Governments, the private sector and users in cyberspace: what are the concerns regarding mistrust?

governments-the-private-sector-and-users-in-cyberspace-1.jpg

First ever attempt to share our perspective and approach with the use of International Relations (IR) theories.

Disclaimer: follow-up remarks after the 2020 Closing the Gap Conference by EU Cyber Direct are given below. The research paper with full analysis attached. This story is the result of Kaspersky colleagues’ work.

Anastasiya Kazakova, Public Affairs Manager

Having the best experience which modern technologies or ICTs offer us (especially now with the pandemic) and, at the same time, ensuring security and safety, requires cooperation. To make cooperation fruitful and mutually beneficial, we need trust. But trust requires effort, time and patience to build.

In cyberspace there’s a crisis of trust, and cyber-insecurity has become a growing problem worldwide. This trust issue is present in three dimensions: mistrust among states; mistrust between state and non-state actors; and users' mistrust of technologies/ICTs.

governments-the-private-sector-and-users-in-cyberspace-2.jpg

Each dimension is explained below.

governments-the-private-sector-and-users-in-cyberspace-3.jpg

For us as a global cybersecurity company, the trust issue has to be fixed, and fixing this problem is critical – in the same way as it is critical for doctors: without trust, they’ can hardly be able to cure people. But how to fix it?

Having been affected by the crisis of trust, we started searching for a solution to fix the problem. We clearly realized that it is beyond our capacity to make any impact in the first dimension (mistrust among states) – our actions as well as the actions of any other non-state actor may only have an indirect effect to raise awareness of state actors only. But being powerless on this track, we could and should directly improve trust in other two dimensions.

When you face uncertainty and problems, the first thought that usually comes to your mind is to check what has been said or done by others before. That’s why, in a search of a possible solution – aconfidence and trust building measure – we checked how this could be fixed in theory (particularly in constructivist theory in international relations).

We learned three things:

To push any transformations, you need ideational shifts – “shared ideas, expectations and beliefs about appropriate behavior that give the world structure, order, and stability”.
People act toward an object and other actors, relying on the meanings that they perceive about those objects or actors.
To make a change/transformation, you need to reinterpret or frame the existing meanings so the new frame resonates with broader public understanding.

Therefore, to fix the crisis of trust, we needed to (1) understand existing meanings (what are the particular concerns?); and (2) frame new meanings/suggest alternatives.

For (1), we began communicating with both corporate and consumer customers. A series of dialogues with regulatory bodies in Europe, large enterprise customers, and partners allowed us to realize two fundamental concerns that all those actors had.

governments-the-private-sector-and-users-in-cyberspace-4.jpg

We faced the assumption that,

“if you don’t understand the technology, you cannot trust it”.

So the new meaning could be,

“trust, but verify – applying a set of clear evidence-based measures”.

Applying the new rule, we created our Global Transparency Initiative (GTI) – a set of measures that address both concerns above:

Data care measures: relocation of data processing and data storage to Switzerland, a country with a long history of neutrality, today – good ICT infrastructure and connectivity, and a robust approach to data protection regulation. (Concern #2).
Transparency Centers with a three-layer approach to executive briefings and reviews of software development and business processes. (Concern #1).
Third-party assessments (security audits) to confirm the security and reliability of engineering practices and data services. (Both concerns).
Vulnerability Management Program and Ethical Principles for Responsible Vulnerability Disclosure (RVD) (Concern #1).

So has it worked, and has the GTI helped? Yes. It has done and it still does – we got support and positive comments from the community and from our customers and partners. The GTI has been highlighted by others as a confidence-building measure and, in particular, as a project that supports and implements principle 6 of the Paris Call for Trust and Security in Cyberspace.

The GTI also works because we got the opportunity to deeply analyze the reason for the crisis of trust: “you don’t trust because you don’t understand. You don’t understand, because you lack skills and knowledge to understand the complexity of modern technologies”. This is one of the main lessons learned for us and therefore one of the priorities to work further with a multi-stakeholder community. A first attempt has been made: we announced the Cyber Capacity Building Program to help the community – including governments, academia and companies – develop necessary skills and to get a better understanding of what the possible blind spots might be in ensuring the security of products/applications they use and therefore what could be done.

So, this is almost two A4 pages of explanation of what required several months to understand, three years of project work, cross-team cooperation, and a strong belief in a tomorrow where technology brings endless opportunities and improves all of our lives.

The research paper can be found here https://media.kaspersky.com/en/research-paper-global-transparency-initiative.pdf.