It's Time for Cybersecurity to Talk About Climate Change

BLACK HAT USA – Las Vegas – Wednesday, Aug. 9 – In a summer where extreme weather across the globe has intensified discussions around climate change and what to do about it, cybersecurity has been somewhat mum on the subject. But the reality is, there are plenty of steps that the infosecurity community can take in order to do its part.

That's the word from Chloé Messdaghi, head of threat research at Protect AI. In an interactive community session today at Black Hat USA, entitled "Climate Change and Cybersecurity: Building a Resilient Future," she laid out the relationship between climate change, cybersecurity, and promoting environmental sustainability, and lobbied for an ongoing industrywide discussion on the topic.

During the interactive Q&A, she covered five main areas where the industry can move the needle to cool the warming planet, including the carbon footprint of infosec, reducing energy consumption, sustainable procurement, protecting critical infrastructure from climate-related disasters, and supporting renewable energy systems.

"I really hope we can come up with some collective plans, from the private sector perspective, for tackling some of this stuff," she tells Dark Reading in an interview. "We need to acknowledge how we play a role in making things a little bit worse, in areas like the usage of data centers, and e-waste, and even our love for swag. And also, AI takes a lot of energy."

Making a Difference With Climate Initiatives

When it comes to where the cybersecurity industry can most immediately make a positive difference, Messdaghi cited electronics recycling and e-waste as relatively low-hanging fruit.

"Say your company is getting new laptops or new machines," she explains. "It's possible to donate those to a local school or library, for instance, instead of having them go into a landfill."

Marketing materials and giveaways for trade shows and other events is another area where the industry could see a quick green return on investment.

"People don't realize that when you go to a conference, the majority of the freebies and giveaways are all made from plastic — even the T-shirts that you think are cotton," she says. "It's plastics everywhere when it comes to swag. And of course, we still need to do sales and marketing, but there are ways to be better about it — whether that's sourcing goods locally instead of exporting them to international shows or offices, or paying attention to what things are made of."

While many vendors do have sustainability programs, it's important to make sure they're not just lip service, she adds.

"There is this thing called greenwashing, when companies will have sustainability reports, but if someone were to ask questions and poke holes, they would find that the ESG [environmental, social, and governance] rating is not equal or equivalent to what they're actually doing."

Messdaghi acknowledges that addressing some of the other areas of concern, such as reducing security companies' data center footprints and energy consumption that goes along with powering the cloud and running processing-intensive artificial intelligence programs, will be tougher to get going on.

"There aren't frameworks in existence for making green changes, there aren't regulations or standards when it comes to climate change and cybersecurity. So until we have something like that, I don't see us changing things where it becomes so easy for everyone implement."

Cybersecurity Needs to Talk Climate, Loudly

One of the main positive changes that Messdaghi would like to see sooner rather than later is the development of a robust, vocal open dialogue between industry stakeholders on climate change.

"We just don't talk about it," she says, "beyond corporate announcements of sustainability pledges. But the reality is that climate change is also a risk management issue," as floods and excessive heat and other natural disasters take out facilities and create operational chaos that threat actors can exploit. "There are more than a couple of ways to push for this."

She adds, referencing climate change denial and the chilling effect that controversy around the topic sometimes engenders, "It's going to take a whole of industry effort, and we are going to have take this out of the political realm eventually. Nobody actually disagrees that cybersecurity in general takes a lot of energy. There shouldn't be a political position on that, any more than there's a position on the temperature at which water boils."

She notes, "I do have hope that the people that attend the talk will also become vocal about the need to change. It has to happen."