From brutal aggressors to confident incumbents — everyone, these days, seems to be perfectly comfortable with the notion of Digital Disruption. Centered around competitive advantage, its application ranges from the abrupt and irreversible stealth takeover of market dominance to a mere irritating interference of “fireflies before the storm” or even “wampum,” as the dotcom insurgents were famously depreciated by IBM’s Lou Gerstner and GE’s Jack Welch, at the end of the 20th century. In our modern Cyber-Physical Systems universe, however, where the digital mycelium has pervasively mushroomed, Cybersecurity vulnerabilities and threats rank among the most dangerous disruptive forces, because they are inextricably linked to the omnipresent phenomenon of competitive Digital Disruption.
Digital Disruption Beyond the Buzz
By the end of June 1999, seven months before the dotcom crash set in, BusinessWeek devoted an issue to the then prevalent “Internet Anxiety.” Its symptoms were on the cover: “You’re Merrill Lynch when Schwab.com comes along. You’re Barnes & Noble when Amazon.com hits big. You’re Toys “R” Us when eToys shows up. What would you do?” The response, then, was the cover story’s caption: “Part in envy, part in fear, Corporate America is embracing a radically new business model.” Although Mr. Welch surely didn’t have to fear or envy any competitor, his stance toward the Internet was utterly respectful: “I don’t think there’s been anything more important or more widespread in all my years at GE. Where does the Internet rank in priority? It’s No. 1, 2, 3, and 4.” At that time, many mainstream corporate giants were racing to solidify and build out what was called a company’s “Web Strategy,” while digital development exploded.
The year 2000 not only saw the dotcom bubble burst, but also the birth of Web Services (“a software system designed to support interoperable machine-to-machine interaction over a network”), as a new defining mechanism for what was commonly called the Digital Economy. Now, fifteen years later, Amazon has matured from a pure-play search / recommendation engine around books to the poster child of modern retail, Amazon Web Services is a 5 billion dollar business, and much of the attention has shifted to APIs, i.e. to programmable flexibility.
The Internet has expanded to the “Internet of Things” – the phrase that Kevin Ashton had coined in 1999, as he couldn’t think of anything better. Radically new business models, once again, are transforming the way in which companies and industries operate. Sensor-laden smartphones and Smartphones On Wheels (aka Connected Cars) have followed the well-known application of RFID tags for Collaborative Planning, Forecasting and Replenishment (CPFR) purposes at Procter & Gamble, where Mr. Ashton – who headed the MIT Auto-ID Center – implemented, for the first time and successfully, his Connected Things That Talk & Think.
We have traded in dotcoms for lean startups, GE’s FastWorks proudly touting itself as The Biggest Startup Ever, and added both “Industrial” and “of Things (and Services)” to the Internet. Ours is the Age of Exponential Organizations where new entrants may well be ten times faster, better, and cheaper than incumbents. Increasingly, enterprises organize themselves around embedded automated sense & respond data feedback loops, which enable better operations, faster product innovation, new service models, and vastly enhanced customer targeting and retention. The “Anything Internet” phase that we have entered is based on three mutually dependent “C” pillars: Cloud Computing or simply digital infrastructure, Cognitive Computing or digital intelligence, and last but not least Cybersecurity.
Cybersecurity Beyond the Buzz
The security of products and services is a key element of the overall security of cyber-physical systems, but a number of things are affecting organizations’ ability to put in place a solid digital defense system. These include an expanded attack surface, inefficiencies in the development process, a weak security architecture of the entire system, lack of specialized security skill sets, and insufficient use of third-party support. Securing a cyber-physical system is a challenge, because of its multiple points of vulnerability. These include the products and the services involved, the embedded software and the data residing within, plus the data aggregation platform, the data centers used for analysis, and of course, the communication channels.
The current Top 10 list from the Open Web Application Security Project (OWASP) covers the following alarming basic issues:
1 – Insecure Web Interface
2 – Insufficient Authentication/Authorization
3 – Insecure Network Services
4 – Lack of Transport Encryption
5 – Privacy Concerns
6 – Insecure Cloud Interface
7 – Insecure Mobile Interface
8 – Insufficient Security Configurability
9 – Insecure Software/Firmware
10 – Poor Physical Security
Probably, Target, Home Depot, Sony, JP Morgan Chase, the U.S. Postal Service, the Office of Personnel Management, the White House, and many other organizations and institutions around the globe could have done more to prevent their breaches. On top of security fundamentals, we badly need more sophisticated data-handling techniques: access control management, tracking and auditing; anonymization; encryption; separation of data; plus well-defined and enforced data destruction policies. We simply cannot afford Internet Anxiety Disorder to disrupt economic progress and technological trustworthiness.