For delivering secure-by-design digital products, companies currently lack market incentives. Just as governments need industry for developing smart regulations and policies, the industry needs governments for setting the tone and impetus for the market. It is difficult to disagree with Bruce Schneier when he says that, in particular, the ‘Internet of Things (IoT) will remain insecure unless the government steps in and fixes the problem’. But he said that in November 2016; four years later – this is still the case. In approaching digital transformation and making sure it will be cyber-resilient, the industry needs governments to join the dialogue on fixing the growing common cyber-insecurity.
The first reason explaining why governments need to step in is the lack of incentives for companies to invest in cybersecurity. Cybersecurity awareness does not equal cyber-secure behaviour: even if companies are aware of industry security best practices, it does not mean that those practices are actually implemented. Companies’ decision-making regarding investment choices is influenced by the return on investment (ROI); thus, the chief executive officer (CEO) of a medium-sized company would likely ask: ‘Why do I need to think about making my products safer? How would that help me earn profit to innovate further?’ Instead, that typical CEO will likely decide ‘to optimize production and product-support costs; come up with new, attractive features; and have consumers change products faster’.
The role of governments, in this case, seems critical: in consultation with the private sector, governments need to create the right economic environment as well as to help small and medium-sized enterprises (SMEs), which often lack resources and capacity, with certain targeted policy tools that would be part of the common technology ecosystem. In building closer dialogues and trusted partnerships with companies of any size, the governments’ role is to shape the rules so that cybersecurity becomes a competitive advantage. Addressing the lack of resources and capacity by stimulating educational programmes and R&D investments is another possible direction in which governments can play a critical role.
The second reason for greater government intervention for building a cyber-resilient digital transformation is the existing complexity of regulatory approaches. At the SAP Product Security Summit in 2019, Holger Mack and Tom Schröer showed that in today’s IT products, less than 5% of the computer code is home-grown; the rest is code of third-party companies or third-party components. Why is this so? To produce and deliver faster, as well as to ensure the interoperability of IT products, companies need to optimise their software development and use modules of other vendors. However, as they grow in complexity and sophistication, modern software products are becoming more vulnerable. In managing modern IT products, into which a great many third-party components are embedded, the manufacturer needs to decide: (1) which certification is necessary to pass, and (2) how certification should be approached. The answer to both questions may not satisfy the needs, because there is no institutional framework in which certification could be considered optimal within the particular market. What is more, it is impossible to imagine stand-alone certification for the entire technology stack: for each module and component, there would probably be separate certification requirements. While large enterprises are more likely to be able to handle this, SMEs would face a huge burden to their business in attempting to ensure rigorous regulatory compliance.
Therefore, again, governments, in consultation with the private sector, need to address this issue by agreeing on baseline security requirements and on different layers of certification to address different levels of the criticality of technologies. The idea behind this is to secure technology and enhance confidence in technology through standards and certification – but this has to be made proportionate to the companies’ size and sector of operations.
The third reason for the government to play a bigger role in designing security policies is the need for greater transparency and accountability about handling vulnerabilities – in both the public and private sector. There are no 100%-secure products, and probably never will be. This is the default situation: humans, who produce technology, sometimes make mistakes. But it is humans’ responsibility to address these mistakes too, and accountability remains critical. A vulnerability may remain undiscovered for some time, but the digital security risk appears only when the vulnerability is discovered and (intentionally or unintentionally) exploited.
This is why we need greater transparency and accountability about how vulnerabilities are handled. While companies are currently enhancing software development and implementing secure-by-design practices for reducing vulnerabilities, we also need this transparency from governments. In particular, governments not only need to promote responsible vulnerability management and disclosure among software manufacturers, but they also need to follow those processes themselves and be a part of collective efforts together with the industry, including critical-infrastructure owners and cybersecurity providers.
Concluding this piece, we must add a disclaimer that this is not an exhaustive list of all the reasons; there might be more. While the IT security community is getting better at maintaining the security of applications, it is often the people who use the technology who are the ‘weakest links’, and it would be naïve to presume that the behaviour of people may be ‘fixed’ forever. Thus, it is not the technology per se, but the use of technology that creates risks, and therefore, here too, industry will not be able to go it alone in incentivising both other companies and users to turn cybersecurity awareness into secure behaviour. The Geneva Dialogue on Responsible Behaviour in Cyberspace – an international conversation on product security led by the Federal Department of Foreign Affairs of Switzerland and DiploFoundation – has taken a big step forward this year by preparing baseline good practices for reducing vulnerabilities. But further work needs to be done to make those practices international and interoperable. The success in building a secure-by-design IT ecosystem will depend on the ability of both governments and industry to be agile in keeping up with consumer demand, and making sure that security and safety are built-in when designing innovative solutions.
Ms Anastasiya Kazakova is the Public Affairs Manager at Kaspersky