The New Security Reality
On the eve of next week’s RSA conference, it’s worthwhile to take a step back to reconsider what security means in today’s tech world. While the show has traditionally concentrated on cybersecurity threats, in an age of YouTube campus shootings, autonomous automobile-related deaths, and nation-state-driven, influence-peddling social media campaigns, the conversations at this year’s show are likely to be much more wide-ranging.
Admittedly, it’s not realistic to think that all the major issues driving these new kinds of threats can be addressed in a single conference. Nevertheless, the reality of these threats dramatically highlights both the depth of influence that technology now has regarding all forms of security, and just how far the tech world has reached into more traditional physical and political notions of security. Tech-related security issues now affect everything and everyone in some way or other.
In light of this new perspective, it’s also important to rethink how tech-related security challenges get addressed. While individual company efforts will clearly continue to be important, it’s also clear now that the only way to effectively tackle these kinds of big issues is through cooperation among many players.
In the past, many companies have been reluctant to share the security issues impacting them for fear of being seen as naïve or unprepared. With large-scale brand trust concerns at stake, as well as the egos and reputations of many proud security professionals, perhaps it wasn’t surprising to see these kinds of reactions.
Today, however, the simple fact is that every company of any size is getting digitally attacked on a daily basis in some form or another, and a huge percentage of companies have had at least some type of security compromise impact them—whether they’ve admitted it or not.
Given this troubling, but realistic, landscape, it’s time for companies to more aggressively seek to partner with others to address the enormous tech-related security challenges we all face. In some cases, that might be via sharing critical, or even potentially sensitive, data to ensure that others can learn from the challenges that have already occurred. For example, companies involved in testing autonomous cars ought to be sharing their results with others in the industry, instead of hoarding them and treating these results as a proprietary resource. For other situations, cooperation might take the form of a more open, willing, and proactive attitude towards sharing experiences and learning best practices from one another.
Regardless of the approach, it’s going to take some strength of corporate character and some new ways of thinking to effectively address these issues.
Interestingly, one of the better and more recent examples of this proactivity that I’ve witnessed is the effort that Intel made to contact and engage with some of its key competitors in the semiconductor space—AMD and ARM—when they learned about the Spectre and Meltdown bugs that plagued many modern CPUs.
In case you need a quick refresh, the Spectre and Meltdown issues essentially involve manipulating a characteristic of modern CPU design called speculative execution that’s been common in processors from these and many other companies for roughly two decades. As the story played out, Intel took the vast majority of the heat, despite the fact that many other large companies, including Apple and Google, had to deal with most of the same issues.
Part of the focus was (and still is) undoubtedly due to the fact that Intel is the largest semiconductor manufacturer in the world and traditionally known as the major CPU provider to many computing devices. But another reason is that Intel took the lead in publicizing the challenges and continually provided updates on remedies for them. In fact, the company helped coordinate one of the more impressive briefings I’ve been on in nearly 20 years as an analyst by pulling together Intel, AMD and ARM people on the same call to explain the news shortly before it was made public.
At the time, it was a bit shocking to have these competitors come together to discuss the issue, but in retrospect, I realize it was exactly the kind of effort that the tech industry is going to need moving forward to address the kind of big security issues we all will likely continue facing.
Instead of benefitting from taking a more proactive approach to these issues, Intel took a great deal of criticism in both the tech and general press, much of it unfairly from my perspective. The company has followed up with a series of commitments to security—including, notably, a very public “security first” pledge from CEO Brian Krzanich—and is using the challenges that the exploits created as a catalyst for building a full complement of better security solutions moving forward.
The process clearly isn’t an easy one, but given the harsh new security realities that we’re facing, it’s the kind of effort we’re going to need other tech companies to make as well.