Interview

Goldilock: raising the cyber drawbridge

In an exclusive interview, Goldilock’s new strategic adviser for defence, Sir Chris Deverell, discusses the need to confront cybersecurity protocols as the company launches its new physical security layer, ‘Drawbridge’. John Hill reports.

The global cybersecurity market is forecast to enjoy considerable growth through the rest of the decade. Credit: Shutterstock/Michael Traitov

What happens if an organisation is forced to turn off their network due to cyber threats? It is a daunting prospect, but all too familiar in a world operating through the internet.

Cyber resilience is not just about using a layered defence to prevent your network from being compromised; it is also about giving an organisation more control over its network, so that it can determine its connection to cyberspace at will.

A British cybersecurity start-up, Goldilock, established in 2020, aims to innovate the layered defence of sensitive digital assets by giving organisations more agency to respond to threats proactively and reactively. The company’s patented, non-IP controlled (without internet dependence) solution, which it calls ‘Drawbridge’, is a physical hardware device that enables a physical disconnection of digital assets and networks remotely, making them inaccessible to adversaries.

In early September, Goldilock announced that it had secured a $1.7m seed round led by New York Angels and Harvard Business School Alumni Angels of Greater New York. The funds represent confidence in the start-up’s physical network segmentation approach, which Tom Hirschfeld, a member of both investor groups, said “delivers a level of safety unmatched by any other solution on the market”.

General Sir Chris Deverell, former UK Joint Forces Commander, recently appointed as Goldilock’s Strategic Adviser for Defence. Credit: Goldilock.

Of course, such a product will prove useful to the global defence industry, due to the sensitive nature of the data that organisations must manage. This recently prompted Goldilock to appoint General Sir Chris Deverell, the former UK Joint Forces Commander (now Strategic Command), as its strategic adviser for defence.

In an exclusive interview, Deverell explored the questions government and commercial organisations must ask themselves when safeguarding their data; where Drawbridge fills the gap in cybersecurity; the vulnerabilities of the Internet of Things (IoT); and gave some specialist advice to start-ups when approaching government procurement agencies.

Turning off your network, what happens now?

Typically, most organisations have cybersecurity protocols and procedures: a base-level security capability to protect their intellectual property.

“I am sure that those procedures and protocols cope with a lot of things, but I am less sure that they have thought about turning off the network,” Deverell noted. “Usually because it’s such a nightmare to do: the act of doing it, which server controls, which bit of the network, etc.”

In contrast, Drawbridge sits among the customer’s security stack as another layer of defence, ready to disconnect their assets remotely. However, Deverell also points out that institutions and companies protecting their data must think about their security procedures more closely. 


“The complication that companies, defence departments and the like need to think about is, how do I adjust my processes to recognise the fact that I now have this additional layer in my layered defence?” Deverell explained.

Deverell said that the presence of Drawbridge as a kill-switch within a stack subsequently forces people to think about the cybersecurity issues at hand.

“How many organisations have thought through what happens if we turn our network off? Now they already have that potential need, but they haven’t necessarily described a process. Who needs to know? Who decides? Under what circumstances do we do this? What else do we have to do if we do this? What’s our balance between risk and availability?” Deverell detailed.

“These are questions that every organisation should be going through but don’t often do. But I think the presence of the Drawbridge will create that opportunity.” 

Vulnerabilities with the Internet of Things

The world is becoming increasingly integrated, and this comes with some weaknesses from a cybersecurity perspective. According to Deverell, connectivity is not confined to computers, laptops, and servers, but also includes a range of “operational devices” that connect to the internet in order to supply data about the performance and availability of systems.

This sparse network of devices is known as the IoT, which is an umbrella term used to describe the use of connected sensors and systems to control and monitor the environment, and the things and people that move and act within it. 


GlobalData’s thematic intelligence report on the Internet of Things in Defence (2023) details that IoT applications in defence are wide-ranging and include health monitoring, augmented reality, remote training, gaining situational awareness using drones, vehicle management, target recognition and many more.

Smart sensors can be used on military equipment to give data on system health and whether maintenance is needed. Israel Aerospace Industries, a global defence supplier, and Odysight.ai, an Arizona-based predictive maintenance company, recently developed a health monitoring system for UH-60 rotorcraft. This system of systems helps reduce operating costs and downtime for military equipment, as the sensor can predict when a breakdown is imminent.

However, this IoT proliferation has also raised concerns. Interoperability and increased information sharing heighten the cybersecurity threat, as there are more access points for hackers, and the interconnected nature of IoT means any attack could have devastating consequences.

The Internet of Things will see all kinds of devices connected to the network, which brings its own security challenges. Credit: Shutterstock/DadBusiness

Nonetheless, GlobalData estimates global enterprise IoT market revenues will reach $1.2trn by 2027; the market is forecast to grow at a compound annual growth rate of 15.1% between 2022 and 2027.

“A lot of its systems are connected over the internet via the IoT,” Deverell continued. “Traditionally, the devices that are used for this task are far less protected from a cybersecurity point of view than your MacBook and let alone a website, so they are very vulnerable as a result.

“You can use relatively simple code in many cases to take control of devices that can often be really important to critical national infrastructure, water systems, traffic systems, air traffic control, hospitals. A lot of these things use the IoT too to move data around, so they understand the status of their systems. The IoT area is an area of great vulnerability.” 

Bringing experience from a former customer into the private sector

Previously, Deverell served at the heart of the UK Ministry of Defence (MoD) in Joint Forces Command, now known as Strategic Command: a service that manages allocated joint capabilities across the three main Armed Forces (British Army, Royal Navy, and Royal Air Force). This cross-disciplinary domain includes the digital realm, in which a lot of modern warfare is taking place.

As Joint Forces Commander, Deverell said that he saw “a lot of the threats that were present”, experience which, even though he retired in 2019, was still relevant.

“Broadly, all that’s happened in the intervening period is that the threats have increased,” Deverell maintained. “Threats come from hostile states and from non-state actors, some of those non-state actors are essentially protected by hostile states.

“So, if they’re a state actor, that biggest need or desire is espionage. They want to discover things about us by penetrating our networks, without us knowing that they’re there and exfiltrating data from our networks.”

My understanding of how defence works can act as a translation function for them and increase the probability of their success.

Sir Chris Deverell

Threats were not confined to governmental agencies or departments but included the full scope of the defence industry.

“If you’re a manufacturer of Britain's next generation of armoured vehicle you will have in your network, data, you will have a lot of information, classified information about that armoured vehicle, and that is of use to the enemy,” Deverell said.

Goldilock will also stand to benefit from Deverell’s government perspective as he advises the start-up on best practice when pitching concepts to the MoD, which is known for its inclination toward larger, more trusted industrial partners.

“It is true, that Departments of Defence generally, and this is not just a comment about the UK but of all Western Departments of Defence, and I daresay non-Western as well, it is true that they are used to dealing with large prime contractors,” Deverell explained.

Given this, start-ups and smaller contractors often find it difficult to find their way through the labyrinthine corridors of defence procurement, which, according to Deverell, is why such companies turn to people such as himself to help them navigate the process.

“The first thing I tend to teach start-ups is not to get too enthused about innovation money because there’s a valley of death between research and development and being in service. So, recognise innovation money for what it is: it’s useful, and it’s an initial step on the road, but you do need to go further and secure core programme contracts,” Deverell stated.

With the cost of global cybercrime set to reach $10.5trn annually by 2025, and cybersecurity revenues reaching $344bn worldwide by 2030, the opportunities for companies operating in this sector appear considerable, if the right connections and understanding of defence can be garnered.
