The Geopolitics of Cybersecurity
With Black Hat over and DEFCON26 ramping up, cybersecurity is once again having a moment. Despite the many breakthroughs, and the potential dangers debated and tinkered with at these events, talk of (geo)political risk is minimal, and focuses mainly on the issue of attribution (such as figuring out which state sponsored a major hack). Polls indicate that 50 to 70 percent of executives name “geopolitical risk” as a top 5 concern for their businesses — and about the same proportion of executives list cybersecurity as a top concern as well.
For most people in the cybersecurity realm, the technical half of the equation is clear. But the geopolitical element is increasingly important, and less tangible to those who’ve spent their career in the digital realm. Location — geographic, and not just virtual — is critical to a successful cybersecurity strategy. Tariffs, sanctions, trade wars, and embargoes affect supply chains that are being unevenly transitioned to blockchains. Data regulations, like GDPR, govern the flow of information within and across national borders. Specific brands of hardware and software, like Huawei and ZTE, created in China are banned from certain US government sites. Geopolitical tensions are upending decades of status quo, and companies are struggling to understand how these issues affect them or expose them to greater risk. While major corporations can and do recover from major hacks and (geo)political crises, small and medium size enterprises could be hobbled or destroyed by them. Most political risk firms focus solely on major corporations, largely ignoring small and medium sized firms with smaller budgets for this insight, so there are few people to turn to for help. Despite the pace of change in the geopolitical realm, stunningly few acknowledge or address the nexus between cybersecurity and geopolitics, the challenges that lie before them, and the opportunities they let slip.
Bank vaults do not get robbed so bank robbers can practice their lock-picking skills. They are targeted for what the thieves expect to find inside them. What does this have to do with geopolitics and cybersecurity? Hackers — both state-sponsored and non-state, similarly choose their victims based on the data they believe they can steal. And they know companies’ data vaults are always “full”, and often poorly protected. Despite the fact that companies often know what data they collect, they understand little about its value to different types of nefarious actors, how much of it is shared with third parties, and the extent to which they are exposed — all because they largely ignore the element of (geo)political risk.
As followers of my work know, political risk is an oft-misunderstood concept that gets lost within a cloud of business buzzwords. It is most commonly misdefined as the risk faced by investors and companies operating in emerging and volatile markets. I take a different, and more robust approach, one that helps me advise my clients of both the risks and the opportunities. I define political risk as any change in a company’s business and security environment within a country. Similarly, geopolitical risk is any change in a company’s business and security environment that involves a cross border issue. I prefer the terms political and geopolitical flux, since these better capture that emphasis on change, allowing for the inclusion of positive developments, not just dangers.
Cybersecurity is best understood within the (geo)political flux umbrella — it is the need to safeguard digital assets from negative changes that can affect operations, and the chance to strengthen the ability to deploy digital assets better when opportunity strikes. By viewing cybersecurity as a vulnerability within a company’s exposure to (geo)political flux, companies can develop a much more cohesive approach to their cybersecurity strategies and practices, and more easily take advantage of opportunities. Practical steps include: identifying exactly what types of data you collect; understanding who else has access to it and for what purposes; performing due diligence on vendors and partners; reviewing outside access (such as to researchers and third party apps) on a regular schedule ; and training and testing employees to ensure best practices are followed.
Every member of a firm — from CEO to smallest vendor — has a role to play in cybersecurity, but typically only the CEO and a risk or threat manager worry about (geo)political flux. To use a cybersecurity metaphor, this is akin to having the CEO and risk manager use passwords, while all others access the same or related information with no security whatsoever. To better protect yourself, you need to know who is likely to target you, why, and how. Everyone in your organization must understand how they may exacerbate their exposure and what role they have in shoring up vulnerabilities. It’s not enough to just say everyone is being targeted all the time, since that sort of blanket acknowledgement yields precious little in terms of specifics to drive practical policies. You should be able to answer specific questions, but first you need to know to ask them.
These questions are often simple:
- Do we have information that someone could use to find unmapped sensitive sites, like military bases and personnel residences identified via Strava and Polar Flow’s geolocation data?
- Does our work with government agencies make us an attractive target for activists looking to publicize government misdeeds, or insurgents fighting the government?
- Do we have a cumbersome content management system, leading frustrated employees to use personal devices, email sensitive documents to their personal accounts, or upload them to poorly secured cloud storage sites that might be targeted by those looking for data on particular groups of people?
- Are employees half-listening to lectures on good operational security, and half-following them, avoiding hotel room WiFi only to use hotel lobby WiFi or unsecured lobby computers?
- Are employees or vendors leaving themselves vulnerable to not-to-sophisticated, but often successful, social engineering schemes?
And there are more complicated ones:
- Do we know if a foreign partner is linked to their government or organized criminal networks, or if a foreign vendor might be a front for a foreign intelligence service?
- How do we deal with the reality that all companies in China are required to share information with, and support the missions of, China’s intelligence services?
- Do we understand how our messaging service could be used as a way to spread heinous rumors, leading to violence and deaths, like Whatsapp in India?
- Is the judicial system in a country we just entered strong enough to allow us to prosecute those who hack our systems or steal our intellectual property?
- How do we ensure compliance with data demands by repressive governments, while protecting our consumers?
- Are we in compliance with GDPR regulations that require disclosure of breaches, and have we strengthened our own disclosure policies about reporting to the board, etc?
- How can we use our data to help solve wider problems where our users are located, such as by enhancing tech literacy, or helping users understand which data will likely be shared with, or demanded by the government?
All of these questions should be answered well before things start to go wrong. The best way to do all this, (and what I do in my practice) is using interactive simulations that allow everyone in a firm to grapple with crises or unexpected developments, as well as see, feel, and understand their role within the area of overlap between cybersecurity and (geo)political flux. Because they are tangible, and conducted at company headquarters, with individuals performing their real-world jobs, using their real systems, these experiences are much more effective than a report only a risk manager reads, or an employee handbook that is skimmed at best. These experiences stay with employees, and empower them to take initiative in identifying vulnerabilities, anticipating opportunities, and creating new, and better, best practices that people will actually follow. They then do more than safeguard their passwords and devices- they suggest and implement a spectrum of solutions to address vulnerabilities and strengthen capabilities.
As I like to say, crises have an expiration date. How one responds to a crisis can either speed up that date, or extend it. Interactive simulations, which help companies grapple with possible issues in a safe environment, help avoid reckless reactions, like we recently saw with McKinsey. As a top-five management firm embroiled in a corruption scandal in South Africa, McKinsey was already facing scrutiny, but when news broke of their work with Immigration and Customs Enforcement (ICE), anger spilled over. The firm’s leadership, clearly too hasty in their rush to respond, issued a sweeping statement claiming they would never again work with any group that violated its values. The statement came as a surprise to many, given McKinsey’s deep ties in China, where a repressive regime known for violating human rights and disappearing people who anger it. If the firm had truly involved the right people in their decision-making, they could have issued a better reasoned statement.
The goal of this work is not to predict or prevent every possible crisis or problem, but to have prepared for a large spectrum of possible events, with well-considered processes and responses ready to be customized to a particular situation. The experience allows everyone who participates to then create cohesive and well thought out approaches to the various types of flux the firm is likely to encounter, tailored from the perspective of each of their roles. Knee-jerk reactions or existing yet unacknowledged issues do not then further exacerbate a crisis, and everyone knows they have a role in the process. By having all employees engaged in the development of these procedures, and aware of their role in addressing the firm’s exposure to (geo)political flux, they are better empowered to succeed, and navigate the aftermath confidently, instead of feeling destabilized by the changing winds.
Milena Rodban is an independent geopolitical risk consultant and simulation designer. She is completing her first book, Geopolitical Flux. She can be reached via Twitter (@MilenaRodban) or email (firstname.lastname@example.org).