Great things have small beginnings
At the heart of everything important we do online is encryption, and at the heart of much of that encryption is public-key cryptography: a way for two parties to establish shared secrets and verify each other without ever having met. The best-known public-key system is RSA.
RSA is premised on a simple notion: multiplying two large prime numbers together is effortless, but recovering those primes from their product is, at the key sizes in use today, computationally infeasible with any known classical algorithm. Keys are built from exactly such primes, and the entire approach is a fascinating illustration of the weight a little bit of math can carry in our IT-reliant world.
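To make the "easy to multiply, hard to factor" asymmetry concrete, here is textbook RSA worked through end to end. This is an added example, not code from the original post; the parameters (p=61, q=53, e=17) are the classic small textbook values, and the final function plays the attacker to show why a modulus that small gives no security at all. Real keys use 2048-bit or larger moduli, and real deployments add padding (OAEP for encryption, PSS for signatures), which plain textbook RSA lacks.

```python
"""Textbook RSA worked through end to end on small primes.

Added example for this post, not code from the original article. The
primes and exponent are illustrative (p=61, q=53, e=17); real keys use
2048-bit or larger moduli, and real deployments add padding (OAEP for
encryption, PSS for signatures), which textbook RSA as shown here omits.
"""
from math import gcd, isqrt


def is_prime(n: int) -> bool:
    """Trial-division primality test; adequate for the small values used here."""
    if n < 2:
        return False
    return all(n % k for k in range(2, isqrt(n) + 1))


def make_keypair(p: int, q: int, e: int = 65537):
    """Derive ((n, e), (n, d)) from two distinct primes.

    n = p*q costs one multiplication. Everything secret about the key,
    phi(n) and hence d, follows immediately from knowing p and q.
    """
    if p == q or not (is_prime(p) and is_prime(q)):
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)           # Euler's totient of n
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)               # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(pub, m: int) -> int:
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def factor_by_trial_division(n: int):
    """Recover p and q from n. Work grows with sqrt(n): hopeless for real key sizes."""
    for cand in range(2, isqrt(n) + 1):
        if n % cand == 0:
            return cand, n // cand
    return None


def recover_private_key(pub):
    """Attacker's view: given only (n, e), rebuild d once n has been factored."""
    n, e = pub
    factors = factor_by_trial_division(n)
    if factors is None:
        raise ValueError("n is not a product of two primes")
    p, q = factors
    return n, pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    pub, priv = make_keypair(61, 53, e=17)
    c = encrypt(pub, 65)
    print(pub, priv, c, decrypt(priv, c))       # (3233, 17) (3233, 2753) 2790 65
    print(recover_private_key(pub) == priv)     # True: the toy modulus factors instantly
```

The asymmetry is visible in the code itself: `make_keypair` does one multiplication, while `factor_by_trial_division` loops up to the square root of n. For a 2048-bit modulus that square root is around 2^1024, which is why the attack in `recover_private_key` only works against toy parameters.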
RSA is also an allegory of sorts for the underlying nature of reality. As with our biological makeup itself, the emergence of advanced society over time through the interaction of billions of individuals entails significant complexity. While complexity emerges seemingly effortlessly – like the tangle of headphone cables in your coat pocket – reverse-engineering and managing such complexity for the sake of maintaining a sense of order and security is non-trivial.
Tapping into talent, globally
The above is of particular relevance for cybersecurity. No “silver bullet” exists, as I’ve written before – we critically rely on the implementation of appropriate processes and behaviours, but also, and just as importantly, on the talent and ingenuity of countless engaged ecosystem participants.
While internalised expert talent will always be required and prized by large organisations in particular, crowdsourcing provides a compelling complementary approach to identifying and tackling vulnerabilities.
Having an expert team keep a watchful eye on your systems is good. Empowering that team with advanced automation & AI is better.
Connecting your capabilities with a large, diverse talent pool is best.
Insights generated by the large and growing community of “ethical hackers” have recently caught my attention. In its 2021 Hacker Report, the bug bounty and vulnerability disclosure platform HackerOne reports on trends from its community of registered ethical hackers, which has doubled to reach 1 million members over a 2-year period.
Some key insights:
- 63% increase in hacker-submitted vulnerabilities over the past 12 months
- Roughly 20 major areas of vulnerability
- 53% rise in submissions for improper access control and privilege escalation
- 310% rise in reports for misconfiguration
- 50% of hackers have not reported a bug due to a lack of a clear reporting process or prior negative experience
- 85% of hackers hack to learn, 62% do it to advance their career
Unsurprisingly, HackerOne’s business model is in vogue. In a March 8 press release, the company announced reaching the milestone of >2000 active customer programs. About half of its customers are major businesses generating >$1bn in annual revenues. In parallel, the company announced a major hire in the form of Google Cloud’s CISO.
Infrastructure and supply chain challenges
Another leg of the global InfoSec and cybersecurity landscape is hardware and infrastructure.
As if things weren’t complex enough on the software end already, hardware also poses fundamental and equally thorny challenges. As the World Economic Forum lays out in this post, “hardware attacks take advantage of vulnerabilities in hardware-manufacturing supply chains. Modern chips are incredibly complex devices consisting of billions of transistor components that can be compromised during the processes of design, fabrication, and assembly and testing.”
This issue was thrust into the spotlight in 2018 by investigative reporting suggesting that certain hardware suppliers may have altered their chipsets with the backing of government intelligence agencies – with the alleged goal of stealthily integrating hardware “backdoors” into equipment used globally. The companies named in that reporting strongly disputed it, but the episode made the threat model tangible: a component can be compromised before it ever reaches the buyer, and no amount of software patching will fix it.
Skip forward a few years and we are seeing a global chip shortage, with a major impact on sectors beyond IT, such as the automotive industry. This highlights the growing cross-sector reliance on IT components, and it reiterates the urgency of supply chain management and the emerging discipline of cyber supply chain risk management (C-SCRM). This is a far-ranging issue which hitherto was subject to piecemeal approaches by individual public and private sector stakeholders, but which is seeing increasing formalisation of late.
Take for instance the U.S. IoT Cybersecurity Improvement Act of 2020, discussed here by Gibson Dunn:
- While the Act is focused on U.S. federal government use of IoT, “the measures set pursuant to the Act should be closely monitored by all industry stakeholders”
- 85% of federal agencies are currently using, or plan to soon use, IoT devices
- Another pillar of the Act concerns itself with InfoSec disclosure procedures in order to streamline the reception, reporting and dissemination of knowledge around security vulnerabilities
- Throughout the legislation, Federal agencies are advised to consider & align with private sector best practice and international standards. Given the overarching importance of these matters to both government and industry, it should be expected that public-private interactions and partnerships will remain key.
- The “real bite” of the Act derives from the power it gives the CIOs of federal agencies to prohibit procurement of non-compliant devices, beginning December 2022.
- NIST has acted swiftly upon passage of the Act by publishing draft documents providing practical guidance to the federal agencies tasked with evaluating the security requirements for IoT devices.
At the EU level, ENISA in November 2020 similarly published guidelines on securing the IoT supply chain which:
- Acknowledge that “IoT supply chains have become a weak link for cybersecurity”
- Discuss results from an ENISA survey showing that untrusted third-party components and vendors, as well as the vulnerability management of third-party components, are the two main threats to the IoT supply chain
In response, ENISA highlights the need to develop “innovative trust models” as “trust between the stakeholders is one of the most relevant and important challenges to consider for securing the IoT supply chain”. The agency highlights that there is unlikely to be a “one size fits all” approach to define required trust parameters in light of the proprietary nature of source code, the needs of different organisations, and so forth. ENISA also cross-references a NIST publication recapping observations from industry with regard to C-SCRM, which are manifold and illustrative of the previous statement that a one-size-fits-all is unlikely.
The quantum leap
Developments in IT infrastructure are also driven by fundamental scientific advances, and this opens up new avenues for competition and innovation.
You will have heard of quantum computing – a fundamentally different way of computing, premised on the qualitatively different nature of physics at very small (quantum) scales – all the while being a little hazy on the details. Don’t feel bad. Quantum physics is so un-intuitive that Einstein famously dismissed the notion of quantum entanglement as “spooky action at a distance”.
That doesn’t mean that quantum physics isn’t real – quite to the contrary – and generations of physicists, engineers and now also IT experts have been chipping away at its implications for science and industry.
A hot concept in InfoSec is that of quantum key distribution (QKD), and the field of quantum cryptography at large. Rather than relying on a hard math problem, QKD lets two parties agree on a secret key over a quantum channel in such a way that any eavesdropper who measures the signal in transit leaves detectable errors behind. Below is an intuitive and fun introduction to these concepts:
If the topic has piqued your interest, a foundational academic paper can be accessed for free here.
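The property that makes QKD interesting, that eavesdropping is detectable rather than merely hard, can be shown without any quantum hardware. The following is an added example, not code from the original post or from the paper linked above: a classical simulation of the bookkeeping of BB84, the protocol the field grew out of. It does not model the physics; it applies the one rule that matters for the protocol (measuring in the preparing basis returns the prepared bit, measuring in the other basis returns a random bit) and then runs the public sifting and error-estimation steps, with and without an intercept-resend eavesdropper. The 11% abort threshold and the 50% sampling fraction are assumed parameters.

```python
"""Classical simulation of BB84 quantum key distribution.

Added example for this post, not from the original article. It models
the protocol's bookkeeping (random bits and bases, measurement, public
basis sifting, error estimation, abort decision), not the physics: a
measurement returns the prepared bit when bases match and a uniformly
random bit otherwise. The abort threshold (11%) and sampling fraction
(50%) are assumed parameters for the demonstration.
"""
import random
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Session:
    sifted_alice: List[int]
    sifted_bob: List[int]
    qber: float               # bit error rate measured on the revealed sample
    key: Optional[List[int]]  # Alice's remaining bits, or None if aborted


def measure(bit: int, prep_basis: str, meas_basis: str, rng: random.Random) -> int:
    """Outcome of measuring a qubit prepared as `bit` in `prep_basis`."""
    return bit if prep_basis == meas_basis else rng.randrange(2)


def bb84(n_qubits: int, eavesdrop: bool, sample_fraction: float = 0.5,
         abort_threshold: float = 0.11, seed: int = 0) -> Session:
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n_qubits)]
    alice_bases = [rng.choice("ZX") for _ in range(n_qubits)]   # Z: rectilinear, X: diagonal
    bob_bases = [rng.choice("ZX") for _ in range(n_qubits)]

    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        if eavesdrop:
            # Intercept-resend attack: Eve measures in a random basis and
            # forwards a fresh qubit prepared in that basis with her result.
            # Half the time she guesses wrong and disturbs the state.
            e_basis = rng.choice("ZX")
            bit = measure(bit, a_basis, e_basis, rng)
            a_basis = e_basis
        bob_bits.append(measure(bit, a_basis, b_basis, rng))

    # Sifting: bases (not bits) are compared over the public channel and
    # only positions where Alice and Bob chose the same basis survive.
    kept = [i for i in range(n_qubits) if alice_bases[i] == bob_bases[i]]
    sifted_alice = [alice_bits[i] for i in kept]
    sifted_bob = [bob_bits[i] for i in kept]

    # Error estimation: a random sample of sifted bits is revealed publicly
    # and discarded; disagreements in the sample expose an eavesdropper.
    n_sample = int(len(kept) * sample_fraction)
    sample = set(rng.sample(range(len(kept)), n_sample))
    errors = sum(sifted_alice[i] != sifted_bob[i] for i in sample)
    qber = errors / n_sample if n_sample else 0.0

    key = None
    if qber <= abort_threshold:
        # In a real deployment error correction and privacy amplification
        # follow here; this simulation stops at the raw unsampled bits.
        key = [sifted_alice[i] for i in range(len(kept)) if i not in sample]
    return Session(sifted_alice, sifted_bob, qber, key)


if __name__ == "__main__":
    for tapped in (False, True):
        s = bb84(2000, eavesdrop=tapped)
        outcome = "ABORT" if s.key is None else f"key bits={len(s.key)}"
        print(f"eavesdropper={tapped}: sifted={len(s.sifted_alice)} "
              f"qber={s.qber:.3f} {outcome}")
```

Without Eve the sifted bits agree exactly, so the error rate is zero and roughly a quarter of the transmitted qubits end up as key. With an intercept-resend attacker, Eve picks the wrong basis half the time and in those cases Bob's result is random, which pushes the measured error rate to about 25%, far above the abort threshold, so the session is discarded before any key is used.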
In its recently published recovery and resilience plan, the Luxembourg government emphasises investment in the area of quantum communication by drawing upon EU funding allocated through the Recovery and Resilience Facility and by integrating with existing EU initiatives, as discussed here. The stated goal is to develop and implement infrastructure and communication channels based on quantum cryptography, with a view to future-proofing the sharing of sensitive information within government and industry.
Needless to say, the successful implementation of quantum cryptography would represent a major leap forward, rewarding early adopters with a significant security advantage. It is also worth considering the impact that this new paradigm would have on the above-mentioned C-SCRM issues: by obsoleting the key-exchange standards in use today (a sufficiently large quantum computer running Shor’s algorithm would break RSA itself, since factoring is exactly the problem it solves efficiently), quantum cryptography would seed a new wave of manufacturing which is “up for grabs” by strategic players worldwide.
If the saying “nothing new under the Sun” has any residual relevance, it certainly isn’t in the area of IT & cybersecurity.
Author: Jérôme Verony – LHoFT Research and Strategy Associate