By Akash Mathur
It takes a village to raise a child, it is said. Stretching this adage, it will be equally true to say it takes the global village to build any modern ICT technology product. Take for instance any of today’s smartphones, which carry components from as many as 43 countries, if not more. The modern ICT ecosystem involves complex global supply chains with multiple players that are far more prone to cybersecurity risks.
Small wonder, then, that a key challenge for large companies today, including in India, is finding ways to reinforce their cybersecurity defenses to ward off cyberattacks on their digital infrastructure and foster a vibrant ecosystem. Fortunately, the global ICT industry has risen to the challenge and come up with potent cybersecurity strategies that are transparent and designed to help companies beef up information security via constant intervention drills based on facts, verification, transparency, and risk management.
Traditionally, cybersecurity protocols are implemented on a company-by-company basis. However, in such a scenario, it is hard to know how robust a company’s cybersecurity armor is. It would be erroneous to simply assume that a Fortune 500 company will have proper security measures in place. This calls for a top-to-bottom, supplier-blind cybersecurity structure, as cybersecurity concerns can come at any time from any direction.
Since the current discussion on cybersecurity is largely focused on geopolitical considerations, it creates a very real risk of distracting from the urgent need to mount comprehensive cyber defenses, and is also likely to prevent authorities from taking a pragmatic, sustainable approach to a global problem. And given what’s at stake, companies should be required to prove that they are worthy of trust. They can do so by meeting certain globally recognized cybersecurity standards, just as many companies use the ISO family of standards to evaluate organizational systems such as quality management.
Herein comes the ‘zero trust’ approach. The zero-trust cybersecurity model marks a departure from the old-fashioned “trust but verify” approach to one of “never trust, always verify” in an increasingly connected world. It calls for zero trust in all participants as the basis for creating a robust cybersecurity strategy.
It can also be explained using what is termed the “ABC principle”, which advocates ‘A’ (Assume Nothing), ‘B’ (Believe Nobody) and ‘C’ (Check Everything) as the core building blocks, or signposts, if you will, for fostering a trustworthy business environment in the digital era.
The zero-trust cybersecurity model, based on the idea of never trusting and always verifying, allows for intervention based on facts, verification, transparency, and risk management to create an environment for innovation while protecting national security.
A robust cybersecurity practice calls for building security into every aspect of the company, from requirements, strategy, governance, and standards, to processes, design & development, manufacturing, third-party management, delivery, human resources and audit functions, all while demanding the strictest compliance from its global supply chain.
And therein lies the USP of the ‘zero-trust’ model: it helps enterprises minimize damage and system vulnerability. The industry needs to adopt best practices, including a zero-trust identity and access management policy that validates each device connected to an organisation’s network, to prevent cyber-attacks.
India’s decision to mandate purchase of “trusted telecom products” from “trusted sources” is a welcome move, as is the launch of the “trusted telecom portal” under the cyber wing of the National Security Council Secretariat.
However, even strengthened national cyber defence is not enough. Global solutions are needed to make the globally connected technologies of the future as safe as possible. More needs to happen around product testing, and it’s imperative to allow global adoption of standardized processes to verify whether a piece of telecom gear is safe. Approving trusted sources and products should be based on both documentary evidence and a robust testing mechanism based on global standards. To reiterate, trust needs to be based on facts. Facts must be verifiable, and verification must be based on common standards. We are hopeful the upcoming National Cyber Security Strategy (NCSS) will address these requirements adequately.
A zero-trust approach to cybersecurity — pragmatic and defensive rather than ideological — together with effective global rules for new tech, could yet demonstrate that, as in previous eras, it is possible to coexist, verify and enforce minimum standards to build a robust ecosystem.
(Akash Mathur is Vice President and Chief Compliance Officer, Huawei India)