At last year’s Gartner Risk Management Conference in the DC metro area, I attended a seminar where some of Gartner’s analysts were looking out on the horizon – 2020 to be exact – to give their perspective on where CyberSecurity was heading. Gartner basically identified two uncertain forces that they think will impact their potential scenarios:
- The target is Enterprise vs. Individuals
- The authority will be Monolithic vs. Tribal
(Note: If you are a Gartner client you can access the report here.)
As you might imagine, Gartner has even created a “quadrant” of sorts to visually summarize the nexus of forces they see impacting security.
Over the past year or so a lot has changed – a whole lot…which can basically be summarized in a name: Edward Snowden.
Leaving aside personal opinions as to the merits of the situation – after all one man’s freedom fighter is another’s terrorist – what has been revealed to date rather confirms what we have already assumed was going on all along: In one way or another the major powers of the world are engaging in what, up until recently, amounted to a silent, large-scale war played out on a virtual battlefield.
To go back to what Gartner was presenting for a moment, they are essentially looking at four scenarios:
- Regulated risk, which is what we look most like today for most enterprises. Governments continue to guide IT security through reactive mandates.
- Coalition rule, basically continued attacks on the enterprise - cyber-cartels begin to form and corporations fight back with their own coalitions
- Controlling parent, where a central government steps in to protect individual citizens and puts new regulations on enterprises to meet the customer security demands
- Neighborhood watch, where individuals become the target of attack and communities with common interest band together as government forces prove themselves to be ineffective
With the revelations made by Edward Snowden – who has exposed this “silent” virtual war – is a new dimension at play in the nexus of forces? Has IT security evolved into an extension of the military-industrial complex? If so, will it become – or is it already – a major component of defensive and offensive military capabilities of the nation state? With the lines graying between friend and foe, how will this impact the current IT security marketplace?
Like Gartner, I’d like to propose a few scenarios of my own (perhaps not as nicely wrapped as a quadrant):
- Status quo, where the enterprise is essentially building up defenses with little ability to respond offensively. Coalitions reactively put in place regulations but breaches continue to occur. Government regulation is limited and reactive. The IT security market continues to operate in a global way, but mistrust continues to dominate the discussion
- Cold war, where a lack of trust in IT security vendors (based on country of origin) and continued cyber-attacks by major powers against each other as well as neutral powers begin to polarize the world. The current framework of global IT security is fractured with different blocs aligning themselves and sourcing only vendors from trusted nations
- Hot escalation, where agencies escalate their attacks and other nation-states develop and use counter-measures. These attacks and counter-measures are designed to inflict physical, economic and political damage to other nation states (think attacks on the banking sector or electrical grid).
- Détente, where governments realize that the short-term gains of engaging in cyber-attacks are more costly over the long run from an economic and political perspective. International agreements are put in place and a multi-national authority ensures compliance of signatories and certifies vendor software as trusted. Those that don’t sign – or violate the agreement – find themselves marginalized and effectively self-inflict sanctions on their own IT security vendors. A global framework for IT security is rebuilt and trust is restored.
This blog is called “Below the Surface” because, as Snowden revealed, there is a lot going on in the Cyber-X world that we don’t see. In fact what goes on below the surface may make up a large part of what we today refer to as IT security. In an uncertain world we don’t know how individuals, enterprises and corporations will react to this new and rapidly changing landscape.
In the near term the best we can hope for is continued vigilance. In the long term, I think we can all hope that all parties recognize the risk of doing nothing, allowing a virtual cold war to occur or escalation leading to systemic damage. Technology, and specifically IT security, is a powerful tool, one that must be managed and grown within a framework designed to be fair and hold all parties accountable.