Friend and foe: The little-known pact at the heart of cybersecurity
The cybersecurity industry is founded upon two types of competition: that between security vendors and cybercriminal adversaries, and that between the vendors themselves.
What’s unusual about the situation is the way in which these two battlegrounds are connected; to prevent threat actors from infecting devices with malware and infiltrating business networks, cybersecurity vendors often have to establish a temporary truce.
This balance between competition and collaboration is characterized by Jaya Baloo, CISO at antivirus company Avast, as a “friendly rivalry” that allows for all the largest market players to work hand-in-hand when it is important to do so.
In conversation with TechRadar Pro at MWC 2022, Baloo spoke to the unconventional relationship between vendors in the sector. She insists the cybersecurity community is focused first and foremost on shielding people against attack, and that turning a profit is a secondary consideration.
“I don’t really care which antivirus you’re using, so long as you’re using one,” she told us. “We’re still seeing so many people attacked on so many different devices, so our biggest concern is the people who are completely unprotected.”
Sharing is caring
In the coming years, there is expected to be a blending together of various emerging technologies, which will create the foundation for new digital experiences for consumers and businesses.
At MWC 2022, for example, there was plenty of talk about the interplay between 5G, AI, IoT and edge computing, a heady mixture that will enable use cases ranging from driverless cars to autonomous factories and more.
However, this level of interaction between technologies is bound to create headaches for security professionals, noted Baloo, especially if new products and services are not developed with security front-of-mind.
“There is an organic and orgasmic coming together of technologies right now,” she said. “But this will involve an increase in complexity, and complexity is the enemy of security.”
In a scenario such as this, cybersecurity companies stand the best chance of shielding customers from attack if they share intelligence on new vectors, vulnerabilities and cybercriminal groups.
Baloo highlighted the work of the Avast threat intelligence team, which publishes regular reports unpacking its discoveries. One recent report analyzed an increase in phishing attacks on Ukrainian companies in the lead-up to the Russian invasion, for example, and the previous instalment covered the spike in DDoS hacktivism.
When the threat intelligence team discovers a new malware strain or route of attack, Avast not only builds protections into its own services where possible, but also offers assistance to the victims and alerts the wider community to its findings, Baloo explained.
“We work with all the people you’d think we’d be competing against. There’s a very healthy level of dialogue across the ecosystem,” she told us.
“That’s why it’s so much fun; we’re collaborating with like-minded people to take down the bad guys. I love our threat intelligence work.”
Asked whether there are any instances in which Avast would not share intelligence, say, if withholding information had the potential to confer a competitive advantage, Baloo gave us a disapproving shake of the head. “When it’s information about the bad guys, we share. It’s as simple as that.”
Going in blind
Last year, the cybersecurity news cycle was dominated by the SolarWinds attack and Log4j vulnerability, both of which highlighted the dangers posed by the software supply chain, a source of risk often overlooked by businesses.
Despite the commotion that surrounded both incidents, Baloo told us she expects to see more of the same in 2022, because the necessary lessons have still not been learned.
“Supply chain attacks are not going anywhere,” she said. “The biggest problem is that we don’t fully understand our potential points of weakness.”
“We’ve reached a certain level of maturity in terms of the technologies we use, but don’t understand how they interlink to create areas of weakness.”
This is an issue that affects open source software to the same extent as proprietary services, notes Baloo. The fact that code is available for anyone to pore over does not necessarily mean someone has done so with the requisite level of scrutiny, as Log4j demonstrated.
However, Baloo is optimistic that regulation requiring companies to maintain greater oversight over their software bill of materials (SBOM) could play a role in minimizing risk for their customers.
In the aftermath of the SolarWinds attack, for example, US President Biden issued an executive order that led to new guidance requiring software vendors to provide a comprehensive SBOM as part of the government procurement process.
The US stopped short of requiring vendors to provide SBOMs to all customers, but the hope is that the practice will become more mainstream and, at the very least, that new regulation will raise the profile of supply chain-related risk.
The next frontier
Not only are cybersecurity companies tasked with anticipating the kinds of attacks that may threaten customers in the short term, but they must also look further ahead and further afield.
Another developing field of technology expected to have a significant impact on the cybersecurity landscape is quantum computing, which happens to be an additional area of expertise for Baloo, who advises the World Economic Forum on the issue.
Quantum computers solve problems in an entirely different way to classical machines, exploiting a phenomenon known as superposition (whereby subatomic particles exist in multiple states at once) to perform certain calculations many times faster than is currently possible.
Although the world’s most powerful quantum processors currently offer too few quantum bits (qubits) to establish a meaningful advantage over traditional supercomputers, the maturation of quantum computing will create various problems from a security perspective.
Most significantly, large-scale quantum computers will have enough horsepower to break modern cryptography. It is a mistake, therefore, to assume that information protected by encryption today will remain secure for years to come. State-sponsored threat actors may already be collecting large quantities of encrypted data in the hope of one day being able to access it.
“Quantum computing will answer fundamental needle-in-the-haystack scientific questions,” noted Baloo. “But we’re screwed as soon as we have a quantum computer capable of breaking current encryption.”
“To enjoy the benefits of quantum computing, we need a new set of cryptographic algorithms that will be unbreakable even with a quantum computer. As a cybersecurity community, we need to have a forward-looking defence, so we’re ready for these kinds of challenges.”
Again, this is a problem on which security companies will have to collaborate closely in the coming years, both to develop new quantum-safe algorithms and to push for regulation that ensures the most vulnerable portions of the economy are “quantum ready”.
In a scenario in which quantum-secure technologies do not develop apace with quantum computers, the foundations of modern cybersecurity will be compromised.