Last year's cyberattack involving the IT company SolarWinds and the attack on the Health Service Executive illustrated with painful clarity how security breaches can trigger a domino effect: a single organisation gets hacked, putting thousands of others at risk.
Data breaches have more than doubled over the past decade. Recent cyberattacks have exploited the "trusted supplier" status of SolarWinds and Microsoft Exchange, among other companies, and raised concerns at the highest levels of government and the private sector.
Some experts say such attacks are "child's play" for the best nation-state hackers, including those of Russia, China, the US, and a few others. They can break into almost any system, sometimes by compromising otherwise trusted supply chains through a third-party vendor. Their formidable capabilities are quickly being augmented by artificial intelligence.
Given the increasing frequency and scope of these incidents, it's time for a rethink. We need to start taking a "zero trust" approach to cybersecurity.
Traditionally, cybersecurity protocols are implemented on a company-by-company basis. Although some organisations harden their networks against attack, many lack the proper defences to protect their systems and their customers' data. The stakes are only getting higher as the internet of things makes everything more connected and we all become more dependent on 5G-enabled technologies.
What’s being done to prevent cyberattacks — and is it enough?
To ward off skilled, motivated, and well-resourced cyber miscreants, countries like Ireland need a comprehensive national approach closely aligned to what is being directed by the European Union. Countries must start by re-examining traditional notions of trust.
The zero-trust approach mandates organisation-level policies for continuous supplier and product verification, as well as application-level mechanisms, such as application timeout and multi-factor authentication. It continuously checks for red flags, such as whether information is being accessed from an unknown IP address.
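The mechanisms listed above, as an added illustration that is not part of the original article: a deny-by-default access check that evaluates every request against multi-factor authentication, session timeout and whether the source IP address is known. The policy values, networks and sample requests are constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed organisation policy (constructed values): sessions must be
# re-verified after 15 minutes, MFA is mandatory, and these are the
# networks the workforce normally connects from.
SESSION_TIMEOUT_SECONDS = 15 * 60
KNOWN_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]

@dataclass
class AccessRequest:
    user: str
    source_ip: str
    mfa_verified: bool
    seconds_since_auth: int

def evaluate(req: AccessRequest) -> tuple[str, list[str]]:
    """Return ("allow" | "step_up" | "deny", reasons).

    Every request is checked, regardless of who the user is or which
    supplier or network the request appears to come from."""
    reasons: list[str] = []
    if not req.mfa_verified:
        reasons.append("mfa_missing")
    if req.seconds_since_auth > SESSION_TIMEOUT_SECONDS:
        reasons.append("session_expired")
    try:
        src = ip_address(req.source_ip)
    except ValueError:
        reasons.append("invalid_ip")      # malformed input is never trusted
        return "deny", reasons
    if not any(src in net for net in KNOWN_NETWORKS):
        reasons.append("unknown_ip")      # the red flag the article names
    if {"mfa_missing", "session_expired"} & set(reasons):
        return "deny", reasons
    if "unknown_ip" in reasons:
        return "step_up", reasons         # re-verify rather than extend trust
    return "allow", reasons

if __name__ == "__main__":
    for sample in [
        AccessRequest("alice", "10.1.2.3", True, 60),
        AccessRequest("alice", "198.51.100.7", True, 60),
        AccessRequest("bob", "10.1.2.3", False, 60),
        AccessRequest("bob", "10.1.2.3", True, 901),
    ]:
        print(sample.user, sample.source_ip, evaluate(sample))
```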
Collaboration needs to be the operating principle going forward. Collaborative efforts should build on the recognised importance of standards and best practices to increase transparency and accountability. Because cybersecurity by necessity has to be a shared responsibility, the players in a risk-managed cyber ecosystem should have clear responsibilities and objective requirements. Third-party suppliers, operators and, in some circumstances, others should explicitly commit to fulfilling requirements that apply to them (the details of which will vary depending on the criticality of components and systems and whether government regulations are also applicable). Responsible parties must be held accountable and face meaningful consequences for non-conformance.
The government should move to a “trust no one” approach to managing cyber risk — an approach building on the concept of zero trust that already enjoys growing support. In a zero-trust world, no critical technology would be accepted with minimal or reduced scrutiny based solely on its country of origin or because a supplier is considered “trusted”.
What's more, it's hard to know how robust an organisation’s cybersecurity infrastructure really is. Organisations generally don't like to talk about the measures they've taken, for fear that doing so might invite an attack or give away information that helps their potential adversaries.
For those reasons, you can't simply assume that a Fortune 500 company or a state agency will have proper security measures in place. Likewise, judging a company's trustworthiness based on its country of origin, or even on the absence of prior problems, is likely to induce a false sense of security.
For example, there's a misconception that US companies make secure products, while Chinese companies don't. Yet SolarWinds, once a trusted supplier, is headquartered in Texas, about as trustworthy a location for a corporate headquarters as an American company can have.
On the other hand, DJI, the world's largest maker of commercial drone aircraft, is headquartered in China. That was enough to get the company blocklisted by the US government for fear of security issues. But DJI was later vindicated when a Pentagon audit said two of its drones were "recommended" for use by government entities and forces working with US services.
As a society, we need to support those who are working to make critical technology more secure, while at the same time demanding greater accountability from organisations and leaders to incentivise them to meet appropriate requirements. At Huawei, we adopt a zero-trust principle for cyber security and follow a simple ABC mantra: A: Assume nothing, B: Believe nobody, C: Check everything.
In short, we have to do away with the notion that some suppliers are inherently trustworthy and thus subject to reduced scrutiny. Instead, networks will be more secure if there is a greater recognition that security is a responsibility shared by players in different parts of the technology ecosystem. Only through incentivised risk management practices and rigorous programmes of testing, verification and assurance can we create a truly open, risk-informed level playing field where all parties are subjected to appropriate scrutiny. That gives us an ecosystem with an objective and transparent basis for knowing which products and services are worthy of trust and can be counted on.