By Baan Alsinawi, Managing Director, Strategy and Risk, CISO Global, and Founder of TalaTek, a CISO Global company
All anyone wants to talk about these days is AI, and when seven leading U.S. producers of AI technology recently stepped forward with their commitment to voluntarily include cybersecurity in their platforms, cybersecurity practitioners everywhere were cautiously optimistic. After conversations with the Biden-Harris administration, representatives from Amazon, Anthropic, Google, Inflection, Meta, Microsoft, and OpenAI publicly “agreed that AI firms have a duty to build systems that put security first.” That means safeguarding their AI models against cyber and insider threats and sharing best practices and standards to prevent misuse, reduce risks to society and protect national security.” The question is whether or not it will it go far enough. In the battle between good AI cyber hygiene and the need to be “first”, who do we really believe will be the winner?
More Positive Pressure from Regulators
How many U.S. startups will actually be willing to invest in making their platforms and IoT devices secure before going to market? This is the question Federal Communications Commission Chairwoman Jessica Rosenworcel and several of her cohorts proposed a new voluntary program last spring that would encourage companies to include information about the out-of-the-box security status of technological products, rewarding those which meet special standards with a U.S. Cyber Trust Mark. Security by design and default is not a new concept, but it often seems to take time before businesses understand the real costs of risk and the various ways to mitigate it before they are willing to wholeheartedly adopt the recommendations of cybersecurity professionals.
The Last Time We Saw This Trend
After public backlash to Mark Zuckerburg’s infamous appearances before both the U.S. Senate and EU Parliament, in which the CEO sidestepped a great many well-articulated privacy and security questions, it became clear that both legislators and consumers were fed up with the lack of protections required of these giants. Giving up on Big Tech’s previous lobbying efforts to prevent regulation, Apple, Google, AT&T, and Charter then decided to move away from the Big Tech herd, publicly acquiescing to – if not outright supporting – the winds of change favoring federal data privacy laws for consumer protection. There are some very strong opinions out there about why Big Tech made this shift, but the important thing is that the shift has begun. States are filling the gap in data privacy regulation until the matter of federal protections and a proper oversight body can be settled. According to Bloomburg Law, a total of nine states have now passed privacy protection laws, with an additional sixteen states having introduced new privacy bills just during the 2022-23 legislative cycle.
What Could This Mean for U.S. Tech Startups?
There are currently over 70,000 active technology startups in the United States. Most of those are still vying for funding and answering to investors on ROI, so how many of them are willing to set aside enough of their budgets to incorporate security into their dev processes the way it really needs to be done? An annual pen test almost doesn’t count in this context. What’s being called for is security by design, not add-on or ad hoc solutions – a truly architectural approach to keeping attackers out of technology from day one, and releasing products in the market that are preconfigured to be secure by default. The NIST Special Publication 800-160 provides a framework for building secure systems.
CISA and FBI Support Protecting End-Users
The constant pressure to perform can tempt startup executives to hit the gas pedal on speed-to-market, often forcing development teams to push out software that hasn’t undergone thorough efforts in security architecture, multiple rounds of security testing, and secure code reviews for each new release. Instead, manufacturers often wait for bug bounty hunters to identify vulnerabilities before they take action. This puts the onus on end users to constantly watch their new technologies for signs of attack – which may not be easy to detect, even if those clients have invested in solutions designed for the task. CISA and FBI co-authored a document called Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default, published in June 2023 that states:
[We] strongly encourage every technology manufacturer to build their products in a way that prevents customers from having to constantly perform monitoring, routine updates, and damage control on their systems to mitigate cyber intrusions. Manufacturers are encouraged to take ownership of improving the security outcomes of their customers. Historically, technology manufacturers have relied on fixing vulnerabilities found after the customers have deployed the products, requiring the customers to apply those patches at their own expense. Only by incorporating Secure-by-Design practices will we break the vicious cycle of creating and applying fixes.
So, it would seem that the support needed for future regulation is beginning to fall into place, but sweeping voluntary change in the industry may delay laws with consequences attached. It is wishful thinking to assume the trends will change voluntarily! There is no substitute for the use of regulatory compliance and accompanying enforcement, with monetary penalties, which are largely underutilized for most industry standards. FedRAMP is as an example of a model to copy, where strict adherence to the standard is enforced and monitored and any deviation is promptly acted upon with consequences for business and government alike. Absent such a strict model, leaving to the industry to decide, profitability, the only metric rewarded by Wall Street, will always win!
Will Following These Steps Really Help Stop Cyber Attacks?
Of course, no one can blame businesses for being skeptical in a world where last year, alone, the world spent $262 billion on cybersecurity, yet global losses to cyber-attacks are expected to hit $8 trillion in 2023. There seems to be an industry effectiveness problem, and most experienced practitioners would agree. So, where’s the disconnect?
Not Enough Experts for Full-Time, In-House Help
To begin with, there aren’t enough people with the skills necessary to help all IoT technology manufacturers and SaaS development companies in the U.S. With an ongoing 3.4 million cybersecurity professional shortfall, expertise is extremely difficult to find. So, while new commitments secure technology manufacturing and development are important steps, organizations will still need to solve the problem of who will help them implement proper architecture, configurations, testing, and remediation cycles. Fractional CISO services are one way people choose to solve for this, making experts more accessible both time-wise and financially for midmarket and below. And, there is the issue of enforcement: scarcity of qualified audit resources who enforce regulatory requirements contribute to slack industry adherence.
Vendor Sprawl is a Challenge
With a shortage of experts, most companies have opted to try solving their cybersecurity challenges with technology. This is a logical step but has had limited results. The average enterprise is currently using 76 different cybersecurity tools, most of which have their own reports, portals, and visualizations. Lack of visibility across all these tools in an aggregated way prevents cyber executives from understanding the big picture accurately. With incongruent sources of data that invariably don’t correlate, technology is not enough to solve the problem, and in fact it creates a whole new set of challenges, where more isn’t better. After all, an unqualified practitioner with a tool is still an unqualified practitioner. So, significant work needs to be done in the space of data curation and visibility to help address vendor and tool sprawl.
In the end, the move to reward tech companies for voluntarily taking cybersecurity measures will not solve our woes in technology development, absent monitoring and enforcement through strict regulatory requirements.
Change doesn’t happen overnight in any sector, much less cybersecurity. Looking at the past 50 years, it’s easy to see that tech develops and matures at a rate that is much faster than regulation, knowledge base of buyers, and technological understanding necessary to write and enforce effective laws. So, all steps we take forward need to be lauded and supported. I’m in favor of a certification badge, as well as any other positive incentives that lawmakers can create for manufacturers and developers willing to improve their processes to include cybersecurity by design and default, rather than an afterthought or check the box activity.
Image by rawpixel.com on Freepik