Nations and organizations like NATO faces three prominent cyberspace risks which cannot be easily coped with unless they become part of the root solution. These risks are a quantum-capable adversary, supply-chain compromises and the compromised or paralyzed IoTs. The importance of them arises from undeterred enemies.
One of these risks is a quantum-capable adversary who can decrypt encrypted communication to eavesdrop on critical data. Quantum computers may occur within five years. Because the breakthroughs in the quantum computer area are not linear, but logarithmic. So, this risk should be tackled as if a new kind of ‘Bletchley Park’ where an adversary silently reaches a quantum computer power in its basement will emerge within five years or sooner.
The other risk is supply-chain compromises. This risk originates from vendors, partners or other entities that are part of the procurement chain. Like SolarWinds and Mimecast hacks that affected many critical targets, nations, governments and organizations will not become isolated from direct or indirect effects of supply-chain compromises.
And the last risk is the compromised or paralyzed IoT (Internet of Things) devices used in the field or headquarters. IoT devices are one of the most vulnerable surfaces due to their inherent technical weakness and inadequate building blocks. Their underlying weak structure may also spread its security problem to its connected systems.
The Approaches at Both Operational and Policy Levels
Nations, governments or organizations can only tackle quantum-capable adversary by working in close collaboration with their allies who have enough resources, experience, and research & development activities in quantum computers if they have no such capability. Also, they should actively engage in post-quantum cryptography and quantum cryptography studies to steer them according to their needs. Otherwise, they will be subject to some new standards that may contain trapdoor or backdoor.
Nations, governments or organizations should regularly interfere and inspect the software development lifecycle of their suppliers and periodically audit them to prevent supply-chain compromises to some extent. All software libraries and open-source components used in any purchased applications or systems must be subject to their strict specifications. There should be a binding contract for all acquisition and procurement to let governments and organizations do on-site audit and inspection.
The underlying components of IoT devices should not be technically lightweight as in the commercial sectors. IoT devices should be in total isolation with a constrained plane where they cannot disrupt operational capability in case of an attack.
Quemadmoeum gladis nemeinum occidit, occidentis telum est
Finally, nations, governments, states and organisations will be facing a cumulative security problem within five years which will consist of economic, migration, environmental and energy crisis, along with cyberspace defense crisis like never seen before…
*The featured image on top of the page is from the “Conan, the Barbarian” movie. While showing the casting of a sword, it positions both the enigma of steel and the sword itself as an esoteric object.