This article was first published by Oliver Wyman .
听
Artificial intelligence, quantum computing, Internet of Things (IoT) devices, 5G mobile, and its planned successor, 6G: The list of fast-developing technologies and the development of entire new industries like space commercialization and green tech goes on and on. This innovation offers tremendous opportunities for growth, but the scale of disruption also creates new cybersecurity risks, giving malicious actors fresh avenues to try to steal, damage, destroy, or demand ransom. 听
The challenge requires an all-out response from business and government to enhance cybersecurity and more effectively buy down cyber risk, industry experts agreed at a panel session on disruptive technologies at the Billington CyberSecurity Summit.听
A starting point involves embracing a Zero Trust Architecture, the cornerstone of the Biden administration鈥檚 new cyber strategy, which tightens access controls on everybody on the assumption that attackers already may have penetrated computer systems. Organizations also need to be more proactive and adopt a risk-management approach that prioritizes protecting critical assets.
鈥淓ach of the new technologies we are adopting creates new attack surface, and if we don鈥檛 go into deploying those new technologies in sort of a conscious way, that attack surface is going to bite us,鈥欌 Neal Ziring, technical director of the National Security Agency鈥檚 Cybersecurity Directorate, told moderator Paul Mee, who leads Oliver Wyman鈥檚 Cyber Risk platform and the Oliver Wyman Forum鈥檚 cybersecurity initiative. Executives should begin by asking themselves, 鈥渨hat are my really critical business trust relationships, my really critical crown- jewel data, and how am I going to continue to foster that and protect it as I move into these new technologies,鈥 Ziring added.
Zero Trust isn鈥檛 a new concept but turning it from an industry ambition to real changes in technology, systems, and procedures will be many years in the making. An analogy might be Europe鈥檚 General Data Protection Regulation. It sets broad standards for privacy and data protection but doesn鈥檛 specify the exact measures or technology companies should employ to meet those standards. Zero Trust is even more complex and far-ranging. Yet the good news is that industry is moving from talk to implementation.
鈥淲hile there is a lot of hype around it, I think the basic principle of Zero Trust in terms of identity and other technologies is something that is going to be widely adopted,鈥 said Katie Gray, who leads the cybersecurity investment practice at In-Q-Tel. 鈥淭here is a lot of innovation that鈥檚 happening now.鈥
Artificial intelligence and machine learning aren鈥檛 yet playing as big a role in cybersecurity as they are in other fields, but experts say that will need to change. The proliferation of data and the pace of tech innovation, especially the massive shift to digital working and service provision witnessed during the pandemic, is outrunning the ability of cybersecurity teams to keep up, hence driving demand for automated tools.鈥
We don鈥檛 have enough people or resources, and the attacker dwell time is so long that we鈥檙e not able to do the triage fast enough to minimize the impact, especially with destructive malware,鈥 said Travis Rosiek, chief technology and strategy officer at cybersecurity firm BluVector. 鈥We鈥檙e going to continue to see the application of things like machine learning to the cyber space. We sorely need it right now.鈥
One of the trickiest issues for cyber teams is, ironically, one of the oldest. Open-source software has been in wide use for decades, and its incorporation into new applications means old bugs or features can create new and unintended risks. The recent US executive order on cybersecurity addresses this by calling on companies to provide a software bill of materials detailing the components and supply chain relationships involved in every product, but that will be a daunting task.
However far back a company digs into the coding history of a given product, 鈥測ou鈥檒l find that it probably wasn鈥檛 far enough,鈥 said Bryan Ware, founder and CEO of Next5, a company that seeks to promote US leadership in emerging technologies. He also cited a 鈥渁 lack of awareness of who those second- and third-order suppliers are鈥 in software supply chains.
Disruptive technologies risk making it harder for cyber defenders to keep up with adversaries, but participants agreed that innovation is the only way forward. The recent spate of high-tech flotations and deal-making is reminiscent of the dot.com era, Ware said, but some of today鈥檚 tech giants emerged from that frenzied hype and the same is likely to be true going forward. 鈥We鈥檙e going to see quantum computing companies fail, and we鈥檙e going to see space companies fail,鈥 he said. 鈥淏ut we鈥檙e also going to see a revolution in companies none of us are talking about today, but all of us will be talking about five years from now.鈥
The race is on with the ever-accelerating pace of innovation in disruptive technologies. We need to ensure that security can keep up.
听