Five Predictions For The Security World in 2024
With some Advanced Technology punditry thrown in for good measure
That time of year is upon us, and I’ve already seen a few prognostications for the coming twelve months - some of which were so inane they don’t warrant even an acknowledgement. I guess people don’t want to be wrong - but I don’t see why not. Some of the world’s greatest institutions do it all the time.
Certainty (or at least our belief in a degree of it) is perhaps the greatest threat to the ongoing evolution of our species. If we commit to a set of beliefs that always come true, we no longer experience the potential for adversity to smack us in the face now and then, and unless our lizard-brain reflexes remain in the loop there won’t be any reason for us to retain the ability to flinch.
We’re moving deeper into the age of the imperfect model. An age in which threats appear to have been eliminated, but are in fact just more scarce than they were - lurking in the fractions of percentages of probability to lull us into false senses of security and dull our perceptions of risk.
In this age, those of us who work in the world of risk are going to find it more and more difficult to persuade others to listen.
Facts - those most elusive and apparently irrelevant of things - will not help us, because everyone will be ‘doing their own research’ and making up their own facts instead.
In this age, the weight of individual wants pushes us closer and closer towards the hysteresis point beyond which we’ll be stuck until our particular tiny square of the universe has its rug pulled out or we fall forever into the void…
But that makes it sound like I’m making a prediction. My personal timescales aren’t calibrated for that, so for now, the things that my hunches tell me will happen can just stay hanging up there on the Christmas Tree of destiny until something more concrete falls from the sky to dislodge them.
Instead, I’m going to make some predictions of things that ARE NOT going to happen in the year of 2024. Some of them are maybe vague, but I think it’s the things that these predictions indicate or suggest that are more important than the actual events themselves…
So when I come back and read this at the end of 2024, there will be some sort of get out of jail free card I can cling to if I'm completely wrong.
No eVTOL vehicles will be type certified for regular flying taxi operations
The convoluted definition of this particular non-starter makes it look as though I’m trying to wriggle out of a proper commitment, but this topic is slippery, and many of the people putting forecasted dates for the commencement of service into their diaries for the next few years are doing so with such disregard for facts and reality that if you’re not careful, the smoke and the mirrors will blind you.
For a start, let’s unpick the idea of a ‘flying taxi’.
There are plenty of vehicles in the development pipeline, some of which have received jaw-dropping levels of investment via all manner of exotic instrument. There are even a few vehicles that have received much celebrated type certification from Civil Aviation Authorities in their target nations, but despite all of this, nobody is going to be sticking their thumb out in the street and having the choice of a Tesla or an eVTOL any time in the foreseeable future - not anywhere.
Even in locations where the air was thick with hype and expectation - Paris, for instance, at the 2024 Olympic Games - we’re seriously unlikely to find anything other than perhaps a demo version of a non-volume produced vehicle, operating over a fixed route under strict limitations and just for the period of the event…if that. The people of Paris have in fact spoken, describing the proposals as ‘absurd’, despite so many of the stakeholders enthusiastically pinning their hopes on the possibility. It’s more likely that we’ll see something akin to a ‘test bed’, maybe doing little more than any of the other highly speculative and unrealistic prototypes that have popped up elsewhere already.
The AAM Reality Index is as good a place as any to start peering at the potential for certified vehicles coming to the market, and as is often pointed out by my fellow LinkedIn member, Gary Vermaak, the process can take decades. Many of those looking to enter service before the end of this particular decade have, in some instances (despite having received orders for machines along the way), not yet even flown a full size prototype, or put a human inside one, for that matter.
The economics of achieving anything like a viable service that might compete with ground-bound ride hailing per mile simply don’t seem to add up. Of course, I don’t deny that there are likely ultra-sweet-spot instances (or should I call them uber-sweet-spot?), where some magical combination of demand, range, price tolerance, geographical orientation and community apathy could somehow fall into place to make a service that could work, particularly where they coincide with an Aviation Authority and other regulators who’re willing (or have a vested interest) to just make it happen, no matter the cost. But that’s a description of the most Goldilocks set of circumstances that ever existed for anything, anywhere.
It’s not the norm.
A trickle of recreational electric flying vehicles is also beginning to find its way out through the vice-like grip of regulators here and there. eHang might claim that their vehicle is not of that sort, but given where it comes from and the fact that it is a fully autonomous aircraft with a pretty short range, I don’t think we’re going to see those things offering rides anywhere other than a theme park in a country with lax public liability laws or a nice big insurance waiver sitting alongside the booking form.
Stand well back from the rotors, children…
It isn’t the only vehicle, but it is unusual for being autonomous. The piloted versions that are seeing limited certification elsewhere are clearly aimed at the wealthy thrill-seeker, and come with a set of restrictions and limitations that make it very clear that what you’re buying is an aircraft with a set of aircraft-level responsibilities and obligations that few are going to be in a position to keep up.
They’re vulgar ornamentation - worse even (one might suggest) than a pointless shiny supercar.
Don’t be surprised if the news articles continue to emerge over the next twelve months, possibly even claiming that the flying taxi has arrived, but pop open the lid and take a closer look.
Regular operation in my definition means not temporary.
Not some sideshow.
Flying taxi in my definition means that it’s intended to be a self sustaining business model of some sort that comes with some sort of break-even point and a demonstrable route to profitability, providing fixed or flexible routing via at least two locations - not a summer season trip around the bay for tourists.
There are far more roadblocks in the way of getting to a point where a service like this can actually work, and the majority of them are technical issues - particularly around energy and traffic management, but also touching on how we’re going to establish a supply chain of pilots and when we’re going to begin addressing all of the safeguarding that will really allow the introduction of these new vehicles into the highly regulated aviation space.
Community acceptance, meteorological and air quality issues, and the availability of appropriate landing spots are all going to be kicked down the road until there’s a choice for people to make about which aircraft they want to adopt, and none of those things are going to happen before 2025.
In the meantime, there will be more (and more) adoption of larger and more autonomous Uncrewed Aerial Systems for last mile and specific types of service delivery - right up until the tempo of operations gets so high that people suddenly remember they haven’t yet fixed all of the other technical issues, and we have a nasty incident that sets us back a while on the hype cycle. That is going to happen. We just don’t yet know how soon.
Destiny appears to be pushing me back in this direction, and I expect 2024 will have me speaking on this topic much more, once again. Watch this space.
Analogue CCTV will still be a thing
Despite the snobbery of an industry that doesn’t understand why it’s snobbish to deny it, there will always be people for whom cheaper and easier is a better option than unjustified cost and unnecessary complexity.
The commoditized medium of TCP/IP related protocols and the array of active and passive networking devices that have grown in availability and shrunk in cost over the past couple of decades was an obvious choice when it came to finding a better way to push video images around than the old fashioned systems of analogue PAL and NTSC. Those unidirectional, capacity limited, insecure, highly corruptible hangover technologies, dating back to the days when the TV camera and the TV itself worked as a single closed circuit system, needed to overcome all of those issues, and the IP network was the route of least resistance at the time.
When people started to wonder why they couldn’t get more than 700 or so TV lines (look it up) resolution from their surveillance systems, even though megapixel camera chips were becoming available, the industry responded by latching on to the simplest solution they could find off the shelf, which involved chopping up a digital representation of each frame and bundling that data into handy sized packets that could be shoved across a network to some place else, where it was somebody else’s problem to put the packets back together into a meaningful sequence of frames.
This move enabled a whole lot of stuff that just would never have been possible had we stuck with analogue, and in general, those extra features and image quality enhancements do far outweigh the issues of network time lag and round-trip latency.
But when it comes to the real-time needs of users who need to physically interact with the world at the other end of the video feed, the fundamental (and mostly unfixable) problem of latency can be a disaster.
Latency is not just the time difference that occurs while the camera captures the image, encodes it into something digital, transmits it down the cable to the active network components where it gets routed and retransmitted to a computer, where it either gets thrown onto a disk drive or decoded back into a picture to be displayed on a screen. That time difference can easily be a quarter second or more, but it really doesn’t matter, because the time delay does not result in any loss of information, and in the grand scheme of things is totally insignificant when looked at in the context of the speed at which the real world works.
Where the issue with latency comes in is when you’re using something like a PTZ camera to track a person walking down the street while you sit in the security control room waggling a joystick to aim the camera at the target.
In these circumstances, every action you take and every response that happens at the camera is delayed by the period of the network lag, making it just about impossible to match your actions to the activity in the real world.
By the time you see the target it has already moved, and so by the time you decide to redirect the camera, sending a command back down the same network, the target could be anywhere.
Round trip delays exceeding half a second are not unusual, and when you’re using a long zoom lens or have a fast moving target it’s impossible to keep the camera pointing in the right direction.
It intuitively feels as though network latency in manually controlled PTZ cameras should be a thing you can fix in software - but it isn’t. Automatic tracking functions can work under some circumstances but they need to be local to the camera and need a clean field of view to work well.
Even with networks that are as finely tuned and as optimized as possible, latency remains a barrier to your ability to do very finely controlled activities in response to unpredictable real world events, and that is a major problem.
In some applications the solution is still to use direct point to point controls between the camera, the monitor and the joystick, with no network involved, but as soon as you start needing to maintain those connections to cameras on the next building or the next district or the next city, that option just stops being economically viable.
But it’s not just in the world of high performance, long range surveillance that the decision to use IP based systems can uncover difficulties.
When you’re right down at the dirty end of the market and just want to throw in a few cheap-as-chips cameras, going down the IP route can be more trouble than it’s worth. Cable distance restrictions, the need to configure switches, the relative scarcity of all-in-one PoE switch and recording devices that come with an environmental rating that allows you to chuck them under a desk or into a cleaner’s cupboard are all reasons why you still find a lot of analogue cameras and digital video recorders in markets where this is the most practical option.
Professionals in the surveillance space might try to brush these issues off like they’re meaningless, but they’re also the reasons why analogue CCTV is not going away any time soon in a whole lot of places (and in particular in the developing world).
Of course there's a possibility that as the current generation of home security IP cameras drifts out of fashion to be replaced by something else, this leftover supply chain will maybe open the door to wider adoption of IP in less mature markets, but there are still a lot of barriers preventing that from being likely.
Those cameras have been designed to deliver mediocre performance in a low cost, plug and play package to act as a vehicle to hook consumers on to subscription based cloud surveillance services. They rely on a wifi service and somebody paying the bills. I just believe that for many outside of their cosy western urban bubbles the priorities for the weekly housekeeping budget may lie elsewhere.
Dig deep into the inner cities of the west and you'll find a similar set of circumstances.
So don’t throw out your BNC crimp tool quite yet.
Access control credentialing vulnerabilities will not disappear
For a short while - back around the early 2010s - I had a feeling that we might see access control get its act together on identification technology, but it didn’t. It didn't on a whole plethora of dimensions, and still (about a decade on) has not.
It’s still a little amusifying to hear people talk about their use of ‘smart’ cards and the like, alongside the various stories that drop into my inbox about all manner of credential and reader vulnerabilities that have been unhidden by some black hatted individual who's taken a momentary interest in the hardware world.
What makes it so funny (in a gritted teeth sort of way) is that everywhere I go I find people using RFID and Wiegand just as much as they always have. I walk into fancy buildings as a visitor and am handed some pre-made card that the security person pulls out of a drawer full of others, allowing me to go where and when I want in the building.
When I point out the plethora of ways in which the credentialing strategy of these organizations is bananas, the people in charge just shrug at me and say “but what do you expect me to do?”
I get it, and they’re kinda right - although it really doesn’t need to be that way.
Let’s wind back a little.
If we look at the fundamentals of physical access control and what it ought to be, the ideal situation would be that when a person walks up to a door:
a. Some form of unequivocal identity authentication process occurs that proves beyond any doubt that the person is who they claim to be.
b. Once that's been done, another process determines whether or not this person has the appropriate permissions under the current set of contextually verifiable conditions to pass through the door. This might be as simple as the person's role in the organization, or something more specific - like the time of day or the location - but if you're really paying attention then why not check out if this person is doing something that's expected from them, or whether there are other clues from other systems that might help to prove that this is definitely the right person and also that their behavior is aligned with your values?
c. Finally, some other process needs to happen that allows that person (and only that person) to move through the door, after which the door is secured once again, ready for the next transaction.
But this is not what happens.
It's almost never what happens.
What we generally see is:
a. A person walks up to a door and waves a credential at a reading device or gestures at some sort of biometric sensor (if they think they're being real sophisticated).
b. The reader (or the biometric device) transmits some form of index number to a door controller, usually as unencrypted plain text. There is no validation that the index number transmitted has anything to do with the individual who waved the credential or even the credential they were waving…stolen cards and spoofed cards still result in an index number being transmitted. We'll look at biometrics in a minute.
c. The door controller receives the plain text index number and immediately compares it with a list of stored index numbers, all of which are considered valid and equivalent.
d. If the number is found in the list then the door controller fires a relay that switches the lock and the door is released for several seconds while the person (and anyone else who is around) walks through the door.
No real authentication of the individual requesting access occurs.
No checking of the integrity of the credential or the relationship between the individual, the credential and the index number occurs.
No contextual validation beyond the fact that the index number exists in a list of index numbers, all of which deliver a successful result to a search, maybe with a basic time or date qualification if anyone can be bothered to set that up.
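To make the gap concrete, here is the list-lookup controller described above next to a controller that authenticates the credential and checks context before releasing the door. This is an added example, not code from any access control product: the class names, the HMAC challenge-response scheme, the sample index numbers, roles and opening hours are all assumptions made for illustration. It proves possession of the credential's key (so a copied index number is no longer enough); it does not bind the card to the person holding it, and it does nothing about who else walks through once the door is open.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import time

# Constructed sample data: three enrolled index numbers.
VALID_INDEX_NUMBERS = {1001, 1002, 1003}


def legacy_controller(index_number: int) -> bool:
    """The flow described above: any number found in the list releases the door."""
    return index_number in VALID_INDEX_NUMBERS


@dataclass
class Holder:
    role: str
    key: bytes            # per-credential secret shared by card and controller
    active: bool = True   # False for leavers ("zombies") still in the database


@dataclass(frozen=True)
class DoorPolicy:
    roles: frozenset
    opens: time
    closes: time


class Credential:
    """Hypothetical card that answers a challenge instead of announcing a number."""

    def __init__(self, index_number: int, key: bytes):
        self.index_number = index_number
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Controller:
    def __init__(self, holders: dict, policy: DoorPolicy):
        self.holders = holders
        self.policy = policy
        self._outstanding = set()

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self._outstanding.add(challenge)
        return challenge

    def decide(self, index_number, challenge, response, now: time):
        # Each challenge is single use, so a recorded exchange cannot be replayed.
        if challenge not in self._outstanding:
            return False, "stale or unknown challenge"
        self._outstanding.discard(challenge)
        holder = self.holders.get(index_number)
        if holder is None or not holder.active:
            return False, "unknown or disabled credential"
        expected = hmac.new(holder.key, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return False, "credential failed authentication"
        if holder.role not in self.policy.roles:
            return False, "role not permitted at this door"
        if not (self.policy.opens <= now <= self.policy.closes):
            return False, "outside permitted hours"
        return True, "granted"


def build_demo():
    """Constructed site: one door, engineers only, 07:00 to 19:00."""
    keys = {n: secrets.token_bytes(32) for n in VALID_INDEX_NUMBERS}
    holders = {
        1001: Holder("engineer", keys[1001]),
        1002: Holder("visitor", keys[1002]),
        1003: Holder("engineer", keys[1003], active=False),
    }
    policy = DoorPolicy(frozenset({"engineer"}), time(7, 0), time(19, 0))
    cards = {n: Credential(n, keys[n]) for n in VALID_INDEX_NUMBERS}
    return Controller(holders, policy), cards


def present(controller, card, now, claimed_number=None):
    """One door transaction: controller challenges, card responds."""
    challenge = controller.new_challenge()
    number = card.index_number if claimed_number is None else claimed_number
    return controller.decide(number, challenge, card.respond(challenge), now)


if __name__ == "__main__":
    ctrl, cards = build_demo()
    print(legacy_controller(1003))                       # list lookup only
    print(present(ctrl, cards[1001], time(9, 0)))
    print(present(ctrl, cards[1002], time(9, 0), claimed_number=1001))
    print(present(ctrl, cards[1001], time(23, 0)))
```

Every refusal comes back with a reason, which is what turns a credential activity log into something you can audit against roles and hours.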
To be honest, under these circumstances the technical vulnerabilities of the credential itself are sort of beside the point, but…
Okay. Credentials are mostly insecure - on more than one level - but if your last line of defense is making sure that your staff have a piece of plastic in their hand then you've already lost.
Door controller interfacing is mostly insecure, but if your security is so lax that anyone can tamper with readers or get access to the cabling or the controller hardware then again, you're already toast.
If you're not administering or maintaining your system well enough that you realise how many zombies are in the database or how non-granular your access permissions are, or how many sets of logical conditions there are where your authorized staff are able to do things that don't make sense for their roles, or the contexts of their activities, then you don't really have an access control system. You might have a credential activity recording system, but that's not the same thing.
But I get it.
You've got 10,000 cardholders and 500 doors across 100 sites in a dozen cities… Your dinosaur Access Control provider needs you to pay a bunch of license fees before they'll even talk to you, then they'll need to sell you new readers and door controllers before you can even think of using a reasonably secure credential, all the while your C-Suite is demanding you just switch to mobile - because that's just so much more frictionless...
Even if they would let you switch to a more secure means of identification, how the heck would you manage the credential migration?
Nobody's going to get budget for that in 2024, no matter how crap the cards might be. “Migrate to the cloud!” shouts somebody from the crowd… Thanks for your suggestion, person in the crowd…
Of course, it's also true that if you've built a security strategy that's so flimsy that a lost credential brings the organization to its knees, then whoever agreed to that needs to be publicly hung, drawn and quartered…but there are plenty of organizations that are in that position, and I see no vendors or security managers (or consultants) hanging from the lampposts.
Artificial General Intelligence will still not be a thing
If you haven't already read my series on AI from earlier in the year then where have you been?
This space is moving at breakneck speed, dude! If you don't read things when they happen then you're out of date after roughly 26.37 nanoseconds…
The LLM story has already moved on in terms of the fine details since my AI series, but even though I've seen some very cool stuff since then, my basic position has not changed.
It's still just hyper functional computer stuff, right?
You get that?
2024 is going to see lots and lots of new and impressive things dive out of the development labs and into the real world (if the companies involved can stave off the urge to fire their CEOs…). My honest feeling is that very soon (next couple of years) we're going to see an inflection point after which a chunk of the population will divorce themselves from human interactions, maybe voluntarily, but many of them are just going to drift off without even knowing it - and be much happier for the move.
I can completely understand why people would do this.
It would not take a great deal of development from where we are now to get to the point where I would find an artificial entity to be a funnier, more engaging and stimulating conversationalist than 95% of the real people I meet.
Does that make the machines who represent my new circle of besties intelligent? Well, it makes me perceive them as such. If I can't tell, then they are.
Is that AGI?
Go back and read the post on models in my AI series. A model can be good enough to fly you to the stars. It doesn't mean it's the whole thing. It's just a model of the whole thing.
After another year of deep contemplation on this topic my opinions have not changed.
The great risk from what we're calling AI is far more about our own perceptions and the risks of handing over control of things that we need to work 100% of the time to models that we know will be <100% effective, without first understanding how much “<” means.
But one thing I do know for certain is that AI will make the 2024 US presidential election a complete klusterphukk.
Some people will still have to take off their shoes and remove their laptops at airport security
After a quick memory check from the internet, it turns out that IATA introduced the idea of the Checkpoint Of The Future back in 2011, which is twelve years ago right now…
Their concept was actually about pre-approval of known passengers and not about the idea that people could wander through a frictionless version of airport security without even pausing to smile at the friendly TSA person…
At that point, we were still back in a world of two dimensional X-ray baggage scanners and walk through metal detectors, and you'd think that in the intervening decade that's seen Tesla and SpaceX and ChatGPT we would be getting somewhere on the road towards that vision.
But not so much.
Aviation security is a weird space. Nobody is entirely certain where aviation safety and aviation security begin and end, and it's difficult to argue with those who insist that there can be no compromise…although that's actually a little hypocritical when you start picking at the seams between these jealously maintained disciplines.
People who work in AVSEC are really focused on screening technologies - which is obviously really important - but checkpoint security is often more about theater than it is about logic.
Weird thing - it used to be that finding a genuine threat object at a cabin bag checkpoint was close to being a once in a career occurrence for screening operators. Threat Image Projection technology - the automated insertion of fake weapon images into the workstation video feeds of the Xray machines - was created to stop operators from falling asleep from the boredom of staring at the insides of hair dryers and sex toys. In the past few years, however, the frequency of firearms - often loaded - being discovered in the carry on luggage of passengers at US airports has rocketed.
Somehow, people understand that it makes no sense to allow cigarettes to be smoked in a metal tube with a few thousand gallons of kerosene at 35,000 feet, but bringing your Glock onboard sounds like a great idea?
Checkpoints need to be more secure, not less.
However, as an airport security master planner I am mostly frustrated by the AVSEC community's failure to take adequate notice when it comes to all of the other electronic security requirements of an airport, before the terminal design progresses to the point where silly uncoordinated design decisions get made that cost people money in the long run, but that's not really today's topic.
Right now we have some great technology that's very good at automating the detection of some quite specific substances concealed within baggage or about the person of individuals. Even if we ignore the deficiencies of these technologies we still have many airports that are failing to take advantage of these capabilities, or effectively ignoring those capabilities because they fall outside of the technical understanding of the people in charge of security, or because there is some bizarre cultural reason to deviate from logically justifiable practice.
But at the same time, we also have significant gaps in the threat detection capabilities of the systems we deploy at our checkpoints that also go ignored or forgotten because dogmatic standards do not require AVSEC professionals to take a step back and question what has become an accepted set of norms.
Despite the ICAO SARPS for aviation security (that ought to establish a unified set of globally agreed baselines for the security of our skies) the actual interpretation and implementation of those “standards” is more about local practices and budgetary limitations than about achieving that baseline, and probably always will be.
So depending on where you go in 2024, you're probably going to find yourself standing in security in your socks, arguing about the futility of the process with somebody who doesn't give a crap about the fact it's more about theater than thoroughness.
That's a real shame when we have CT Xray and body scanning technologies that are actually pretty good at narrowing the window of opportunity of pre-boarding detection, but if we're not really going to pull all of the information we have available in the airport into some sort of coordinated picture then we're just playing.
Is our strategy to catch the amateurs and let the professionals through? Sometimes AVSEC feels that way.
Meanwhile, threat objects will get onboard our aircraft, and the bigger issue of securing aviation infrastructure and air traffic management systems against cyber influence will remain less invested than is appropriate.
Maybe next decade.
The whole security industry is completely full of holes and vulnerabilities. But on the whole, it rarely matters (until it does).
It's a weird whack-a-mole Venn diagram space, where things work out to be okay much of the time and then - one day - we find ourselves looking back at the aftermath of some completely predictable incident as if it was unavoidable.
Of course, we look at it through the filter of personal perspective that can make it appear better or worse than it really is.
I know that.
You know that.
2023 has not been a great year for stability or predictability, and I don't think that's going to get better, but we do need to find ways to adapt the way we deal with things to accept reality and prepare for what comes next.
Physical Security Professionals (I am trying to keep a straight face while I type that) now need to accept that unless they come out of the can with a range of technology skills that enable them to plug in to other neighboring disciplines pretty seamlessly, their days are numbered. If they're ex forces or policing, then I would question how likely it is that they’re going to have those skills. Certainly they will not, unless they actively pursue the necessary learning and fieldwork, rather than plonk themselves directly into a consulting role and expect their service record to be credentials enough. Look up the Dunning Kruger Effect if you think you know all you need to know.
Information and cyber security professionals (and those who label themselves in the resilience or sustainability fields) need to accept that the world is full of much nastier people than Greta Thunberg. If those computer science (or some other weird humanities) grads turned techie didn't spend a period of their adolescence doing something slightly illegal then I also have to wonder if they're adequately prepared for real world security.
Adversity brings out the characteristics that made humans the ultimate Apex Predators of our planet. In the age of the imperfect model adversity is on the rise, and your predictions may once again mean the difference between life and death. Perhaps now is the time to start worrying about outcomes instead of the imperfect and subjective dimension of risk based on yesterday’s version of the model?
The next year could be your last chance.
The next year will one day be your last chance.
Securiosity is the place for you if you want to challenge the status quo in security. There are so many ways we could be doing so much better, and if the few of us who are willing to upset the applecart don’t make a start then somebody’s going to come along and steal the apples…or put a VBIED in the cart…or hack into the International Fruit Exchange and collapse the world’s economy…or something.
Let me know what your predictions are for the next year, or send me some examples of the nonsense that you’ve seen from the “industry” so far.
Work has been busy for the last couple of months, and so posts on Securiosity have been a little thin on the ground, but I’m really going to pull my finger out in 2024 and get back to a more sensible frequency.
In the meantime, I hope that all of my loyal readers had an interesting 2023 and a peaceful Christmas. 2024 is almost upon us. Let’s see where the chaos spreads.
In 12 months you may be able to change the date to 2025 and repost. I’m not sure many of these subjects will change in the short term unfortunately.