You are here
It's time to create a global playbook for cybersecurity
IN ITS business predictions for 2019, industry analyst Forrester says more companies will implement cybersecurity strategies based on a principle of "zero trust" - the practice of continuously questioning the security of all internal and external activity.
For cybersecurity as a whole, however, a zero trust approach is not an option. Everything cybersecurity vendors need to be able to do to protect customers - collect and process information on suspicious and malicious files, hunt malware, share threat intelligence and collaborate (including with law enforcement and governments) - is impossible if there is zero trust. How can we ensure they have faith in the industry and their specific provider?
This is where "digital trust" comes in. Digital trust is defined as the blend of cybersecurity, effective data privacy, accountability and ethical data handling that leads customers to trust an organisation. Cybersecurity needs to establish its own digital trust. Unfortunately, this is under growing threat from external forces such as geopolitics and technology nationalism.
Thanks to cyber criminals and advanced threat actors, cyber space has become a landscape of fear, uncertainty and doubt. Geopolitical tensions are being played out online, with security software and other technology products positioned as potential cyber weapons. As a result, people, organisations and governments are increasingly concerned about what cybersecurity software could be doing to or with their data and devices.
Technology nationalism is flourishing because the world is engaged in a game without rules: there is no unified, independent global framework for standards in cybersecurity. That is not altogether surprising; it is a relatively young industry, still finding its feet as a sector, and an agreed global playbook has not been essential before.
It is now.
In an increasingly connected world, cybersecurity has become fundamental to digital trust. It underpins the confidence people have in the security of their national economy, critical infrastructure and everyday life. It is time for the industry to take control of its own destiny. The world needs a set of global standards and principles that everyone abides by and which are clear, transparent and accountable.
LEARNING FROM OTHER SECTORS
The long established automotive sector got its global regulatory relationships in place in 1952, with, among other things, the setting up of the World Forum for the Harmonisation of Vehicle Regulations under the auspices of the UN Economic Commission for Europe. Through the forum, the world's main automotive manufacturing markets collaborate on essential motor vehicle regulations that apply to all.
At the same time, every country has its own unique needs, approach and regulations. In healthcare, the World Health Organization (WHO) gives guidance on the laws and healthcare approaches of countries around the world.
Imagine if such things existed for cybersecurity: What if vendors could operate internationally on a level playing field, within an industry-wide trust framework, but tailor their activity and choices to the needs and regulations of individual countries?
The absence of a global framework puts the industry at risk of what is known as "Balkanisation", where barriers, restrictions or even outright bans are put in place by governments to keep technology vendors it wants to exclude on the other side of the fence. We believe that technology nationalism is damaging, and will stifle competition, innovation and collaboration and undermine trust in the global digital economy. The only winners will be the cyber criminals who don't see and certainly won't respect any of those borders.
The response of governments to industry insecurity needs instead to be based on dialogue with the relevant industry players and on real evidence and assessment of the potential risks.
We are not the only ones concerned about trust and the future of cyber security. Across the industry there are partnerships and calls for a Digital Geneva Convention, including, most recently, the Paris Call. We are enthusiastic supporters of them all. But we also believe it is time to move beyond good intentions and take action, to introduce tangible measures that prove trustworthiness, integrity and resilience.
For us, the answer is our Global Transparency Initiative. Launched in October 2017, the programme involves, among other things, the relocation of key elements of our data processing and software build infrastructure to Switzerland, independent third-party audits of our engineering practices, and the opening of three transparency centres where trusted partners can access external reviews of our source and update code and documentation. We achieved the first major milestone last November, with the start of data processing in Zurich for customers in Europe, and the opening of our first transparency centre in the city.
Becoming more transparent is not risk-free. Exposing your source code, for example, even in highly-controlled circumstances, could make it a target for attack. But these are risks we are prepared to take.
The days of black box cyber security are over. Yes, not everyone understands or even wants to know about the hundreds of thousands of lines of code that make up a security product. But they need to be able to see clearly what you do, how you do it, and how protected it is from outside interference. Equally importantly, they need to know what kind of data you don't collect and what things you will never do - and not just for one vendor, but for all of them, measured by the same high global standards that we create together.
- The writer is vice-president, Public Affairs, at Kaspersky Lab