This article was first published by Oliver Wyman here.
Artificial intelligence, quantum computing, Internet of Things (IoT) devices, 5G mobile, and its planned successor, 6G: The list of fast-developing technologies and the development of entire new industries like space commercialization and green tech goes on and on. This innovation offers tremendous opportunities for growth, but the scale of disruption also creates new cybersecurity risks, giving malicious actors fresh avenues to try to steal, damage, destroy, or demand ransom.
The challenge requires an all-out response from business and government to enhance cybersecurity and more effectively buy down cyber risk, industry experts agreed at a panel session on disruptive technologies at the Billington CyberSecurity Summit.
A starting point involves embracing a Zero Trust Architecture, the cornerstone of the Biden administration’s new cyber strategy, which tightens access controls on everybody on the assumption that attackers already may have penetrated computer systems. Organizations also need to be more proactive and adopt a risk-management approach that prioritizes protecting critical assets.
“Each of the new technologies we are adopting creates new attack surface, and if we don’t go into deploying those new technologies in sort of a conscious way, that attack surface is going to bite us,’” Neal Ziring, technical director of the National Security Agency’s Cybersecurity Directorate, told moderator Paul Mee, who leads Oliver Wyman’s Cyber Risk platform and the Oliver Wyman Forum’s cybersecurity initiative. Executives should begin by asking themselves, “what are my really critical business trust relationships, my really critical crown- jewel data, and how am I going to continue to foster that and protect it as I move into these new technologies,” Ziring added.
Zero Trust isn’t a new concept but turning it from an industry ambition to real changes in technology, systems, and procedures will be many years in the making. An analogy might be Europe’s General Data Protection Regulation. It sets broad standards for privacy and data protection but doesn’t specify the exact measures or technology companies should employ to meet those standards. Zero Trust is even more complex and far-ranging. Yet the good news is that industry is moving from talk to implementation.
“While there is a lot of hype around it, I think the basic principle of Zero Trust in terms of identity and other technologies is something that is going to be widely adopted,” said Katie Gray, who leads the cybersecurity investment practice at In-Q-Tel. “There is a lot of innovation that’s happening now.”
Artificial intelligence and machine learning aren’t yet playing as big a role in cybersecurity as they are in other fields, but experts say that will need to change. The proliferation of data and the pace of tech innovation, especially the massive shift to digital working and service provision witnessed during the pandemic, is outrunning the ability of cybersecurity teams to keep up, hence driving demand for automated tools.“
We don’t have enough people or resources, and the attacker dwell time is so long that we’re not able to do the triage fast enough to minimize the impact, especially with destructive malware,” said Travis Rosiek, chief technology and strategy officer at cybersecurity firm BluVector. “We’re going to continue to see the application of things like machine learning to the cyber space. We sorely need it right now.”
One of the trickiest issues for cyber teams is, ironically, one of the oldest. Open-source software has been in wide use for decades, and its incorporation into new applications means old bugs or features can create new and unintended risks. The recent US executive order on cybersecurity addresses this by calling on companies to provide a software bill of materials detailing the components and supply chain relationships involved in every product, but that will be a daunting task.
However far back a company digs into the coding history of a given product, “you’ll find that it probably wasn’t far enough,” said Bryan Ware, founder and CEO of Next5, a company that seeks to promote US leadership in emerging technologies. He also cited a “a lack of awareness of who those second- and third-order suppliers are” in software supply chains.
Disruptive technologies risk making it harder for cyber defenders to keep up with adversaries, but participants agreed that innovation is the only way forward. The recent spate of high-tech flotations and deal-making is reminiscent of the dot.com era, Ware said, but some of today’s tech giants emerged from that frenzied hype and the same is likely to be true going forward. ”We’re going to see quantum computing companies fail, and we’re going to see space companies fail,” he said. “But we’re also going to see a revolution in companies none of us are talking about today, but all of us will be talking about five years from now.”
The race is on with the ever-accelerating pace of innovation in disruptive technologies. We need to ensure that security can keep up.