Five Eyes nations tell tech startups to take infosec seriously. Again
Only took 'em a year to dish up some scary travel advice, and a Secure Innovation … Placemat?
Cyber security agencies from the Five Eyes nations have delivered on a promise to offer tech startups more guidance on how to stay secure.
The Five Eyes nations – Australia, Canada, New Zealand, the UK and US – are best known for their unusually close intelligence-sharing arrangements and joint commitments to defend each other's interests. But in October 2023 the group participated in a summit at which they outlined the extent of the threat posed by Chinese IP theft and delivered five principles to "better inform innovators around the types of threats we face and what they can do about it."
Those principles were not rocket science:
- Know the threats – understand the potential vulnerabilities that might put your product or innovation at risk.
- Secure your business environment – create clear lines of ownership around the management of security risks in a business. Appoint a security lead at board level who factors in security considerations into decisions and initiatives.
- Secure your products – build security into the front end of your products by design. This will help protect your IP, make your products more marketable and ensure your products don’t become a supply chain vulnerability.
- Secure your partnerships – make sure the people you collaborate with are who they say they are and can be trusted with your IP.
- Secure your growth – be aware of security risks as you expand, such as hiring new people into positions of trust and managing risk around entering new markets.
More than a year later, member nations' infosec agencies have expanded on the principles with a joint campaign that offers advice on how to put the principles into action.
In the UK, startups can reference a three-page infographic [PDF] or video. Canada has delivered a guide for tech investors.
New Zealand has done rather better with a 33-page advisory [PDF] that offers basic procedures for improving security and responding to incidents.
The United States delivered five documents, including one that outlines risks that are prevalent during travel abroad. That document recommends ensuring phones can be remotely wiped, employing on-device encryption, and considering only carrying essential data while travelling.
Australia has served up a Secure Innovation Placemat [PDF].
The wide variance in the documents is by design: each Five Eyes nation chose its own approach, although the campaign is a coordinated effort that is billed as "consistent and consolidated advice reflecting both the globalized and interconnected tech startup ecosystem as well as the global nature of the security threats startups face." And everybody uses placemats.
Whether this advice will break through the "move fast and break things" culture that many startups nurture is anyone's guess. The Register has reported on security and resilience troubles in the early years at Uber and Lyft, GitLab, and at OpenAI.
It might take more than PDF checklists to prevent similar issues in future. ®