DEV Community

Green I/O

#35 - Cybersecurity and sustainability: friend or foe? with Mary Prokhorova and Michael J. Oghia

⚙️Cybersecurity and sustainability do share a complex relationship! 
The two approaches share commonalities, such as grappling with resistance from teams and executives and prioritizing resilience, but they also seem to split in notable ways such as constant updates in cybersecurity impacting bloatware and equipment obsolences. 

🎧In this episode Gaël Duez invited two experts on the field, Mary Prokhorova from InDevLab and Michael Oghia from Datacenter Changemakers, to discuss the nuances of cybersecurity and sustainability’s relationship.

🔎Some few takeaways from their conversation are:
💡the critical role of IT infrastructure in modern business processes
💡importance of protecting critical infrastructure to avoid environmental damage and societal impacts
💡significance of investing in digital infrastructure to support the green revolution and highlighting the impact of climate risks on both physical and digital security

❤️ Subscribe, follow, like, ... stay connected the way you want to never miss an episode!

📧 Once a month, we deliver carefully curated news on digital sustainability packed with exclusive Green IO contents in your mailbox, subscribe to the Green IO newsletter here

📣 Green IO next Conference is in Singapore on April 18th (use the voucher GREENIOVIP to get a free ticket) 

Learn more about our guest and connect: 


📧 You can also send us an email at greenio@duez.com to share your feedback and suggest future guests or topics.   


Mary and Michael's sources and other references mentioned in this episode: 




Transcript


Gaël Duez 00:00
Hello everyone. Welcome to Green IO with Gaël Duez. That's me. Green IO is the podcast for responsible technologists building a greener digital world one byte at a time. Every two Tuesdays, our guests from across the globe share insights, tools, and alternative approaches, enabling people within the tech sector and beyond to boost digital sustainability. Because access and transparent information is in the DNA of Green IO, all the references mentioned in this episode, as well as the transcript, will be in the show notes both on your podcast platform and on our website greenio.tech, cybersecurity and sustainability it has been a while since I decided to have a dedicated episode on the complex relationship between the two. On one hand, the two approaches share some common features, such as not always. Being an easy sell to teams or. Executives, or their common emphasis on resiliency. On the other end, there are some areas where they seem to go the opposite direction. Security requires regular updates, having an impact on both bloatware and equipment obsolescence, resident equipment increases the environmental footprint of infrastructure, and so on. Quite a lot to cover in this episode, so I wanted to bring two experts on board, Mary and Michael, with different angles of approach. Mary Prokhorova is the founder and CEO of InDevLab and also the co-founder of Servi5, which is specialized in cybersecurity products. She's based in Ukraine, where she can unfortunately experience firsthand and on a daily basis the vital importance of cybersecurity. Mary has a specialized education in software design and development and is currently pursuing a Ph.D. in software and cybersecurity. So right on the spot with our topic. Michael Oghia is a consultant, editor, and ICT sustainability advocate working within the digital infrastructure, internet governance, and media development ecosystem, currently as a Partnerships Manager & Co-producer, at Datacenter Changemakers at Datacenter Forum. In a nutshell, he knows a lot about sustainability, infrastructure, and resiliency. And a fun fact, he was one of the first persons I connected to almost three years ago when I started my journey into sustainability. It was obvious to me that I wanted him on the show at some point and voilà. Better late than never. Welcome both of you to the show. Thanks a lot, Mary. Thanks a lot, Michael, for joining Green IO today.

Michael J. Oghia 02:40
It's my pleasure. Thank you so much for inviting me, and indeed, it's been a long time coming, so I'm very grateful to finally be here with you.

Mary Prokhorova 02:52
Yeah, thank you. Nice to meet you all.

Gaël Duez 02:55
Okay, so to start maybe unwrapping all the different topics, Mary, what do you think about the parallel I draw between cybersecurity strategy and sustainability strategy not always being the top priority and the way teams will handle it? It's important, but it's obviously less important than delivering or providing new features or whatever. Can you comment on this? Do you agree? Because you've got a lot of experience with different companies, is it something that you've noticed also or not that much? 

Mary Prokhorova 03:29
Of course, I agree. I think that cybersecurity will be a part of sustainability. The main focus will be on sustainability, sustainability for a working model, for general organization development, and general impact on this world. I mean, not only like ecological impact, I mean like something more that organization could bring to our people. Maybe it's also mind-changing. It's also focusing on more important things for our nature. But the general sustainability will also based on security tools. If we are talking about sustainability, for example, for critical infrastructure, if we are talking about electric station or about heatric electric station, we're also about talking about how it works with IT infrastructure. And do we have a risk if something breaks from IT infrastructure, this infrastructure still works and will have not any ecological strategy for nature. It's, for example, from my side, from my experience, I have situations when cybersecurity and it infrastructure have a very big impact on manufacturing. In this part of Europe. We have a lot of manufacturing that work, for example, with windows, with plastic, with different tips. And the station was next something went wrong in infrastructure. And all this manufacturing was stopped. I mean, logistics was stopped, and production was stopped. A lot of plastic was broken. And do you know how much plastic they need to utilisate more than one ton per day? So you understand how much trouble it is for nature and you don't know how to reduce this plastic. So it's also about how infrastructure could and cybersecurity could influence to general production and general ecological questions.

Michael J. Oghia 06:14
I completely agree with Mary's point there, and I wanted to say something very similar in my remarks throughout this episode as well, that there are many different ways that we can kind of paint this argument. Where is the intersection between cybersecurity and sustainability? And one of them that Mary just mentioned is very prominent, which is that if you are a, whether it is a business or a factory if you are struck by an attack, depending on what you're doing or what you're making, you might be then left with a lot of waste or a lot of byproducts that you cannot then produce, you cannot use. So what do we do with that? So I think that's a very specific element that is kind of relevant to this intersection, but that is definitely one of them that I had thought of as well. And if you think about this from many different angles, if you think, okay, well, if you're a factory producing something, let's say, related to plastics, as Mary mentioned, that could be a source of waste. But everything that requires something to be fixed, anything that requires something to be addressed, that is additional carbon emissions, that is additional resources being used to fix a problem that didn't need to happen. It only happens because of often malicious actors, whether state or non-state. And thus it's just one more layer to our very complicated, complex world that we live in that I think is very relevant to this discussion.

Gaël Duez 08:00
I fully agree. And actually, that was an angle I didn't pay attention to before. I was focusing a lot on resiliency and critical infrastructure, like Mary said, on electric power plants. But I never pay attention to it. Yes, actually, when you've got a cyber attack that could create a lot of waste and byproducts that you absolutely do not want. Okay, let's deep dive into this resiliency approach. Because I think sustainability and cybersecurity are very much related when it comes to resiliency. Mary, maybe you want to elaborate a bit on this one.

Mary Prokhorova 08:34
Yeah, yeah, for sure. I also want to focus too that modern business having its part inside. And it's a very nice point to focus on because if we are talking about digital, business development, about business growing, we are also talking about IT infrastructure and IT systems development and growing for this business. And all our modern business is growing with their internal IT system. It doesn't matter whether is it an on-premise solution or a SaaS solution, is it Microsoft Office or your customized CRM system. So if you want to grow, you need to also to develop your IT part. And if you do not secure your IT part, you will not secure your business processes. These business processes are based on all these IT tools. I mean like CRM, like Riverside podcast recording, like email, like your personal data in social network, et cetera. So that's why it's very nice to understand for business how much part they have in these business processes. And what's the influence of this IT part on their modern IT process and for future IT processes? Why I also mentioned about future, because we are right now in era of artificial intelligence and the part of this artificial intelligence will be more bigger each day. And also we need to understand where we could use this tool for our business automatization, digitalization, et cetera. And where we need to protect our data from this big smart machine. What I want to say, is if we want to grow, if you want to make a sustainable business, you will use IT tools, IT instruments, IT platforms and sustainable IT infrastructure. If you want to build sustainable IT infrastructure, you will need to focus also on security questions. When we are talking about increasing security for each organization, first we are talking about hardware and about IT infrastructure, about cloud, about servers and about networks. So if we are talking about companies that have their own IT solution for the market, we're talking about software security. Also, we need to be sure that this software is also secured from internal and external attacks. So if we are talking about how to check this software, you need to provide a cybersecurity audit or penetration testing. Penetration testing is the method when you try to hack this software. And there are three methods like black box, gray box, and white box. And they depend on how much information about this system that you want to hack. How much information do you have? If you have low information, it's a white box. If you have nothing, it's a black box, a gray box. It's a mixed something.

Gaël Duez 12:39
Have something, not the gray box, just Mary, sorry to interrupt you. Just to make sure to understand. Gray box is more the situation where you want to assess the exposure to an internal threat. Like an employee having access to some information, but not all information. When you use the gray box situation, is it this kind of situation that? Do you want to test?

Mary Prokhorova 13:02
Yes, it's one of the cases. Only one, because Gray box was used also with employees that were in your company and that lived in one or two years and tried to hug you because they are not happy. It's a real case when your previous employers do have not good thoughts and they are not happy and they are connected with your enemies and trying to hug you and provide them corporate information about your general structure.

Gaël Duez 13:45
And let's start with maybe one example, which is the bring your own device question. We know in sustainability that the more we mutualize, the better it is. But obviously, when you start with this first layer and actually this fifth layer that Mary described, using that much personal equipment might be good for the planet, might be good for the environment, but that causes some issues with cybersecurity. So we see this tension between cybersecurity and sustainability. Sometimes they're fully aligned and sometimes they're a bit opposite. What are your take on it?

Michael J. Oghia 14:18
Okay, this is a good question because I don't see bringing your own device as it could be incompatible with sustainability, but it doesn't necessarily have to be. It doesn't mean that the company let's say, or whatever entity doesn't have any options, they can choose a partner like Fairphone or refurbish older devices that could work, for instance. I think I definitely understand that there is often perceived as a trade-off between sustainability and cybersecurity, but I don't think there necessarily has to be. There is a neutral way forward in some ways. But I think also recognizing that as something that Mary said, which I think is very important, too, that sustainability and cybersecurity go hand in hand. And they're very complementary in many ways, because the more you're investing in your own cybersecurity, the more you can also think about how you're making your organization sustainable and resilient. And so, yes, going back to the bring your own device question, that's a big question. And I can't say, aside from what I've already said, that I have a specific solution to that because I've never technically worked on that. I would say it really depends also on the needs of the company or of the entity in question. But I would also really suggest then that if let's say, a CTO is saying, no, there is no way that I'm allowing my employees to come in with their own devices, I would then say, okay, well, is there a way that we could provide refurbished devices? Is there a way that we could provide some kind of, maybe we can go and buy devices that are already manufactured or whatnot, so that we're essentially creating less demand for new products, something that's already been made? If you go get a phone, for instance, that was manufactured three years ago, even if that's new to me, that's less wasteful than being like, okay, we're going to provide you with the latest iPhone or whatever, or the latest Android. On the other hand, too, getting a refurbished device can also come with its own positives, such as a lot of times, older devices have a lot fewer bugs because those bugs have already been worked out. So perhaps there are already good security patches and whatnot. But then again, I also recognize that security is a constant cat-and-mouse game where just because you're on top of things, well, somebody is trying to get right ahead of you. So this is a complex question that I think each company or each organization needs to step back and think, well, what are our options?

Gaël Duez 17:24
So it's interesting because what you're saying is obviously, if you need to invest in redundant equipment or if you cannot allow your employees to bring their own device, it will come with the cost, and you can mitigate this cost with refurbished equipment, et cetera. On the other hand, what you also say is in general and the devil is in the details, but in general, the older the better in terms of cybersecurity. So this kind of sentence that you hear all the time, how we need to update, we need to update, we need to upgrade. Because for cybersecurity reason I think it's not that obvious, isn't it?

Mary Prokhorova 18:06
I was born in a family who have a small own business with computers. And with all this equipment I was growing between monitors, between hearts, like video cards, mother plates, et cetera. So my first toy was this hard storage. And my parents were very deeply involved in hardware. And they talk like news, not mention it like the better. And also they mentioned it like if you buy a new device, you will receive new bugs and new issues and you will not use this device a full power. Currently, I'm working in cybersecurity and its field and I could say that they were right. But if you come back to your question, the truth in the middle, you don't need to waste your time for ten or 20 years to renovate your equipment and software. But it does not make sense to run for the latest update. Because also if you are talking about hardware, for example, personal devices, we have artificial absolutions. If I could correct when we need to buy the new stylophone to the new droid, more new laptop, et cetera. But also we receive this hardware with new software that has a lot of bugs, and a lot of new issues. And it does not make your job, your work easy. You will meet a lot of these tips and very fucking bugs in each device. But also I have met in my practice, I couldn't say names because it's a government structure. When they still work in 2015 with equipment that was bought in 1990 years, all these computers and the light test version of the operation system was Windows 97. And they still work. It's not a zoo, it's a park of moments, really stone era.

Gaël Duez 21:15
Interesting that you mentioned Windows because that's a big debate among cybersecurity, security, and sustainability communities about them stopping the maintenance of Windows 10 pretty soon for security reasons. And we're talking about millions, dozens of millions of equipment that might not be compatible anymore. So what you're both saying is that it's actually not the best way to enforce cybersecurity. We know that it's definitely not the best way to enforce a sustainable world. But it might also be a bit counterintuitive to say that it's not the best move to enforce better security for Windows users. Am I right about Windows eleven?

Mary Prokhorova 22:03
Currently, I see a lot of mistakes in the current system, and my colleagues are also trying to work on this system, on their personal devices. And they have a lot of questions and a lot of proposals on how to fix it. And the biggest one is to drop down and stop Windows 10 and stop any updates from Microsoft for a half year. It's also about sustainability. Sustainability for your personal work because if you can't work with your laptop, with your operational system, and to provide any your digital products, it's not useful, it's not sustainable, maybe.

Gaël Duez 22:56
Michael, so we talked about resiliency from one angle, which is the environmental impact of a cyber attack, for instance. But they are much more about resiliency than just this. Could you maybe explain a bit more? Why are you both a resiliency expert and a sustainability expert when it comes to its infrastructure? How do you mix the two in your professional life?

Michael J. Oghia 23:20
This is a great question because I see resiliency as being one of the core ways that cybersecurity and sustainability interact. So how is that the case? One is that infrastructure security is really critical to, for instance, the energy transition. So this is one thing that we need to take into account. You're asking me kind of, how do I see this coming together? The Nord stream attacks in 2022 are a great example of what happens when there is a significant attack, whether it's cyber or physical, on infrastructure that leads to environmental damage, essentially a detrimental impact on the environment. So in this sense, critical infrastructure resiliency is absolutely important. And of course, cybersecurity, to me, includes physical security, and it includes the more technical, let's say software-based kind of security, where, okay, how do we protect our hardware, how do we protect ourselves from software-based attacks? But also, if somebody is trying to cut a submarine cable between two countries, that is also what I would consider a cyberattack. We can debate the semantics or the nomenclature as much as we want, but that, to me, is really relevant for a few reasons. One is because when infrastructure is damaged, alternatives have to be found. If energy infrastructure in particular is attacked, then that means that alternatives have to be found. So let's say a lot of solar is coming online. It is attacked via a cyberattack. In other words, let's say that solar provider is not investing in their cyber resilience, and cybersecurity, then that solar plant might go offline, which means what happens? We might have to start a coal plant. So, do you know what I'm trying to say? In other words, if we're not investing in making ourselves secure, then we have to find alternatives to meet demand. And because the energy companies are prime targets because they have a lot of.

Gaël Duez 26:07
Money.

Michael J. Oghia 26:10
Because they're so critical to society, ransomware gangs, for instance, have been targeting them a lot. And it just means, for instance, that we need to think about how our infrastructure fits into the larger place in society and how protecting them is really vital. Because it's not just about keeping a company online to protect its own stock price or things like that, which is fair enough, but it's also about, well, again, if we're not using solar energy because we can't access it for a week, that means that we're probably relying then on fossil fuels, which are easier to ramp up within an energy system or whatnot. These are the ways that I see cybersecurity as really interacting with or really intersecting with sustainability. Sustainability is the sustainability considerations, being the impact of cyberattacks, the lack of investment in cyber resiliency, and ultimately kind of creating instability that then leads to situations that have not necessarily been planned for or damage to the environment and damage to society.

Gaël Duez 27:29
But that's super interesting. And as you say, there's a lot to unpack. But there is also another angle that I'm wondering how interesting it is, which is building resilient IT systems is also good in the face of climate risks. My point is, that good old SMS should be way more resilient sometimes than authentication via an apps, for instance, because it requires 3G, 4G, 5G, or whatever. And what about climate risk? Do you believe that climate risk is also something that will require us to build a more reliable, more resilient IT system or not?

Michael J. Oghia 28:17
Well, yes, for many reasons. One is that we talk a lot about the green revolution. We talk a lot about the digital revolution. Digital and green revolutions go hand in hand, and you really can't have one without the other. Why? Because much of the green revolution is powered by, for instance, IoT devices. Internet of Things. The Internet of Things is notoriously insecure, which means that the more that we invest in the green revolution, the more we need to also invest in the digital revolution to make sure that they can stay on par with one another. So that's one way that I think there's a bit of a climate risk. Number two is obviously physical infrastructure, which, again, may not fall under a more traditional definition of cybersecurity, which tends to focus on, okay, but are our computer systems more resilient? Is the code less exploitable by malicious actors? That's a very tight definition, a very narrow definition of cybersecurity. But I consider cybersecurity also. Well, what is happening? What about the physical security of our infrastructure? So I remember a few years ago, I saw an article floating around about how a lot of the subsea landing stations on the coasts are at risk of being inundated by water with rising sea level because of rising sea levels. It just goes to show how the environment is very much obviously connected, very intricately connected to the digital and the cyber components. And so as we face more climate risk, as we face more sustainability challenges, it's going to impact the digital either at the physical security layer, such as with coastal or undersea infrastructure, or it's going to impact potentially, let's say, the digital layer, the cyber layer, or whatever you want to call it, the software layer because we're going to be relying on more and more devices to help us manage the increasingly complex system that we're using to deal with the 21st century. But yet that system might be deeply insecure because of the kinds of devices that we're relying on. So, again, that's why it's complex because a lot of these pieces fit together, but they're not always necessarily being given the same kind of weight.

Gaël Duez 31:13
And, Mary, is it something that you agree with, having a broader definition of cybersecurity to incorporate also all the infrastructure and all these new risks?

Mary Prokhorova 31:23
I could only support Michael. And if you are talking about also cybersecurity, we understand that cybersecurity protects all our know-how, all our digital assets, and tips. We need to focus on saving our products from different streets, not only from a human, but maybe from not special destroying, because it's also 100 of service computing people's minds and general coding, design, et cetera. So if we are talking about sustainability and resilience for people at all, we also need to secure their knowledge.

Michael J. Oghia 32:23
I want to mention two things that I think are really relevant to this conversation. One is that we spoke about waste, but there is also something to say that we haven't focused that much on, which is that the lack of cyber resilience, the lack of real cybersecurity protection for especially critical infrastructure providers, is deeply important to the environment. Why? We already have examples where environmental pollution is either being caused or could be caused by either the hacking of something like a dam, a hydroelectric dam, I mean, or, for instance, in 2021, hackers infiltrated a water treatment plant in the US state of Florida, which allowed them to change the chemical levels of the water supply remotely. Thankfully, that was found and addressed before it could cause any damage. But these kinds of attacks on water and wastewater treatment plans are happening elsewhere in the US. It's happened in Australia, it's happened in Israel. And so

Michael J. Oghia 33:37
there is precedence for this, not to mention other attacks that have happened in Iran and elsewhere. So that is seriously something to think about, that a facility could be compromised and that can lead to water, soil or air pollution and other, and not just pollution, but serious toxicity, toxic release, that could really seriously damage communities and its surrounding environments. So this is something to consider that this is a very real and present threat at the more macro level to the infrastructure in general. Now, something that I would like to say to also support some of the things that Mary has discussed from a company point of view, is that I think companies, in particular, must-see cyber resilience as closely connected to their environmental, social, and governance strategy. This is absolutely something that impacts their bottom line. It impacts the people who work at their organization as well as their clients, their customers, and their community in that way. And it really comes down to making sure too, that a company can speak to regulators, can speak to shareholders and say, look, we are taking this very seriously and we are protecting and preserving the value of our company and the stability of the society that we are contributing to by taking this seriously and by really protecting our data, protecting our systems and protecting, obviously, one of the most important things that they have, which is their customers trust in them as provider or as a vendor.

Gaël Duez 35:33
So we're reaching the end of our episode, a very rich and complex episode. I think that the word complex must have been said at least two dozen times. But this is a reality of the world, and this is a reality of cybersecurity and sustainability. So before we stop, I would like to ask you my traditional question, which is, would you share a piece of positive good news about sustainability or maybe about cybersecurity, your choice?

Mary Prokhorova 36:05
In the last year, I have seen a lot of startups with very interesting concepts that merge cybersecurity, sustainability, and green technologies. I mean, also new concepts for data centers, for computing centers where they have a close ecosystem, for cooler water heating, for citizen computing, and all this very interesting part for world data centers where they not only heat our environment, but they provide some new warm water for customers. I also say very interesting project about equipment utilization, I mean hardware storage utilization, because it's a very important point about data destruction when you want to destroy very high-level security data, you need to destroy equipment. And I saw a very interesting concept and working machine and working equipment where they destroy all this equipment in dust, like real dust. And it's very interesting and very nice for our environment also and for general reducing. So I saw that a lot of startups, and most of them are from Europe, are thinking about new nature and new communication between digital equipment and nature. And all these startup founders are very young generation people, up to 35. And also I see very interesting concepts from schoolers, from very young guys like 15, 18 years old. And it's very nice to see such smart minds who are thinking about sustainability not only for business processes but for more long-term periods. So as for me, it's nice news. It's nice news that we are working not only on the digital ecosystem, but we trying to connect our digital ecosystem of this equipment part with our physical world and to make this whole ecosystem much smarter, much more sustainable, and much more from an ecology angle safety.

Michael J. Oghia 38:51
So two things I'll just very quickly reply to Mary, Gaël and then I'll reply to your question. But I have to say, Mary, I completely agree with you. I do agree as well that cyber risk and cyber resiliency are becoming more of a front-of-mind topic across the ecosystem. And I think it's really good that people are starting to recognize, or I can't say people are starting to recognize, but I'm glad that companies, especially governments, are saying, yes, this is really a priority and it's something that we're going to be putting resources toward. And I hope that continues to answer the question that you posed. Gaël, I have to say in general, especially on the sustainability side, I skew more toward the pessimistic than the optimistic when it comes to bright notes and whatnot. But there are a few. First, I would be remiss if I didn't say that there are a lot of really interesting things happening on both the security side and the sustainability side within the Nordics. I've been working on the Nordics for the past two years. The Nordic data center sector is growing exponentially and it's combining a lot of really good natural features, such as its cold climate, with really good people who are working on things like integrating data center heat waste into the district utility grids, who are working on a lot of innovation. So the Nordic data center sector is something that I think is really a bright spot for that intersection between sustainability and security. But then I think the second that is also a bit of a bright spot is the rollout of renewable energy and more serious conversations about nuclear energy as well, especially in Europe. I don't see renewables and nuclear as being opposed. I see them as complementary. And obviously one of the kinds of common denominators across the energy sector, whether it be renewables or nuclear, is security. Cybersecurity is physical security. So I think for me I hope that there will be continuous positive momentum. I would rather be pleasantly surprised and wrong versus correct than live with the impacts of my pessimism, which is a very much worse world to live in.

Gaël Duez 41:33
Oh, thanks a lot, both of you. That's a very nice closing statement. Michael, thanks a lot. And thanks for joining Green IO. A lot of insights are being shared today on a topic that I'm not that familiar with. So I thank you for your time.

Michael J. Oghia 41:46
Thank you for having us.

Mary Prokhorova 41:47
Gaël, thank you for the invitation. 

❤️ Never miss an episode! Hit the subscribe button on the player above and follow us the way you like.

 📧 Our Green IO monthly newsletter is also a good way to be notified, as well as getting carefully curated news on digital sustainability packed with exclusive Green IO contents. 

Episode source