Ransomware attacks on the JBS beef plant, and on the Colonial Pipeline before it, have sparked a familiar set of reactions. There are promises of retaliation against the groups responsible, company executives likely to be brought before Congress in the coming months, and even a proposed executive order on cybersecurity that needs to be fully implemented. It may take months.
But once again, in the midst of this flurry of activity, we must ask or answer a fundamental question about the state of our cyber security: Why does this keep happening?
I have a theory why. In software development, there is a concept called “technical debt”. It describes the costs that companies pay when they choose the easier (or faster) way of building software, piecing together temporary solutions to meet a short-term need, rather than building it correctly. Over time, as teams struggle to maintain a patchwork of poorly architected applications, technical debt accrues in the form of lost productivity or poor customer experience.
Our country’s cybersecurity is burdened by a similar debt. Only the scale is bigger, the stakes are higher and the interest is compounded. It is difficult to estimate the actual cost of this “cyber security loan”. While we still don’t know the exact cause of either attack, we do know that beef prices will be significantly impacted and gas prices soared 8 cents on news of the Colonial Pipeline attack, costing consumers and businesses billions. The damage done to public confidence cannot be counted.
How did we get here? The public and private sectors are spending more than $4 trillion annually in the digital arms race that is our modern economy. These investments are aimed at speed and innovation. But in pursuit of these ambitions, organizations of all sizes have assembled complex, disorganized systems – drawing on data from hundreds of locations and devices, many running thousands of applications in private and public clouds.
Complexity is the enemy of security. Some companies are forced to put together 50 different security solutions from 10 different vendors to protect their vast technology wealth – acting as a systems integrator of sorts. Each node in these fantastically complex networks is like a door or window that can be left open inadvertently. Each represents a potential point of failure and exponential growth in cybersecurity debt.
We have an unprecedented opportunity and responsibility to update the architectural foundation of our digital infrastructure and pay down our cyber security debt. To accomplish this, two important steps must be taken.
First, we must embrace open standards in all critical digital infrastructure, especially the infrastructure used by private contractors to serve the government. Until recently, it was thought that the only way to standardize security protocols across a complex digital estate was to rebuild it from the ground up in the cloud. But it is like changing the foundation of the house even while living in the house. You can’t easily lift and move massive, mission-critical workloads from private data centers to the cloud.
Put another way: Open, hybrid cloud architectures can combine and standardize security across any kind of infrastructure, from private data centers to public clouds, to the edges of networks. They integrate security workflows, enhance the visibility of threats across the network (3rd and 4th party networks where data flows) and streamline response. This essentially eliminates the weak link without moving data or applications – a design point that should be adopted in the public and private sectors.
The second step is to address the remaining loopholes in the data security supply chain. President Biden’s executive order requires federal agencies to encrypt the data being stored or transmitted. We have the opportunity to take this a step further and address the data in use as well. As more organizations outsource the storage and processing of their data to cloud providers, expecting real-time data analysis in return, this represents an area of vulnerability.
Many believe that this vulnerability is simply the price we pay for outsourcing digital infrastructure to another company. But this is not true. Cloud providers can and do protect their customers’ data at the same speed as they protect their own data. They do not need access to the data stored on their servers. sometimes.
Ensuring this requires confidential computing, which encrypts data at rest, in transit, and in process. Confidential computing makes it technically impossible for anyone to access data without an encryption key, not even your cloud provider. For example, at IBM, our customers run workloads in the IBM Cloud with complete privacy and control. They are the only ones who have the key. We could not access their data even when forced by a court order or ransom request. It is simply not an option.
Paying off the principal on any type of loan can be difficult, as anyone with a mortgage or student loan can attest. But it is not a low interest loan. As the JBS and Colonial Pipeline attacks clearly demonstrate, the cost of not addressing our cyber security debt far outweighs the monetary damage. Our food and fuel supplies are at risk, and the entire economy could be disrupted.
I believe that with the right measures – strong public and private collaboration – we have the opportunity to build a future that brings forth the combined power of security and technological progress built on trust.