Cybersecurity and the Four Pillars of Digital Trust
By Unisys | April 27, 2018
The federal government is rapidly progressing through a digital transformation that’s making agencies more connected, data-driven and mobile-friendly on behalf of the citizens they serve. Across government, mission outcomes are increasingly supported by convenient citizen-facing services, mobile devices, the Internet of Things (IoT), cloud-based infrastructures, mobile platforms and intelligent, AI-driven decision-making. Unfortunately, this next-generation environment is prompting a crisis of “Digital Trust” as agencies struggle to achieve a holistic understanding of the security risks that face an ever-more-complex IT ecosystem. Put simply, an expanding digital universe expands the ways bad actors can exploit weaknesses to infiltrate networks and compromise systems. Drawing on deep experience and numerous use cases with our clients, Unisys has come to view Digital Trust as something earned along multiple, concurrent dimensions. As we’ll see, federal agencies must learn to simultaneously develop and rely upon trusted devices, trusted services, trusted connectivity and – especially – trusted identities. Unisys refers to these as the Four Pillars of Digital Trust.
New Ground Rules for Cybersecurity
The fast-changing security picture forces all of us within IT and across society to face a reckoning with outdated assumptions and escalating threats. The focus is shifting from simply protecting your network, and augmenting or replacing perimeter security with identity services and encryption, to protecting information wherever it goes: protecting not just the physical infrastructure, but the data, connections and user identities that make up today’s vast information landscape. It’s a modern reality shaped by three crucial dynamics that agencies must understand and accept. First, Gartner and other analysts have noted that security today is not just about preventing problems or avoiding breaches altogether but more about business resilience and managing operations during a breach. Second, the IT security assets and capabilities needed to address today’s threats are difficult to acquire and maintain in-house for most organizations. In the words of Global Cyber Alliance President and CEO Phil Reitinger, “if you’re not in the IT business, get out of the IT business.” Finally, it’s unrealistic and unfair to rely on end users as the backstop for system security. Steven Chabinsky, former Deputy Assistant Director of the FBI Cyber Division, succinctly said, “cybersecurity should not be the responsibility of the users of technology.”
Understanding the Four Pillars of Digital Trust
With this as the new reality, the new formula for cybersecurity rests on a comprehensive model for Digital Trust across the four interrelated and complementary pillars. A successful strategy will include:
- Trusted Devices - The variety of endpoints at the edge of the network continues to grow: from computers, mobile personal digital assistants that are now fully capable general-purpose mobile computers, self-service kiosks such as ATMs, and physical security sensors, to intelligent devices in industrial control systems, Internet of Things (IoT) sensors, actuators and gateways, and even medical devices. Organizations that rely on this expanding array of devices for convenient, agile and seamless operations must ensure that each is implemented and operated to an appropriate level of trust for its intended
- Trusted Services - We must engage outside partners for IT solutions that are powerful, flexible and scalable enough to meet today’s mission objectives. An agency can facilitate migration from on-premises data centers to hosting on the automation-driven infrastructure of a commercial cloud provider by depending on practices validated by the FedRAMP Joint Authorization Board. Virtually all organizations depend on external providers for cybersecurity services such as threat signature updates, so it is imperative that they can trust that feed and other managed security services. At the application layer, we depend on software services, increasingly complex micro-services executing on distributed platforms that are invisible to the user. A typical e-commerce mobile phone app relies on backend services in the cloud to provide accurate information. Those services in turn rely on the mobile client application to provide data with known provenance and authenticity. Just as today’s Industrial Control Systems depend on trusted service connections to monitor and control functions for control centers, the geographically distributed smart environments of tomorrow will capitalize on artificial intelligence (AI) to deliver instructions and updates via a trusted service to semi-autonomous smart devices.
- Trusted Connectivity - To protect the confidentiality, integrity and availability of communications across all elements of the digital ecosystem, Trusted Connectivity is essential. Ideally this is end-to-end encrypted communication across an untrusted network, with a private channel between any two endpoints (server, workstation, mobile device, IoT gateway, intelligent sensor, ICS/SCADA control station, etc.) managed automatically via a distributed trust model, so that operators can manage safeguards efficiently at the level of a community of interest. As an example, Trusted Connectivity in an agency might automatically implement encryption across the network between servers and client devices for those associated with a certain business function. For a pipeline automation system, it would secure communications between the system control centers and all the sensors and actuators at the pump, valve control, branch and transfer stations along the pipeline.
- Trusted Identity - This is the linchpin for mission success in cybersecurity. That’s because the nature of identity itself has evolved beyond simply verifying the identity of a user at a computer or smart phone. Trustworthy identity management goes beyond in-person proofing to trusted identities in cyberspace, across the internet, via email, and when activating intelligent agents. While fingerprint and other biometrics can increase convenience and reduce impostor risks when integrated in well-designed systems, there’s now a constellation of IoT devices and intelligent objects that also must be able to operate under a verifiable identity. One of the challenges of distributed AI and semi-autonomous systems – those that act on commands from somewhere else – is that trusted identity now involves making sure commands are coming from the right control authority.
Identity Management in an AI World
Let’s illustrate the modern challenge around Trusted Identity with a not-so-hypothetical threat scenario, one that was depicted in the 2017 film Fate of the Furious, the eighth installment in The Fast and the Furious franchise. A super villain named Cipher hacks remotely into multiple cars outfitted with self-driving technology – essentially fooling the onboard AI systems with commands to crash through guardrails and run red lights in crowded city intersections. If Hollywood is thinking up such catastrophes, you can bet that terrorists are doing so as well.
Self-driving cars rely on distributed intelligent control systems – real-life hacking could be achieved by impersonating the digital identity of a traffic control system the car may be communicating with, or by overriding the signals from the sensors used to measure proximity or speed. Similar control authority spoofing could be used to trick a military drone into dropping a payload on friendly forces instead of an adversary. Sometimes altering a sensitive data feed is sufficient to cause great harm: imagine false weather data that causes aircraft to head into unsafe conditions. Especially when weapons systems or safety-critical functions are involved, identity management is the key prerequisite to prevent the unthinkable from happening.
Making Digital Trust a Reality
What should agencies seek in building solutions to ensure Digital Trust amid such challenges? The answer is to find service providers who address the full breadth of security requirements. Your service provider search checklist should include:
- IT systems resilience through world class risk management and threat targeting;
- Success in delivering value from deep learning while understanding distributed AI and intelligent sensors;
- Physical-logical converged security systems to diminish risk;
- Biometrics, behavioral analytics and other tools for managing distributed trust;
- Expertise in automated data center infrastructure operations and refactoring applications for micro-services and cloud, including access management across hybrid environments.
All of these are necessary to inform progress towards a trusted IT enterprise that can address tomorrow’s digital environment challenges. Thankfully, Unisys understands the issues in each of these spaces, making us uniquely qualified to provide comprehensive and scalable solutions for Digital Trust. Our Integrated Security clients include dozens of federal agencies and foreign countries – with projects ranging from secure cloud migration, data center consolidation and industrial-grade IoT security to customs and immigration threat targeting systems, financial industry fraud detection and enterprise transformation, and advanced technologies such as biometrics and blockchain for identity management and travel security. It’s no coincidence that governments around the world have hired us to provide consulting and security support for the G-20 summit, Super Bowl, World Cup and the two most recent Olympic Summer Games. Those are just a few examples of how clients look to Unisys the moment Digital Trust becomes mission-essential.