US doing all it can to manage global cybersecurity threats, secretary of state tells RSAC
- by nlqip
Trust issues
Some cybersecurity professionals suggested the speech didn’t reflect the realities of today’s enterprise cybersecurity struggles, with no acknowledgement that nothing can be blindly trusted anymore.
Mike Isbitski, a cybersecurity consultant and former Gartner analyst, said Blinken’s references to trusted vendors and governments are naive from a cybersecurity perspective.
“Who is friendly and who is authoritarian? They look the same. A trusted supplier can suddenly go rogue,” if they are the victim of an insider attack or the victim of a cyberthief or espionage agent, Isbitski said.
Isbitski noted, for example, that there is nothing to prevent a hostile foreign agent from getting a job with a major hardware manufacturer. “Recruiting processes don’t check for that. Nothing is trustworthy. It’s not acknowledging the digital supply chain risk. That vision of having a trusted supplier list is unfeasible.”
Chris Hetner, cyber risk advisor to the National Association of Corporate Directors (NACD) and a former cybersecurity advisor to the chair of the Securities and Exchange Commission, said he found that Blinken’s speech was trying aggressively to be comforting. “He doesn’t want to scare the community and say that we’re screwed, but we are,” Hetner said.
Hetner also questioned whether even American vendors can legitimately claim to be entirely trustworthy. “If you’re Microsoft, Amazon, or Google, your platform is absolutely being used by untrustworthy entities,” Hetner said. “Consider ransomware as a service on AWS. There is nothing to prevent that, so what is he saying? AWS has no idea who is on their cloud.”