In 2016, in his book The Fourth Industrial Revolution, Klaus Schwab, Executive Chairman of the World Economic Forum, suggested that we have entered into a fourth industrial revolution, one defined by emerging technologies where physical and virtual systems work together. He emphasized that, unlike the past, the fusion of breakthrough technologies like nanotechnology, 5G, 3D printing, quantum computing and the Internet of Things (IoT) “across the physical, digital and biological domains … make[s] the fourth industrial revolution fundamentally different than previous revolutions” (Schwab, 2016, 12).
The term ‘exponential technology’ has also been used to describe “innovations progressing at a pace with or exceeding Moore’s Law” that “evidence a renaissance of innovation, invention, and discovery…[and] have the potential to positively affect billions of lives” (Hagel et al., n.d.). Additional phrases like Industry 4.0, the Industrial Internet of Things (IIoT), the cyber revolution and the digital revolution have been used to describe the acceleration of technology and its potential impact on areas such as business, industry, society, commerce, healthcare, communication, economy, warfare, and governance.
These ever-expanding connections amongst devices already provide tremendous advantages to productivity and efficiency. For example, Schwab describes progressive smart cities that manage “their energy, material flows, logistics and traffic” (2016). Two cities, Singapore and Barcelona, have “implemented many new data-driven services, including intelligent parking solutions, smart trash collection and intelligent lighting” (Schwab, 2016). Similarly, the industrial internet of things (IIoT) is being used in manufacturing, connecting people and industrial devices, such as “sensors, controllers and actuators, integrating advances in smart machinery and data analytics driven by computing, networking and artificial intelligence techniques” (Xu, 2020).
Unfortunately, since the advent of the Internet, malign cyber threat actors have also evolved, demonstrating their ability to adapt quickly, identify gaps in security, exploit advances in technology and leverage geopolitical events to gain access to a wide range of targets. The SolarWinds supply chain breach and the ransomware attacks against critical targets like Colonial Pipeline, the JBS meat packing company and the CNA financial company illustrate recent, concerning, and costly cyber-attacks. In July 2021, Google CEO Sundar Pichai warned corporations around the world about the increase in cyber and ransomware attacks, calling them a ‘wakeup call for the industry’ (Eggan, 2021).
As we move into a more complex and connected digital future, cyber-attacks continue to accelerate, with the potential to become more destructive, impacting human, environmental and national security on a scale not seen before. In fact, according to former White House CIO Theresa Payton, innovative technology like 5G will make it easier for hackers to engage in criminal activity resulting in “massive cyber-attacks,” in part due to existing cybersecurity issues that are still ‘unresolved’ (Wheeler et al., 2019).
Considering the rapid acceleration, convergence and use of cyber and physical systems, it is critical that the security of the future is considered, anticipated, and prepared for. Experts around the world have offered suggestions on how to secure the future which include the following recommendations. Examples are provided below regarding the implementation of some of these ideas.
Increase collaboration among international partners:
Currently, the policy of the United States in cyberspace promotes an “open, interoperable, secure, and reliable information and communications infrastructure that supports international trade and commerce, strengthens international security, and fosters free expression and innovation” (State Department, n.d.). Demonstrating consensus among international partners, in 2019, the U.S. State Department and 27 other countries released a Joint Statement on Advancing Responsible State Behavior in Cyberspace. They noted that, “when necessary, we will work together on a voluntary basis to hold states accountable when they act contrary to this framework, including by taking measures that are transparent and consistent with international law. There must be consequences for bad behavior in cyberspace” (State Department, n.d.).
Uphold international norms of behavior:
Consequences for ‘bad behavior in cyberspace’ must be effective and act as an appropriate deterrent against cybercriminals as well as states. Unfortunately, current approaches have not done enough to prevent cybercriminals or nation state adversaries from attempting to breach critical systems. On March 11, 2020, the Cyberspace Solarium Commission (CSC), established to “develop a consensus on a strategic approach to defending the United States in cyberspace against cyber-attacks of significant consequences” (CSC, 2020), published its final report. In it, the Commission proposed a ‘strategy of layered cyber deterrence’ and offered over 80 other recommendations that fall under the six pillars below.
- Reform the U.S. Government’s Structure and Organization for Cyberspace.
- Strengthen Norms and Non-Military Tools.
- Promote National Resilience.
- Reshape the Cyber Ecosystem.
- Operationalize Cybersecurity Collaboration with the Private Sector.
- Preserve and Employ the Military Instrument of National Power (CSC, 2020).
Some of the recommendations from the report were passed into legislation. Since then, the CSC has shared other important security resources with the public.
Legislation and continued cooperation among law enforcement agencies around the globe have effectively addressed some areas of cybercrime. Though collaboration in this area exists, it remains “fragmented and insufficient for current needs” (WEF, 2021). Furthermore, responses after an attack are too late. Global enterprises need to consider how to protect their critical assets before a breach occurs.
Continue to remove barriers for appropriate and proactive information sharing and safeguarding:
According to Brad Smith, President of Microsoft, in testimony before the Senate Select Committee on Intelligence on February 23, 2021, despite many of the information sharing portals, organizations and agreements that currently exist, national and corporate security requires “a national strategy to strengthen how we share threat intelligence across the entire security community” (2021). In May 2021, President Biden signed EO 14028 on Improving the Nation’s Cybersecurity, removing some of the barriers related to information sharing between the public and private sector. Additional steps need to be taken as corporations continue to evolve.
Secure the supply chain, build security into development, and improve and secure IoT device management:
Cyber supply chains are constantly at risk of compromise. However, as more companies embrace technology and use and produce digital services and products, they often do not have full transparency into all the products that impact what they do or the services they provide. This can lead to gaps in security and increase the potential damage of a cyber incident. Furthermore, once a supply chain has been breached, an organization can no longer trust the security of the device (NIST, 2019). As a result, it has become essential to ensure the security of the digital supply chain and the IoT devices that are increasingly a part of everyday life.
One initiative to secure IoT devices and the cyber supply chain, the Internet of Things Cybersecurity Improvement Act of 2020, was passed into law on December 4, 2020. This legislation mandated that the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) take specified steps to increase cybersecurity for Internet of Things (IoT) devices. In February 2021, NIST published the draft document on IoT cybersecurity that offers guidance regarding the secure development and management of IoT devices (US Congress, 2020).
Additionally, in February 2021 President Biden signed an Executive Order on supply chain security. EO 14028 on Improving the Nation’s Cybersecurity also addresses challenges with the integrity of the cyber supply chain. EO 14028 called for NIST to publish guidance related to securing critical software, testing software source code and on software supply chain security. Many of these documents serve as guidance to manufacturers, federal agencies, contractors and organizations that may need to consider future cybersecurity compliance issues.
In March 2021, the NIST Computer Science Resource Center released the draft of Validating the Integrity of Computing Devices. This document provides a process for ‘identifying, assessing, and mitigating the risks associated with the distributed and interconnected nature of cyber supply chains’ (Diamond et al., 2021). The integrity of the cyber supply chain is critical to future security, but it is also essential for organizations to implement cybersecurity across their enterprise, with implications for security considered prior to the acquisition of new technology or innovation.
Evolving Risk Management:
Given the current and potentially challenging future cybersecurity environment, it will likely be more difficult for organizations to manage the risks presented by evolving technologies. Many corporations already face complex issues related to the cloud, regulation (or the lack of regulation), the IoT and the emergence of 5G and quantum technologies. As organizations invest in emerging and innovative technologies, they will need to effectively manage current risk across their enterprise, anticipate future innovation, and be prepared for internal evolution as well.
For an organization, this means that corporate risks related to innovation should be evaluated prior to adopting new technologies. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks is also key to effective risk management. The function of cybersecurity is to protect and support the business and should be aligned with corporate goals and objectives.
As organizations and communities become increasingly connected and embrace new innovation, preparing for the future may demand a more adaptive, flexible approach to risk management. Thomas Huckabee examined risk, growth and innovation and maintains that adaptive risk management should include early involvement in the innovation cycle. He further claims that, to allow for greater growth and innovation, “risk management programs must be equipped to effectively identify, assess, and manage innovation risk. Applying rigor, using multiple approaches, pushing the organization to periodically adjust risk appetite, adding sophisticated skills and tools, and comprehensively monitoring how successfully the program is tackling innovation-related risk best help risk executives meet their organization’s strategic objectives.” (2019)
Reinforce, enable, and share cybersecurity industry best practices and tools:
In some cases, like the SolarWinds breach, it was clear that basic cyber hygiene was missing in some agencies and organizations, which made it easier for cyber threat actors to breach their systems. At the very least, common practices like multi-factor authentication, zero-trust, and other basic approaches to cybersecurity should be adopted and implemented across all corporations and sectors. Playbooks, the NIST Framework and other documents can provide stakeholders with guidance on how to assess and improve their current cybersecurity. The Cybersecurity and Infrastructure Security Agency (CISA) has also made a document on Cybersecurity and Physical Security Convergence available to the public that offers insight into protecting cyber-physical systems and industries that have adopted the IIoT.
There are countless benefits to a connected society, but it is one that also introduces considerable, shared security risks. Considering the exponential growth of digital connections in a world where attackers can hide, undetected, in systems for sometimes months or even years, prioritizing cyber and physical security is fundamental. Despite steps in the right direction, more needs to be done. In fact, it should be concerning to note that “a significant share of manufacturers … have yet to build the cyber capabilities to secure some of these business-critical systems. Given the rapid pace at which new technologies are added to factories via smart factory use cases, IT and OT leaders may be unprepared to respond to new threats that arise.” (Deloitte, n.d.) To increase collective cyber resilience, it is more important than ever to strengthen partnerships, encourage and enable public-private collaboration, secure the supply chain, encourage industry best practices, and consider new ways to safeguard the future and innovations that promise to make our lives better.
- CSC final report. (2020). United States of America, Cyberspace Solarium Commission.
- Cybersecurity for Smart Factories. Tools for Managing Cyber Threats to Manufacturing. (n.d). Deloitte.
- Diamond, Tyler; Grayson, N; Polk, W; Regenscheid, A; Souppaya, M; Scarfone, K. Validating the Integrity of Computing Devices. NIST Computer Security Research Center. (March 2021).
- Eggan, Martin. “What Google CEO Sundar Pichai stated about Covid vaccine, Pixel Android 12, Reliance Jio and extra throughout Q2 earnings name.” Kaiserin-magazine.com. July 29, 2021.
- Evolving the U.S. Cybersecurity Strategy and Posture: Reviewing the Cyberspace Solarium Commission Report. (2020).
- Executive Order on Improving the Nation’s Cybersecurity. (2021). In White House Press Releases, Fact Sheets and Briefings / FIND. Federal Information & News Dispatch, LLC.
- Executive Order on America’s Supply Chains. (2021). In White House Press Releases, Fact Sheets and Briefings / FIND. Federal Information & News Dispatch, LLC.
- Hagel, John; Brown, J.S.; Lui, M. “From Exponential Technologies to Exponential Innovation.” Deloitte Insights. (n.d.).
- Huckabee, Thomas. “Managing Risks and Enabling Growth in the Age of Innovation.” Techpa.net. (April 12, 2018). Managing Risks and Enabling Growth in the Age of Innovation (tehcpa.net)
- Internet of Things Cybersecurity Improvement Act of 2020 or IoT Cybersecurity Improvement Act of 2020. (2020).
- Partnership Against Cybercrime. (2021). World Economic Forum. weforum.org.
- Schwab, Klaus. The Fourth Industrial Revolution. First U.S. edition. New York: Crown Business, 2017. Print.
- Stewart, Chris; Tiffany Armentrout, Daniel Shorstein, & Katherine Giesen. (2020). Managing Risk Through Innovation. The Journal of Government Financial Management, 69(2), 56–58.
- Weathering the Storm: The Role of Private Tech in the SolarWinds Breach and Ongoing Campaign. Congressional Hearing, 2021-02-26, Feb. 26, 2021. (2021).
- Wheeler, Tom; Simpson, D. “Why 5G requires new approaches to cybersecurity.” Brookings.edu. September 13, 2019.
- Xu, H., Yu, W., Liu, X., Griffith, D., & Golmie, N. (2020). On Data Integrity Attacks against Industrial Internet of Things. 2020 IEEE Intl Conf on Dependable, Autonomic and Secure Computing, Intl Conf on Pervasive Intelligence and Computing, Intl Conf on Cloud and Big Data Computing, Intl Conf on Cyber Science and Technology Congress (DASC/PiCom/CBDCom/CyberSciTech), 21–28. https://doi.org/10.1109/DASC-PICom-CBDCom-CyberSciTech49142.2020.00020