Cybersecurity Debt: Understanding and Addressing the Risks

June 4, 2021

The Recurring Threat of Cybersecurity Breaches

Recent ransomware attacks targeting JBS and the Colonial Pipeline have initiated a predictable cycle of responses. These include pledges to pursue those responsible, potential congressional hearings for company leaders, and the consideration of new cybersecurity executive orders, the full implementation of which may take considerable time.

However, a crucial question persists amidst this activity: why do these incidents continue to occur?

Understanding Cybersecurity Debt

A compelling explanation lies in the concept of “technical debt” within software development. This refers to the consequences companies face when prioritizing expediency over best practices, implementing temporary fixes to meet immediate needs.

Over time, maintaining these improvised systems leads to decreased productivity and diminished user experiences. Our national cybersecurity defenses are similarly burdened, but on a much larger scale, with escalating risks and compounding costs.

Quantifying this “cybersecurity debt” proves challenging. While the precise causes of the JBS and Colonial Pipeline attacks remain under investigation, the economic impact is already evident. Beef prices have been affected, and gasoline prices rose by 8 cents following the pipeline attack, resulting in billions of dollars in losses for consumers and businesses. The erosion of public confidence is immeasurable.

The Cost of Speed and Innovation

Currently, the public and private sectors collectively invest over $4 trillion annually in the digital realm. The primary objectives of these investments are speed and innovation.

Yet, in this pursuit, organizations have created intricate, disjointed systems, managing thousands of applications across diverse cloud environments and drawing data from numerous sources.

Complexity is a significant vulnerability. Many companies rely on as many as 50 security solutions from 10 different vendors, effectively functioning as systems integrators. Each connection point within these complex networks represents a potential weakness and contributes to the growing cybersecurity debt.

Addressing the Debt: A Two-Pronged Approach

We now have a critical opportunity to modernize our digital infrastructure and mitigate this debt. This requires two key actions.

Firstly, we must adopt open standards across all vital digital infrastructure, particularly that utilized by government contractors. Previously, standardization was thought to necessitate a complete rebuild in the cloud.

However, this approach is impractical for large-scale, critical workloads.

The Power of Hybrid Cloud Architectures

An alternative exists: open, hybrid cloud architectures can standardize security across diverse infrastructures—private data centers, public clouds, and network edges. This streamlines security workflows, enhances threat visibility, and orchestrates responses, effectively eliminating vulnerabilities without data or application relocation.

This design principle should be embraced by both public and private sectors.

Securing the Data Supply Chain

Secondly, we must address remaining vulnerabilities in the data security supply chain. President Biden’s executive order mandates data encryption for federal agencies. We can extend this to include data in use.

As organizations increasingly outsource data storage and processing to cloud providers for real-time analytics, a new area of vulnerability emerges.

Some believe this vulnerability is an unavoidable consequence of outsourcing. However, cloud providers can protect customer data with the same rigor they apply to their own. They require no access to the stored data.

Confidential Computing: A New Standard

This is achieved through confidential computing, which encrypts data at rest, in transit, and during processing. This technology prevents unauthorized access, even by the cloud provider. For example, IBM Cloud allows customers to run workloads with complete privacy and control, retaining sole possession of the encryption key.

Access to the data is impossible, even under legal compulsion or ransom demands.

The Urgency of Action

Addressing this debt is a significant undertaking, akin to managing a mortgage or student loan. However, the consequences of inaction are far-reaching. The JBS and Colonial Pipeline attacks demonstrate that the costs extend beyond financial losses.

Our food and fuel supplies are vulnerable, and entire economies can be disrupted.

Through strong public-private collaboration, we can build a secure future that harnesses the power of technology and fosters trust.