Crossing the Cybersecurity Trust Chasm

Editor’s Note: Deepak Jeevankumar is an enterprise IT investor at General Catalyst Partners where he has a wide range of investments in cybersecurity, big data and storage startups. The opinions expressed here are Deepak’s personal opinions and do not reflect the views of General Catalyst or their portfolio companies. 

Kudos to the President for visiting Silicon Valley last month and drawing the attention of the nation to a new world of continuous cyber attacks.

The executive order signed by the President addresses the critical piece that is needed to help companies protect themselves in the future  – by sharing cyber threat information between different private sector companies, and between the government and the private sector.

But we need to cross the cybersecurity trust chasm to make sharing really work.

Today, this trust has been broken in the system due to incessant hacking of employee/customer confidential data stored in private sector enterprises. Multiple allegations of excessive snooping against the private sector and the government have only complicated matters.

We need to (re)build trust: between the government and the public; between a company and its employees; between a company and its customers; between different private sector companies; and finally between the government and the private sector.

The traditional cybersecurity debate has been portrayed as a security vs. privacy dialog. Trust has largely been ignored. But, trust and only trust can bring together the repelling poles of security & privacy.

To build trust effectively, we need three ingredients: timing, talent and technology.

In the last couple of years we have seen increasing severity and public exposure to cyberattacks. Public awareness of the effects of cyber-terrorism has probably never been higher.

The Sony attack specifically has created a perfect storm of timing. Unlike most other cyber-theft activities where credit card, personal information or critical business information is stolen, the Sony attack was real cyber-terrorist activity.

We need to (re)build trust: between the government and the public; between a company and its employees; between a company and its customers; between different private sector companies; and finally between the government and the private sector.

It is a rare case, where the perpetrators of cyber-theft crossed the line in to threatening violence in real life. Cyber attacks are now a top national issue. People are outraged that cyber terrorism could lead to physical terrorism. They want to know how the government and private sector can safeguard them against such scenarios.

Everyone’s interests are seemingly aligned. Let us all seize the moment before it is lost and build trust.

A critical piece for rebuilding trust is having the right talent focused on it. Box recognized that trust is a competitive advantage and appointed a Chief Trust Officer few years ago to build trust with their customer base on their security practices.

We need Chief Trust Officers in every private company, in the NSA and in other branches of the government. It will be the responsibility of these executives to make sure that the trust concerns of the public/employees/customers are adequately addressed by using the right tech tools and instituting controlled security-monitoring processes.

Technology can also be used to build this trust by addressing transparency, data persistence and trusted sharing.

In the Silicon Valley code development world, we are familiar with the continuous integration model of code development. Similarly, we need to implement the concept of ‘continuous trust’. Just like consumers have financial tools like Mint.com that monitor their different financial accounts and provide an easy conduit to understand their ‘financial health’, they need access to easy-to-use tools to check the status of their ‘security health’.

These tools can increase transparency in the system by showcasing how efforts taken by corporate and government security actors are protecting people’s assets in real-time. Frankly, there is a dearth of such tools in the market today.

Another major tech hurdle in the way of building trust is the question of data persistence. Once we upload a photo or a file, it can stay in cyberspace, unprotected & unencrypted in many cases, ‘forever’. The owner of the data looses control.

Can we have expiring data based on time and need? Can an employee revoke access given to his company for his/her personal data once he leaves the company? Can the keys to the data be handed to the employee and not the employer? Again this is an area screaming for startup innovation.

Cyber-terrorists deploy guerilla warfare tactics. To fight a ‘distributed’ adversary, we need a ‘distributed’ army of the people / customers / employees. Technology innovations can also create secure sharing platforms to create this distributed army.

The private sector already has industry forums like FS-ISAC. We need to build automatic & real-time sharing platforms with the help of such forums. Sharing should start selflessly from the government to the private sector.

To fight a ‘distributed’ adversary, we need a ‘distributed’ army of the people / customers / employees. Technology innovations can also create secure sharing platforms to create this distributed army.

 

Once trust is re-built with the private sector, sharing will start organically in the other direction (i.e. private sector to government). Tech product features in these sharing platforms can also ensure that such trust doesn’t get exploited.

The President’s executive order addresses this problem at its heart. In the recent past, we have seen a few innovative startups working on this hard problem like ThreatConnect, Vorstack, Soltra, and ThreatStream (a General Catalyst portfolio company).

While fear, vanity & revenge hold cyber-terrorists together, only trust can hold us all together. Security entrepreneurs have been handed a golden opportunity by the President raising the cyber threat issue to national consciousness. There are many product gaps that need to be filled to increase transparency, promote continuous trust and to create new trustworthy threat sharing networks.

Let us turn trust into a competitive advantage. And let us not forget we are fighting the war on the same side. Few weeks ago, I woke up to the news of a potential $1B global cyber heist. Winter is coming!