Take nation-states creating tools that can then be repurposed by anyone and hardware that is insecure all the way down and you have a cyberworld where it looks like offense is going to be superior to defense for a while.
This is the way real world warfare has gone historically. Guns made medieval armor obsolete, defenses against missiles are more fig leaves than serious factors and simple mobile units have become standard.
Where does it end? Or at least go next? The death of the general purpose computer [1], that's where. Signed bootloaders show up as opt-in, luring you with safety. Soon enough, they'll be mandated by legislation. Next ISPs will be required to execute authentication protocols against all devices -- no more anonymity.
Cellular providers are already feature-gating users based on whether their crapware is installed on user devices or not. Certain providers are also basing it off of whether or not you bought the phone from them, via the IMEI number. Updates to devices are often different based on the phone's "affiliation." They can easily corral people into using specific firmwares.
And in a world like this with weaker defense than offense, the only good defense is a good offense, i.e., deterrence.
In military terms, this means that an attacker knows that arousing the enemy will mean hell to pay, and they can only engage in asymmetric warfare.
In the computing space, we don't have much of an offense. The best I saw was the Blue Frog anti-spam, which was great while it lasted. Russian crackers have mostly learned not to attack their own govt unless they want the appropriate unit of measure for the expected lifespan to change from decades to weeks. Seems that we'll need to live very cautiously for some time, or develop responses that 'reach out and touch someone' (specifically the attackers).
edit:+ Moreover, it seems that in international cyber-attacks, some of the responses will need to be kinetic in order to deter.
Then you’d better be able to prove you’re striking the right targets, and that the purpose of the attack you’re responding to isn’t to elicit that strike.
Yup. That's the job of good intel agencies and cyber-defense.
Of course with BlueFrog, that work was already done -- just automate the response do complain/unsub, and the spam campaign becomes a DDOS on the advertiser. I'd love to see that back again.
Same for spam/spoofed-ID tel calls. Answering and trolling the telemarketer by wasting their time is nice by ineffective 1-on-1. It'd be nice to ID & target them with a scaled-up response.
This is the way real world warfare has gone historically. Guns made medieval armor obsolete, defenses against missiles are more fig leaves than serious factors and simple mobile units have become standard.