CYBERSECURITY 2040: QUO VADIS?
Cybersecurity 2024: Quo Vadis?
Presented by Johan Kestens at BE-CEC on September 11, 2025 in Dolce, La Hulpe
In a thought-provoking keynote at the Belgian Cybersecurity Executive Conference (BE-CEC) 2025, Johan Kestens, former CIO at ING and CISO at BNY Mellon, made a few predictions about security in the future and gave advice on how to build up your defences.
Three provocative theses
Reflecting on the current state of cyber security, and what is happening in terms of technology development and geopolitical evolutions, I would like to offer three provocative theses on the state of cyber security in 2030:
- Cybersecurity tooling for threat identification, network security and access control will consolidate as an industry, largely controlled by a few US-based companies.
- The combination of publicly accessible data repositories on cyber security and AI-generated code will raise the stakes in the cyber security arms race, which will become a permanent silent war.
- The internet started as a global public good, but major sovereign powers will increasingly create barriers to keep control over their generated data and global traffic. The internet may evolve into a collection of regional networks.
This is not an optimistic view, but it could become reality in my opinion. Let me develop each of these points in some detail to see whether the logic is somehow convincing.
1. Cyber tooling will consolidate under US control.
There is a vibrant industry in cyber security tooling offering a wide range of tools for threat analysis, detection, vulnerability management, access and authentication, security operations, and data protection. There are about 6000 companies offering tools, with about 70 unicorns. The major hyper-scalers also have an integrated security tooling stack.
Over the last 2 months, there were more than 15 acquisitions of sizeable players by US-based competitors. At this rate about 150 firms are integrated per year.
This is a high speed of consolidation. In my opinion, three factors are driving it:
- Industry leaders deploy a platform strategy, seeking a full offering and a large client base, using acquisitions to supplement platform strength and to create cross-selling opportunities. Palo Alto Networks in the network area, Zscaler for secure access and Microsoft for endpoints are examples.
- Defence companies are expanding in the cyber field. Modern weapon systems are increasingly software driven and need both defensive and offensive cyber security capabilities to be state of the art. Supported by increased valuations, defence firms are acquiring cyber capabilities.
- Logs, the system message variant, are the next frontier in data management and the raw material to train AI models, just as messages and search queries were for the current providers of LLMs, Meta, Google, and Microsoft. Scale matters, and deep pockets are needed. Only exceptionally large firms can aspire to lead in a cyber security world which will be powered by AI.
So, we are likely to be depending on either hyper-scalers, exceptionally large firms, or defence conglomerates to get access to the best tooling. Most of them will be located in the US, and Europe may be increasingly dependent on their products.
2. The cyber arms race will intensify significantly.
The use of logs to train AI models on defensive and offensive cyber capabilities is a major evolution. AI has been used for years in cyber defence, basically with machine learning seeking outliers or anomalies. To a large degree, the early use of machine learning allowed for an edge in detection of new threats and kept many attacks at bay.
The neural network technology behind LLMs may change that.
- First, if you have massive reservoirs of logs, and you train your neural model to study them, you may automatically discover patterns pointing either at vulnerabilities or unusual behaviour.
- Second, the cyber industry benefits from open, public data repositories, which make it possible to build a defence. Think of MITRE ATT&CK for adversarial tactics, CVE for vulnerabilities, and NIST, OWASP and CIS for secure practices and control.
- Third, new LLMs are able to generate code and do so with increasing quality, as code is a relatively formal declaration of statements, without nuance or implied meaning.
The result is a powerful cocktail: use a modern LLM for code generation, train it on publicly available data repositories, and use massive amounts of logs to validate the outcome. The result is an automated way to develop patches, or zero-day vulnerabilities. The arms race accelerates.
Today, you can subscribe for 150 USD per month to Xanthorox AI. The first publicly acknowledged cyber-attack generated by AI happened on August 26. It involved the open-source build platform Nx, which is used by over 70% of the Fortune 500, and downloaded 16 million times a month. It was active for 5 hours and stole privileged credentials for GitHub. Earlier in July there was a similar attack on AWS.
We have seen ever more sophisticated attacks over the last years, and this sophistication may very well increase further. Automated discovery of vulnerabilities could create an avalanche of new zero-day vulnerabilities.
Open-source software is especially vulnerable, as its source code is public. In the past, this may have helped in hardening it; the question is whether it will be able to withstand a massive, automated attack by a cyber version of ChatGPT or any other LLM.
3. The internet will follow world trade and de-globalize
The current geopolitical situation is one where multiple blocs are increasingly developing a complex rivalry, using trade wars, in addition to plain, normal wars, to bolster their influence. One of those blocs has carefully managed the internet: China. It has always managed it judiciously, collected massive amounts of data, and has at times blocked its entrepreneurs from going global, as illustrated by the volatile relationship with Alibaba, blocking the IPO of Alipay and seeing its founder shying away from the public for some time. At the same time, it was always fostering innovation. Think of Tencent, or the recent LLM DeepSeek.
Now China is massively investing in AI, fostering entrepreneurship. China has a clear long-term vision, invests in robotics to supplement its work force, which will decline over time, and uses massive amounts of collected data to influence social order.
Europe has started a debate on data sovereignty because it is worried its data are not under its control and could be leveraged or even abused by other geopolitical blocs. This is a first step in the same direction as China. It may not happen at the same pace, it may not go as far, but clearly the completely open, free culture of harvesting data globally is under pressure.
The US has not yet taken much action in this area, because clearly today’s winners are US-based companies, extracting significant economic rent out of collected data from people all over the world. But the current volatility in policy making is at such an elevated level that this could easily change. And the US already forced TikTok as a social media application to change ownership into US hands.
So, it is not unthinkable that we will have three to five subnets of the internet at some point in time, each guarding their own data for internal use. And cyber-attacks will be used between those subnets, powered by powerful AI tools that automatically generate attacks trained with massive amounts of logs.
This is a very bleak picture; it predicts a permanent cyber war, which may be stealthy and silent, but nevertheless is aimed at creating economic and sociologic damage. I hope I am wrong, but I believe the logic of the scenario to be pretty strong.
Build up your defences, now more than ever.
So far, I have painted a world where technology will be largely under US control, and cyber-attacks will proliferate and become more effective. Major political powers will seek control over their information technology infrastructure and their data, as China has been doing for 10 years. Where does that leave Europe, renowned for issuing plenty of well-intended rules, but struggling to defend its position in geopolitical terms?
First, things are changing. Perhaps the pace is still far too slow, but some significant things have happened. Sweden and Finland took 6 months to abandon more than a century of political neutrality and joined NATO; Germany abandoned half a century of budgetary chastity to increase public spending. The unthinkable can happen; maybe one day we will even have a government for the Brussels region.
But it may be insufficient. Yet there are more things we can do to better prepare ourselves for this kind of admittedly scary scenario. I want to give some examples:
1. Adopt a franchise model for major hyperscalers
Turn the hyper-scalers, the major cloud providers, into franchise organisations, the way McDonald's works. The cumulative investment in cloud infrastructure and service management is so big that Europe should not try to catch up by massively trying to overhaul this effort. It may make more sense to force the hyper-scalers into franchise organisations. Wherever you go in the world, you have the same concept and the same experience, but a local entrepreneur running it.
Cloud could become a world where AWS and Microsoft licence their software to local data centres, built according to AWS or Microsoft prescriptions, but operated by local franchisees. These would pay a handsome licence fee for the software and the concept, but the data stored would be under the control of the local franchisee, accountable to the local government. In case of geopolitical conflict, at least the data would be there, and operations could in one way or another continue.
This may need considerable work to flesh out, but the concept preserves the historical investment of the hyper-scalers and gives Europe enhanced control over its data. It is far preferable to the alternative where the US would control all cloud activity, or to the alternative where in an act of desperation Europe would nationalize all the assets, without means to continue operations. Tellingly, recent organizational evolutions of both AWS and Microsoft point already in that direction.
Europe could prepare for an enhanced level of cyber-attacks by selectively disconnecting systems from the internet. This may reduce some convenience or appeal but would at least protect core assets.
Is it really necessary to have a nuclear power plant addressable over the internet? Can we not separate the core systems for nuclear control from a network used for other business functions? Equally, every pacemaker today has an IP address, but what is the value of an app telling you your heart is beating, compared to the risk somebody may take it over and give you a heart attack?
Cyber security is an eternal trade-off between ease of use and control of behaviour. We may have gone too far in designing an app for everything. Because everything will then be hacked.
3. Prepare for sophisticated attacks
Prepare for increasingly sophisticated attacks in your company by ensuring your control frameworks are up to date, and practice what to do in a total outage or a complete loss of data. Because it will happen.
Maybe Europe should invest in massive drill exercises. Think of a weekend where we halt the internet, just to see what would happen and how we would react. Now, such an exercise may need careful planning, and it is not the intent to cause major damage. But think of the incident in Spain where power was lost in large parts of the country. Although this example may not have been a cyber incident, major disasters of this kind, caused by system failure, are happening frequently. Is there anybody who believes this type of accident will never occur again? If not, then we better prepare as a society.
NIS 2 is taking steps in that direction. The financial industry went a step further with DORA, also emphasizing business continuity. We need to amplify our efforts here.
One reason is that our traditional access control methods may no longer work. Quantum computing could decrypt our confidential information, and that damage may already have been done. Hackers may already have captured encrypted files, only to decipher them when quantum computing is commercially available. And AI may make the use of biometrics harder, as it can emulate our faces or even our fingerprints. Solutions exist, such as lattice cryptography to fight the risk of quantum computing, or advanced hashing to preserve some biometrics, but these controls will have to be implemented.
4. Double down on efforts to create a real security culture
Double down on efforts in awareness and really create a security culture. The human factor, as fallible as it can be, is probably also at the end of the day our best defence. Many companies are doing quite a lot in this area, but is it enough?
We expect people to pass a test before driving a car. Should we have a similar concept in the area of using computers, the Internet and generating data? For sure, it will have to be an exercise which is repeated over time. The development of cyber fraud is much faster than the evolution of the ergonomics of driving a car. But in a way, we are protecting the individual and society by doing so.
These are just ideas; they are by far not exhaustive or complete and may even be unrealistic. But I hope to bring the message that more can be done. It does imply change, and this is always painful. But it starts by wanting it. Regardless, our efforts in cybersecurity will likely have to increase over the next years.
This will take effort, but to paraphrase Mario Draghi, I am confident we will in the end do whatever it takes.