like Russia and China or organized crime, it seems we’re in for a rocky road ahead.
Eventually, governments will need to respond with policies and actions that strike a balance—not overreacting but also not missing the chance to shape norms around data security and ethical technology use. I hope that my colleagues in Washington and Whitehall will lead a thoughtful response that echoes our values and principles as a society.
Elliott Wilkes is the Chief Technology Officer at Advanced Cyber Defence Systems (ACDS). He has over a decade of experience with both the American and British governments, most recently consulting on cybersecurity for the Civil Service.