How cybersecurity industry can survive in the world of mistrust
Anastasiya Kazakova, CEO Office Projects Coordinator
Igor Kumagin, Senior Project Manager
The fast-growing, ubiquitous digitalization of recent years marks a point of no return, since data processing and data storage activities of IT companies have raised privacy and ethics issues. Journalists paint gloomy pictures from Orwell’s 1984, saying that we have come to the end of privacy due to uncontrolled technological development. The revelations of Edward Snowden, recent data breaches such as the Facebook-Cambridge Analytica data scandal , growing amount of espionage attacks, debates over and initiatives on (the UK’s plans for Centre for Data Ethics and Innovation Consultation, the European Commission’s research on ‘Ethics and data protection’, Singapore’s newly launched Council on ethical use of data, AI etc.) ethical standards for tech companies, businesses, politicians and users raised the problem– how to handle personal data properly and keep privacy as a fundamental human right[1].
Back in 2006, Daniel J. Solove, a professor at George Washington University Law School, in his book ‘A Taxonomy of Privacy’ identified 16 ‘privacy harms’ caused by new technologies (data collection by surveillance, personal data disclosure, distortion, increased accessibility of information, etc.). Ten years later, in April 2016, the EU was among the first who renewed its data protection regime by adopting the GDPR, applying strict extraterritorial regulatory requirements on the business world. Since then, many non-EU citizens have started thinking seriously about the value of personal data and real liability in case of its misuse. This move triggered similar actions among different governments (India’s Data Protection Bill, Brazil’s General Data Protection Law, the California Consumer Privacy Act, etc.). But does greater control imply greater security?
While regulators and governments are still trying to find the right balance between regulation and innovation, we believe its tech companies’ call to find the way to get the trust back.
Impact on the cybersecurity industry
With regard to the AV or cybersecurity industry, trust is the core basis upon which these industries operate. However, because of the privacy concerns mentioned above, the state of trust in the cybersecurity field has become even more fragile. There is no doubt, that AV vendors have legitimate grounds for accessing and collecting certain information (statistics, details of malware, etc.) about the computers on which their software is running. However, the question regarding how vendors handle personal data may concern both users and policymakers.
As for now, to analyze how AV products work with data, one of the possible instruments are vendors’ End User License Agreement (EULA) and privacy statements. These documents tell users what and how data may be processed, and what data may be sent for additional analysis to verify whether it’s malicious or not. Though they make clear that it is the duty of AV vendors to protect users and their privacy from cyberthreats, users may still have concerns over the ‘future life’ of information that has been collected by AV software. Apparently, to ensure trust and trustworthiness of AV products, the industry needs to take steps forward.
Meanwhile, global governments are tending to tighten control and introduce greater regulation over the cybersecurity industry by:
- developing certification requirements (e.g., the EU cybersecurity certification framework);
- introducing criminal liability for violations of critical infrastructure protection requirements (e.g., Russia's Critical Information Infrastructure Bill; Singapore’s Cybersecurity Act);
- forcing vendors to follow strict data localization requirements (e.g., Vietnam’s data localization law; Russia’s Federal Law No. 242-FZ (on processing personal data); and
- forcing vendors to weaken encryption (e.g., Australia’s Assistance and Access Bill).
We are certain that greater control doesn’t always work. Daniel Solove said that ‘protecting privacy requires balancing, as neither privacy nor its countervailing interests are absolute values’. Global cybersecurity companies cannot fight cybercrime without collecting data for identifying those who stand behind attacks. Therefore, the answer to the problem cannot be simplistic, but has to be simple. Binding laws and strict regulation and policies cannot guarantee 100% security; however, on the contrary, they can place a burden for further development of digital technologies, and thus for further improvement of people’s wellbeing.
Clearly, to maintain the trust of users and to ensure the trustworthiness of cybersecurity products, steps forward need to be taken by AV-vendors as well. That’s why we, as representatives of the IT security industry, encourage both vendors and policymakers to support the idea of a transparency framework.
Transparency framework
Whereas earlier AV vendors had to improve their detection mechanisms and increase performance of their products, now is the time to move up to the next level, i.e., to define rules for collecting and processing users’ personal data.
We have already approached several independent testing organizations and received their feedback. To attract greater attention, we present the core ideas of the framework here.
We believe that AV-vendors need:
- to have more transparent and open communication with their users about data processing in clear and plain language;
- to perform detection and performance testing, together with assessing data protection;
- to introduce a Code of Conduct for the AV industry as a response to global privacy concerns.
Therefore, we are calling for support of the development of a transparency framework, which presumes but not limited to
- Transparency about user data storage and its location;
- Suspicious/unnecessary cloud traffic check;
- Clear instruction in case of requests for deleting the data collected;
- Transparency about data sent to cloud systems;
- Implementation of existing personal data protection requirements to increase security assurance.
To illustrate how the framework might work, here is the following example. The suspicious or unnecessary cloud traffic check (point 2) can be implemented through installing an AV product without any recent updates or unusual programs, then copying some documents or other media files on the system, and finally checking if the traffic to the cloud has or has not been increased. If the traffic remains the same, the AV product passes the check.
Concluding remarks
We invite both the AV industry and policymakers to support the transparency framework. Self-regulation might work, and the AV industry might become a pioneer in developing a new approach to data protection and data management.
Trust lies at the heart of the AV industry; it is also the core of most all business relations.
Are you ready for evolution? As the world changes, it’s time we change too.
[1] The right to privacy as a human right is established in Article 12 of the Universal Declaration of Human Rights (UDHR), and enshrined in Article 17 of the International Covenant on Civil and Political Rights (ICCPR).