Unlocking the Black Box
Published on November 19, 2020
Oleg Abdurashitov, Head of CEO Office
We are living at the onset of a cyber era where technology is playing an ever-increasing role in our daily lives. Yet the growing dependence of economies and societies on digital technologies, which has only accelerated during the pandemic, is a source of concern for the public and policy-makers alike. In general, users want to understand what happens to their data, and governments want to know how the technologies on which the very functioning of the modern world depends actually work.
In cyberspace, most technology remains in private hands, and this results in heightening tensions. In her recent article, Marietje Schaake, the former European MP, noted that “public authorities are largely at the mercy of private companies; they cannot look under the hoods of the companies that, for instance, supply software to hospitals, electricity networks, or smart devices”.
We started our Global Transparency Initiative back in 2017 to allow just that – to ‘unlock the black box’ of our technologies and let regulators and customers explore our products’ inner workings – from architecture and data processing protocols to our code and software development practices. We were (and remain) the only cybersecurity company to do so, and dozens of customers and regulators have already visited our Transparency Centers, with more exploring the possibility of remote reviews.
For a security company, efforts to step up transparency seem logical. The renowned security visionary Bruce Schneier wrote in the afterword to Cory Doctorow’s novel Little Brother: “only bad security relies on secrecy; good security works even if all the details of it are public,” so one may wonder why our industry at large remains somewhat reluctant to open up to greater scrutiny.
Putting aside geopolitical concerns, part of the problem is that, according to Olav Lysne, Director of the Simula Metropolitan Centre for Digital Engineering, today’s “electronic devices and tools are built with a complexity that surpasses human capacity for analysis.” Indeed, the real barriers to adopting transparency are more technological than regulatory or commercial. In a world where even graduate-level cybersecurity talent is hard to find, inviting people to review a complex product with millions of lines of code does seem a daunting if not futile task.
We are doing our bit by introducing our Cyber Capacity Building Program to help organizations develop their code-review skills as well as provide the necessary tools for assessing the security of modern products as part of our GTI offering. In conjunction with Kaspersky Academy we are now offering a free train-the-trainer toolkit so that university graduates can acquire practical knowledge of what to look for and where to look for it when assessing a software product. However, with large companies’ employees using on average 130 different apps in their work, and smaller businesses regularly accessing over 70 third-party software products – and that was in pre-COVID times – there simply are not enough man-hours in the IT world to audit them all.
But then, what is the alternative to enabling customers and regulators to audit the product components they consider critical for their line of business? The market incentivizes a ‘fail early, fail often’ product cycle, which values speed over security, and even more so today when companies are pushed to remote working arrangements. Product certification becomes mandatory – and rightly so – but it is slow, expensive, and may only cover a certain set of requirements for specific industries. Selecting products based on geopolitical bubbles may ease the choice somewhat, but it stifles competition and may not necessarily lead to greater safety for end-users.
As a business, the best we can hope for is that over time a combination of regulatory requirements and broader adoption of the digital industry’s best practices will gradually evolve into a set of product security standards that is accepted and adopted by customers, regulators and vendors. We believe that the ability to look into the inner workings of a product and understand what is happening ‘under the hood’ will be an integral part of those practices. Until then, trust – as always – remains something one must make an effort to earn, and GTI is one of the ways of doing so.
Olav Lysne (2018). The Huawei and Snowden Questions: Can Electronic Equipment from Untrusted Vendors be Verified? Can an Untrusted Vendor Build Trust into Electronic Equipment? Springer Open.