Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
We’re already in April! This means that RSA is coming up soon. If anyone wants to meet up, send me a note.
Also, I am hiring for my team at Headway! If you’re excited to help secure a mental healthcare platform that everyone can access, please consider applying.
It’s obvious that there’s an increased digital element to conflicts, and many countries are exploiting it for gain. However, these types of “battles” and advantages are regularly under-reported — it’s more commonplace to hear about physical battles or violence, such as rockets, tanks, etc. as the “frontline” aspects of war.
Some examples of increased digital warfare
Let’s take the Ukraine war as an example. Initially, Russia attacked Ukraine’s telecommunication infrastructure, so Ukraine had to use Starlink because digital communication was a necessity. Recently, however, Starlink had to curb Ukraine’s use because it was no longer being used just to communicate but also as a weapon (to control drones).
Another example is TikTok. Substantial US government resources are being spent on understanding the implications of TikTok, an application that, on the surface, seems to just show user-created video content. However, there have been Congressional hearings to discuss how its parent company is using and collecting data. There’s a belief that it is being used to profile and spy on US citizens. Regardless of its actual intent, the data that TikTok collects can be extremely valuable to those with malicious intent.
Countries like North Korea are using technology to fund their illicit activities in untraceable ways. They have allegedly been behind the hacks of major cryptocurrency firms and exchanges, and have allegedly been using them to move money around more easily and anonymously. These are large sums of money, and they are increasingly hard for the US to trace, follow, and prevent.
The examples go on. It’s clear that war technology is not just physical, such as planes, missiles, and ships, but also digital. In fact, there’s a greater shift toward the use of digital tech because there’s less physical danger, and quite frankly, it’s cheaper and easier to use. There’s no need for physical land for airfields. The distribution costs are lower because there’s no need to ship goods and coordinate. This shift is more pervasive than what’s reported and needs to be taken more seriously.
We are entering an era where there’s a higher weaponization of digital technology, and the countries that do it better will have a substantial advantage.
This change is a big deal!
Technology is becoming a bigger part of everyone’s lives. Almost every job now requires a laptop and/or digital device. It’s hard to find a task that doesn’t involve a computer of some sort. A vast majority of people have a smartphone, which is a mobile computer, and communication has shifted from calls toward text, relying more on digital technology than analog.
Even traditional industries are embracing technology as a core part of their operational strategy. This means that core parts of our economy are dependent on the internet and digital technologies to operate. COVID accelerated this as many services were forced to have an online presence and embrace more technology.
What this means is that digital technologies are an important backbone of our economy. Even many financial companies, which are commonly seen as a key backbone of our economy, heavily use digital technology. Any disruption of the internet or key digital technologies like AWS, etc. would have a huge blast radius.
We’ve seen this in microcosms and macrocosms. For example, when the power goes out, most homes lose their access to the internet, so WFH employees can’t work or have to scramble to find working internet. On a larger scale, if a service like Okta goes down, many companies can’t log into their important SaaS applications. That’s why Okta has to promise better uptime than AWS, and it cannot go down if AWS goes down.
You can only imagine the operational blast radius if certain services go down. This changes the game and what we consider critical infrastructure. It’s not just utilities and telecommunications, but also large parts of our digital infrastructure, which are invisible to many.
As a result, we have to think of new strategies to protect this infrastructure.
What does this mean for cybersecurity?
It’s always been known that cybersecurity is a national security issue, but at least for most of the technology industry, we haven’t been able to agree as a community on a strategy that better protects us.
Most cybersecurity standards are outdated and don’t lead to better security. In fact, they provide people with a false sense of security. I’ve discussed this phenomenon in past articles.
What needs to change? The solution is simple but hard to implement and execute. We need to have new standards that represent our new technological reality. These standards need to evolve as the technological landscape evolves. Unfortunately, cybersecurity considerations lag behind the broader changes in the market, both in innovation and in response to innovation. The problem is that the innovation pace in technology, which is a huge benefit and cause of positive disruption, also makes it more difficult to manage and protect.
Moreover, it’s a self-fulfilling prophecy. Since standards change so slowly, regulated industries are unwilling to innovate because they worry that it’ll violate these standards or make it hard to fulfill them.
What needs to happen more broadly is that cybersecurity needs to shift from a risk mentality to an engineering mentality. We need to stop defaulting to reducing risk on existing infrastructure and instead think about building new technologies that have security included as part of the design. The reason is that for critical infrastructure, risk reduction is insufficient because the blast radius of any security failure is too high. Another way to think about this is that military equipment is not just a better version of existing commercial equipment. For example, military jets are not just jets with some additional features.
We need to start building tools that enable secure designs rather than tools that merely detect problems. We also need to create tools that limit the blast radius when potential issues are exploited rather than spending effort to constantly detect more issues. This will require a fundamental security mindset shift from risk management to secure design.
Takeaway
Conflicts in the future will heavily rely upon and target digital technologies. Many of these technologies need to be considered critical infrastructure, and we have to start investing in new standards and/or secure technologies to make sure we stay resilient to issues in the future. This requires cybersecurity to focus more on engineering new solutions rather than just risk management. Unfortunately, this leads to increased scope for the industry, but it’s a necessary change!