The Data Privacy Dilemma and Threats
Introduction
I think we all know the quote, "there is no privacy once you open your data and connect to internet," which I believe is true. We live in an online world where everything we do is captured as data, and that data is turned into knowledge and information about us. Tech companies collected so much data that they realized they needed to turn it into something understandable, which led to Big Data and the use of AI as their core business strategy. And now we are all being ruled by it. In many scenarios Google, Meta, Apple, TikTok or any other big tech company knows more about us than we know about ourselves. This is because all the data collected from our interactions with the platforms they provide is measured and turned into valuable information that is mostly used against us. All the data they collect is used to give us recommendations on what we should watch, do or buy next, tailored to our behavior. They are so good that they also suggest what we might like to do differently based on our interactions with their platform. They have our identity information, such as our name, date of birth, gender and country. They use that just as a starting point to feed their AI engine basic information about us, and we are put in a group that matches our identity so the engine can suggest what we might want to see, buy or do on their platform. Then, based on our interactions, we move from group to group, each more tailored to what we are like, so they can "serve" us better.
Having said this, the main focus of this article is not social media's data usage practices. I used that as a stepping stone for what I'm about to discuss, as it is a perfect analogy for cybersecurity vendors' telemetry data collection and the risk it poses to a country's cybersecurity posture.
The Data Dilemma
Yes! All cybersecurity vendors collect data too. And no, we can't be sure exactly what is collected and how it is being used. Should we worry? - A little bit. But I strongly believe the discussion about this must start. Let me explain why.
Let's start with our country - Ethiopia. Many major institutions and organizations license one or more endpoint security solutions. And for the "sake of security", those vendors collect telemetry from all endpoint devices into their AI engine to "give us better security posture and recommendations." I know, telemetry must be collected for analysis that helps make decisions. But since AI is now becoming the core element of malware analysis and other cybersecurity tasks, the potential misuse of this data, especially in the context of geopolitical tensions and cyber warfare, raises a big question.
Microsoft came up with a Generative AI called Copilot. Now they have integrated it with Microsoft Azure to work alongside users. The AI will scan your environment and then give you suggestions on what to do. Basically, you can ask the AI something like, "hey, can you give me all the activities performed by Wakeyo Tolera in the past 2 days, including the places from where he has logged in, what his behavior is like, and what he is mostly doing across all the Azure environments?" Then, voilà! All that information is presented to you. Plus, it has the capability to analyze any threat because it has access to your entire environment. And I know this AI has many positive sides too, which help organizations and cybersecurity professionals do their job right. But, just like Google, Facebook, and TikTok use our data to provide other businesses with targeted advertising, don't you think cybersecurity vendors may also use our data to play against us in some way?
The Growing Scope of Cybersecurity Vendors
What are all cybersecurity vendors doing right now? They are expanding and say they provide protections other than what they originally provided, either because of the mergers and acquisitions happening or because they are not getting a small slice of the big market.
So, the vendor that used to provide you a Next Generation Firewall is now in the endpoint security/WAF/Identity Protection business and tries to sell you their solution for endpoint protection. The vendor that used to provide you endpoint protection now tries to sell you their email security solution, DLP solution, PAM solution, or anything else cybersecurity vendors come up with beyond what we originally knew them for.
But, hold up. I'm not saying that is completely wrong, although I have reservations and a little bit of concern about that approach, which I am not going to discuss in this article. My concern in this article is DATA PRIVACY.
You may hear them all say they are expanding into those sectors because they want to provide better security with the worldwide reputation and "threat intel" they have. Yes, the term used by every cybersecurity vendor - "THREAT INTEL." I'm not going to bother defining the term, as my concern is what it could potentially be used for. All of them collect artifacts and telemetry, citing that they are used to analyze threats better and protect our companies, just like Google collects information to "provide, improve, and protect their services, understand how people use their products, and create more relevant experiences." And what do we know about Google regarding our identity? Doesn't it surprise you how much they know about us and what they are using it for, like targeted advertising? Or do you remember Facebook being used to target specific people to spread misinformation and influence public opinion in the 2016 presidential election, which made many citizens change their opinion about Trump and made Clinton lose the election by manipulating the feeds they see?
So, don't you think, at least a bit, that all the IPs, MAC addresses, domain names, DNS records, device types, software applications, OS, device identifiers, user accounts, user activity, user location, security events, security configurations, vulnerabilities, etc. collected for the sake of "Threat intelligence" can also be used to know what organizations have and don't have? What their cybersecurity posture is like?
Having that in mind, imagine what one single vendor who provides many protections across different layers of the OSI model has the power to do. And they may even collect this data without you even knowing about it. To be honest, I don't think we know much. Then, I want you to multiply what this vendor gets by as many organizations as there are in the country who use that product. And what would that give you? - Your country's cybersecurity posture! And what can that be used for? - Living in a generation where cyberwarfare is the biggest weapon, one that is being used like a nuclear bomb, I don't think I need to answer that question.
Therefore, my question is, what is there to protect our country from this?
Data collection in the name of "threat intelligence" goes beyond a single organization, and it is a country's biggest security risk. What is our government doing to address this?
The Role of Data Sovereignty
I believe data privacy is a dilemma. And we can't make it 100% private. After all, we need it for analysis. But we can address these issues. And for Africa, as we are the ones affected by this risk the most, what are we doing?
In Ethiopia, we have Data Sovereignty. This is very crucial, and to whoever enforced this policy - I salute you. Because this mandates that any organization's data not leave the land and be kept in a data center located in Ethiopia. If you ask, does this ensure data privacy 100%? I would say No. Because, no matter where the data lives, it is collectable and can be exported anywhere. So, what would our strategy be to address this issue?
I guess, governance and technology. Be like Europe: audit organizations' practices toward data privacy and be strict. Some vendors have solutions that address these things. For example, Kaspersky provides what they call Private Security Network (PSN), which allows organizations to benefit from threat intelligence and malware detection without sending their telemetry data to Kaspersky's cloud. Instead, the data is processed locally or within the organization's infrastructure, ensuring that no sensitive information leaves the organization's network while still leveraging Kaspersky's AI-driven threat detection. This could be a start, which can be enforced to make other vendors provide this too. But this requires a big discussion among the cybersecurity community and developers on how to implement it in a way that ensures real data privacy.
I could also mention "Proton VPN", which offers this kind of service and handles anonymity better than any other provider out there.
What else? Create, support, and fund local talent to develop cybersecurity solutions. China is doing it. Why not our country?
The recently approved "Personal Data Protection Proclamation" is a good act that helps realize, or at least helps in protecting, organizations' data handling practices. But unless there is a serious audit, it can't be realized. And even with an audit, I wonder where that leaves our country unless a comprehensive strategy is implemented. Because we still rely heavily on cybersecurity vendors to provide us the tools we need to protect against the cybersecurity attacks out there.
Why did the USA pass a bill that hinders Kaspersky's licensing in the country? Why is TikTok forced by the USA to separate the technology they use from the rest of the world and use a database owned and controlled by the USA? Why is Europe enforcing GDPR and punishing those who violate it?
I hope those questions spark a sense of the importance of Data Privacy. Even though I think of it as a dilemma, I believe that when the basic things that help protect the data of users and organizations get addressed well, then collectively our country's data governance becomes clearer, to a certain degree, and safe.
Conclusion
The growing power of cybersecurity vendors presents a significant challenge to national security. By understanding the risks associated with vendor data collection and implementing appropriate regulations, by supporting emerging technologies and companies that care how data is being used and that stand against any government monopoly on accessing stored data by bending laws, and by leading cybersecurity innovation, governments can protect their citizens and organizations from potential threats.
What do you think? Put it in the comments.