Would you mind distinguishing “Corporate” from “Sovereign” CyberSecurity sol
CyberSecurity systems are used to protect against unauthorized access to confidential data, but they are also instruments of cyber-warfare, the cyber conflicts between nations. As I was mentioning in previous articles, CyberSecurity is mainly a matter of Trust. Combining both statements, it is key for CISOs to distinguish between protecting against general hackers and malware threats, which may be initiated by any individual or nation, and protecting specifically against foreign nations (which, of course, further restricts the selection of adequate partners and technologies). In this last case, CyberSecurity solutions must be “sovereign” in addition to being efficient and affordable…
When a foreign technology is acquired by a company whose headquarters are located in another nation, that does not make it a sovereign solution for that nation; it remains a corporate solution. To consider it “sovereign”, the acquiring company would need to a) have access to all of its source code, b) have it inspected by highly skilled personnel, and c) avoid using a code-inspection solution that itself belongs to the original country… And even then, the binaries actually deployed must be shown to correspond to the inspected source (reproducible builds), otherwise the inspection says little about what really runs. In most cases, this happens to be simply impossible.
However, storing sovereign data in a foreign cloud remains possible, provided that it is encrypted with a trusted algorithm and that the encryption keys are not accessible to that cloud’s administrators. This is usually referred to as “Bring Your Own Key” (BYOK) or “Bring Your Own Encryption” (BYOE), but the two do not give the cloud operator the same view. With BYOK the customer generates the key but imports it into the provider’s key-management service, which then performs the cryptographic operations and can therefore still use the key on the customer’s behalf. Only when the data is encrypted on the customer’s side before upload, with keys that never leave the customer’s control (BYOE, sometimes called “Hold Your Own Key”), do the provider’s administrators really hold nothing usable. This separation of “the content” from “the container” is what allows CISOs to open up many public cloud solutions (Google, Azure, IBM, SalesForce, Service Now, and many others!).
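As an added illustration (not code from the original article), the following Go program shows the BYOE / client-side variant that actually meets the condition above: envelope encryption where a key-encryption key (KEK) stays with the customer (assumed to live in a national HSM) and only ciphertext plus a wrapped per-object data key ever reach the cloud. All key material and the sample record are constructed for the demo; the `Blob`, `Encrypt` and `Decrypt` names are this example’s own, not a product API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Blob is everything that leaves the customer and lands in the foreign cloud:
// the "container". It carries ciphertext plus a per-object data key (DEK)
// sealed under the customer's KEK. The KEK never leaves the customer, so the
// provider's admins hold nothing they can decrypt.
type Blob struct {
	WrappedDEK []byte // DEK sealed with the KEK (AES-256-GCM, nonce prepended)
	Ciphertext []byte // content sealed with the DEK (AES-256-GCM, nonce prepended)
}

// sealGCM encrypts plaintext under key with a fresh random nonce and binds
// aad (here the object identifier) into the authentication tag.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; it fails if key, nonce, tag or aad do not match.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data shorter than nonce")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Encrypt runs on the customer side before upload: a fresh 256-bit DEK per
// object, the content sealed with it, the DEK wrapped with the KEK. The object
// ID is used as associated data so a cloud-side actor cannot pair one object's
// wrapped DEK with another object's ciphertext.
func Encrypt(kek, content []byte, objectID string) (*Blob, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := sealGCM(dek, content, []byte(objectID))
	if err != nil {
		return nil, err
	}
	wrapped, err := sealGCM(kek, dek, []byte(objectID))
	if err != nil {
		return nil, err
	}
	return &Blob{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt also runs on the customer side: unwrap the DEK with the KEK, then
// open the content. Whoever holds only the Blob (the cloud operator, or a
// subpoena served on the provider) cannot get past the first step.
func Decrypt(kek []byte, b *Blob, objectID string) ([]byte, error) {
	dek, err := openGCM(kek, b.WrappedDEK, []byte(objectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK (KEK missing or wrong?): %w", err)
	}
	return openGCM(dek, b.Ciphertext, []byte(objectID))
}

func main() {
	kek := make([]byte, 32) // constructed demo KEK; in practice HSM-resident
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	blob, err := Encrypt(kek, []byte("constructed sample record"), "dossier/42")
	if err != nil {
		panic(err)
	}
	// The cloud admin's view: the blob, but no KEK (here: a different key).
	if _, err := Decrypt(make([]byte, 32), blob, "dossier/42"); err != nil {
		fmt.Println("cloud admin without KEK:", err)
	}
	pt, err := Decrypt(kek, blob, "dossier/42")
	if err != nil {
		panic(err)
	}
	fmt.Println("owner with KEK:", string(pt))
}
```

The point to check in a real deployment is where `kek` lives: if the provider’s own KMS unwraps the DEK for you, you are back to BYOK, and the provider (and its jurisdiction) can still read the content.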
Nations should avoid forcing their companies to use sovereign products and services for every possible purpose. Encouraging or mandating sovereign products where there is no need for them would shelter the national cybersecurity market from competition and lead to its atrophy. Sovereign cybersecurity solutions are usually more expensive at equal performance and level of protection. They are worth using to secure critical national infrastructure, not for general protection against more common threats.
In any case, don’t forget that you’ll always need to trust the nation from which most of your hardware and software originates, since you’ll never disassemble its code and will probably never have the necessary skills, budget and tools to do so either. So choose your battles according to your means and risk objectives!