Anton Shingarev, Vice President of Public Affairs at Kaspersky Lab
In its business predictions for 2019, industry analyst Forrester says more companies will implement cybersecurity strategies based on a principle of “zero trust” — continuously questioning the security of all internal and external activity.
For cybersecurity as a whole, however, a zero trust approach is not an option. Everything cybersecurity vendors need to be able to do to protect customers — collect and process information on suspicious and malicious files, hunt malware, share threat intelligence, and collaborate – including with law enforcement and governments — is impossible if there is zero trust. How can we ensure they have faith in the industry and their specific provider?
This is where digital trust comes in. Digital trust is defined as the blend of cybersecurity, effective data privacy, accountability, and ethical data handling that leads customers to trust an organization.
Cybersecurity needs to establish its own digital trust. Unfortunately, this aim is under growing threat from external forces, such as geopolitics and technology nationalism.
A world without trust
Thanks to cybercriminals and advanced threat actors, cyberspace has become a landscape of fear, uncertainty and doubt. Geopolitical tensions are being played out online, with security software and other technology products positioned as potential cyber weapons.
As a result, people, organizations and governments are increasingly concerned about what cybersecurity software could be doing to or with their data and devices. Kaspersky Lab has found itself at the receiving end of some of these trends, and they are not a nice place to be, especially when you’ve done nothing wrong.
Globalisation vs. nationalism
Technology nationalism is flourishing because the world is engaged in a game without rules: there is no unified, independent global framework for standards in cybersecurity. That is not altogether surprising; cybersecurity is a relatively young industry still finding its feet as a sector and an agreed global playbook has not been essential before.
It is now.
In an increasingly connected world, cybersecurity has become fundamental to digital trust. It underpins the confidence people have in the security of their national economy, critical infrastructure and everyday life.
It is time for the industry to take control of its own destiny. The world needs a set of global standards and principles that everyone abides by and which are clear, transparent, and accountable.
What we can learn from other sectors
The long established automotive sector got its global regulatory relationships in place in 1952, with among other things, the setting up of the World Forum for the Harmonization of Vehicle Regulations under the auspices of the UN Economic Commission for Europe (UNECE). Through the forum, the world’s main automotive manufacturing markets collaborate on essential motor vehicle regulations that apply to all.
At the same time, every country is different and has its own unique needs, approach and regulations. In the case of the healthcare industry, the World Health Organization (WHO) provides details on the laws and healthcare approaches of different countries around the world.
Just imagine if such things existed for cybersecurity: if vendors could operate internationally on a level playing field, within an industry-wide trust framework, but tailor their activity and choices to the needs and regulations of individual countries?
The risk of failure to act
The absence of a global framework puts the industry at risk of what is known as “balkanization” where barriers, restrictions or even outright bans are put in place by governments to keep technology vendors it wants to exclude on the other side of the fence. We believe that technology nationalism is damaging and will stifle competition, innovation and collaboration and undermine trust in the global digital economy. The only winners will be the cybercriminals who don’t see and certainly won’t respect any of those borders.
The response of governments to industry insecurity needs instead to be based on dialogue with the relevant industry players and real evidence and assessment of the potential risks.
We are not the only ones concerned about trust and the future of cybersecurity. Across the industry there are partnerships and calls for a Digital Geneva Convention, including, most recently, the Paris Call. We are enthusiastic supporters of them all. But we also believe it is time to move beyond good intentions and take action to introduce tangible measures that prove trustworthiness, integrity and resilience.
Our model
For us, the answer is our Global Transparency Initiative. Launched in October 2017, the program involves, among other things, the relocation of key elements of our data processing and software build infrastructure to Switzerland, independent third party audits of our engineering practices, and the opening of three Transparency Centers where trusted partners can access external reviews of our source and update code and documentation. We achieved the first major milestones in November 2018 with the start of data processing in Zurich for customers in Europe, and the opening of our first Transparency Center in the city.
Becoming more transparent is not risk-free. Exposing your source code, for example, even in highly controlled circumstance could make it a target for attack. But these are risks we are prepared to take.
Roadmap for resilience
The days of black box cybersecurity are over. Yes, not everyone understands or even wants to know about the hundreds of thousands of lines of code that make up a security product. But they need to be able to see clearly what you do, how you do it, and how protected it is from outside interference. Equally importantly, they need to know what kind of data you don’t collect and what things you will never do. And not just for one vendor, but for all of them, measured by the same high global standards that we create together.