Opinion: The Real Cost Of Cybersecurity
Cybersecurity matters more than ever, and the cyber-threats faced by companies and critical infrastructure are increasing exponentially. The frequency of cyberattacks has increased significantly in the past five years, and the events in Ukraine have exacerbated anxieties for our national defense assets and companies. KPMG’s Global CEO Surveys continue to indicate that cybersecurity risk is a top concern. Cyber-crime, supply chain security, critical infrastructure integrity and cyberresiliency impact a company’s bottom line and have long-term effects on operations and reputations.
The aerospace and defense industry faces among the highest levels of targeted activity from a wide range of national intelligence agencies, organized crime and bad actors, along with daily attacks from clandestine state actors conducting active cyberespionage. But the ecosystem that must be protected has never been more complex. It includes complex heterogeneous fleets of aircraft, vehicles, ships and spacecraft—along with their electronics and onboard systems—as well as communications networks and critical information to ensure that the craft remain intact. The ecosystem extends deep into the supply chain, upward to customers and out to the individual operators using the equipment, systems and solutions that security experts design, develop and manufacture.
Whether the strategy is to preempt, defeat or deter malicious cyberactivity, the use of artificial intelligence (AI) algorithms in support of “zero-trust models” will be necessary to future integrated security environments. Gone are the days of closed, trusted networks. Future solutions will require significant investment to harden edge devices, increased AI capabilities and preemptive tactics based on a “zero-trust” model where all devices and users continuously authenticate themselves using digital cryptography. This provides a consistent way to access data, validate information, transmit it to a platform, process and collect it and retransmit information back to the cloud for storage. If the network is compromised, it will route around the compromised nodes. If the platform becomes compromised, it will remove itself from the network to minimize impact and reconstruct the network. In this way, future systems will always assume a hostile environment. Every communication, device and flow will be authenticated and authorized as dynamically and as close to real time as possible.
But the true costs of cyberresiliency are vastly underestimated in most forecasts. In a December 2020 report on U.S. Defense Department software development and cybersecurity practices, the Government Accountability Office found that 47% of programs that had failed to conduct vulnerability assessments experienced more schedule slippages and cost increases. The need for resiliency will create demand for solutions to meet the complex requirements of cyberresilient enterprises, supply chains and fleets, as well as their underlying systems, networks, infrastructure and information.
Another huge challenge: The industry faces a global shortage of nearly three million cybersecurity professionals. Despite demand for skills such as data security, risk identification and management, threat detection, cybercompliance and network security architecture, few schools embed cyberskills into their electrical and computer engineering programs. The public and private sectors need to incentivize academia to incorporate cyberskills training in science, technology, engineering and math-related programs.
Organizations and professionals need to ensure that cyberteams have a seat at the table at all stages of conceptualization, design, development, manufacturing and operations. Those teams must be the immune system protecting the health of the future business supply chain and end-customer environment, with an agility of thought and action that recognizes the speed at which cybercriminals operate.
Future cyberteams should assemble cyberaware communities that can cross-communicate and work together quickly to meet issues head on. The chief information security officer cannot do it all and often does not have the authority to respond quickly enough. New partnerships are necessary. Organizations will need to address the security deficit, align their objectives, evolve the security team, enhance engineering skills and improve their supply chain and procurement capabilities. Above all, past assumptions about resilience need to be challenged.
Jono Anderson is a KPMG deal advisory and strategy partner who leads growth and innovation strategy. Jim Adams is a KPMG deal advisory and strategy partner and is the U.S. aviation, aerospace and defense industry leader. Michael Gomez is a KPMG partner advisory principal who leads the cybersecurity strategy and governance practice. Rik Parker is a KPMG leading advisor in enterprise information, risk management and cyber-program strategy. The views expressed are those of the authors alone and do not represent those of KPMG.
The views expressed are not necessarily those of Aviation Week.