Data Sovereignty and Cybersecurity
by Kumar Ritesh
To view data sovereignty through a narrow lens may stifle progress. It would be prudent to deploy forward-thinking and progressive cyber strategies as we march into a highly digital post-pandemic world.
The pre-pandemic years ushered in a heady era of globalization, open systems, and interconnection. Collaboration between governments and businesses resulted in the globalization of supply chains, which opened new markets and new business models.
Data sovereignty or data localization became a new buzzword as early as 2014, when cloud models facilitated the flow of data in and out of national borders. Not knowing exactly where and how the data of their citizens and businesses is stored, consumed, and monetized created concerns for governments. Data privacy and protection became a point of contention when users’ private and confidential information was perceived to be accessible, ready to be examined and replicated by machines for user behaviour analysis, advertising, surveillance and other malicious objectives. The arrival of foreign ‘hyperscalers’, cloud companies such as Microsoft Azure, Google Cloud, Amazon Web Services (AWS) and AliCloud, exacerbated the situation as local businesses started subscribing to these services. This created tension among local ICT players, who now have to compete against these large foreign cloud services providers. Data sovereignty is thus a loaded term that evokes a sense of nationalism and xenophobia (protecting local businesses and keeping the foreigners out).
In the last six months, Covid-19 upended ‘business as usual’, and international relations have been tested as governments look inwards to protect jobs and appease restive citizen groups. Data sovereignty became a heated discussion topic when European states enacted GDPR. Over in Asia, countries with huge populations like India and Indonesia have been evaluating options to protect citizens’ data, and keeping data ‘on-soil’ has become the vernacular among politicians. And today, even as regulations are enacted to enforce data sovereignty, data privacy and protection can still be a thorny issue.
Cyber threats and risks exist no matter where data resides – it is the execution of sound cybersecurity strategies that can effectively protect businesses’ and citizens’ data. Instead of the draconian, repressive and authoritarian approach to managing data under the pretext of ‘for the good of the nation’, we would be better off promoting an open system where innovation, trade and economic growth can flourish while ensuring private and confidential data does not fall into the wrong hands. Many nations face common technical challenges when trying to mitigate risk in the face of conflicting priorities. The following cybersecurity strategies will help businesses untangle the web of confusion, remove the corrosive nature of reclusive mentality and start embracing connected and digital ecosystems confidently.
Approach Cybersecurity from the ‘Outside-In’
To minimize the fear of data breaches and cyber threats, adopt an intelligence-centric mindset. The adage ‘knowledge is power’ is more relevant than ever. Leaders need to understand the risks that are coming from the outside and be well equipped to handle adversaries before actual cyberattacks occur. A thorough understanding of who the threat actors are, what they want, why you are an attractive target, when they are planning to launch an attack, and how they intend to do so is essential to mounting an effective strategy to fend off attacks. A complete threat landscape view will give cybersecurity teams insights into digital risk, vulnerabilities, cyberattacks, hackers’ interest, early warning, out of band, malware, and phishing campaigns to gauge impending cyber threats and risks.
Adopt a Comprehensive Approach
Data sovereignty may keep data within the borders of a nation, but this does not keep threat actors and hackers away from companies’ crown jewels. Hackers continue to jump over the proverbial wall and gain illicit access to systems and databases. Cybersecurity teams need to deploy a holistic approach to managing data, and this requires strategic, management and tactical cyber-intelligence. This multi-layer deployment involves not just security operations personnel but also risk and governance leaders. Corporate risk policy changes may be needed to ensure that cyber threats do not become cyberattacks.
Regulatory Environment Needs to Change
Governments may have enacted cyber laws, but many are proving to be difficult or impossible to enforce. There are a few areas within the circle of influence where relatively faster improvement can be made. One would be to make incident reporting mandatory. This will create a body of research data which can provide insights on threats to the nation and inform the government on strategies it can undertake to strengthen the nation’s cyber posture. Another critical area would be to impose mandatory risk and vulnerability assessment, at least biannually, on large enterprises. This will help identify threats early, so that remediation can take place to close any cybersecurity gaps. The third approach would be to commence attack vector assessments at least once a year. These assessments will uncover new attack surfaces as businesses adopt new digital formats and build further supplier-partner-customer connectivity. A cyber reward culture can also be cultivated where the discovery of bugs and vulnerabilities is rewarded. This effort will uplift the cybersecurity community and promote a culture of knowledge sharing and joint solutioning.
People, Technology, Process and Governance
For many small and medium businesses looking to ensure cyber resilience, it is essential to build a basic level of cyber hygiene. The most important element is ‘people’: employees and individuals must be educated on cyber threats and risks. This is particularly vital given the prevalence of phishing attacks and social engineering hacking campaigns. From the technology perspective, businesses should incorporate layered defences with data and endpoint security, gateway-based security, and automated scanning, monitoring and malware removal. Antivirus solutions, data loss detection and protection, and VPN solutions should also be incorporated. When it comes to processes, businesses should perform threat profiling and create threat segmentation, zoning and risk containerization. Keeping the core content encrypted would be both prudent and necessary. The basic process of daily data backup would be an acceptable policy to adopt too. When it comes to governance, businesses should incorporate an excellent cyber threat visibility and intelligence program to complete their cybersecurity strategy.
Innovation, entrepreneurship, open systems, inter-connection – these are tenets that result in new growth possibilities. To view data sovereignty through a narrow lens may stifle progress. It would be prudent to deploy forward-thinking and progressive cyber strategies as we march into a highly digital post-pandemic world.