Transparency is one of the pillars of digital trust: It's a reflection of personal relationships. And, as in real life, the higher the stakes in the digital world, the more trust consumers need to have to feel comfortable.
But transparency is a double-edged sword; it also creates vulnerability. The need for security is often used to deny transparency, but when transactions are opaque, everyone is open to abuse and manipulation. Transparency means the trusted party gives insight, and it enables people to align and understand if they are willing to trust this entity or relationship.
Lack of understanding around the need for transparency
Understanding that transparency creates vulnerability raises the question, "How much transparency do we need before we can trust another business with our private and valuable data?"
To date, many users have trusted social media companies that have a record of selling private data. The lack of transparency on how social media companies may use consumer data and the dangerous effect it may have on democracy is underscored by the Cambridge Analytica fiasco.
A lack of consumer understanding about the impact of their decisions has enabled opacity to be the status quo. With GDPR, Europe introduced legislation recognizing that data belongs to the person the data describes. Individuals have the right to ask questions such as, "How did you get my data?" They also have the right to say, "This data is incorrect," and "Please remove any data you have stored on me."
In the U.S., few laws prevent the sale of private information; they are either specific to verticals such as healthcare or exist as a patchwork of loosely defined privacy requirements on a state-by-state basis.
As businesses consume more and more cloud services, the reliance on third parties has increased. This results in greater risk and need for due diligence and visibility into the vendor's use of the organization's data. Business owners are responsible for the security of their data. Choosing to use SaaS does not remove that responsibility. It is, therefore, important to understand not only the data privacy legislation related to collecting data, but also how exactly data is stored, accessed and protected. Blind faith in an organization's appropriate use of data is not only unwise, but it could also be dereliction of fiduciary duties.
Transparency for the greater good
Understanding that all organizations make mistakes and that we will see those mistakes if the organization is transparent raises the question: How large does a mistake have to be before all trust is destroyed?
For instance, in the 2019 Capital One breach, approximately 100 million individuals in the U.S. and approximately 6 million individuals in Canada were affected. As investigations of the attack revealed more information, Capital One has been transparent and shared what went wrong and what security controls could mitigate the risk. This transparency has prevented the next Capital One-style breach and helped the community protect itself.
SolarWinds is another important breach to be aware of. Russian state actors are believed to have injected code into the continuous integration/continuous delivery (CI/CD) pipeline that enabled a backdoor into SolarWinds clients. SolarWinds had a large footprint in the U.S. government sector, so this was not just a breach, but a possible threat to national security and U.S. democracy. More than 18,000 SolarWinds customers potentially installed the malicious updates, but reportedly, fewer than 100 were hacked.
Through the backdoor, hackers accessed SolarWinds' customer IT systems, which they then used to install malware to spy on other companies and organizations. The SolarWinds attack has been the most successful known infiltration into the U.S. government and has caused an enormous loss of trust in SolarWinds. The stock, as of August 2022, is down 34.7% year to date, down 46.1% over the past 12 months and down 70.2% over the past five years.
Since that infiltration, SolarWinds said it now has three code repositories that enable the company to perform not only security checks, but also comprehensive integrity checks of its code. SolarWinds' share price has fallen dramatically, but the reality is that few vendors have learned from the SolarWinds attack and put in place integrity checks to prevent a similar breach.
The lack of trust in SolarWinds is, therefore, not reflected in the security controls the community requires from software companies that might well be the next SolarWinds -- and that is deeply troubling. Failing to learn from mistakes more quickly might help explain why, according to ISACA's "State of Digital Trust 2022" report, only 11% of respondents said they are completely confident in the digital trustworthiness of their organization, and only 23% answered confidently that their organizations measure their levels of digital trust among their customers.
It is also worth noting that the initial vector of attack for the most expensive global malware attack, NotPetya, was a backdoored server belonging to Intellect Service, a company that makes a file-sharing application used as a component in the accounting software M.E.Doc. An unknown attacker used the backdoor to deliver malware embedded in an M.E.Doc software update.
The similarity of the last two attacks highlights the fact that we should put both security and integrity checks into the CI/CD pipeline. They should become audit requirements. Additionally, a company that shares how its security controls failed and its remediation efforts may mean it is worth trusting over a company unwilling to prove how it won't fall victim to a similar attack.
The argument that there must be transparency for trust to exist means consumers have a right to understand the processes and have insight into the details of how a vendor manufactures the software used to run businesses, as well as how it handles and uses that data. The danger of SaaS is that businesses can be lulled into thinking they're outsourcing not only the infrastructure, but also their responsibility for the data. That is simply not true. The ultimate responsibility always lies with the business. It is up to businesses to demand transparency before implementing SaaS.
The industry must reward and recognize vendors that come forward and help the community understand what security controls were missing and how they can improve security posture so the past does not repeat itself.
About the authors
Sushila Nair is vice president responsible for security service offer creation at NTT Data's Chief Digital and Strategy Office. NTT Data Services is a digital business and IT services leader headquartered in Plano, Texas. Nair previously served as CISO for 10 years and has over 30 years of experience in computing infrastructure, business and security. An experienced cybersecurity thought leader, she has worked in diverse areas across telecommunications, risk analysis and credit card fraud and served as a legal expert witness. She also worked with the insurance industry in Europe and America on methods of underwriting e-risk insurance based on ISO 27001. She has written numerous articles, is vice president of the ISACA Greater Washington, D.C., chapter board and is part of the ISACA Emerging Trends Working Group. Nair is regularly featured in global technical events and in the press. She plays an active role in supporting best practices and skills development within the cybersecurity community.
Nate Abbott is a product and technical marketing specialist with over a decade in the cybersecurity field. He specializes in messaging and content strategy and has a knack for turning dense, technical information into easily digestible material.