During a webcast previewing the RSA 2018 conference, participants discussed the impact of the new European law, GDPR, and of blockchain on multiplying data attacks.
Today, data is the currency of business. Data can identify customer preferences, inefficiencies in a company’s supply chain or whether a network is performing optimally.
But while data is an asset, it’s also a weapon being used to make companies, governments and countries vulnerable. That was one of the key themes discussed during the RSAC Advisory Board Roundtable, which previewed themes at the RSA 2018 conference.
“That trend is only going to continue—whether it’s holding companies’ data hostage with all these types of ransomware attacks or as we’ve seen with influence operations,” said Dmitri Alperovitch, co-founder and CTO of a cybersecurity technology company, and RSAC board member.
The theme is timely in light of revelations that the data of nearly all of Facebook’s 2.2 billion users may have been improperly shared with the political consulting firm Cambridge Analytica. The firm used its data tools to influence Americans’ voting behavior during the 2016 election. A former employee of Cambridge Analytica described the firm as having an “arsenal of weapons” to engage in a “culture war”—eerily echoing Alperovitch’s warnings.
“Companies aren’t fully ready” for the next wave of data attacks, said Todd Inskeep, principal at Booz Allen Hamilton and RSAC board member.
While countries such as China and Russia have readily engaged in data attacks against adversaries, Alperovitch indicated that the U.S. has lagged in understanding the data-as-a-weapon mentality.
“Our adversaries have been much more focused on information, either using it for propaganda or manipulating information,” he said. “This country is behind in thinking about it—not just to defend ourselves but also in leveraging it ourselves.” Companies need to think more creatively about how to fend off nefarious actors but also to use intelligence proactively.
Inskeep said that it makes sense that companies may be ill-prepared for malicious actors’ next wave of data attacks, because they often hold conflicting views about data privacy and data risk.
On the one hand, enterprises approach data as a treasure trove of information about customer behavior and preferences. On the other, data breaches and recent news about the use of customer data at companies like Facebook indicate the dangers associated with companies having access to so much personal data.
“As long as we continue to have diverse views on what privacy means, we’re going to have challenges with protecting that data,” Inskeep said.
The General Data Protection Regulation (GDPR) further catalyzes these questions. GDPR takes effect May 25, 2018, in EU countries. GDPR gives EU citizens greater control over how their data is used and it harmonizes regulation throughout EU countries on the handling of personally identifiable information. Most experts see GDPR as a move in the right direction. It enables companies to be more discriminating about the data they store and use.
GDPR requires companies “to think long and hard about whether they need to store this data,” Alperovitch said. “That is a very, very good thing.”
At the same time, the reality is that most enterprises aren’t ready for GDPR to take effect.
According to one recent study, while 38% of companies are aware of GDPR, one-quarter have taken steps to prepare for the regulation.
Panelists also debated the benefits of blockchain and whether the distributed ledger, which requires consensus to validate transactions, could revitalize faith in these transactions after years of digital distrust.
“What [blockchain has] showed us [is] that there were ways to let people work together who had no existing reason to trust each other,” said Benjamin Jun, CEO of HVF Labs and RSAC board member. “Through these systems, we could build enough consensus and enough trust to exchange money, to exchange contracts. Most of the stuff we see right now deals with using these technologies in a very transaction-oriented way. . . . [But] these are just the beginnings of how things are going to change.”
Other members of the panel were measured in their belief that blockchain can restore trust.
“We’re going to have to find some way to put trust and accountability back into our systems,” Inskeep noted. “Blockchain may be a way to do that. We’re going to have to figure out where and when it makes sense.”
Lauren Horwitz is the managing editor of Cisco.com, where she covers the IT infrastructure market and develops content strategy. Previously, Horwitz was a senior executive editor in the Business Applications and Architecture group at TechTarget; a senior editor at Cutter Consortium, an IT research firm; and an editor at the American Prospect, a political journal. She has received awards from the American Society of Business Publication Editors (ASBPE), a min Best of the Web award and the Kimmerling Prize for best graduate paper for her editing work on the journal article “The Fluid Jurisprudence of Israel's Emergency Powers.”