A new way to view cybersecurity: Moving to cyber-enabled threats
Five years ago cyber-related issues weren’t on the minds of many people. Now, concern over cyber issues is at an all-time high, but that attention has given us somewhat tunnel vision on what cybersecurity really is, and the risk it presents.
The constant evolution of the Internet and specifically Internet Enabled Devices has been the key to the rise of cyber and ironically provides a roadmap to the future of cybersecurity.
The Internet started as its own ecosystem that was, in essence, parallel to existing business models. In essence, the Web was the Web, and “traditional” brick and mortar businesses were not really focused on it, and they did not see it as a threat. As an example, I am certain that video rental stores didn’t think that the Web would be a competitor, let alone a disruptive competitor that fundamentally changed how we consume video when the Internet began. Yet here we sit, using devices that existed before, including our televisions and DVD players, which have new capabilities because they are now “Internet Enabled”, to access content that we used to rent in the physical world. In essence, we moved from the world of the “Internet” being segmented from “Traditional Business”, into a world of Internet Enabled Devices.
Now we are moving to a world where we have more devices that are Internet Enabled, and the future only holds more technological advances that expand the old “Internet” into areas we can’t fully imagine. What that means is the Internet Ecosystem has gone far beyond what we thought in the Dot Com days, and it will only continue to do so.
The backbone of this expansion is the connectivity that has become ubiquitous. That is a wonderful thing in many ways, but it has implications we are only beginning to understand. As more systems went online, more money began changing hands via electronic commerce. That drove criminals to become cyber criminals because there was money to steal. Moreover, I doubt as the Internet first gained traction, that many people were thinking that electronic connectivity between systems could become a way that nation-states conducted massive intelligence operations, yet here we are in the Post-Snowden world where many countries are trying to expand their cyber capability. In some ways, this capability brings as much street cred globally as nuclear weapons did for emerging nation states in the 20th Century. And I think it is safe to say that no one in 2000 was thinking that terrorists would be actively seeking weapons that would be deployed exclusively in the cyber theater, again through electronically connected systems, but here we are looking back at attacks like the one against Saudi Aramco.
The way to conceptualize this is, to put it plainly—we are all in the same pipe now. Everyone from teenagers obsessively using Social Media, to multinational companies whose existence depends on upon connectivity, to nation states and terrorists seeking to exploit intelligence, gain economic advantage, or damage critical systems to create economic or other harm, and everyone in-between effectively uses the same transmission system, or pipe, to conduct their business. That is a feigning concept, but it is the reality.
It is important, in light of that reality, to go back and look at the early development of the Internet to understand where “cyber” necessarily will go. Right now, while people are starting to understand that cyber is a mainstream issue that most companies need to consider, it is still seen as a discrete, or parallel issue that is important for certain kinds of companies, companies that rely more on technology, that have certain forms of data, or are government contractors. Sound familiar? We all need to keep in mind the lesson of Internet 1.0, where we moved from an Internet that was distinct from mainstream business, to the Internet Enabled world where virtual and physical have become hopelessly enmeshed. When, and it is not if, but when, we move from the cyber world to the cyber-enabled world, the threats and the risks will again change again.
What this means is that cyber is really a threat vector everyone needs to consider. Today, it may be that your company is subject to a direct attack—a Distributed Denial of Service attack (DDoS) that shuts your company down, ransomware that seeks money to unlock your data, theft of data for monetary, or other gain, or any number of other threats. While those are the majority of the threats now, we have just really started to understand what the cyber threat landscape looks like.
The reality is because we are all now in the same pipe, the threats have just started to appear, and they will change over time. Like with the Internet, we will move from a cyber world to a cyber-enabled world where the threats are not as direct as the ones identified above, and they will have ramifications for everyone, whether connected or not. This means that a cyber-attack could present risks though the “cyber” portion is indirect —in other words, cyber will be at least a part of the attack, but the attack itself isn’t exclusively a cyber-attack, at least in the way that we now think about it.
And the cyber-enabled issues only become clearer as technology continues to become more enmeshed in our daily lives—whether it is driverless cars, drones, remote-controlled medical devices, or any of the technological advances that we can’t foresee yet. That is not to say that these technologies shouldn’t be used—that isn’t a possible outcome. Instead, everyone needs to realize that there will be threats we cannot foresee yet that we collectively will have to address because cyber is a shared responsibility that we all must be accountable for as we move into the cyber-enabled world.
About the Author: Andrew Serwin is co-chair of the Global Privacy and Data Security Group at law firm Morrison & Foerster. He regularly advises businesses and institutions on data security incidents and privacy enforcement and litigation. He can be reached at [email protected].