Governments resent their dependence on Big Tech
Singapore summit hears how private sector's constant security sins create risk for sovereigns
Senior politicians gathered at Singapore International Cyber Week (SICW) this week to discuss the current state of cybersecurity have articulated their discomfort with finding themselves dependent on Big Tech.
"Large tech companies wield an unprecedented level of influence over economies and societies. At the same time, they enjoy a remarkable degree of freedom from regulation and accountability for their activities and the content they carry," opined Singaporean minister Teo Chee Hean at Monday night's opening address.
Teo pointed out that private industry owns and controls significant parts of the technology stack that the majority of the world depends on, and the vast amount of data such systems contain. The revenue Big Tech squeezes from this data exceeds the GDP of many countries.
That strength means governments rely on the private sector for cybersecurity and other necessities in the digital domain. Meanwhile, these companies ultimately "make their own decisions," such as which nations they boycott or the content they carry.
Teo said it's somettmes hard to know how government and Big Tech can work together given that national security, defense, and social governance have long been the exclusive domain of governments. An added complication is that Big Tech companies are often foreign entities.
"Their interests may not always align with public or national interests," he said.
A big part of the problem, according to Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), is that the tech industry prioritizes getting to market quickly over security – a situation she labelled a "crazy malalignment" that results in an unacceptable "shaky technology platform" the world ends up relying on.
"We have perversely normalized a world where the technology that underpins the critical services that we rely on for water, for healthcare, power, transportation, communication – the devices we rely on every minute every day – are all built on insecure foundations," said Easterly. "We don't need more security products. We need more secure products."
Easterly was particularly keen to have tech companies prioritize security before generative AI becomes the "most powerful technology and most powerful weapon of our time."
The CISA director called on CEOs, boards, and other business leaders to treat cyber risk like they do equity, franchise, or liquidity risk.
"The days of delegating cyber risk to infotech people – your chief info officer, then fire them when you have a breach – must be over," she declared.
Easterly then scoffed at Microsoft's Patch Tuesday, comparing it to a consumer getting a car recalled once a month, and holding it up as proof that vulnerabilities and flaws have been normalized.
Regardless of what disasters flow from poor security, it's far too late to be having any conversations regarding reining in reliance on tech vendors. And for countries in distress or at war, like Ukraine, the unquestionably vital necessity of Big Tech is even more stark.
- Generative AI slashes cloud migration hassles, says McKinsey partner
- So, the US, China, and Russia walk into an infosec conference
- Ukraine accuses Russian spies of hunting for war-crime info on its servers
- President Biden still wants his cybersecurity labels on those smart devices
Anton Demokhin of the Ministry of Foreign Affairs of Ukraine credited Big Tech with giving his nation the ability to focus on its war with Russia. Demokhin credited a number of companies with providing resources – from cybersecurity support to the use of cloud to back up resources that would otherwise be at risk of being destroyed during Russia's invasion.
"That's given us the momentum to deal with challenges and war and cyberattacks," said Demokhin.
But the question, at least for Australia's National Cyber Security Coordinator, Darren Goldie, centers around where to divide the duties of government versus Big Tech, ultimately deciding how much power to continue to give to industry.
Goldie asserted it was best to utilize expertise, which is rarely located within government.
Goldie said Australia is pursuing threat sharing and blocking capabilities.
"Threat blocking tries to raise the bar with one private entity asking another one to block," stated Goldie. "If you have a threat that everyone agrees should be taken down, you could ask a telco to take it down."
He then posed the question: if threats and ongoing blockades persist, when does a nation reach a point where it becomes uneasy about outsourcing this responsibility?
There appears to be no end in sight to what could be privately offloaded within the domain of digital infrastructure.
"Critical infrastructure has been outsourced to private industries," surmised Danish tech ambassador Anne Marie Engtoft Meldgaard on Tuesday.
Denmark became the first country to appoint an ambassador to tech, with the same responsibilities as a conventional ambassador to a sovereign nation, in 2017. Meldgaard replaced the first person to have that role, Casper Klynge, in 2020.
"There's quite a lot of us tech ambassadors who have been appointed to represent our countries in a much more mature, concerted effort and dialog with tech," said Meldgaard. "And on the other side, Big Tech has been hiring diplomats too; recognizing the need for engaging interchangeably with governments."
When Klynge left Silicon Valley under Denmark's Ministry of Foreign Affairs, he promptly joined Microsoft.
"The time for tech platform as neutral actors is over," Meldgaard declared. ®