Section 889, the Cybersecurity Maturity Model Certification (CMMC), and the Clean Network initiative are just a few of the U.S. information technology initiatives that are upending the compliance and geopolitical landscape. The U.S. government is not alone in pursuing major shifts in industrial policy. Democracies across the globe are beginning to seek technology alliances in much the same way as military alliances and preferential trade agreements shaped previous eras. Governments across the globe have reached similar conclusions: ensuring the security and privacy of data requires trusted technology and trusted partners. The role of trusted data, however, remains largely overlooked in this significant paradigm shift that is underway.
The world continues to divide into competing technospheres driven by disparate democratic and authoritarian norms. With mounting evidence of weak security protocols and backdoors, democratic governments are mandating trusted technologies within federal networks as well as export restrictions through security risk designations. While Huawei and ZTE are the most prominent examples, a growing list of surveillance and AI companies are increasingly added to these designations. India has banned over 100 Chinese-based apps, while the United Kingdom recently introduced a 10-country democratic pact for 5G technologies. Australia, India, and Japan are discussing a trusted supply chain alliance, including digitization components.
For their part, authoritarian regimes are also creating their own trusted networks, but they focus more on domestic champions and localized data control, with occasional technology cooperation. Russia passed a law requiring the installation of Russian-made software. Cambodia has plans to install a national firewall reminiscent of China’s Great Firewall. As part of the escalating tit-for-tat trade war with the U.S., China has introduced its own unreliable entity list of companies or products that aims to restrict U.S. corporate access to the Chinese market. In addition, many governments increasingly rely on data sovereignty laws that mandate localized data storage as well as government access to data, including source code and local storage of encryption keys.
As trusted technologies and partners reshape the international order, the emerging technospheres introduce a range of compliance and security risks. For instance, the democratic-leaning technospheres introduce a range of compliance challenges. Section 889 prohibits federal contractors from having specific products from Huawei, ZTE, Dahua, Hytera, and Hikvision within their systems. ‘Rip and replace’ compliance is much easier said than done. One recent study by the Federal Communications Commission found that it would cost $1.8 billion for small carriers to remove Huawei and ZTE equipment. For CMMC compliance, and depending on the level, there are over 100 different controls across a range of hardware and software solutions and data protection standards.
Conversely, the techno-dictator spheres introduce a range of data security challenges as governments require access to data within their borders if requested, through data localization or through weakened or prohibited encryption laws. Moreover, countries from Venezuela to Russia to Cambodia to Kazakhstan to China continue to implement surveillance schemes that provide an additional means to access digital data within their borders.
Due to these rising security risks, a democratic alternative based on trusted networks is long overdue. However, while momentum grows to instantiate trusted hardware and software ecosystems, data largely remains absent from these discussions. There are no guarantees that data will remain within a trusted network. The costs of these technology renovations may be extensive and removing legacy architecture can be extremely disruptive to business operations. Even if data somehow is contained to trusted networks, accidents happen. As we’ve seen with cloud misconfigurations, not all data breaches are due to malicious behavior but rather due to configuration errors.
Trusted networks require trusted data to strengthen data protection whether within or external to trusted networks. Object-level data access and controls empower data owners to establish who can access specific data and for how long, and to expire or revoke that access if the situation changes. For instance, as supply chains undergo significant changes, organizations may no longer want to grant data access to former suppliers. Similarly, audit logs help data owners visibly assess whether their data remains within a trusted network ecosystem and whether attempts to access it have occurred from untrusted environments. For organizations, an emphasis on trusted data helps address both the security and compliance challenges emerging from the different technospheres.
While globalization drove unprecedented levels of economic, political, and technological interdependence, over the last decade these connections began to rupture along geopolitical fault lines. The emerging technospheres will influence where and by whom technologies are made, with the security and privacy risks of untrusted environments fracturing global trade and data flows. Techno-dictators have shaped their environments for decades; only recently have democracies replaced aspirations of a global free and open internet with an emphasis on trusted networks among like-minded nations. To strengthen security and privacy within a trusted network, trusted data must be an essential component of this strategic shift.
Dr. Andrea Little Limbago is a computational social scientist specializing in the intersection of technology, national security, and information security. As the Vice President of Research and Analysis at Interos, Andrea leads the company’s research and analytic work applying computational methodologies to global supply chain risk, with a focus on globalization, cybersecurity, and geopolitics. Her writing and research have been featured internationally and in dozens of industry, academic, and government publications. Andrea also oversees community engagement and research partnerships with universities and think tanks, and is a frequent contributor to program committees and mentorship and career coaching programs. Andrea is a Co-Program Director for the Emerging Tech and Cybersecurity Program at the National Security Institute at George Mason, where she publishes on digital authoritarianism, data protection, and the impact of emerging technospheres of influence. She is also an industry advisory board member for the data science program at George Washington University, and is a board member for the Washington, DC chapter of Women in Security and Privacy (WISP). Andrea previously taught in academia, was a technical lead at the Department of Defense, and was Chief Social Scientist at Endgame and Virtru. Andrea remains an advisor at Virtru, focusing on privacy policy and data protection across the globe. Andrea earned a PhD in Political Science from the University of Colorado at Boulder and a BA from Bowdoin College.