
The black hole of cybersecurity spending

Cybersecurity is becoming more and more expensive, but the quality of protection isn’t getting any better

Here’s what you need to know this week:

  • State affairs: Is spending on cybersecurity disappearing into a black hole?

State-by-state: 

  • Amazon faced a mandatory vaccine dilemma
  • Facebook unfairly protected its elite users 
  • Google may have to tackle more efforts at unionisation
  • Apple won a sort-of victory against Epic Games
  • Tencent had to allow competitors into its “walled garden”

A recent wave of high-profile hacks like those of SolarWinds and the Colonial Pipeline has put cybersecurity spending on the agenda for almost all businesses. The concern, though, is that the cybersecurity bill keeps rising whilst the protection that companies actually get is falling by the minute.

Microsoft recently said it would increase its cybersecurity investment by 300 per cent over the next five years, committing a total of $20bn to improving protection against hacking. Brad Smith, president of Microsoft, said the spending on “security related activities” comes in response to ever more sophisticated threats that require ever more sophisticated defences. 

We spoke to Joe Hubback, a managing director at cybersecurity firm ISTARI, about the factors that contribute to this situation – where spending on security is going up alongside losses to hacks and ransomware. He explained that businesses faced four key issues:

  • Security solutions are mis-sold in a “market for lemons” where buyers don’t know what they are getting. Ninety per cent of industry representatives Hubback has studied don’t get the value for money they were expecting from their cybersecurity protection purchase in terms of an actual security effect (which can be tested by putting the system in a laboratory scenario and subjecting it to malware attacks).
  • The rapid digitisation of the business world has left lots of organisations behind. For more than 40 years, the processes that support business (communications, payment, advertising) have been moving online and that means the risk landscape has been getting bigger and bigger. Companies are exposed on more fronts, and protection needs to cover more angles than ever before. 
  • The problem is getting more and more complex. Some households will have ten vulnerable devices; some businesses will have ten thousand. Many have not yet updated, patched or replaced their older systems. Like a 70s classic car that still runs but has no seat belts, legacy digital infrastructure is still in use and wide open to modern-day attacks.
  • It’s not an amateur’s game anymore. Hacking and ransomware attacks have been fully professionalised and industrialised; they are driven by a sort of entrepreneurial spirit, and all the terms favour the hackers. The economic incentives to hack are huge. 

Companies like Microsoft and the other tech states can announce increased spending on a huge scale, and will develop their own internal security solutions. For many smaller businesses the threats are much less addressable, and services need to be bought from outside providers. The cybersecurity story is really just beginning; the more we look, the more we realise it’s already happening all around us.

On 30 September Tortoise is hosting a Cyber Summit to discuss how we can stay ahead of cybercrime in a digital age. Do join us here.

Amazon is facing its own public health policy dilemma. It was a pioneer in installing Covid-19 testing centres at its warehouses; it is now removing them. Amazon employees have accused it of kowtowing to Covid skeptics, but the quandary facing America’s second-largest private employer, as Bloomberg puts it, is how to keep its facilities Covid-free without sparking a mutiny among workers over mandatory vaccines. While the majority of the adult population in the US have received at least one dose of a vaccine, rates of vaccine hesitancy are highest among Black and Hispanic communities. Almost half Amazon’s US workforce is from those ethnic groups, which the KFF have shown to be up to 9 per cent less likely to have had a vaccine than white counterparts.

Facebook is a state which promises equal access to anyone with an email address. But that doesn’t mean it treats all its citizens the same. In fact, millions of VIP users are shielded from the company’s normal enforcement process, according to leaked documents obtained by the WSJ. Neymar, the international football star, was initially allowed to show nude photos of a woman who had accused him of rape to tens of millions of his fans. Such a violation would have typically led to sanctions for regular users. A 2019 review of Facebook’s policies found such favouritism was widespread and “not publicly defensible”.

Google remains a labour rights battleground. We reported last week that it was facing a rising tide of employee activism, and that the “old-fashioned” approach of unionisation may be making a comeback. Maxim Baru, Communications Officer at International Workers of the World (IWW), explained to us that big tech companies have always had creative reactions to the organisation of workers, and that anti-union tactics would only get more inventive and harsh. From the hiring of industrial psychologists, to increasingly compartmentalised working environments in which workers feel connected – but are in fact legally and administratively isolated – Google has looked to stem the collective bargaining power of its employees. This has involved limiting action to high-profile stunts that make a splash on social media, but do not change underlying power structures within the company.

“Sectoral collective bargaining” is more common than you might think, even if you’ve never heard of it. It’s a type of labour union agreement that covers an entire sector and its workers, rather than just a single company and its employees. There are some in New Zealand, Iceland and the UK, and recently a collective of media companies has set its sights on negotiating with Facebook and Google over revenue sharing as a group, so it has more bargaining power. Such an agreement in Silicon Valley could shift the balance of power in workers’ favour and establish a legal foothold that they could leverage. The leaders of the tech states would presumably seek to block this sort of proposal, just as they’ve thrown lobbying muscle behind opposition to US legislation on compensating independent publishers. Joe Biden called for action on collective bargaining at the start of his presidency; but he had electricians, auto workers and teachers in mind, not necessarily the citizens of US tech states.

The epic battle between Apple and, er, Epic has come to an end with a judge ruling that Apple must allow other forms of in-app purchase apart from just its own. On the face of it the judge’s order is a defeat for Apple, since it opens up a new avenue for purchases on the iPhone. But the 185-page judgment is actually more complicated. First, the appeals process will likely cause delays, so don’t expect changes any time soon. Second, the judge didn’t order Apple to cut the 30 per cent fee it takes on app sales. Third, and most important, the judge upheld the App Store’s overall structure as legal. All of which helps explain why it’s Epic that’s appealing the ruling.

The “walled gardens” of China’s technological paradise are tumbling down. For years, both Tencent and Alibaba had blocked links to other internet companies (a practice intended to stop users from migrating to rival services). This meant that services like WeChat were self-contained experiences – domains within which China’s tech giants had total control over influences and content. In the most recent chapter of China’s ongoing techlash, the Ministry of Industry and Information Technology (MIIT) has told companies (Tencent included) that their link-blocking practice needs to stop, and that they need to open the market to competition.

Thanks for reading,

Luke Gbedemah
@LukeGbedemah

Alexi Mostrous
@AlexiMostrous


Copyright © 2025 Tortoise Media

All Rights Reserved