
Governments are starting to recognise a private national sovereign cybersecurity partner is a better choice

11 May 2020 | Lee Cocking

Industrialised nation-states are facing an increasingly challenging dilemma. On one hand, the critical functions of their societies – water and power supply, healthcare, communications and transportation – are likely built on top of a distributed digital infrastructure. On the other hand, the equipment and software for that same infrastructure are probably put together by several integrators, from components constructed and software developed in several different countries. Inevitably, sooner rather than later, this approach becomes highly complex. And complexity is the enemy of security. Yet modern society must be able to rely on its digital infrastructures.

When buying solutions, nations must trust not only the provider but anyone in the supply chain who has contributed to the solution, even those with the power to change it. Few providers are in control of all security aspects of the entire supply chain. Yet the ability to govern a state during a national crisis depends on them. Why is this so? It is known that some of these third parties, and the countries they reside in, can't be inherently trusted. Governments realise that, and in fact, there are already a few global ICT vendors that have been banned by countries because of their connections to their government or military.

The procurement of national digital infrastructures represents exposure to risk and decisions on whom to trust when buying complex digital solutions. The security implications of this can be enormous. A society's critical functions are so instrumental to people's well-being that threats to their integrity also threaten the integrity of entire nations.

Let's take a look at these risks from two angles. In most cases, digital infrastructure buyers are not expected to find possible bugs. Nor, regardless of the resources their organisation may have, are they assumed to be able to correct them. If governments are not expected to understand what the system they bought can do, they are no longer in control of what was bought, and they are obliged to trust the vendors. This means the vendors of the solution – or malicious actors acting through them – may be able to control or monitor the solution. In other words, vendors can deliver solutions that turn against their owner without the owner ever finding out. Meanwhile, adversaries can be carrying out espionage and surveillance to get hold of confidential information, or things much worse. Knowing this, how can nations possibly afford to trust every single vendor in the supply chain?

In terms of cybersecurity, complex digital infrastructures from multiple multinational vendors allow too many opportunities for errors and flaws and, most critically, too many 'seams' to be attacked. Properly managed, patched, and configured servers are difficult to attack. Still, professional hackers are looking at the seams – spots in the system where integrations are left exposed, where people and processes are not perfect. The more complex the infrastructure, the more likely it is to have seams with exposed vulnerabilities.

It is not that one set of services is better or worse than another – it's that they are different, developed with varying security practices. These differences are what make large deployments complex, and their exploitation is the ever-growing activity of threat actors, often with nation-state backing and immunity. The good news is that governments and security-conscious enterprises are realising this, and hence making national private cybersecurity vendors their choice.

Few nations can design and produce digital equipment for their critical infrastructure entirely by themselves. If designing and building human-safety-critical solutions nationally were a viable path, it would be an obvious solution to the problem. It is not, because the scale of technology change dwarfs any ability of governments and enterprises to understand its full impact, and it is moving faster than they can come to grips with. We need to get used to a future where cyber threats and crime will continue to advance and evolve. The private sector, due to the nature of competition, has many more tools and capabilities than any government can assemble. Therefore, governments are choosing a new model where the private sector and government collaborate and move in tandem.

At Digital14, our secure solutions operate on a single sovereign security plane, which is the only way to reduce complexity and eliminate the infrastructure vulnerabilities. This is part of our principle of upholding values like trust and accountability in cybersecurity. We believe that countries have to rise to a correspondingly high standard with the help of the private sector. Digital14 was created to help governments advance their digitalisation and cybersecurity maturity.

In achieving this, we cooperate on a larger scale with a broader set of government institutions and partners, working together to build trust and share responsibility, and to protect the increasing numbers of citizens and residents who rely on the government's digital networks to survive and thrive. The public's trust in government digital services is what makes countries attractive to investors and to people looking to move in, work and live. This is the ultimate value that proper cybersecurity sovereignty can deliver.

Since we were founded, Digital14 has practised a secure-by-design approach in everything we do. We develop solutions that are secure by design, using a security-first philosophy. We believe that the work is never done; to ensure business continuity and resilience, we apply continuous threat modelling that assumes something will be compromised at some point. We are unique in our holistic threat modelling in that our protocols consider dozens of attack vectors in our products and services' threat models, and we apply that in how our code is written. We hold ourselves to the rule that there should be no single point of failure resulting in a catastrophic security breach.
