Security Industry at a crossroads - Time for 'Constructive Disruption' or 'Sandboxing Innovation'
It’s been a busy first quarter of 2017. We’ve attended the RSA Conference and CiscoLive!, and we now head to the ACSC Conference and more. The cybersecurity industry is buzzing. But is this a good thing? Be it record spikes in ransomware, DDoS attacks, or the manipulation of information systems to influence elections or commit fraud on a massive scale, the Internet is clearly an unsafe place. Add to this its use for terrorist financing, recruitment and radicalisation.
The RSA Conference hardly put me at ease in terms of the cybersecurity challenges ahead of us. ‘Nuclear’ and ‘Atomic’ were two ear-pricking words used in the opening keynote sessions. Read Part 1 of my RSA review to find their context. Yet regardless of the context, these terms already have a place in the threat landscape and need to be acknowledged by Governments throughout the world and at all levels – that includes State and Local, not just Federal.
CiscoLive! in Melbourne was inspirational yet again, as the vendor links its Digital Network Architecture (DNA) and partner community solutions with a look out to the future over the next 3 – 5 years. Indeed, this year they went out to 10 – 15 years, predicting 500 billion devices will be connected to the Internet in that time. Kevin Bloch, Chief Technology Officer for Cisco, outlined how, as a company spending $6 billion a year on research and development as well as making many acquisitions, they need to understand what the micro transitions are and then look from the outside in, as well as to customers, partners and the media: why is Cisco making investments in some areas and not others? It’s not just about the technology, it’s also about the timing. The world is moving from a ‘world of data’ to a ‘data driven world’. There is a clear divergence occurring from the ‘old world’ to a new world of digital platforms, data-intensive AI (artificial intelligence), global scale and innovation investment in what is a boundary-less market. Indeed, according to Cognizant’s Frank, Roehrig and Pring, “we are now entering the ‘digital build-out’ phase of the fourth industrial revolution.”
We need to accept this is the case – the digital transformation has begun and will continue to occur at a rapid pace. The scale in compute processing, network bandwidth and applications we see today will be dwarfed with the use of quantum computing platforms, artificial intelligence and smart infrastructure becoming the norm within 10-20 years. The societal benefits on offer should be immeasurable and the opportunities astounding. However, as a security practitioner, I see risk, uncertainty and threats that need to be recognised and managed. Ignorance is no excuse and should not be tolerated, especially within government.
A large proportion, if not all, of the 20th century security threat challenges, physical and cyber, have not been solved, and we continue to stubbornly abide by our 19th century bureaucracies. The thought of radical reform to our institutions and legal frameworks is often met with mistrust and dogged opposition. But there is a way, and thanks go to Kevin Bloch at Cisco for highlighting two possible concepts for managing the consequences of digital transformation. The first is ‘constructive disruption’, exemplified by the likes of Uber, who charged through taxi industry regulations around the world, breached the laws, paid the fines and went to court in battle; ultimately, they achieved industry deregulation. The second is ‘sandboxing innovation’, where particular technologies, industries and locations are trialled under moratoriums on legislation or regulation, or under de-regulation trials, so that industry is freed up to try out new ideas. The second approach is the more preferable, but it is not yet widely enough adopted.
In Australia, speculation of the formation of a Homeland Security Department has been quashed by the Prime Minister. However, with national policing issues abounding (too many to list) and prisons full, we should not be so quick to reject radical reform ideas. A national discussion is needed and I would submit it is urgently needed and increasingly so. Nor should it be limited to just law enforcement. Reform is needed across the security sector. To do nothing shows ignorance. Is it not ‘insane’ to think if we keep doing the same thing, we should still expect different results?
Let us be bold and brave and review digital transformation reform across public and private security systems, federally and across the states. And this could go further to be expanded across the region, with better alignment between public law enforcement and private sector agencies, allowing them to share systems, data, intelligence and training platforms.
For the private sector, the cyber and physical sectors must be fully converged in order to scale and be better consolidated for public safety applications, support roles, and for the adoption of skills development, security technologies, and information gathering and reporting. New models are clearly needed, highly possible and achievable. The outcomes would be applicable to Australia and its ASEAN partners.
When COAG failed to acknowledge the rapidly changing and emerging landscape of the security industry in 2008, it failed to design legislation that would properly recognise the extent of the industry’s technology and innovation. But the landscape was clearly foreseeable and predictable, and the Governments and Industry Associations of the day (some people still hold the same positions) were advised of the tsunami of technology innovation coming over the next decade. Yet here we are today, still with a security sector in Australia that is not only vulnerable to cybercrime, but also unable to support a regulatory and compliance framework across the country.
Cybersecurity is not a new thing. Go back to the Australian computer crime and security surveys from the 1990s: even then the consistent theme was a call to increase education, training and awareness. Yet it would seem, from the Australian Government’s emphasis on the Australian Cyber Security Strategy, that it is all new; indeed, launching a Cybersecurity Growth Network suggests it is the ‘only’ worthwhile part of the security industry, despite the national terrorism threat level sitting at ‘probable’ since 2014. Thwarted terror attacks have become the norm rather than the exception. We shouldn’t have to wait for a successful attack before changes are made. Like terrorism, ransomware is not a new thing either; I was writing about it in 2005, but unsurprisingly it has continued to evolve and has increased 650% in recent years. Indeed, my book published in 2009, Security Risk Management in Corporate Governance, highlighted the convergence of technology, corporate crime and terrorism and the need for companies to get their security policies in order.
At the time of my 2005 study, less than 30% of the sixty companies I surveyed from the ASX 200 had ‘any’ kind of security policy; yet I now understand that the Australian Government is instructing all ASX 200 listed companies to conduct security audits and policy reviews. While many understand the importance of cybersecurity, a new study conducted by IDC shows that little has actually changed since my own survey, with very few companies ready to battle the threat. In fact, IBM says that 68 percent of companies aren’t ready for cyber-attacks, leaving themselves dangerously open out of ignorance, a lack of funds, or an unwillingness to rock the boat by acknowledging a threat.
Yes, this is an ‘I told you so’ moment, but it is also another warning. Maybe even a demand. The States and Federal Government must reform national security regulation and legislative frameworks in order to reflect the security threat landscape, and professionalisation across a converging sector, cyber and physical. Breaches of the state legislation are being wilfully ignored by regulators and egotistical cybersecurity practitioners. With every penetration test, with every signoff to an ISO27000 series management plan, with every Smart facility or Smart city project, there is a likely prima facie breach of state security laws. The Victorian Police Minister admitted that to regulate this would be overly burdensome but that, despite this, they didn’t see a need to change the laws following a KPMG review. This is why I will take on any security project in Australia from here on and offer my services, but I will not get any additional licences: the States clearly don’t have the interest or resources to regulate the security industry, and the Government is too lazy (or too slow, or both) to change the laws. Be it ‘constructive disruption’ or ‘sandboxing innovation’, in my view, it is open slather, and police officers, intelligence officers and any licensed security agent, consultant and technician should be ‘demanding’ responsive government and reform!
And on that note, as always, we provide plenty of thought provoking material and there is so much more to touch on. Stay tuned with us as we continue to explore, educate, entertain and most importantly, engage.
Chris Cubbage, Executive Editor
To highlight where I'm coming from (in case it's unclear), I recommend watching Mr. Bruce Schneier at RSA, 'Regulating the Internet of Things': https://www.youtube.com/watch?v=b05ksqy9F7k. There's also a book review of Bruce's book 'Data & Goliath' in this current issue.
Managing Director at TechnologyCare
8 years ago
Confusing physical & cyber security may result in due process not being followed in each case. Both have workflows leading to objectives quite different.