The rise of cybersecurity debt – TechCrunch
The ransomware attacks on the JBS beef processor, and on the Colonial Pipeline before it, sparked a now-familiar series of reactions. There are promises of retaliation against the groups responsible, the prospect of corporate executives being hauled before Congress in the coming months, and even an executive order on cybersecurity that could take months to fully implement.
But amid this whirlwind of activity, we must ask, and answer, a fundamental question about the state of our cybersecurity defenses: Why does this keep happening?
I have a theory on why. In software development, there is a concept called “technical debt”. It describes the costs businesses pay when they choose to build software the easy (or quick) way rather than the right way, putting together temporary solutions to meet a short-term need. Over time, as teams struggle to maintain a patchwork of poorly architected applications, tech debt builds up in the form of lost productivity or a poor customer experience.
Our country’s cybersecurity defenses are buckling under the weight of a similar debt. Only the scale is much larger, the stakes are higher and the interest keeps accumulating. The true cost of this “cybersecurity debt” is difficult to quantify. While we still don’t know the exact root cause of either attack, we do know that beef prices will be significantly affected and that gas prices jumped 8 cents on news of the Colonial Pipeline attack, costing consumers and businesses billions. The damage to public confidence is incalculable.
How did we get here? The public and private sectors spend more than $4 trillion a year in the digital arms race that is our modern economy. The goal of these investments is speed and innovation. But in pursuit of these ambitions, organizations of all sizes have assembled complex and uncoordinated systems, running thousands of applications across multiple private and public clouds and drawing on data from hundreds of locations and devices.
Complexity is the enemy of security. Some companies are forced to deploy up to 50 different security solutions from up to 10 different vendors to protect their sprawling technology estates, in effect acting as their own systems integrator. Every node in these incredibly complicated networks is like a door or window that could inadvertently be left open. Each represents a potential point of failure and an exponential increase in cybersecurity debt.
We have an unprecedented opportunity and responsibility to update the architectural foundations of our digital infrastructure and pay off our cybersecurity debt. To achieve this, two essential steps must be taken.
First, we need to embrace open standards across all critical digital infrastructure, especially infrastructure used by private contractors to serve government. Until recently, it was believed that the only way to standardize security protocols across a complex digital estate was to rebuild it from scratch in the cloud. But that is like replacing the foundation of a house while living in it. You simply cannot lift and shift massive, critical workloads from private data centers to the cloud.
There’s another way: open hybrid cloud architectures can connect and standardize security across any type of infrastructure, from private data centers to public clouds to the network edge. This unifies the security workflow, increases visibility of threats across the network (including the third- and fourth-party networks through which data flows) and orchestrates the response. It essentially eliminates weak links without having to move data or applications, a design point that should be adopted in both the public and private sectors.
The second step is to close the remaining gaps in the data security supply chain. President Biden’s executive order requires federal agencies to encrypt data at rest and in transit. We have the opportunity to go further and also protect data in use. As more and more organizations outsource the storage and processing of their data to cloud providers, expecting real-time data analytics in return, data in use represents an area of vulnerability.
Many believe this vulnerability is simply the price we pay for outsourcing digital infrastructure to another company. But this is not true. Cloud providers can and do protect their customers’ data with the same ferocity as they protect their own. They don’t need to access the data they store on their servers. Never.
To ensure this, confidential computing is needed: it protects data at rest, in transit and in use. Confidential computing makes it technically impossible for anyone without the encryption key to access the data, not even your cloud provider. At IBM, for example, our customers run workloads in IBM Cloud with complete privacy and control. They are the only ones who hold the key. We could not access their data even if we were compelled to by a court order or a ransom demand. It is simply not an option.
Paying off the principal on any type of debt can be daunting, as anyone with a mortgage or student loan can attest. But this is not a low interest loan. As the JBS and Colonial Pipeline attacks clearly demonstrate, the cost of not paying off our cybersecurity debt goes far beyond pecuniary damage. Our food and fuel supplies are threatened and entire economies can be disrupted.
I believe that with the right measures, including strong public-private collaboration, we have the opportunity to build a future that harnesses the combined power of security and technological progress, grounded in trust.