Cybersecurity futures 2025: What the scenarios got right, and what we learned

In 2018, the UC Berkeley Center for Long-Term Cybersecurity (CLTC) partnered with CNA’s Institute for Public Research to develop scenarios exploring potential “cybersecurity futures” for 2025. Now that 2025 is here, we ask, how did we do?

We conducted a detailed “postmortem” on our scenarios to understand which signals we correctly identified and those we missed, collecting those insights for lessons learned.

Early breakthroughs in quantum computing prompted attempts to establish a global non-proliferation regime. These efforts failed as quantum technology spread beyond original state control to multiple countries and criminal networks.

Non-proliferation efforts slowed competitors but rarely stopped them, leading major powers to consider accelerating quantum dissemination to allies instead of containment.

The push to use secure digital technology, the internet of things and machine learning to quantify individual and social life led to an unexpected dilemma: the loss of constructive ambiguity.

As hyper-precise data eliminated the small uncertainties that smooth social, legal and economic interactions, people sought new flexibility through multiple, fluid digital identities. This created new security challenges around identity management and verification.

Following catastrophic security failures, the world split into two competing internet governance models: one where governments ceded control to large tech firms (fulfilling John Perry Barlow’s cyber-libertarian vision) and another embracing digital nationalism, where the internet became an explicit instrument of state power.

The sharpest tensions emerged where these approaches collided.

After digital insecurity nearly collapsed the internet economy, companies turned security over to “SafetyNet,” an artificial intelligence (AI) driven mesh network detecting intrusions and patching vulnerabilities in real time.

Cyberspace is split into the traditional internet (less secure but more private) and the SafetyNet environment (highly secure but heavily monitored), raising questions about whether privacy, freedom and trust could survive in a world secured by omnipresent AI oversight.

Revisiting these scenarios in 2025 surfaced a few key insights:

We correctly anticipated that technologies such as AI and quantum computing would advance through dramatic step functions rather than smooth curves. The rapid emergence of generative AI (GenAI) models since 2022 exemplifies this pattern, as GenAI transformed expectations, investment patterns and technology trajectories seemingly overnight.

Similarly, quantum computing has moved faster than contemporary forecasts anticipated (the National Institute of Standards and Technology accelerated its timeline for transitioning to quantum-resistant cryptography).

The CHIPS Act and similar initiatives highlight how semiconductor manufacturing, AI development and quantum research have become central theatres of great power competition.

This dynamic has extended to export controls and increasingly, to fundamental tenets of recent globalization, such as capital flows, particularly in the US-China relationship, precisely as our scenarios anticipated.

We underestimated how quickly boundaries between government and corporate capabilities would blur, creating hybrid institutional forms. Organizations like OpenAI demonstrate this hybridity, operating as nonprofits with for-profit subsidiaries while partnering with defense agencies.

Meanwhile, open-source AI development has introduced governance models that transcend traditional state or market binaries – a dynamic our scenarios didn’t adequately explore.

While we named digital identity an important contested space, we underestimated how synthetic media would weaponize ambiguity. According to the World Economic Forum’s “Global Cybersecurity Outlook 2025,” 47% of organizations view adversarial advances powered by GenAI as their primary concern, as these enable more sophisticated and scalable attacks.

Today’s environment combines excessive certainty (thanks to algorithmic profiling) with radical uncertainty, where even video evidence carries a diminishing truth value. This contradiction creates excessive precision and fundamental doubt – a tension our scenarios only partially capture.

We failed to anticipate how global talent flows would shape technological development. The movement of researchers between organizations transfers crucial knowledge, making immigration policies instruments of technology strategy.

This is particularly visible in AI, where key scientists moving between technology companies such as DeepMind, OpenAI and Anthropic have created competitive advantages while accelerating overall capability development.

The malware that encrypts the victim’s personal data until a ransom is paid transformed the threat landscape through business model innovations rather than technical advances.

Ransomware-as-a-service platforms democratized attack capabilities, revealing limitations in our focus on technologies rather than economic organization and incentives. That was an ironic and unacceptable miss – we failed to make adequate use of the best knowledge and understanding in this area.

The pandemic accelerated digital transformation and tested security architectures. Though we didn’t predict COVID-19, the resilience demonstrated by digital infrastructure suggests security capabilities had matured more than anticipated.

Weaknesses within a business’s network of suppliers, processes and infrastructure emerged as a central attack vector. The SolarWinds incident demonstrated how adversaries leverage trusted distribution channels to bypass conventional security, exposing an offence-dominance we failed to capture in our scenarios.

Per the Global Cybersecurity Outlook, 54% of large organizations cite supply chain challenges as the greatest barrier to achieving cyber resilience.

Looking forward to 2030, these are three tensions decision-makers should monitor.

Scenarios cannot precisely predict the future but they surface strategic decisions we can take now to better prepare for multiple possible futures.