Artificial intelligence, quantum computing, Internet of Things (IoT) devices, 5G mobile, and its planned successor, 6G: The list of fast-developing technologies and the development of entire new industries like space commercialization and green tech goes on and on. This innovation offers tremendous opportunities for growth, but the scale of disruption also creates new cybersecurity risks, giving malicious actors fresh avenues to try to steal, damage, destroy, or demand ransom.
The challenge requires an all-out response from business and government to enhance cybersecurity and more effectively buy down cyber risk, industry experts agreed at a panel session on disruptive technologies at the Billington CyberSecurity Summit.
A starting point involves embracing a Zero Trust Architecture, the cornerstone of the Biden administrationâs new cyber strategy, which tightens access controls on everybody on the assumption that attackers already may have penetrated computer systems. Organizations also need to be more proactive and adopt a risk-management approach that prioritizes protecting critical assets.
âEach of the new technologies we are adopting creates new attack surface, and if we donât go into deploying those new technologies in sort of a conscious way, that attack surface is going to bite us,ââ Neal Ziring, technical director of the National Security Agencyâs Cybersecurity Directorate, told moderator Paul Mee, who leads Oliver Wymanâs Cyber Risk platform and the Oliver Wyman Forumâs cybersecurity initiative. Executives should begin by asking themselves, âwhat are my really critical business trust relationships, my really critical crown- jewel data, and how am I going to continue to foster that and protect it as I move into these new technologies,â Ziring added.
Zero Trust isnât a new concept but turning it from an industry ambition to real changes in technology, systems, and procedures will be many years in the making. An analogy might be Europeâs General Data Protection Regulation. It sets broad standards for privacy and data protection but doesnât specify the exact measures or technology companies should employ to meet those standards. Zero Trust is even more complex and far-ranging. Yet the good news is that industry is moving from talk to implementation.
âWhile there is a lot of hype around it, I think the basic principle of Zero Trust in terms of identity and other technologies is something that is going to be widely adopted,â said Katie Gray, who leads the cybersecurity investment practice at In-Q-Tel. âThere is a lot of innovation thatâs happening now.â
Artificial intelligence and machine learning arenât yet playing as big a role in cybersecurity as they are in other fields, but experts say that will need to change. The proliferation of data and the pace of tech innovation, especially the massive shift to digital working and service provision witnessed during the pandemic, is outrunning the ability of cybersecurity teams to keep up, hence driving demand for automated tools.
âWe donât have enough people or resources, and the attacker dwell time is so long that weâre not able to do the triage fast enough to minimize the impact, especially with destructive malware,â said Travis Rosiek, chief technology and strategy officer at cybersecurity firm BluVector. âWeâre going to continue to see the application of things like machine learning to the cyber space. We sorely need it right now.â
One of the trickiest issues for cyber teams is, ironically, one of the oldest. Open-source software has been in wide use for decades, and its incorporation into new applications means old bugs or features can create new and unintended risks. The recent US executive order on cybersecurity addresses this by calling on companies to provide a software bill of materials detailing the components and supply chain relationships involved in every product, but that will be a daunting task.
However far back a company digs into the coding history of a given product, âyouâll find that it probably wasnât far enough,â said Bryan Ware, founder and CEO of Next5, a company that seeks to promote US leadership in emerging technologies. He also cited a âa lack of awareness of who those second- and third-order suppliers areâ in software supply chains.
Disruptive technologies risk making it harder for cyber defenders to keep up with adversaries, but participants agreed that innovation is the only way forward. The recent spate of high-tech flotations and deal-making is reminiscent of the dot.com era, Ware said, but some of todayâs tech giants emerged from that frenzied hype and the same is likely to be true going forward. âWeâre going to see quantum computing companies fail, and weâre going to see space companies fail,â he said. âBut weâre also going to see a revolution in companies none of us are talking about today, but all of us will be talking about five years from now.â
The race is on with the ever-accelerating pace of innovation in disruptive technologies. We need to ensure that security can keep up.