If there is something positive to come out of COVID-19, it might be a new awareness of how unprepared the world is for this type of enemy. Additionally, it is demonstrating how dependent many nations have become on other countries to provide manufacturing, fabrication and supply chain services for critical infrastructure components. We will recover, but things will never go back to normal after our “global reboot.” Companies that focus on security and critical infrastructure will emerge as force multipliers to guard against the next phase of uncertainty. Governments must change how they buy technology, businesses must reevaluate their supply chains and consumers need to be more prepared to confront the next round of changes. I wanted to share a few thoughts going forward.
Governments must move quickly to protect their critical infrastructure
Within critical infrastructure, there is no difference between physical and cybersecurity. In my last article, I discussed how we are in World War III, and the ultimate prize is information. However, data/information is only useful if you can use it—the bad guys have to do something with the data once they obtain it. The evolution of security is a combination of both cyber and physical security know-how and experience. The Internet of Things (IoT) and edge computing are exposing many security flaws that OEMs, ODMs and systems integrators oft overlook when deploying services and solutions. Governments must move quickly to ensure the suppliers they buy from, the solutions they deploy and the partners they choose are qualified, trusted and aligned with new business models/certifications/assurances. New standards and certifications, such as the Cybersecurity Maturity Model Certification (CMMC), are a good start. CMMC is a model being deployed by the US Undersecretary of Defense for Acquisition and Sustainment (OUSD A&S) which measures an organization’s cybersecurity maturity across five levels. Processes, practices, disciplines and procedures are based on the type and sensitivity of information that needs to be protected across a range of threats. When CMMC is eventually implemented, it will change the way companies do business with the US government.
Further, the delineation between physical and cyber demonstrates how woefully behind public cloud providers like Amazon Web Services and Google Cloud are when it comes to managing both sides of the fence. In my opinion, Microsoft Azure is the only public cloud provider with the chops to understand the nuances of how each world (physical/cyber) operates. From a security perspective, both government and corporate entities need to understand their security risk profiles from both a cyber and physical security perspective. Organizations must understand the gaps in their infrastructure and ways to remediate and eliminate risks, and put the processes and procedures in place to deploy strong incident response (IR) programs to ensure business continuity.
Enterprises either have a competitive advantage or they are relegated to competitive parity
For businesses, supply chain visibility, security and pedigree are the new transformation imperatives. Thomas Vollmann’s 1996 book, The Transformation Imperative, focused on how highly integrated corporations can adapt to weather not just competitive challenges, but also unexpected market changes like what we are experiencing now. Companies either gain competitive advantage, or they are victims of competitive parity. Sadly, North America leans to the latter, with a vast array of sub-par systems and parts embedded in some of the most sensitive systems (including intelligence and defense). All in the name of expediency and higher margins. There will be a large-scale push to bring manufacturing on-shore within North America and Europe, instead of relying on foundries, manufacturing and assembly plants in Asia. The new competitive advantage is evolving in North America and Europe, while competitive parity will shift to Asia. No longer can the world sustain a model where IP developed in the US and Europe is stolen and transferred to bad-actor nation-states. COVID-19 has exposed the real intentions of these rogue countries, and thankfully we are in a position to regroup and take back our competitive advantage.
Consumers have an opportunity to take back their liberty and privacy
Consumers: protect your freedoms and don’t be a sucker. Zoom Inc., or “the Pandemic Pollyanna,” is a great example of companies taking advantage of the crisis. It has become the poster child for ad-hoc web conferencing and dystopian virtual happy hours. Free and easy is not a business model, however—it’s a marketing opportunity. Over the last several years, I have given hundreds of presentations on both security and privacy (they are not the same). Most consumers do not realize how much privacy they give away when they download free applications on their smartphones. We estimate the average smartphone user provides personal data to over 5,000 companies per day, including location, browsing history, purchasing information and other points of interest. Zoom and many other applications of its kind are no different from a security vulnerability perspective. Consumers need to understand the risks and know how these companies are using and selling their personal information in exchange for the convenience of using the service. Tellingly, the US Department of Defense recently prohibited Zoom from being used for official business. While Zoom has garnered much attention, it is Cisco’s WebEx that provided the conferencing communications platform for the recent G20 summit. Additionally, Microsoft Teams has emerged as a strong, real-time collaboration and file sharing platform. Free and cheap might be fun and convenient, but the new realities of the world require us to focus on security, reliability and privacy.
Why we will ultimately win
When we finally come out of this dilemma, things will not return to “normal.” Instead, there will be a reset on how we conduct business—from the government to enterprises, and to the consumer. In my opinion, this is not a bad thing. As a veteran and patriot, I look at COVID-19 as a mechanism to affect real change globally and help us identify which countries really have our back. From a business perspective, it should inspire companies to get back to the fundamentals, with an eye towards investing in long-term strategies rather than focusing on short-term profits. Lastly, as a consumer, maybe it’s time to start reading user license agreements—well, probably not. Stay safe and secure, my friends.