Cyber Diplomacy – building resilience through digital transformation
Opinion by Dragos Preda, General Manager of RADIOCOM
Admittedly, our entire digital economy and infrastructure revolves around one thing: trust. We are confident that our systems will respond when we need them. We are confident that services and APIs will be secure, well-tested and available when used by our own applications. We are confident that the data coming into our analysis systems is accurate. We trust that cloud providers continuously operate in accordance with best practices to keep our data and transactions secure. We trust that our suppliers make the right business decisions.
The Trust as a Service paradigm goes far beyond technological solutions such as firewalls, malware protection, security information and event management (SIEM), data loss prevention (DLP), identity and access management (IAM), application security and device security, although these are important.
Security is not about securing assets, but about creating trustworthy assets that can be capitalized on in the market. Digitally transformed businesses, and consumers adapted to this digital world, need more than ever to build their business in the digital economy on the element of trust.
Today’s businesses face risks both to their internal assets and to their largest asset, their customers. Hacking and data theft – especially personal data of consumers – ruin the customer experience and lower the level of trust.
At the same time, in the new approach of RADIOCOM we consider collaborations, also in the sense of the CaaS approach, on Security as a Service (SECaaS) solutions, namely the outsourced management of business security to a third-party contractor. Although a cyber security subscription may seem strange, it is not much different from paying for an antivirus license. The difference is that SECaaS is a combination of many security products packaged into one central service. The range of security services offered is wide and goes down to a granular level. Examples range from simple email spam filtering to cloud-hosted antivirus, remote vulnerability scanning, managed backup, business continuity and cloud-based DR systems, and cloud-based MFA systems. The services are either delivered directly by the vendor, through a reseller, or by specialized companies that have the in-house skills to build, integrate and manage specialized security services for their customers.
Just a note here: let’s not confuse this with SaaS (software as a service), which is different from SECaaS.
As I have stated in previous statements, RADIOCOM aims to go through a new 5-year evolutionary cycle, corresponding to the period 2021-2025, based on a general strategic framework that offers a short, medium and long-term vision – until 2030/2035. The main goal is to define a new strategic direction for RADIOCOM, so that the challenges of the future can be overcome and the strategic objectives can be successfully met. In order to achieve its strategic objectives, RADIOCOM must carry out a set of activities and actions.
At the same time, in response to the above-mentioned threats, interested entities have turned to the idea of “cyber norms” – expectations of appropriate behavior in cyberspace – to regulate the behavior of states and limit the damage caused by malicious cyber activity. In order to develop and disseminate these cyber norms, various interested states and non-state entities have promoted a variety of processes in multilateral, private, industry and multi-stakeholder contexts.
This is how multilateral normative diplomacy emerged: states’ efforts to develop cyber norms. The most important efforts are being made under the auspices of the First Committee of the UN General Assembly. Earlier efforts to identify and operationalize cyber norms continue today in a new UN GGE (Group of Governmental Experts) on developments in the field of information and telecommunications in the context of international security. Other organizations, such as the Shanghai Cooperation Organization, the G7 and the G20, have also tried to stimulate their own multilateral processes.
Private normative processes involve groups of high-profile experts from diverse backgrounds who study and provide recommendations on cyber norms for states or non-state entities. An example of this dimension of normative cooperation is the Bildt Commission (officially the Global Commission on Internet Governance), which marked one of the first processes of normative analysis on data security. More recently, the Global Commission on the Stability of Cyberspace and the Carnegie Cyber Policy Initiative have joined this category of processes.
Industry-focused normative processes involve industry’s own efforts to identify cybersecurity norms. The two most prominent current examples are the Microsoft-led Cybersecurity Tech Accord and the Siemens-led Charter of Trust.
Multi-stakeholder normative processes bring together states, international organizations, industry, civil society and academia in inclusive forums, creating opportunities for debate and for identifying or promoting norms that are already in practice. Sometimes these processes address cyber norms only indirectly, either because the process is simply a forum for dialogue (for example, the so-called London Process or the Internet Governance Forum) or because its mission relates to the development of norms (for example, the Global Forum on Cyber Expertise). In other cases, however, multi-stakeholder processes have openly advocated for norms, either for all stakeholders or for certain subgroups: the NETmundial initiative focused on internet governance, the Paris Call focused on trust and security, and the Christchurch Call sought to coordinate normative expectations regarding violent extremist content online.
The concept of infrastructure security includes not only protection against a traditional cyber-attack, but also protection against natural disasters and other calamities.
It also addresses the issue of resilience, which takes into account how a company recovers after an attack or other outage.
The ultimate goal is to strengthen security measures and to minimize downtime and the associated customer attrition, loss of brand and reputation, and compliance costs that companies face.
Fundamentally, infrastructure security describes a high-level way of thinking about protecting the entire technological perimeter of the organization. Several tactical security plans (for example, how will we protect the data on our employees’ laptops?) can be developed as subsets of this global strategy.
There is no universal definition of the different levels or categories of infrastructure security, but in an enterprise a common way of looking at security is to secure the following four levels: the physical level, the network level, the application level and the data level.
Today, sensitive data is usually encrypted and then sent over fibre optic cables and other channels, along with the digital “keys” needed to decode the information.
Data and keys are sent as classic bits – a stream of electrical or optical pulses representing 1s and 0s. And that makes them vulnerable: hackers can read and copy bits in transit without leaving a trace.
Quantum communication takes advantage of the laws of quantum physics to protect data. These laws allow particles – usually the photons of light used to carry data along optical cables – to take on a superposition state, which means they can represent several combinations of 1 and 0 simultaneously. Such particles are known as quantum bits, or qubits.
The beauty of this for cybersecurity is that if a hacker tries to observe them in transit, their super-fragile quantum state “collapses” to either 1 or 0. This means that a hacker cannot interfere with qubits without leaving behind a tell-tale sign of activity.
Some companies have taken advantage of this property to create highly sensitive data transmission networks based on a process called quantum key distribution, or QKD. In theory, at least, these networks are ultra-secure.
QKD involves sending the encrypted data as classic bits over the network, while the keys for decrypting the information are encoded and transmitted in a quantum state using qubits.
Various approaches, or protocols, have been developed to implement QKD. A widely used one, known as BB84, works on this principle.
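To make concrete why an observer leaves a trace, the following Python simulation of BB84 (an added example written for this page, not code from RADIOCOM or the original article) models an intercept-resend eavesdropper and shows how the two parties detect it by publicly comparing a random sample of the sifted key. The ideal noiseless channel, the pure intercept-resend model and the 11% abort threshold are simplifying assumptions.

```python
import random

RECTILINEAR, DIAGONAL = 0, 1  # the two BB84 encoding bases

def measure(qubit, basis, rng):
    """Measure a qubit (modelled as (encoding_basis, bit)) in the given basis.
    A matching basis reproduces the encoded bit; a mismatched basis collapses
    the state to a uniformly random bit, and the original value is lost."""
    enc_basis, bit = qubit
    return bit if basis == enc_basis else rng.randint(0, 1)

def bb84(n_qubits, eavesdrop, sample_frac=0.25, seed=0):
    """Run one BB84 exchange; returns (qber, alice_key, bob_key)."""
    rng = random.Random(seed)
    alice_bits = [rng.randint(0, 1) for _ in range(n_qubits)]
    alice_bases = [rng.choice((RECTILINEAR, DIAGONAL)) for _ in range(n_qubits)]
    qubits = list(zip(alice_bases, alice_bits))  # photons "on the fibre"
    if eavesdrop:
        # Intercept-resend model (assumption): Eve measures each photon in a
        # guessed basis and forwards a fresh photon prepared with her result.
        # Half her guesses are wrong, so she disturbs the state she re-sends.
        qubits = []
        for q in zip(alice_bases, alice_bits):
            eve_basis = rng.choice((RECTILINEAR, DIAGONAL))
            qubits.append((eve_basis, measure(q, eve_basis, rng)))
    bob_bases = [rng.choice((RECTILINEAR, DIAGONAL)) for _ in range(n_qubits)]
    bob_bits = [measure(q, b, rng) for q, b in zip(qubits, bob_bases)]
    # Sifting: bases are announced over the classical channel; keep only the
    # positions where Alice and Bob happened to choose the same basis.
    sifted = [i for i in range(n_qubits) if alice_bases[i] == bob_bases[i]]
    # Error estimation: publicly reveal a random sample of sifted bits and
    # discard them; any eavesdropper shows up as a raised error rate (QBER).
    sample = set(rng.sample(sifted, max(1, int(len(sifted) * sample_frac))))
    errors = sum(alice_bits[i] != bob_bits[i] for i in sample)
    qber = errors / len(sample)
    alice_key = [alice_bits[i] for i in sifted if i not in sample]
    bob_key = [bob_bits[i] for i in sifted if i not in sample]
    return qber, alice_key, bob_key

def key_is_trustworthy(qber, threshold=0.11):
    """Above roughly 11% QBER (a commonly cited BB84 bound) error correction
    and privacy amplification cannot rescue the key, so the run is aborted."""
    return qber <= threshold

if __name__ == "__main__":
    for eve in (False, True):
        qber, _, _ = bb84(4000, eavesdrop=eve, seed=1)
        print(f"eavesdropper={eve}: QBER={qber:.3f} trusted={key_is_trustworthy(qber)}")
```

On an ideal channel the clean run yields a 0% error rate and identical keys, while the intercept-resend run pushes the QBER to about 25%, well above the abort threshold.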
We are already starting to see more QKD networks. The longest is in China, which boasts a 2,032-kilometer (1,263-mile) land link between Beijing and Shanghai. Banks and other financial companies already use QKD to transmit data.
In the United States, a startup called Quantum Xchange has entered into an agreement that gives it access to 500 miles (805 kilometers) of fiber optic cable running along the East Coast to create a QKD network. The initial stage will link Manhattan to New Jersey, where many banks have large data centers.