European Cyber Defense

Part 2: Future of Cyber Security 2030

 European Cyber Defense | Part 2: Cyber security in Europe 2030

Scenario Thinking 04
Critical Uncertainties 06
Four Possible Scenarios for the Future 08
Conclusions and Outlook 14
Methodology 15
Contacts 16

02 03
 European Cyber Defense | Part 2: Cyber security in Europe 2030

Scenario Thinking
A glimpse into the future of the cyber security landscape in Europe

How the cyber security landscape will develop in Europe look like in 2030? What risks and iand business is migrating to areas with clear
in the future is one of the most uncertain opportunities result from it? To answer these cyber regulation. Individualization has led to
questions we face today. Exponential questions, we have developed four possible the end of globalization. Although multilateral
technological developments, changing scenarios. and bilateral alliances continue, there is a high
regulations, and dynamic political degree of rearmament. All in all, Europe
environments lead to constant changes in the In the Golden Cage scenario, the cyber consists of failed cyber states.
field of cyber security. New players enter the security landscape in Europe is highly stable
cyber security field, and the role of cyber and secure. Threats are known and there is In the Cyber Oligarchy scenario, a small
security in political and military spheres is little disruption. Despite sharing the high cyber elite controls cyber security. The highly
shifting. These are just some of the many costs of security, the industry is healthy. innovative free market profits from little state
powerful forces reshaping the cyber security However, there is very little innovation, and a influence and control. However, automation
landscape. high vulnerability to unforeseen threats. Non- has caused high unemployment, while
state actors outside the functioning order increases in cyber attacks and counterattacks
Decisions taken by different stakeholders in threaten cyber security. ‘Golden Walls’ have have led to a high risk of (cyber) conflict. There
this uncertain environment will determine the arisen around protected regions, such as the is a strong need for deterrents, resulting in a
future of public and private sectors, as well as EU, and protectionism reigns. Society has Cyber Arms Race and many small hot wars.
that of civil society and citizens of states. become complacent, but threats are lurking There is a large potential for new concepts of
Decision-makers today thus have the in the shadows. state, and the private sector takes an active
potential to set the scene for the future cyber interest in building a functioning state.
security landscape. The Protect Yourself scenario describes a
deeply insecure and technologically The cyber security landscape of today is
Undeniably, capturing such complexity is fragmented world characterized by a culture changing rapidly and significantly. These four
difficult – especially if one resorts to of mistrust and a high level of bureaucracy. scenarios demonstrate how different the
conventional policy or strategy analysis. While The privatization of security and cyber self- future could be. Each one has its own
it is impossible to predict the future, scenario regulation has generated small thematic opportunities and risks – let´s see what they
analysis can cut through the complexity by islands of security. Innovative pressure to would mean for all of us.
telling plausible stories of the future, counteract the lack of effectiveness in cyber
highlighting the risks and opportunities. security is high, and diplomatic negotiations Enjoy the ride
Scenarios are narratives of alternative futures have increased significantly. However, new
that serve as a foundation for strategic rules and regulations are not enforced, and
decision-making by private, public, or civil cyber mercenaries are often the only
society stakeholders engaged in cyber protection against frequent cyber attacks.
security issues. It gives these decision-makers
a chance to develop robust yet flexible In another scenario world, Cyber Darwinism
strategies for potential future scenarios. has taken over. A laissez-faire Europe has
become a digital jungle in which non-state or
The cyber security landscape is undergoing quasi-state actors have risen, and cyber
rapid and accelerating changes. We have federalism is the norm. While small heavily
captured this in two distinct parts of this protected islands of (cyber) security exist, the
study. While the first part of the European outside world is highly insecure. The
Cyber Defense 2018 looked at the status quo subsequent rise of two-class security has led
of national cyber security strategies, this to a high level of social injustice. Cyber
second part of the study focuses on the security has become a clear competitive
future: What will the cyber security landscape advantage

04 05
 European Cyber Defense | Part 2: Cyber security in Europe 2030

Critical Uncertainties
Drivers shaping the future of the cyber security landscape

As part of the scenario analysis, we have operationally driven rules and regulations on Fig. 1 – Scenario matrix describing the future of the cyber security landscape in Europe
developed a comprehensive list of political, cyber-related issues, bilateral and multilateral
military, technological, social, economic, and cooperation, and general human interaction Sufficient effectiveness
environmental drivers that have the potential in cyber space. By contrast, in the latter it is
to influence the cyber security landscape in defined by a lack of generally accepted and
Europe. This list is based on extensive enforced regulations, with cyber security
research using natural language processing being driven and controlled by a powerful
AI, expert interviews, and traditional research. minority. The underlying drivers of this critical
A diverse expert panel from the public and uncertainty include international cyber
private sectors and civil society then rated cooperation, international unilateral cyber
these drivers according to their impact on the regulation, data protection and privacy
cyber security landscape in Europe in 2030 regulation, the importance of the EU in cyber
and the uncertainty of their development. security, and the relationship between the EU

Anticipation + attribution of cyber threats / attacks

Following this, the most impactful and and other players such as NATO, the UN, and
uncertain drivers were grouped into critical individual states like Russia, China, or North
uncertainty clusters. Critical uncertainties are Korea.
overarching key themes that have the Cyber Oligarchy Golden Cage
potential to tip the development of the cyber Anticipating cyber threats and attributing
security landscape in Europe in one direction cyber attacks can be either sufficiently or
or another. insufficiently effective in future. On the one
hand, this critical uncertainty could take the
Our expert panel identified two critical form of prevention, early detection, and
uncertainties as key determinants of the resolution of cyber threats, with authorities
future of cyber security in Europe. First, the being able to attribute attacks and efficiently Fragmen- Rule-based order Clearly
existence and degree of a rule-based order. persecute perpetrators. On the other, it could ted defined
This delineates an order that is based on legal be characterized by high (cyber) insecurity
frameworks and standards at the local, due to inability to prevent or follow up on
national or international level, or any cyber threats. Drivers underlying these
combination of these. Second, the possibility developments include the development of
to anticipate cyber threats and attribute cyber computing power, quantum computing, the
attacks. Anticipating cyber threats involves the level of cyber risk, the efficiency and accuracy
identification of and preparation for cyber of attribution, the effectiveness of law
attacks within the known range of attack enforcement in countering cybercrime and
mechanisms and methods. Attributing cyber ICT terrorism, threat intelligence, and malware
attacks refers to the process of ascribing and ransomware attacks.
crimes to perpetrators by successfully
tracking, identifying, and prosecuting cyber The combination of both critical uncertainties
criminals. leads to four visions of the future, illustrated
in figure 1. All four of the resulting scenarios
The rule-based order can become either adhere to five criteria: They must be plausible,
clearly defined and operational, or relevant, divergent, challenging, and balanced.
fragmented and based on the rule of the Each of these four scenarios thus signifies a
strongest. In the case of the former, Europe is different story of the future, four alternative Cyber Darwinism Insufficient effectiveness Protect Yourself
characterized by the existence of worlds that could exist in 2030.

06 07
 European Cyber Defense | Part 2: Cyber security in Europe 2030

Four Possible Scenarios

for the Future
The cyber security landscape in Europe in 2030

Golden Cage In this scenario, Europe is highly secure and now, in 2030, there is very little room for
stable and faces very little disruption. Cyber innovation, and the little innovative potential
threat levels are known, and security that remains is limited to the engineering
Clearly defined and organizations report honestly on current sector. While the private sector is healthy, it
operational rule-based threats and developments. While a strong shares in the heavy costs of the cyber security
cyber surveillance culture exists to ensure system. Society has become complacent and
order and sufficient high levels of security, this is regulated clearly reliant on existing solutions. While states are
effectiveness of the and transparently. Strong innovation in the on high alert and in a state of readiness when
early 2020s has led to a state of technological opponents and threats are present, they
possibility to anticipate readiness for facing cyber threats. Frequent become drowsy when this is not the case.
cyber threats and attribute training and testing of cyber capabilities Consequently, while Europe is ready for
ensures constant vigilance regarding cyber known threats, it is highly vulnerable to
cyber attacks threats. This is supplemented by civilian cyber unforeseen developments. Non-state actors
drills, for example in schools and private operating outside of the existing order thus
firms. A Golden Wall has been erected constitute the biggest threat to the European
around Europe, and protectionism defines cyber security landscape.
European politics.

However, following the initial innovative push,

Protect Yourself In this world, Europe is highly bureaucratic, cyber security, there is huge innovative
extremely insecure, and technologically pressure in Europe, with both public and
fragmented. While there are small thematic private sectors driving technological
Clearly defined and islands of security, for example around developments. The innovative potential lies in
operational rule-based connected health care, cyber security outside the private sector, but there is a focus on
these areas is lacking. As the public sector has national cyber security innovation. Where
order and insufficient failed to provide effective cyber security, necessary, states nationalize private firms in
effectiveness in security has been privatized, and cyber self- their search for efficient cyber protection.
regulation and the use of cyber mercenaries Economies of scale rule in this environment,
anticipating cyber threats is the norm. This has led to a new cyber and small and medium enterprises are
and attributing cyber security economy and competition between suffering.
private and public security providers. The
attacks public sector is fighting hard to gain the To keep up and increase the rule-based
respect of security spheres. There are order, there has been a stark increase in
extensive cyber reconnaissance troops and negotiations and diplomacy. Cooperation and
cyber task forces. However, increasing threat regulation has mushroomed on bilateral and
levels have led to the necessity of private- multilateral levels, and new alliances continue
public partnerships. The resulting corset of to be formed. However, there is a lack of
security is suffocating society, and a culture of efficiency in enforcing these clearly defined
mistrust has taken over. and operational rules.

To counteract the lack of effectiveness in

08 09
 European Cyber Defense | Part 2: Cyber security in Europe 2030

The cyber security landscape in 2030

Cyber Oligarchy IIn this scenario, a small elite of cyber experts (IWMDs), is high.
rules the cyber security landscape in Europe.
The state is no longer in the driving seat of The lack of state influence and control has
Fragmented rule-based cyber security. Instead, there is private resulted in ample opportunities for the
order driven by a rule of enforcement of cyber security according to private sector. The free market profits from
the ‘laws of the jungle’. Consequently, there is the large amount of room for innovation and
the strongest and a high potential for new concepts of state, creativity. Start-ups have thrived and generally
sufficient effectiveness in and the private sector takes an active interest aim not for independence, but hope to merge
in the presence of a functioning cyber security into one of the tech giants. Strong alliances
anticipating cyber threats state, contributing both finances and have also formed between traditional
and attributing cyber knowledge to the public sector to (re)establish industries, such as the automotive industry,
order. In this fragmented order ruled by the and tech giants, with leading traditional firms
attacks strongest, there is a strong need for operating underneath the umbrella of
deterrence, including nuclear. As a result, a innovative tech empires. However,
Cyber Arms Race has ensued and tensions automation has caused high unemployment
have been vented in many small hot conflicts. and social protests are frequent. Traditional
There has been an increase in cyber attacks, bilateral and multilateral alliances remain and
and the risk of (cyber) conflict, including the there is a high degree of clarity of players in
use of Internet Weapons of Mass Destruction the cyber security sphere.

Cyber Darwinism In this alternative future, Europe has become territories, and non-state and quasi-state
a jungle that operates on a laissez-faire actors have gained power. Globalization has
mentality. While small islands with a high level ended and individualization has taken over.
Fragmented rule-based of (cyber) security exist within gated
order driven by a rule of communities, the outside world is highly Cyber security has become a clear
insecure. This has resulted in a two-class competitive advantage. Industries migrate to
the strongest and security system, which heavily discriminates areas with high cyber regulation clarity, such
insufficient effectiveness in against and excludes low security classes. A as China. Alliances continue alongside existing
flood of highly inefficient cyber regulation on bilateral and multilateral lines, but the lack of
anticipating cyber threats a regional, or at most national, level has led to international regulation has resulted in the
and attributing cyber Cyber Federalism: To compensate for the lack heavy rearmament of individual states and
of effective national and international sub-regions. Overall, Europe consists of failed
attacks regulation, federal states and sub-regions cyber states, ruled by the principle of the
have made their own cyber policies. The survival of the fittest.
resulting regulatory chaos and existence of
security hubs has given rise to regional cyber
security havens, which profit from their
security status and enjoy a high standard of
living. Cyber warlords rule over individual

10 11
 European Cyber Defense | Part 2: Cyber security in Europe 2030

Conclusions and
outlook
The future of the cyber security
landscape in Europe will have far-
reaching implications for the private and
public sectors and civil society

Contemplating these four scenarios, the completely and unequivocally as described While there are a myriad of common to cooperate with states and each other to four scenarios will enable decision-makers to to successfully navigate the ever-changing
most striking point is perhaps their here; rather, the future of the cyber security implications emerging from these scenarios, enable cyber security on any level. respond flexibly to the dynamic cyber security map of the cyber security landscape in
timeframe. In the uniquely dynamic field landscape will lie somewhere in between the biggest one is perhaps the overarching environment within and outside Europe. By Europe. Scenario analysis can serve as the
of cyber security, thinking even a few them. By thinking about and preparing for need for cooperation. Cooperation and Many other general implications emerge doing so, decision-makers can proactively compass to do so – and let you lead the way.
years ahead often seems an these four extreme scenarios, stakeholders coordination within and between states and across all four scenarios. The need for digital drive transformation in the cyber security
unfathomable task, yet our scenarios can formulate robust but flexible strategies regional and international organizations will education and training, the necessity of landscape and prepare for the risks that
give an outlook at what the cyber for any future in between these alternatives. be crucial. The private sector, including engaging with questions around shifts toward linger in the shadows along the way. As such,
security landscape may look like beyond Based on the insights into the status quo of military and intelligence services, the public hybrid or cyber warfare, including the these stories of the future aim to stretch
that, in 2030. national cyber security strategies in Europe, sector and civil society in each country will potential offensive use of cyber weapons by minds, challenge perceptions, and capture
as outlined in the first part of the European have to work together to prepare for future states, and the need to protect critical complexities that would otherwise be lost.
While the future of cyber security is extremely Cyber Defence 2018, this is particularly risks and make use of future opportunities. infrastructure are just a few examples here. At
uncertain, it is highly necessary to consider its crucial. With many cyber strategies dating Equally, states will need to work in unison to the same time, each scenario brings with it a The four scenarios may be radically different,
implications for the public and private sectors back a number of years, and none looking drive cyber governance regionally and number of specific implications, both in terms but they share one common theme:
and civil society in Europe and beyond. Our forward into future threats, preparing for the globally. Regional and international of risks and opportunities. Foresight, vision, and close cooperation
four scenarios enable precisely that. We do future is particularly paramount. organizations and alliances, including in between decision-makers in the private and
not expect one scenario to happen particular the EU, NATO and the UN, will have Developing specific strategies for each of the public sectors and civil society will be required

12 13
 European Cyber Defense | Part 2: Cyber security in Europe 2030

Methodology
A short introduction to scenario design between key words, phrases, people, reverse-engineer the milestones that would Fig.2 – Seven step scenario development approach
and its methodology companies, or institutions. This allows us to lead to each future, we can determine the key
gain a holistic understanding of highly elements for each scenario.
This study on the future of the cyber security complex issues and interrelationships, as well
landscape in Europe is based on the seven- as to identify global trends. It also helps to Then, in a sixth step, we make use of these
step scenario design methodology by the avoid the bias of traditional approaches that scenario narratives to derive resulting
Center for the Long View (CLV), which applies
the guiding scientific principles of objectivity,
often have a built-in tendency based on the
character, mood, or personal preference of
implications for the stakeholders involved,
such as the private and public sectors and 7 Monitoring
1 Focal Question
reliability, and validity. This study is the the scenario analysts. civil society.
outcome of comprehensive research, expert
interviews, and a scenario workshop involving In a third step, we prioritize and cluster the In a seventh and final step, we define key
selected political, military, economic, and identified drivers into critical uncertainties. indicators for each of the four scenarios to
social cyber security experts from the private This is necessary as not all driving forces are enable the monitoring of trend
and public sectors and civil society, as well as uncertain. Some may be predictable and developments. The aim of this step is to
the Deloitte network and experienced unlikely to vary significantly in the different observe which scenario is most likely to

6
scenario practitioners from the CLV. scenarios. Thus, critical uncertainties must materialize at any given moment, and identify

Our scenario design methodology starts with

fulfill two criteria: Firstly, they must have a high
impact on the outcome of the focal question.
shifts from one scenario to another one. Implications
& Options Seven Step 2 Driving Forces
the formulation of a focal question in order to Secondly, they must be highly uncertain or Scenario
determine the project’s scope and strategic volatile. Initially, all uncertainties appear Development
direction. The focal question for this study unique, however, by analyzing the Approach
was the following: What will the cyber security comprehensiveness and correlation of each
landscape in Europe look like in 2030? critical uncertainty we can establish the
building blocks for our scenario framework.
As scenarios are a way of understanding the
dynamics that shape the future, the second
step of our methodological approach is the
The scenario framework is developed in the
fourth step of our scenario design approach. 5 Scenario
3 Critical
Uncertainties
identification of driving forces that have the The critical uncertainties determined serve as Narratives
potential to impact the outcome of the focal the two axes that are combined into a matrix,
question. These drivers can be grouped into resulting in four highly divergent but plausible
five categories, known as STEEP forces, which scenarios. In our study, the two critical
consist of social, technological, economic, uncertainties are the nature of the rule-based
environmental, and political factors. order and the possibility to anticipate cyber

In order to determine this study’s long list of

threats and attribute cyber-attacks.
4 Scenario Frameworks

drivers, we primarily made use of interviews Having established the scenario matrix, we
with selected Deloitte experts and our AI- then develop the four scenario narratives in a
based research tool, CLV Deep View. Deep fifth step. Scenario narratives define the
View uses proprietary natural language framework conditions and atmosphere of
processing algorithms to read millions of data each scenario within the context of a story. By
sets with the aim of identifying patterns using the previously identified drivers to

14 15
Contacts

Katrin Rohmann Dr. Florian Klein Annina Lux

Public Sector Leader Head of the Center for The Long View Center for the Long View
Deloitte Risk Advisory Monitor Deloitte Deloitte Risk Advisory
Tel: +49 (0)30 25468 127 Tel: +49 (0)69 9713 7386 Tel: +49 (0)30 25468 5131
[email protected] [email protected] [email protected]

Special thanks to Knut Schönfelder and André Roosen for their contribution.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private

company limited by guarantee (“DTTL”), its network of member firms, and their
related entities. DTTL and each of its member firms are legally separate and
independent entities. DTTL (also referred to as “Deloitte Global”) does not provide
services to clients. Please see www.deloitte.com/de/UeberUns for a more detailed
description of DTTL and its member firms.

Deloitte provides audit, risk advisory, tax, financial advisory and consulting services
to public and private clients spanning multiple industries; legal advisory services in
Germany are provided by Deloitte Legal. With a globally connected network of
member firms in more than 150 countries, Deloitte brings world-class capabilities
and high-quality service to clients, delivering the insights they need to address their
most complex business challenges. Deloitte’s more than 244,000
professionals are committed to making an impact that matters.

This communication contains general information only not suitable for addressing
the particular circumstances of any individual case and is not intended to be used
as a basis for commercial decisions or decisions of any other kind. None of Deloitte
Consulting GmbH or Deloitte Touche Tohmatsu Limited, its member firms, or their
related entities (collectively, the “Deloitte network”) is, by means of this
communication, rendering professional advice or services. No entity in the Deloitte
network shall be responsible for any loss whatsoever sustained by any person who
relies on this communication.

IIssue 11/2018