Threatcasting Future Risks from Fraud, Cyber Attacks and Technology


Over the next ten years, adoption of emerging technologies will continue to rise. As a result, vulnerabilities will be exposed and exploited by cybercriminals, nation-states, corporations, organizations and individuals to capture data (physical, digital, biological) and identities to commit fraud. Opportunities for fraud will grow and criminals will take advantage. Perpetrators of fraud will have political and ideological goals, co-opting criminals, proxy attackers and unsuspecting combatants as allies. Financial gain will not necessarily remain a consistent driver for these types of attacks.

How do we know what the next ten years will bring and what should we do to prepare for it?

Mastercard conducts annual Threatcasting exercises in which a global multidisciplinary group of practitioners comes together to discuss future threats and the actions we need to take now to prepare for the future. As a part of these events, Mastercard works with futurist and Arizona State University professor Brian David Johnson. Johnson invented the Threatcasting methodology. The practitioners recruited to participate in the exercise were instructed to follow a specific process to explore how to transform the future they desire into reality while avoiding an undesired future. This process uses social science, technical research and economics to encourage thinking beyond the present day and determine a range of possible and probable threats. These various inputs allow for the creation of potential futures. Some of these futures are desirable, while others are to be avoided.

Through the most recent workshop, we sought to identify possible threats ten years into the future at the intersection of fraud, cybersecurity and technology and determine what organizations and ecosystems could do to disrupt, mitigate and recover from these possible threats.

What does fraud look like in the decade ahead?

The data from the workshop shows that we can expect to see fraud evolve in two primary ways.

First, cybercriminals will hide in the complexity of newly adopted technologies and conduct old fraud in new ways.

Second, attackers will have new motivations to conduct fraud and will use emerging vulnerabilities to conduct new fraud in old ways.

Bad actors will use the expanding technological landscape to commit traditional fraud by hiding in the complexity and scale of the technology—including business and financial ecosystems. Attackers will use traditional fraud and broader criminal activities to achieve nontraditional effects such as attacking beyond financial systems to adjacent infrastructure. The logic of these attacks will be consistent with traditional attacks, but with expanded objectives to destabilize, distract, disrupt, influence and, in some scenarios, just prove it is possible. 

An example of old fraud in new ways could be an attacker using ransomware to gain access to a corporation’s line of biomedical devices, such as pacemakers already installed in thousands of patients, and demanding a ransom from the corporation in return for not compromising the devices, which would result in significant loss of life. In this case, the attacker could be an adversary motivated to destroy the reputation of, and confidence in, the competitor’s brand.

An example of new fraud in old ways might be digital mercenaries, highly trained in cyber warfare, being paid to execute sophisticated attacks on a vulnerable nation’s critical infrastructure on behalf of a nation-state “customer” that has a political, non-financial motivation to neutralize its target.

What can we be doing now to prepare for the threats of the future?

Form Deeper Sharing Relationships: In recognition of the broad implications of these future threats, broader industry-sharing relationships are needed. Engage with individuals, entities, organizations and industries with a variety of perspectives. The more inclusive the partnerships, the higher the level of awareness and the stronger the solutions that will be formed.

Monitor Threats: Use Threatcasting findings to monitor for emerging threats and work to coordinate their disruption. Work backwards to identify gates and flags. Gates are actions we can take and control to prepare for these futures. Flags are external indicators that we can’t control but that show us we are meaningfully moving toward a specific future.

Periodic Reporting: Going forward, periodic reporting is needed on the progression of these threats and the emergence of new ones. A fraud assessment framework paired with a global emerging threat radar will allow us to leverage data to continuously recalibrate and stay prepared.

Threatcasting: Conduct regular Threatcasting workshops with a diverse group of participants to identify new and changing threat futures and continue to define and improve tactics to disrupt, mitigate and recover as the future becomes today.

Security is everyone’s responsibility, and this responsibility spans across industries and ecosystems. Threatcasting is one tool in our tool kit to predict the actions of our attackers and disrupt their efforts at the intersection of fraud, cybersecurity and technology. Consider the future today. Be resilient tomorrow.

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

