News: 1730190548

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Five Eyes nations tell tech startups to take infosec seriously. Again

(2024/10/29)


Cyber security agencies from the Five Eyes nations have delivered on a promise to offer tech startups more guidance on how to stay secure.

The Five Eyes nations – Australia, Canada, New Zealand, the UK and US – are best known for their unusually close intelligence-sharing arrangements and joint commitments to defend each other's interests. But in October 2023 the group participated in a [1]summit at which they outlined the extent of the threat posed by Chinese IP theft and delivered five principles to "better inform innovators around the types of threats we face and what they can do about it."

Those principles were not rocket science:

Know the threats – understand the potential vulnerabilities that might put your product or innovation at risk.

Secure your business environment – create clear lines of ownership around the management of security risks in a business. Appoint a security lead at board level who factors in security considerations into decisions and initiatives.

Secure your products – build security into the front end of your products by design. This will help protect your IP, make your products more marketable and ensure your products don’t become a supply chain vulnerability.

Secure your partnerships – make sure the people you collaborate with are who they say they are and can be trusted with your IP.

Secure your growth – be aware of security risks as you expand, such as hiring new people into positions of trust and managing risk around entering new markets.

More than a year later, member nations' infosec agencies have expanded on the principles with a joint campaign that offers advice on how to put the principles into action.

In the UK, startups can reference a three-page [2]infographic [PDF] or video. Canada has delivered a [3]guide for tech investors .

[4]

New Zealand has done rather better with a 33-page [5]advisory [PDF] that offers basic procedures for improving security and responding to incidents.

[6]

[7]

The United States delivered [8]five documents , including one that outlines risks that are prevalent during travel abroad. That document recommends ensuring phones can be remotely wiped, employing on-device encryption, and considering only carrying essential data while travelling.

[9]Five Eyes tell critical infra orgs: Take these actions now to protect against China's Volt Typhoon

[10]Five Eyes nations warn Moscow's mates at the Star Blizzard gang have new phishing targets

[11]Australia building 'top secret' cloud to catch up and link with US, UK intel orgs

[12]Five Eyes intel chiefs warn China's IP theft program now at 'unprecedented' levels

Australia has served up a [13]Secure Innovation Placemat [PDF].

The wide variance in the documents is by design: each Five Eyes nation chose its own approach, although the campaign is a coordinated effort that is billed as "consistent and consolidated advice reflecting both the globalized and interconnected tech startup ecosystem as well as the global nature of the security threats startups face." And everybody uses placemats.

Whether this advice will break through the "move fast and break things" culture that many startups nurture is anyone's guess. The Register has reported on security and resilience troubles in the early years at [14]Uber and Lyft , [15]GitLab , and [16]at OpenAI .

[17]

It might take more than PDF checklists to prevent similar issues in future. ®

Get our [18]Tech Resources



[1] https://www.theregister.com/2023/10/18/five_eyes_china_espionage/

[2] https://www.npsa.gov.uk/sites/default/files/2024-08/si-digital-ipdf-quick-start-guide-interactive-v8.pdf

[3] https://www.canada.ca/en/security-intelligence-service/corporate/publications/secure-innovation-investors.html

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/cybersecuritymonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZyDAWf9jyF4FcyWCI7VRBQAAAEg&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[5] https://www.nzsis.govt.nz/assets/NZSIS-Documents/Secure-Innovation-Security-Advice-for-Emerging-Technology-Companies.pdf

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/cybersecuritymonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZyDAWf9jyF4FcyWCI7VRBQAAAEg&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/cybersecuritymonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZyDAWf9jyF4FcyWCI7VRBQAAAEg&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[8] https://www.dni.gov/index.php/ncsc-what-we-do/secure-innovation

[9] https://www.theregister.com/2024/03/20/five_eyes_volt_typhoon/

[10] https://www.theregister.com/2023/12/08/five_eyes_star_blizzard_warning/

[11] https://www.theregister.com/2023/12/07/australia_top_secret_cloud/

[12] https://www.theregister.com/2023/10/18/five_eyes_china_espionage/

[13] https://www.asio.gov.au/system/files/2024-10/Secure%20Innovation%20Placemat.pdf

[14] https://www.theregister.com/2015/10/09/lyft_uber_hacking/

[15] https://www.theregister.com/2017/02/16/gitlab_responds/

[16] https://www.theregister.com/2024/07/08/infosec_in_brief/

[17] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/cybersecuritymonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZyDAWf9jyF4FcyWCI7VRBQAAAEg&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[18] https://whitepapers.theregister.com/



As long as security is

Guy de Loimbard

Playing second fiddle in the business it will often be overlooked.

In my experience to date, Security is seen as a cost centre and is reluctantly funded in some organisations, in others, it's front and centre and is well funded and invested in as business leaders see the indirect benefits.

To be fair, the guidance is a solid place to start, but the messaging is often not getting through.

If you're going hell for leather in the tech space, security is not the first thing that is being considered.

Five Eyes

Anonymous Coward

The Physical eye, the Heavenly eye, the Wisdom eye, the Dharma eye, and the Buddha eye. Right?

Re: Five Eyes

Anonymous Coward

No, it's an organism with five eyes, one head and half a brain.

Re: Five Eyes

Mentat74

Does this organism's head happen to reside in it's rectum ?

Again

Doctor Syntax

Given that Barnum's rule applies to startups more or less by definition then such advice will have to me offered again and again.

Clear the laundromat!! This whirl-o-matic just had a nuclear meltdown!!