When someone says, “I’ve got something I want you to see that’s unhackable,” there’s usually a catch. It’s a photograph of a computer, right? Or a sculpture. Or a computer on the floor with its plug pulled out of the wall.
But Scott Coleman wasn’t kidding. There really is technology that’s unhackable. But there is a catch. It’s not a regular computer. Some people may see that as a problem; others see it as a solution.
Coleman is the VP of marketing at Owl Cyber Defense, and he recently conducted a briefing about the company for TAG Cyber analysts. He began with a coronavirus analogy that centered on safety.
In today’s world, people are distancing, isolating and separating themselves in order to stay protected. The delivery companies are providing a one-way service so that the general population doesn’t have to go out to get their goods. Instead, they receive them remotely. This is the same principle that Owl’s technology uses to protect the U.S. government and critical infrastructure around the world. By physically separating digital assets (databases, intellectual property, intelligence) and equipment (turbines, refineries, pumps), the company that owns them becomes invulnerable to attack.
However, Coleman continued, in this ever-connected, always-on world, information needs to be shared and devices need to report on their activity, whether to a customer, HQ or the cloud. Still, like the Covid delivery method, the best way to keep assets safe is to physically isolate them while allowing data to flow one way: out of the secure network to those who need it.
How They Work
Owl Cyber Defense was founded in 1999 and is now headquartered in Danbury, Conn. The technology that it’s been using for decades is called a data diode. Data diodes enable a secure transfer of data across network boundaries, with absolute assurance that nothing can get back into the protected network.
Imagine a flashlight sending light to a solar panel. The flashlight can send light and the solar panel can receive it, but the solar panel cannot send light back and the flashlight cannot receive it. In a data diode, light (data) is sent over a fiber optic cable, but there are no components to send light back. This guarantees that, unlike a firewall, a data diode can’t be hacked.
They’re used anywhere people care about the security of their network, data and devices. Examples include financial services, transportation, manufacturing and critical infrastructure like nuclear power plants, hydroelectric stations, substations, telecommunications equipment and oil refineries. They’re also used extensively to transfer information for government programs, which can include classified and confidential information—or the kind of information that lawyers need to protect for their clients.
Why is the one-way transfer so important? Unlike a firewall, which restricts but ultimately allows data to flow in and out of networks—and creates threat vectors into networks that are exploited every day—a one-way transfer completely seals off access, Coleman explained.
Two-way communication is convenient and allows for tremendous flexibility, but it also makes computers vulnerable to unwanted intrusion.
When Lawyers Find Them Useful
Data diodes, on the other hand, are secure. But they don’t satisfy every business need. For example, a highly transactional, two-way operation like a cash register, which may need to check balances for debit cards and to authorize credit card charges, requires two-way communication. However, once those transactions have been processed, Coleman said, they should be segmented and isolated so that hackers can’t access stored personal information like credit card and PIN numbers.
Data diodes are great at locking away data that should never be released (as in a data vault), and at protecting a repository from intrusion while data is being shared. Lawyers may want to pass client information into a secure space, for instance, that can only be accessed by designated individuals who are preparing for a trial. The data diode can deliver it without fear of a hack, Coleman said.
He cited one example that involved Owl’s XD Bridge, which is normally used by the federal government, but in one instance was used to secure source code that was key evidence in a class action lawsuit. The equipment was leased for seven years, he said, as the case made its way through the legal system. Each side was able to read the code when necessary, but could not remove or change it. It was critical that the original evidence could not be tampered with or modified.
When you think about all the dangers that software introduces into the picture, Coleman continued, you realize all the headaches that a hardware-only environment eliminates. No firewalls with configurations that need to be updated. No zero-day vulnerabilities to worry about, no security patches to attend to. And no ransomware attacks. It’s hardware that can run for years without intervention and without fear that it is no longer secure because of a new virus or a human mistake in the configuration.
While prices can vary widely depending on the amount of traffic, most customers outside of the government use solutions from the low end of the spectrum because, unless you’re protecting a whole nuclear power plant, data transfer requirements tend to be fairly low. A low-end solution that should easily satisfy most law firm data transfer requirements, Coleman said, would start at around $5,800. Those units can drop as low as $3,000 if a customer is buying 50 or more for something like a pipeline or large refinery.
Larger, faster units can run $15,000 or more for facilities that manage lots of data and require interfaces to many devices.
For lawyers, the value equation is less about better cybersecurity—everyone needs that. It’s more about how your organization conducts business, manages its network and whether it properly segments data to allow access only to those who have a need to know, Coleman said. And then it’s a matter of whether the diode, with both strengths and limitations, can best accommodate those needs.