Security and risk leaders engaged in digital transformation should take note: the US Justice Department is poised to file an antitrust lawsuit as soon as this week against Alphabet Inc.'s Google. Added to the mix, UK and EU regulators are cracking down on Amazon, Apple, and Facebook. Historically speaking, this isn't a surprise; the twentieth century saw similar actions breaking up companies like Standard Oil and the Northern Securities Company (a short-lived American railroad trust). But before Northern Securities Co. v. United States was heard by the US Supreme Court in 1903, the US had made substantial infrastructure investment in the railroads during and after the Civil War. In addition, the Interstate Commerce Commission (ICC) had been established in 1887 as the agency regulating the railroads, with the aim of forming a national strategy for infrastructure and safety.
While antitrust actions are aimed at regulating competition, what could the break-up of big tech mean for safety and security?
Unlike the US railroads, big tech in the US remains largely unregulated, and IoT and cyber-physical systems now raise privacy and safety consequences that reach beyond data. While parts of Asia and Europe have taken steps to put up guardrails and have invested in infrastructure, the US has stagnated. With an aging infrastructure, inadequate standards, brownfield vulnerabilities, poor visibility and controls, and disparate systems, the US is an attacker's paradise. It wasn't surprising, then, that in recent months cyber actors have doubled down on malicious cyber activity against critical infrastructure (CI) by exploiting the digital connectivity of operational technology (OT) assets. Their actions led the NSA and CISA to issue Alert AA20-205A, recommending immediate actions to reduce exposure across operational technologies and control systems.
The digital transformation of OT/IoT/CPS (cyber-physical systems) rests on a consolidated vendor market, with devices connected on top of an aging infrastructure. While one can only speculate what breaking up the tech giants might look like, what is clear is that without addressing infrastructure, security risk, and standardization, the path for security professionals may become more complicated.
A Complicated Path for SRM Embracing IoT, OT & CPS
Here's what we know about security and risk leaders that will complicate the road ahead if a major break-up of big tech fails to address the current risk environment, according to Gartner's Security & IAM Solution Adoption Trend Survey from June 2020:
- Organizations consider security and integration capabilities and brand recognition the most important factors in choosing security vendors. Simply put, security organizations gravitate to big names, consolidating their vendor base in an effort to ease integration woes. In the process, they often fail to address the underlying intricacies that drive the need for complex integration, namely the lack of uniform standards (particularly in OT, IoT and CPS).
[Chart: Reasons to select an organization's information security vendor, in terms of budget or spend for the current budget year]
- OT/IoT/CPS is identified as the number one external factor impacting organizations' information security functions and controls over the next 3-5 years. With IoT and CPS having real-life safety and privacy consequences, the associated risks are only exacerbated.
- Organizations still face a cybersecurity skills shortage and depend heavily on a handful of selected vendors to fill their internal knowledge gaps.
Given heavy investment in a handful of technology vendors, integration woes, and the future of OT/IoT/CPS, security and risk leaders must plan now to avoid a security quagmire if the break-up of big tech becomes a reality without the guardrails of standardization and investment in infrastructure. Cleveland-based attorney Shaun Whitehead offered: "US antitrust laws were established in response to industrialization and have proven to be one step behind in the digital age due to technology's speed. For example, everyone is focused on Facebook, while many of its younger users have already moved on. While it is unclear what regulators will do in terms of antitrust actions, technology leaders can counter disruption. They will need to keep one eye forward toward using their collective power to strengthen product terms and conditions and demand stricter security, privacy, and integration standards to mitigate risk." Security and risk leaders should also:
- Focus on standardization to ease integration woes that might be compounded by antitrust activity: use your seat at the table in user group communities, form vertical partnerships with peers to demand standardization, and simplify protocols and product architecture to harden your security posture.
- Mitigate risk by building in-house knowledge and reducing vendor dependency for security, risk, and incident management, concentrating on talent with a strong balance of business and technical acumen.
- Use more detailed business and IT use cases to drive security architecture decisions. Do not assume the status quo is the ideal approach to the new mission of safety, resiliency, and privacy.