The round tables "The Reality of Russian Cybersecurity" (at the Positive Hack Days 10 conference) and "Cryptography for Citizens and the State" (at the CTCRYPT 2021 symposium) once again raised the topic of consolidating forces in the information security industry.
It is difficult to disagree with the opinion that in our country (as, indeed, in many foreign countries) not everything is well in the field of information security. And, of course, the problems identified in technical equipment and legal regulation must be solved without question.
But one cannot agree with attempts to find such solutions on the basis of far from indisputable "axioms" and hypotheses, whereas revising or rejecting dubious "postulates" and assumptions would make it possible to correct the approaches to ensuring information security in the context of the mass introduction of computer-based automation.
This material uses quotes gleaned by the author from a number of publications on the topic of the information security industry and the principles of its management.
"The industry lives its own life"
Calling the field of information security an "industry" is of doubtful validity. After all, construction safety, aviation safety and nuclear safety are not "industries". Each "safety" develops harmoniously within its respective industry and lives by the interests of that industry's development. And the industries reciprocate, allocating to their "safety" the resources needed to formulate, develop and implement safety requirements.
With this order of affairs (safety lives within the industry, and not as an "optional" superstructure on top of it), even industries that look extremely dangerous from the layman's point of view (for example, air transport) turn out to be statistically less dangerous than, for example, road transport.
And only information security is trying to officially call itself an "industry" and to claim that it "lives its own life."
It is pertinent to note that until a certain time these statements were quite justified: representatives of information security vendors and their partners often resembled peddlers and salesmen, annoyingly knocking with their exotic goods on the closed doors of potential consumers who, until then, did not understand the value of information security.
The situation with the understanding of the value of information security was somewhat improved by the commercialization of ransomware and by the organizers of commercial DDoS attacks.
187-FZ radically changed the situation with the understanding of the value of information security. Indeed, today "with a targeted attack of even a low level of complexity, 93% of systems will be hacked in the first half hour ...".
"How to manage without knowing what?"
The transition from the "ideology" of an information security industry to the notion of ICT security immediately removes the concern about the problem of "statistical accounting of the market for information security products and services", which in itself looks far-fetched.
How does a company currently operating in the "information security industry" differ from an IT company? They produce the same developments: "software", "hardware", or software-and-hardware systems!
Are these products specific in terms of development tools or the algorithms to be implemented? Isn't there just as much "special specificity" in the development of any other software, system or application, whether for telecom, for managing high-performance computing clusters, or for office or embedded systems?
The same can be said for the development of hardware platforms.
About "expensive" specialists
One of the sources of information security problems is directly related to the "postulate" that "it is difficult to retain expensive qualified specialists."
But there is nothing difficult in maintaining expensive qualified specialists. You pay them a salary and they work.
It is "more difficult" to retain expensive unskilled specialists.
Firstly, everything has to be redone after them, wasting time and even compensating for the damage caused by their incompetence.
Secondly, with their ambitions, which are encouraged by their "high cost", "expensive unskilled specialists" get in the way of merely qualified specialists.
That is why there is an "outflow of specialists to prosperous firms" (read: to companies where qualification is valued, using both material and moral mechanisms of assessment).
But is it worth worrying that this "simply kills competition, creates monopoly and has an extremely negative effect on the quality of the work performed and on the support of products already delivered to the customer. Firms are beginning to 'shrink', and this process is massive", or fearing that "a dozen remaining large corporations and firms will not solve the problem"?
About monopoly and competition
It is precisely the "dozen remaining" who, having concentrated the expensive qualified specialists who will no longer "flow into prosperous firms", will compete for orders, raising the quality of the work performed and providing support for the products delivered to the customer.
In the foreign world, for technology that is simply complex, and even more so for complex technology for so-called responsible applications, this is called a "mature market".
In a mature market, either several vendors line up "in a circle" with almost equal market shares, or these several players form a hierarchy whose shares differ several-fold when measured in relative units. At the same time, some part of the market remains for dynamically emerging startups and for stable small companies with unique offerings for narrowly specialized niches or for newly emerging tasks.
In a mature market, for vendor companies that do not suffer fatal problems from a chaotic outflow of specialists "into prosperous firms", the following problems are not insurmountable:
"Improving performance for processing large data streams";
"Implementation of new functions."
Moreover, key customers in such a mature market, in contrast to the consumer market, most often remain loyal to a chosen brand or set of brands on the basis of the technical feasibility of operational stability, and do not "rush" between the "stalls" of a "weekend market" in search of the cheapest goods. As a result, vendors are less likely to have problems "with working capital" or "with creditors and the tax authorities".
Is the hierarchy business - informatization - security really so objective?
187-FZ, the regulatory documents of industries and departments, and the enforcement practice based on them should break a couple more dubious stereotypes:
"Information security ... along with informatization belongs to the category of supporting activities. Unlike business areas ...";
"The following hierarchy of the types of activity of interest to us is objectively built: business - informatization - security ...".
The events surrounding the business of Norilsk Nickel show to what SUDDENLY CATASTROPHIC consequences the business ideology of separating out so-called "supporting activities" can lead.
All the more so when safety issues are assigned to those activities, with attention paid to them on the residual principle and management carried out on the basis of so-called risk management and risk insurance.
I am sure that many decision-makers are simply unable to assess all aspects of the damage caused to the nature and people of the region by the spill of oil products from the Norilsk Nickel facility, or to "assess" the moral suffering of those for whom Motherland is not just a word.
But the 146 billion in which the damage was assessed, "versus" the 10 billion of the same money that the decision-maker was ready to grant from the master's shoulder as compensation for the company management's "risky" views on safety management, is a good start for sobering up the apologists and followers of residual-principle safety management. And a great example for reflecting on the reliability of risk assessments.
One of the consequences of the marketing "murk" around digitalization, stirred up first by the IT business and then by politicians, was placing so-called "informatization" second in the supposedly "objectively" built hierarchy "business - informatization - security".
From the vertical "hierarchy" to the horizontals of common sense
In fact, "informatization" and "security" are not elements of a hierarchy.
We do not build a hierarchy of carpenter - carpentry tools - safety precautions!
Just as a cabinetmaker-restorer is unlikely to invest first of all in circular saws and electric planers, unlike a carpenter engaged in producing window frames and stools, so the nature of "informatization" and its costs on the business side should not be driven by "fashion" TRENDS, by the offers of "IT salesmen", or by the budgeting principle that "informatization is second only to the cost of capital construction".
Informatization is not a stage upon whose "completion" it will be possible to deal with security "out of profit, on the residual principle, in the amount of 5 to 20% of the cost of informatization", within the framework of the concept of an "objectively" built hierarchy "business - informatization - security".
Business, public administration, medicine and education must recognize that INFORMATIZATION IS IN ITSELF A NEW SECURITY THREAT, and not only to information security but also to classical "safety", which lies behind the concepts of "safety precautions", "electrical safety", "fire safety", "ACS".
And also that INFORMATIZATION is a catalyst for threats and for an increase in material and political losses, examples of which are the well-remembered information leaks caused by the betrayal of high-ranking and not so high-ranking military personnel and ordinary employees.
"Leakage" of information from modern information systems, due to the fact that "information security ... belongs to the category of supporting activities" and that "the following hierarchy of the types of activity of interest to us is objectively built: business - informatization - security", is not as quickly visible as a diesel fuel leak of tens of thousands of tons.
However, the current "digitalization" and "digital transformation" based on equipment and technologies in a commercial version or, worse, in a consumer-grade commercial version (so-called COTS, Commercial Off-The-Shelf), make it possible to gain unauthorized access to information, in order to steal or manipulate it, even without searching for traitors.
The current "digitalization" and "digital transformation" based on COTS products and technologies allow not only convenient and centralized accumulation of interesting and valuable information, but also its convenient and centralized retrieval.
Consolidation of an industry in which information security will be comfortable
At the round table "Cryptography for Citizens and the State" at the CTCRYPT 2021 symposium, the topic of industry consolidation was raised in the context of introducing domestic (read: trusted) cryptographic protection into so-called Internet of Things (IoT) systems and mobile communications technologies.
The experts of Infotex and Aktiv described in great detail the engineering and technical problems that arise when implementing cryptography in this relatively new IT "field", to which the developments accumulated in the cryptographic protection of corporate-level information systems cannot be transferred directly, because of differences in the component base of the equipment and in the development tools, techniques and methodology.
It is pertinent to note that these problems are such only partly, and only because over 30 years the once common space of domestic microelectronics and radio electronics has been torn apart, along with the teams of developers working in the markets of so-called "embedded" computer technologies and of so-called "corporate" IT.
This situation today creates a big problem in the field of industrial cybersecurity.
"IT specialists" carrying templates and stereotypes of development and business formed and preserved since the days of the "dot-com bubble" have rushed into this "market", slightly tweaking their presentation slides. A kind of foray of "IT tourists" from the "innovative" world of microservices into the reserve of material production, with its established ecosystem of views on and requirements for reliability and safety.
And it is very important how the meeting of these two worlds will end: in one of them the system administrator is "asked", while in the other the system administrator, if one appears in production, will be told "must" and "obliged".
Once upon a time, the separation of the worlds of corporate IT and "embedded" computer technologies did not contradict the interests of a business built on the idealized ideology of the WTO and the so-called "world division of labor".
But today, this disunity negatively affects the possibility of creating a single space for cybersecurity and information security in the economic and political realities of the present time.
In this regard, the time has come to abandon the idea of information security as an "industry" and to compel stakeholders to talk about information security within the framework of the concept of "general" security of the ICT industry.
And to "seamlessly" and "transparently" include information security in ICT industry products and in ICT solutions for REAL INDUSTRIES and GOVERNMENT systems.
At the same time, ICT threats should be divided into internal technological threats, the "childhood diseases" of the technology, and external threats from attackers or from the incompetence of operators of ICT solutions (the term "cyberthreats" most often refers to these "challenges" of ICT).
Then the tasks of combating internal technological threats to ICT can be taken outside the framework of information security and solved within the framework of RELIABILITY THEORY methods, together with the improvement and implementation of FAULT-TOLERANT TECHNOLOGIES and of test and certification methods adapted to the peculiarities of IT for industrial applications.
But in order to combat cyber threats, it will be necessary to continue developing new approaches that take into account the peculiarities of the regional and sectoral implementation of ICT equipment and ICT solutions.