“Bert and Tom went off to the barrel. William was having another drink. Then Bilbo plucked up courage and put his little hand in William’s enormous pocket. There was a purse in it, as big as a bag to Bilbo. ‘Ha!’ he thought, warming to his new work as he lifted it carefully out, ‘this is a beginning!’

It was! Trolls’ purses are the mischief, and this was no exception. ‘’Ere, ’oo are you?’ it squeaked, as it left the pocket, and William turned around at once and grabbed Bilbo by the neck, before he could duck behind the tree.” (J.R.R. Tolkien, The Hobbit, p.34)

Imagine the entire world, all your things and all the things that surround you could talk to each other

what language would they speak?

where would you go for silence?

what thing would be the nicest?

and what thing could you trust to speak the truth?

In a speech to the Pittsburgh Technology Council in 2009, Google’s CEO, Eric Schmidt, focused on the negative effects that (what he called) institutional fragmentation has on innovation and integration, and wondered whether governments – and the very process of policy and policymaking itself – could not benefit from the iterative cycles of measuring success and failure that characterize engineering and design prototyping. He argued that with this amount of real-time tracking, aggregated data and information, rather than heuristics, governing itself could benefit. In essence, a law could be in effect for three months, be evaluated and adjusted on the basis of real data rather than estimates, and then be adjusted again. It is this process that can lead to combinatorial innovation and system innovation. As we know, government is still a long way from this set of principles, but businesses are taking it up fully.

Fifteen years later, the information gathered by sensors into datasets is actuating back into our everyday objects and services (energy grids, connected cars, wearables), so it was predictable (and predicted) that the safety and security of people, objects and events (i.e., formatted templates of the behaviour of people and machines) would become the focal point of new models of governance and of the new notion of value and trust itself. Large ecosystems compete to offer trustworthy schemes, and every one of them needs to occupy the position of first issuer. To achieve this, you must understand conflict.

Along the axis of trust versus distrust it is difficult to situate yourself, as there is no precondition to ‘trust’. That position is always empty, temporarily occupied by an arbitrary issuer of ‘trust’. Maybe the mental framework in a world of full hybrid connectivity is about distributing insecurity in the fairest possible way, and being trustworthy means, in the end, that you are trusted to manage conflict in the best possible way. Does this mean that every organization must develop its own definition of trust and its own strategy for achieving it? No, but as Cisco claims in Trust in Network Security:

The word “trust” is often overused in cybersecurity discussions, yet it describes a foundation that must be established. An organization must have the confidence and belief that they can identify and manage their information technology assets. While trust seems like a simple function, it is often a fundamental challenge.[1]

This feeling is widely shared by cybersecurity professionals in their 2022 trends. Larry Roshfeld, CEO of CodeHunter, hopes “that organizations will move to effectively implementing a defense-in-depth cybersecurity strategy, and become more proactive in handling threats by adopting software or strategies that tackle cyber threat issues prior to impact.”[2] Rohyt Belani, CEO and cofounder of Cofense, expects to see more collaboration among the cybersecurity industry and recognition that the best security defense is a combination of people, AI and automation. According to Chris Jacob, global VP of Threat Intelligence Engineers at ThreatQuotient, we will see more focus on decentralized services and individual privacy and “innovative new ways of utilizing blockchain, specifically leveraging the open and auditable ledger and smart contracts.” Sarbari Gupta, CEO of Electrosoft, believes that ransomware attacks on public and private sector businesses will continue to grow exponentially in 2022. “To help qualm the threat, Gupta said she expects a rise in zero-trust architectures and solutions as well as expansion on AI and machine learning to identify attacks and block them before they get to the end users.”[3]

Zero Trust is a relatively new paradigm. It describes a security posture tuned to the Internet of Things: things connected through various protocols with different security settings, people working from home and bringing their own devices to work, a variety of cloud operators and networks, all under continuous ransomware attack. In this hybrid operation, security needs to be operationalized at different levels of access, and at any moment the status of anyone on the network can be questioned:

“Zero Trust is a strategic approach to cybersecurity that secures an organization by eliminating implicit trust and continuously validating every stage of a digital interaction. Rooted in the principle of “never trust, always verify,” Zero Trust was created based on the realization that traditional security models operate on the outdated assumption that everything inside an organization’s network should be implicitly trusted. This implicit trust means that once on the network, users – including threat actors and malicious insiders – are free to move laterally and access or exfiltrate sensitive data due to a lack of granular security controls.”[4]
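The contrast the quoted definition draws, between trusting whatever is already inside the network and verifying every request, can be made concrete in code. The following is an added example, not code from the article or from any vendor: the corporate address range, the resource tiers, the request fields and the three sample requests are all constructed for illustration. The legacy decision asks only where the request comes from; the Zero Trust decision ignores network location and checks identity and device posture against the sensitivity of the resource on every request, denying by default.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed corporate address range: the only thing the legacy model checks.
CORP_NET = ip_network("10.0.0.0/8")

# Constructed sensitivity tiers; an unknown resource falls into the highest tier.
RESOURCE_TIER = {"wiki": 1, "hr-records": 3, "payroll-export": 3}


@dataclass(frozen=True)
class Request:
    user: str
    source_ip: str
    mfa_verified: bool      # identity re-verified for this session
    device_compliant: bool  # device posture: patched, encrypted, agent running
    resource: str
    action: str             # "read" or "write"


def perimeter_decision(req: Request) -> bool:
    """Legacy model: being on the corporate network is the whole test.
    Anyone inside reaches every resource, which is exactly the implicit
    trust the quoted definition warns about."""
    return ip_address(req.source_ip) in CORP_NET


def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Per-request evaluation; network location is not a factor.
    The default is deny, and every decision carries its reason so that
    the outcome can be logged and reviewed."""
    if not req.mfa_verified:
        return False, "identity not verified for this session"
    tier = RESOURCE_TIER.get(req.resource, 3)
    if tier >= 2 and not req.device_compliant:
        return False, f"non-compliant device may not reach tier-{tier} resource"
    if req.action not in ("read", "write"):
        return False, f"unknown action {req.action!r}"
    return True, f"identity and device verified for tier-{tier} {req.action}"


# Constructed requests covering the situations the text describes.
SAMPLE_REQUESTS = [
    # Remote employee on a home network with a healthy, re-verified device.
    Request("alice", "203.0.113.7", True, True, "wiki", "read"),
    # Insider already on the corporate LAN, but from an unmanaged laptop.
    Request("bob", "10.20.30.40", True, False, "hr-records", "read"),
    # Credentials used from inside the LAN without completing MFA.
    Request("carol", "10.1.2.3", False, True, "payroll-export", "write"),
]


def compare(requests):
    """One row per request with both models' decisions, for side-by-side review."""
    rows = []
    for req in requests:
        allowed, reason = zero_trust_decision(req)
        rows.append({
            "user": req.user,
            "resource": req.resource,
            "perimeter": perimeter_decision(req),
            "zero_trust": allowed,
            "reason": reason,
        })
    return rows


if __name__ == "__main__":
    for row in compare(SAMPLE_REQUESTS):
        print(row)
```

Run as a script, the table shows the two models disagreeing on all three requests: the perimeter model lets both LAN requests through and refuses the remote employee, while the Zero Trust evaluation allows the remote employee and refuses the two LAN requests, each with a reason that can be written to an audit log.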

Yet Zero Trust is not an all-encompassing solution. In Avoiding the Next Cyber Supernova, Mirko Ross, CEO of asvin.io, states:

One thing is certain: It is the operator’s responsibility to ensure that she achieves the desired operating result. She thus bears the final responsibility for the Cybersecurity of his IT and OT landscape. While supply chain attacks such as Sunburst / Supernova are fundamentally difficult to avoid and their effectiveness will make them even more sought-after attack vectors in the future. Zero Trust does not offer a solution here, on the contrary it might even be counterproductive, because it puts us in a situation where we are not able to apparent security. The key will be in trust building, traceability in the supply chain and collaboration. With a particular role also falling to the Cybersecurity industry to advance their current strategic view and their culture.[5]

Zero Trust is only one piece of the puzzle in bringing about the best possible balance between explicit and implicit trust mechanisms. We are reminded of the distinction between the Wirkliche Feind (the real enemy) and the Absolute Feind (the absolute enemy) of the German thinker Carl Schmitt. The latter is ‘Die Eigene Frage als Gestalt’, meaning that it is an ontological question that goes deep into the heart of why you are doing what you are doing. If you cannot answer that and make it tangible, at some point you will lose sight of the contextual shift that has changed your original solution and made it less effective, or even ineffective, at countering current threats. The real enemy can be very concrete. In the world of SCA (Software Composition Analysis), key criteria for cybersecurity solutions include vulnerability identification, license risk management, software bill of materials, policy management, SDLC integration, remediation, reporting, and breadth of coverage. Forrester Research scores companies in this field on these eight criteria:

Vulnerability identification 22%

License risk management 13%

Software Bill of Materials 10%

Policy Management 10%

SDLC Integration 10%

Remediation 25%

Reporting 5%

Breadth of coverage 5%[6]
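Several of the criteria above (vulnerability identification, license risk management, software bill of materials, policy management, remediation and reporting) can be seen at work in a single pass over a bill of materials. The following is an added example written for this article, not the article’s own code and not the product of any vendor scored by Forrester: the CycloneDX-style SBOM, the advisory feed with its placeholder identifiers, the version rule and the organisational policy are all constructed for illustration, and the version comparison handles only dotted numeric versions.

```python
import json

# Constructed CycloneDX-style SBOM (not from any real project).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "libparse", "version": "1.2.3",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "netutil", "version": "4.0.1",
     "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
    {"type": "library", "name": "cryptokit", "version": "2.9.0",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "logfmt", "version": "0.7.2"}
  ]
}
"""

# Constructed advisory feed; the identifiers are placeholders, not real CVEs.
# "fixed": None means no fixed release exists yet.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "component": "libparse",
     "introduced": "1.0.0", "fixed": "1.2.4", "severity": "high"},
    {"id": "EXAMPLE-ADV-0002", "component": "cryptokit",
     "introduced": "2.0.0", "fixed": "2.8.0", "severity": "critical"},
    {"id": "EXAMPLE-ADV-0003", "component": "logfmt",
     "introduced": "0.5.0", "fixed": None, "severity": "medium"},
]

# Constructed organisational policy: the "policy management" criterion.
POLICY = {
    "fail_on_severity": {"critical", "high"},
    "denied_licenses": {"AGPL-3.0-only", "SSPL-1.0"},
    "require_license": True,
}


def parse_version(version):
    """Dotted numeric versions only (e.g. 1.2.3); enough for the constructed data."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version, advisory):
    """Affected if introduced <= version < fixed, or no fix exists yet."""
    v = parse_version(version)
    if v < parse_version(advisory["introduced"]):
        return False
    fixed = advisory["fixed"]
    return fixed is None or v < parse_version(fixed)


def analyze(sbom_json, advisories, policy):
    """Vulnerability identification, license risk and remediation hints
    from one SBOM, summarised into a pass/fail report."""
    sbom = json.loads(sbom_json)
    vulnerabilities, license_issues = [], []
    for comp in sbom["components"]:
        ref = f"{comp['name']}@{comp['version']}"
        for adv in advisories:
            if adv["component"] == comp["name"] and is_affected(comp["version"], adv):
                vulnerabilities.append({
                    "component": ref,
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "remediation": (f"upgrade to {adv['fixed']}" if adv["fixed"]
                                    else "no fix available; mitigate or replace"),
                })
        # License risk: components without a declared license are a risk too.
        ids = [entry.get("license", {}).get("id") for entry in comp.get("licenses", [])]
        ids = [lic for lic in ids if lic]
        if not ids and policy["require_license"]:
            license_issues.append({"component": ref, "issue": "no license declared"})
        for lic in ids:
            if lic in policy["denied_licenses"]:
                license_issues.append({"component": ref,
                                       "issue": f"license {lic} is denied by policy"})
    blocking = [v for v in vulnerabilities if v["severity"] in policy["fail_on_severity"]]
    return {
        "vulnerabilities": vulnerabilities,
        "license_issues": license_issues,
        "blocking_findings": len(blocking) + len(license_issues),
        "passed": not blocking and not license_issues,
    }


if __name__ == "__main__":
    print(json.dumps(analyze(SBOM_JSON, ADVISORIES, POLICY), indent=2))
```

On the constructed input the pass flags libparse (fix available) and logfmt (no fix yet), clears cryptokit because its version is past the fixed release, and raises two license issues: the denied AGPL component and the component with no declared license. A pipeline would use the `passed` flag as its gate and the per-finding `remediation` text for the ticket it opens, which is how explicit trust becomes something that can be scored rather than asserted.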

This is where you build explicit trust: by scoring on these criteria. Balancing operational efficiency with explicit trust mechanisms also requires a definition of implicit trust that can be operationalized. Implicit trust needs a framework – balancing convenience, workload and operational process against access controls, explicit trust criteria and a broad view of the threat landscape that is proactive and considers emerging threats. It is the aim of asvin.io to be part of a select leading group of SCA providers who go beyond explicit trust mechanisms to set the standard for supply chain security.

About the Author

Rob van Kranenburg, Chief Innovation Officer (CIO) of asvin
Founder of IoT Council, the most prominent independent IoT thinktank and Creator of the yearly IoT Day

Rob is globally considered one of the most influential thought-leaders in IoT, renowned for his keynote talks on various topics in the industry. Rob paves the way for more robust, secure devices within the IoT and IIoT ecosystems and is in the Top 100 #IOT Influencers list and the Top 10 of IIoT Influencers to watch in 2022. Additionally, in 2019 he was listed by Telensa as one of the 100 most important influencers for the Smart City.

He wrote “The Internet of Things”, a critique of ambient technology and the all-seeing network of RFID, published as Network Notebooks 02 by the Institute of Network Cultures. He has over 20 years of experience analysing the IoT environment to conjure deep meanings and trends in this exciting and fast-paced industry.

As Ecosystem Manager in various FP7 and Horizon 2020 projects (EU initiatives) such as Tagitsmart, Rob chairs the IERC Hyper-connectivity chain and is part of the Expert Group for the CSA Next Generation Internet project NGI MOVE, which has operated successfully since Oct 2017.

Rob is co-founder of Bricolabs. Together with Christian Nold, he published “Situated Technologies Pamphlets 8: The Internet of People for a Post-Oil World”. Rob is co-editor of “Enabling Things to Talk: Designing IoT Solutions with the IoT Architectural Reference Model”, Springer Open Access. He works as Ecosystem Manager for the EU projects Tagitsmart and Next Generation Internet. In addition, Rob is Chief Innovation Manager for asvin.io.

https://www.asvin.io

https://theinternetofthings.eu

https://iotday.org/

LinkedIn: @robvankranenburg

Twitter: @robvank

Sources: 

[1] https://www.cisco.com/c/dam/en_us/solutions/industries/docs/gov/cybersecurity_bvr_wp.pdf

[2] What will the cybersecurity industry look like in 2022?

Experts from ThreatQuotient, Cofense, CodeHunter and Kion and Electrosoft share their predictions for what’s likely to be another active year of attacks.

[3] What will the cybersecurity industry look like in 2022?

Experts from ThreatQuotient, Cofense, CodeHunter and Kion and Electrosoft share their predictions for what’s likely to be another active year of attacks.

[4]

[5] https://www.linkedin.com/pulse/avoiding-next-cyber-supernova-mirko-ross/

[6] The Forrester Wave™: Software Composition Analysis, Q3 2021. The 10 Providers That Matter Most And How They Stack Up. August 18, 2021. Sandy Carielli with Amy DeMartine, Peggy Dostie.