What happens when world events compel CIOs to take a zero-trust approach to buying the sophisticated vendor software that protects and runs companies?
The dust has far from settled on recent allegations that Kaspersky Lab antivirus software was co-opted by Russian spies to conduct large-scale espionage. But the Kaspersky news, along with the can-it-get-any-worse fallout from the Equifax breach in September, may prove to be the point where CIOs, CISOs and every other chieftain of the enterprise say aloud that things have reached a tipping point.
If software vendors can be infiltrated by foreign agents and if the paragons of digital business can't get network security right, but industry success continues to depend on digital connectivity, then something has to change. Exactly how our hyper-connected, data-laden, easily corrupted IT systems need to change, however, remains unclear, and the answers won't be immediate. But one thing is absolutely clear: Infiltration of commercial vendor products for malicious purposes makes the CIO's job more difficult than it has ever been.
"It's hard work to live in an environment of distrust," said veteran IT executive Niel Nickolaisen, CTO at Salt Lake City-based O.C. Tanner, which designs employee recognition programs. "Where does that leave us? It forces us to take a radically different approach. I feel like no matter what we do, we're doomed as long as we keep on doing it the way we do it today."
'An impossible task'
Industry analysts don't disagree that something has to change. To be sure, there are incremental, well-worn steps CIOs and businesses can take to minimize risk, they said, such as putting in layered controls -- endpoint protection, data protection, data auditing -- using network segmentation, exploring role-based access, doing vendor due diligence and writing in strong contractual protections. Of course, the most obvious protection is to keep sensitive assets offline.
"That is what I tell my clients. If they have intellectual property that they're really concerned about, don't connect those assets to a network. Keep them off the internet," said Gartner security analyst Avivah Litan.
But even this and other traditional best practices may not be up to the task of protecting businesses in the current reality. Vendor trust, for example, is not a new issue for CIOs, said Litan, whose expertise includes endpoint security, insider threat detection and fraud.
"We've been speaking about this at Gartner for a while -- about supply chain certification and vendor certification," she said. But the specter of vendor products being infiltrated by highly sophisticated government actors adds a new wrinkle to vendor due diligence.
"Who knows what really happened with Kaspersky, but it should be a very big wake-up call. I think the moral here for CIOs is really this: You can't trust your vendors, and you need to have some type of independent, verifiable way of validating how trustworthy they are. And that is difficult because they are all interconnected," Litan said.
It's also fair to ask whether it's even reasonable to expect CIOs to validate the thousands of vendor products they use that control everything from the phone systems to building security. "It is almost an impossible task, but there is really nothing more you can do," she said.
Forrester on 'zero trust'
Jeff Pollard, who covers security risk for Forrester Research, was less fatalistic. He said the Kaspersky news -- whatever proves to be true -- should persuade CIOs and CISOs to look at their security vendors and their products "from a geopolitical perspective." Is the vendor, for example, actively selling to governments in other countries or foreign intelligence entities? Is it a vendor of record for those organizations?
"If so, then the CIO or CISO needs to think about the hurdles that vendor had to jump through in order to obtain that contract," Pollard said. And if a CIO believes those hurdles might have involved providing access to source code, that is perhaps a reason to go with another vendor.
"What we're seeing is that this geopolitical tension is now influencing a lot more decisions than it used to," he said, "in part because this cyberconflict is escalating between countries, but also because we are completely dependent on connected technologies. That is what drives the worldwide economy."
As to the spread of malware, Pollard said 2017 proved just how interconnected we are. "Things like WannaCry and Petya showed that sophisticated malware can spread throughout not just an environment, but the world."
Forrester advises its clients to adopt zero-trust security, laid out in a July report by Pollard, "Future-Proof Your Digital Business with Zero Trust Security." An example of zero trust is Google's BeyondCorp, a security architecture developed by the search giant over the past six years that shifts access controls from the network perimeter to individual devices and users. "It's not easy, but it's possible," Pollard said.
For mere tech mortals, the good news is this new security architecture -- necessitated by digitization -- may also be fundable as part of the digital transformation efforts many businesses are making to compete in this new marketplace.
Under the thrall of Metcalfe's law
The possibility of bad actors exploiting a vendor's privileged access to get to valuable information inside government or enterprise systems may be shocking, but it's not surprising, said Steve Wilson, principal analyst at Constellation Research covering digital identity and privacy.
"The much duller story is that everything is so connected, and all our resources are online waiting to be stolen. The mundane thing is inside corruption," he said. "The insider attack is the elephant in the room in security. I think it happens more often than anyone thinks."
Wilson, who was taking the call in the lobby of a hotel in India, said he often thinks about how easy it would be to gain access to the reservation systems that hotels feel compelled to have available on every terminal in every hotel. What would it take -- a $1,000 bribe? We have a "fetish" for connectivity, he said. We have a blind faith in Metcalfe's law, which holds that the value of a network is proportional to the square of the number of connected users of the system -- the more connectivity, the better.
"We need to slow the hell down and stop assuming everything needs to be online all the time. It is a disaster waiting to happen," he said. "Speaking to the CIO, I say you've got to be brave enough to take a step backwards before we all fall over the cliff."
Nickolaisen said his IT organization recently put in new antivirus software that is behaviorally based to improve the company's security posture.
"But what if I can't trust the behaviorally based guys? What if they've been hacked?" Lately, he's been thinking a lot about the Equifax hack. "Here I am a practitioner, a generalist; I am guessing Equifax spent a bigger percentage of their revenue on security than I do, and they still couldn't get it right, so I think I'm doomed," he said.
As for auditing vendors, Nickolaisen is guessing most have their certifications and audit results that show they're doing the right things. "Am I going to audit their audits to make sure they're actually patching on time like we do?"
This week, he met with a company that's developing identity management systems based on blockchain, the nearly unhackable distributed ledger technology bitcoin is built on, "where I retain my data and permit others to use my data but on my terms, not theirs," he said.
"I don't know what the different approach is -- maybe it is blockchain -- but there has to be somehow someway, because I've decided that I can't trust anybody."
For the record, Gartner's Litan had the same epiphany in the wake of the Kaspersky news. "Theoretically, you could build an endpoint protection system on blockchain that would be much easier to trust. It's a way to get away from our governments, because none of our governments are trustworthy anymore," she said, adding: "You think maybe that's why bitcoin went up to a record high today?"
CIO news roundup for the week of Oct. 9
SearchCIO was looking into the Kaspersky news backstory this week. Here's what else was drawing pageviews.
Samsung CEO to resign. Samsung Electronics announced Friday its CEO and vice chairman, Kwon Oh-hyun, plans to resign as the company's head when his term ends in March. Kwon will not seek re-election as the chairman and a member of Samsung's board, and he will also resign as the CEO of Samsung Display. The announcement came in the same week the corporation forecast record quarterly profits. "As we are confronted with unprecedented crisis inside out, I believe that time has now come for the company to start anew, with a new spirit and young leadership to better respond to challenges arising from the rapidly changing IT industry," Kwon said in a letter sent to employees. Kwon joined Samsung in 1985 as a researcher at the company's Semiconductor Research Institute in the U.S., and he was expected to take a bigger role after Samsung heir Lee Jae-yong was jailed for bribery earlier this year.
Google pledges $1 billion to train workers. On Thursday, Google CEO Sundar Pichai unveiled a new program, dubbed Grow with Google, to help train U.S. workers for technology jobs. The company will donate $1 billion over the next five years to nonprofits catering to education and professional training, Pichai said. "By 2020, one-third of jobs will require skills that aren't commonly found in today's workforce. To address this challenge, we're funding organizations that are using technology and innovation to train people with new skills, connect job-seekers with high-quality jobs, and support workers in low-wage employment," according to a company statement. As part of the initiative, Google is donating $10 million to Goodwill for digital skills training programs.
Windows 10 breaches Dutch data protection laws. The Dutch Data Protection Authority (DPA) concluded that Microsoft breaches Dutch privacy law by processing personal data of people using the Windows 10 operating system. "It turns out that Microsoft's operating system follows about every step you take on your computer. That results in an intrusive profile of yourself," Wilbert Tomesen, vice chairman of the Dutch DPA, said in a statement. Users lack control of their data because Microsoft does not clearly inform users about the type of data being collected and for what purpose, the DPA added.
Assistant site editor Mekhala Roy contributed to this week's Searchlight news roundup.