What could protect us from future cyber threats? A good imagination

August 8, 2022 | By Sophie Hares

On the eve of the biggest merger of his career, the chief executive of a major bank is flooded with calls from panicked investors. They’re upset about a viral video apparently showing him using drugs in a hotel with a gaggle of young women.

Soon headlines purport that he paid bribes to regulators from his personal bank account. Despite his frantic denials, the merger collapses, sending shock waves through the global financial sector.

While this might sound like the story line of the latest Netflix thriller, it’s actually a scenario created using a technique called threatcasting. This particular fictitious scenario sketches out the implications of a rogue nation stealing digital data to create deepfake videos and spark a dangerous disinformation campaign.

Increasingly, threatcasting is helping organizations — from major companies to the National Cyber Security Centre of Ireland — project 10 years into the future and visualize how risks, such as cyberattacks or bombings, may evolve so that they can disrupt or mitigate them, or recover from them if they happen, says Brian David Johnson, a futurist who runs the Threatcasting Lab at Arizona State University.

Johnson developed the concept and helps organizations use it, and he’s seen growing interest since the pandemic exposed how quickly single events can spiral into global crises that paralyze businesses, supply chains and everyday life. Rather than predict the future, threatcasting builds on expert knowledge to create detailed frameworks that organizations can use to plan and invest the resources they need to tackle or avoid looming dangers.

At a recent Mastercard-hosted workshop in Dublin, Johnson asked attendees to imagine how disinformation, informational warfare and large-scale destabilization could impact customers, markets and global business resilience.

Mastercard's Marie Hansen, left and Michael Lashlee, center, work through a potential response to a disinformation attack at the company's annual threatcasting exercise with Michelle Garrigan, right, from Bank of America.

Mastercard's Marie Hansen, left and Michael Lashlee, center, work through a potential response to a disinformation attack at the company's annual threatcasting exercise with Michelle Garrigan, right, from Bank of America.

Working in small groups, the attendees conjured up characters such as a diabetic bus driver whose digital glucose monitor is hacked, a corrupt politician peddling disinformation and a banker whose digital identity is stolen.

Some brainstormed what would happen if high-tech medical, communication or city infrastructure were hijacked. Others considered the impact of cybercriminals stealing metaverse assets or people manipulating data to stoke political upheaval.

“Information disorder is right in front of us. We’re living it right now,” Johnson says. “What we’re trying to do is get to the other side of it and be able to approach it by looking backwards.”

These scenarios often start small, with forecasters imagining how one event would affect a single person before seeing how it could snowball to impact businesses, industries or even countries. Backcasting — or reverse forecasting — can then pinpoint which events or new technologies could facilitate a particular threat.

Not a one-time exercise

It’s a long-term strategy designed to allow organizations to continuously feed fresh information about new technologies or geopolitical instability into their risk models to see how threats may change.

“This gives us a chance to build on our relationships, our thinking and our ideas year after year,” said Ron Green, Mastercard’s chief security officer, in recent testimony before the U.S. Congress about the practice.

“We’re developing an informed, textured picture of the future,” he said. “It helps us identify emerging and intersecting trends. We’re anticipating how they might threaten businesses like [Mastercard], institutions like Congress and free societies like the United States.”

Though threatcasting is still in its infancy, massive leaps in connectivity, combined with fast-evolving technologies like artificial intelligence and quantum computing, may make it easier to predict and analyze possible threats, Johnson says.

How successfully organizations respond will ultimately hinge on whether people prepare for potential threats, from state-sponsored cyberterrorism to fresh pandemics and climate change.

“Everything we do is about humans — it begins with humans, it ends with humans,” says Johnson, who, despite his line of work, considers himself a committed optimist. “I’m not trying to replace people with robots. I’m trying to make their lives better.”

Top banner: This year's threatcasting exercise brough together cybersecurity leaders including, from left, Mastercard Chief Security Officer Ron Green, Caitriona Heinl of The Azure Forum for Contemporary Security Strategy, Mastercard's Katie La Zelle, Ian Sullivan of CBI, and Robert Dartnall of SecAlliance.


Disrupting the future

Brian David Johnson, who runs the Threatcasting Lab at Arizona State University, discusses how the discipline can help organizations prepare themselves for emerging threats with Mastercard's Alissa "Dr. Jay" Abdullah. 

Sophie Hares, Contributor