Erosion of trust in cybersecurity: why it needs fixing
By Evgeny Grigorenko, Head of Public Affairs, Europe
The digitalization of certain sectors and areas, which is gradually becoming the ‘digitalization of everything’, has promised to bring about clear benefits: better functionality, better control, lower costs and higher speeds. While delivering on its promise, it has also revealed an array of issues. One the most prominent is misuse and manipulation of digital technologies leading to both individual and societal risks and threats in the cyber-domain.
This is not the first time humanity has faced an issue of how to ensure safe use of goods. How was it done before? Take the example of drugs. If you introduce a new item to the market, it’s your obligation as a producer to provide evidence that the consumer won’t be harmed. For this, the producer must meet certain health and safety criteria and obtain the necessary permits and certificates. So traditionally, certification – meaning that a certain product conforms to the respective safety criteria – is the way to get to a market. Produced, tested, certified, stamped, and on the shop shelves.
Digitalization adds an additional element to this conundrum. In a world of tangible products, we mostly deal with finished products (which most often have expiry dates, like in the case of food). In the world of software and, more specifically, cybersecurity software, we deal with its evolving nature – via updates – and have to address both possible bugs (old and newly discovered) and the ever-changing threat landscape. By analogy, you can get a certain amount of active ingredient from a prescribed drug, but it’s hard to guarantee that you’ll get a certain – high – level of security with your non-updated cybersecurity solution if you’re being targeted in a malicious attack. Would you trust your solution if it doesn’t protect you from a new threat? On the contrary, would you trust your solution if it’s updated but it rather weakens your protection with new vulnerabilities?
Another layer to the problem in the area of trust in cybersecurity arises on the international level. Digitalization gave rise to the term ‘digital sovereignty’, as adopted by some countries. Cyber is also increasingly seen as the fourth domain of warfare. The reaction to this has been (sadly) predictable. The largest cyber powers entrench themselves with cyberdefenses (the balkanization of cyberspace), develop offensive capacities (militarization), and give preference not to the best but to simply domestic technologies (protectionism). On the top of that, international cybersecurity dialogue between major cyber powers is going through a hard time (some would say, ‘failed’)
Given the privileged access of cybersecurity solutions to data, how can we make sure that our cybersecurity safeguards are not compromised themselves? That no backdoors or critical vulnerabilities exist? The traditional response – certification – would be just one component due to its limitations discussed above. So, following some cybersecurity guidelines, a risk-based approach comes to the fore. The issue with that is that depending on one’s subjective assessment of either ‘negative consequences’ or its ‘probability’, the risk can be easily inflated and misinterpreted. As a result, ‘any doubts – uninstall (ban/restrict)!’ is a new working formula. Sadly, when trying to address supply-chain risks, governments are prone to ignore the ‘presumption of innocence’ principle: there’s no need to prove wrongdoing if you can just point to some ‘intentions’ of wrongdoing (usually hard to assess). Clearly, the current geopolitical climate is a nurturing environment for such an approach.
The dangers of the current trend of the erosion of trust in cyber are a full collapse of dialogue, economic harm, and even global conflict in cyber.
How can we tackle this global trend? Kaspersky, as an integral element of the global cybersecurity ecosystem, believes that it could be done by responding to the root causes of it. While we understand our limitations as a private company and are not going to ‘play geopolitics’, we are committed to adding a layer of trust in cybersecurity solutions through our Global Transparency Initiative. The GTI is both our response to geopolitical turbulence and our commitment to enhancing existing technologies and infrastructure so they match the current technological challenges.
Very soon, we’re going to announce a new series of specific steps within the Initiative – something, we plan, that won’t only be related to Kaspersky but also to our proposal to our partners worldwide to work together on. Update to follow soon!...