The New Faces of Cybersecurity

At Callan’s recent National Conference, our guest speakers tackled the major issues and themes facing institutional investors in the coming years. We’ll cover the highlights of their comments in a series of posts. This is the second; the first appeared earlier here.

R. David Edelman, the director of the Project on Technology, the Economy, & National Security at the Massachusetts Institute of Technology and a former technology adviser in the Obama administration, focused his talk on what he called the “new faces of cybersecurity.”

To address the threats posed by cyberattacks, he said enterprises are trying to “build higher walls and deeper moats.” But the cybersecurity guidance many have received is “woefully inadequate” to changes happening in these technologies, and that guidance needs to go far beyond simply firewalls and changing passwords.

For instance, Intel’s recent cybersecurity issue, one of the most significant such incidents of the last five years, was atypical: it involved a chip maker, not a software company; it was a flaw in hardware, not software; and it affected not one application or operating system but a critical hardware dependency of our digital ecosystem. Further complicating matters were reports that Intel told Chinese companies before the U.S. government, raising national security concerns. Thus, a technical cybersecurity concern became one of national security, with global economic implications.

How would the old rules of cybersecurity help Intel? They wouldn’t, nor would they help its customers. The old rules are inadequate because the world has changed.

For instance, cybersecurity is as human as it is technical. We know computers are at risk, but so are humans—they are often the weakest link. For example, a number of companies are increasingly subject to wire fraud schemes that leverage viruses, but are at their core acts of social engineering, taking advantage of human failings to succeed. The financial losses from these attacks are significant and the incidence is growing.

Cybersecurity also has a social face. The sale of anonymized data from fitness devices reportedly revealed the location of a secret military base. This happened because the company gathering the information failed to think through all uses of its data. Open data, he said, is not always smart data, in part because of the mosaic effect: even if anonymized, individual pieces of information can be used to build a picture (such as the location of those bases).

And this is a two-sided market. The other side is the underground economy of social media (i.e., fake followers). This economy comes at a cost: it uses stolen online identities. It also distorts authenticity, which can have an effect on the bottom line. Brands may end up on the wrong side of a major scandal after violating consumer trust, or even committing crimes.

The result is a kind of cybersecurity paradox: 91% of consumers feel they have lost control of their data, yet only 10% have punished a firm for a breach. Why? Because of what he called “cybersecurity fatalism,” the feeling that there is nothing individuals can do to meaningfully protect their data, even if they wanted to.

The Equifax breach, however, has the potential to be a game-changer. Combined with other breaches, it means that close to every American’s sensitive financial information has been hacked in one way or another. The result has the potential to lead to a tsunami of identity theft for which consumers—and businesses—may be unprepared.

This also means “the status quo of identifying consumers is dead.” There is a huge opportunity to replace the outdated Social Security Number with a more technically secure, purpose-specific method of authentication.

Cybersecurity is also now ubiquitous. Everything is connected through the “Internet of Things.” But the problem is that those devices might not be fully inoculated against cyberthreats. As he put it, “How many of us check to see if our cable box is running the latest software?”

As a result, every business needs to understand where it is critically dependent and how to handle a cybersecurity breach. Boards, in particular, must wake up to the issue and demand metrics from their company and expertise from their executives, or from outside, to support them.

The face of cybersecurity is also increasingly geopolitical. Hacks on U.S. financial institutions reportedly came from Iran’s government, in retribution for the imposition of financial sanctions. While the long-term effects were minimal, the opportunity they created in helping the sector think seriously about how to safeguard consumer accounts, and create a “sheltered harbor” of immutable records, was an example of a best practice other sectors might emulate.

But what if the attacks were broader and more disruptive? In 2007 a cyberattack by Russia blacked out the Estonian internet in response to Estonia’s move of a World War II memorial that honored Soviet soldiers.

Was this an act of war? The North Atlantic Treaty Organization (NATO) had no clear answer, and remains uncertain. Yet despite that uncertainty, in recent weeks the Pentagon was reportedly weighing its options in considering nuclear responses to cyberattacks. In other words, cybersecurity may be at the center of future geopolitical instability—including and especially offline.

Far less dramatic than a nuclear strike, but far more insidious, are the avenues for a new form of political warfare. For evidence, look no further than the biggest story of the last year and a half: alleged Russian operatives trying to influence the U.S. election.

The technology that made Russian micro-targeting of potential voters possible was the same technology—rooted in data collection and enriched by artificial intelligence—that social networks designed to serve consumers ads. While influencing elections is not new, the weaponization of micro-targeting to do so is. This creates the potential for institutional erosion. And there is no easy way out: This vulnerability is endemic to the business model of social media.

The same technologies that were designed to help have not been similarly programmed to avoid hurting, or dividing, a country and its political system. And this is particularly relevant as artificial intelligence increasingly becomes a part of not just the technology sector, but all sectors.

As a result, cybersecurity is imperative, he said. Companies and governments must make cybersecurity a top priority. And the time is now to do the hard work of figuring out how companies are affected by cybersecurity risks—in all their manifestations—and what can be done to prepare.
