News by Max Metzger

Dr Adrian Davis of (ISC)2 spoke to SC about how cyber-security will affect all of our lives in the coming decade, and why the terms of that world can't be left up to the market to decide.

Dr Adrian Davis of (ISC)2 says he wouldn't use those “dramatic words” exactly, but as all things and all people become connected, the terms of that world can't be left up to the free market to decide.

Davis, currently managing director of (ISC)2 for the EMEA region, comes to this debate with more than a few credentials. His former positions have included Principal Research Analyst at the Information Security Forum of PWC, and he currently holds a position as co-editor at the International Standards Organisation. So SC doesn't take his predictions about what's to come lightly.

“If you think about contract law between businesses, if you think about medicine, there's always been a period when something new or something different happens and for a period of time everybody's trying to get to grips with it.”

This, more or less, describes the world now: we are confronted with a bounty of new technological opportunities and, though unsure how to go about using them properly, have settled on the fact that they must be used: “In that interregnum there are very few rules and regulations and organisations and individuals can drift to the minimum which could be nothing.”

For some things that “have such a great impact on economies, individuals and societies having no framework in place could be very damaging.” But in what way? Tens of thousands of names being stolen from a mid-sized company's database can be harmful, but a threat to life and livelihood isn't at the front of our minds when we remember the TalkTalk breach.

But there will come a day when that is exactly the case, says Davis. He's not talking about scare stories like airplanes being blown out of the air by hackers either. “I'm talking about simple things like getting food onto the shelves, things like payroll, the ability for people to find their way around cities”. The problem is that technology has become so tightly woven into the very fabric of day-to-day existence for people and organisations, that a small failure can quickly become a big problem.

The next ten or so years, says Davis, we will see that risk expand with, among many other things, the digitisation of health: “Technology is going to revolutionise a lot of health, not just healthcare but the whole health industry and at that point you really are talking about people's lives.”

For example, plenty of doctors use tablets and medical apps to diagnose patients. If you have an incorrect diagnosis tree, then you could end up with a lot of misdiagnosed patients. “As we digitise our personal lives,” says Davis, with health apps, Fitbits and more, “any failures could be quite damaging”. 

Take, for example, someone who might use a Fitbit to monitor their heart rate. “Forget the hackers”, says Davis. “We need to make sure we're building technology in such a way that it is reliable, it is safe and it is secure.”

As much as we might like to believe in the infinite intelligence of the market and the forces of consumption that drive it, “It's our view that right now the free market, freewheeling approach that we've seen in regard to the internet might not be the best way to reap the benefits of the internet.” 

There are, says Davis, “times when free markets do fail and there is a necessary point at which frameworks need to be introduced to make them work better”.

We don't need an iron fist of coercion exactly, Davis is keen to point out, but rather frameworks which encourage good behaviour as opposed to merely punishing bad: “We need this framework where people can start to make considered decisions and one that actually rewards the right decisions.”

The recent directives passed by the EU admittedly contain some carrot and a lot of stick. The GDPR's potential four percent fine on global revenue will hit the unlucky company that incites the wrath of regulators very severely.

Legislation, which tends to take a long time to be drawn up and passed, isn't specifically what Davis is looking for either. Even once it has passed, the problem it was meant to solve has often morphed into new and different problems. Regulation, on the other hand, “can react to changing circumstances in a better timeframe than a legislative process”.

Best practice is more along the lines of what Davis is talking about. The UK is not doing too badly: schemes like Cyber Essentials lay out an easy way for companies to secure themselves, and the government has been very open about how it has developed its advice, says Davis.

For lessons in the cyber-security of the future, we should look to cars and trains. The health and safety aspect for these industries “is about stopping very large bits of metal getting into accidents where people could be injured”. If the regulation takes into account harm to life, limb and livelihood, if “everything has a certain level of security, a certain level of protection then we all benefit and then we can focus on the more difficult issues because we're working from a position of strength”.

What might it take to get to that point? It took plenty of hacking before the Computer Misuse Act came into being, so might it take some kind of significant event to force these kinds of measures through? “Part of me hopes we don't get to that point,” says Davis, “that we don't have some sort of massive failure somewhere along the line that is to do with the failure of technology and then we have a knee-jerk reaction where everything gets shut down.”

Then again, that's why we need frameworks, and regional frameworks at that, says Davis. Seeing as the connected world takes no heed of the borders that the physical world supplies, these frameworks need to be international. The problem is, “when it comes to cyber-security you're only as good as the weakest link in your cyber-security chain... If we have the problem where other governments aren't taking it seriously then it degrades the level that the UK government are trying to help organisations reach.”

That's why, says Davis, (ISC)2 welcomes “having regional frameworks and ideally even more than that, having something that at least gets everyone in the region up to a certain level we think is a great idea”. 
