Nation State Cyber Threats: Facts or FUD?
Increasingly, governments are taking action to reduce the cyber risk from foreign technology firms. But is this justified — or based on fear, uncertainty and doubt?
Over recent months, a consistent theme in the media has been the threat posed by Chinese security and network solutions. It’s unsurprising that the birth of China as a modern post-industrial giant strikes fear into the hearts of many — particularly countries and companies who would rationally see China, or its industry, as a threat. It’s also entirely reasonable to assume that foreign agencies will use espionage to obtain a national advantage — after all, most countries have a long history of doing just that. China or Russia may well be less reserved about it than others such as the USA or Britain — but it is not new.
Nation state Cyber Security threats have crept upon us quietly over the last decade. Only in the last few years have governments started to openly acknowledge the systematic nature of the threat and the serious focus it requires.
The birth of cyber-regionalism that is now leading to the separation of data flows, technology providers, and services was some time ago, yet only now is it becoming visible through national approaches to data privacy, government procurement, and economic policy. Russian internet controls, the split of TikTok’s US operations, and the challenges of transferring data outside the EU under GDPR all underline the emerging approach of leveraging data and technology policy for political, economic and social ends.
This then becomes a justification for greater investment in the cyber security arena, for public debate on more invasive defence measures, and often for reprioritisation of national defence programmes, to serve a very real, tangible defence against what is now an ever present and current threat.
However, the nature of many current headlines makes it reasonable to conclude that too much of the current global cyber security agenda is now being sold on Fear, Uncertainty and Doubt — the same ‘FUD’ that the Information Security profession has spent the last few decades trying to shed.
The furore around Huawei is a perfect example — by virtue of its nationality the company has been blocked from bidding for contracts in several countries, and has been subjected to such criticism that picking a Chinese security supplier must now seem to many western businesses like an act of treachery. Yet whilst there is every reason to be concerned about a new era of technological nationalism, there remains little or no hard evidence in the public domain to suggest that the products of any one individual supplier constitute a threat.
Continuous espionage attempts have always taken place, and always will. The only thing that has changed is the means, and ease, of doing it. That does not justify escalating espionage attacks to the status of ‘war’ simply because they are committed with computers, but we nevertheless need to acknowledge that some systems could be leveraged to underpin cyber aggression against a designated target. To assess this risk, we need a more mature debate that moves away from FUD and towards an evidence-based approach.
What is required to address the underlying threat is not a focus on fear, but a consistent resolve across governments to build security into the national business model at every step, in an evidenced and objective way. This is not an exciting answer. Security is like accountancy — invisible and boring when it works, all-consuming when it doesn’t. Responding to cyber threats does not require a global panic, but simply the building of security into how we all operate organisations and live our lives, and the development by governments of high expectations across both government and industry.
Could a rational caution about nation state actors be going too far and closing the door to technology that could offer a competitive advantage? With not all the facts in the public domain, it is a hard question to answer. Certainly, however, any corporate IT or cyber security leader attempting to build a business case on the back of unclear or insubstantial evidence would expect a less than sympathetic hearing from their board.
The worry remains that some government agencies may play on fears that may appear unfounded, or at least unproven. By doing so, we risk undermining the case for national cyber security when it most matters — just as selling fear, uncertainty and doubt in business for decades has made it harder to sell worthwhile investment in cyber security today. Execs are tired of being told to hide under the table. Quite rightly, they want the facts.
The current low readiness to protect against cyber threats will not be solved by vast central programmes and costly cyber-weapons alone, but by rejecting cyber as a tool for economic protectionism, being as clear as possible about the evidence behind current threats, enforcing consistent expectations, and building awareness and technical competence into everything from primary school curricula to the expectations for today’s corporate board members.
The strategic geopolitical cyber challenge will not be solved by FUD, but by education and transparency. The only question is how long it will take before we are ready to start down that path.
About the author
Matt Palmer is a recognised technology and cyber risk leader. He has led global technology and cyber security functions across banking, insurance and capital markets — often through change and M&A. He is director of boutique cyber strategy and risk advisory firm Cyberclaria, a board advisor to several fintech startups, and a board member of a financial services regulator. Both an accountant and a technologist, Matt has presented at many international conferences and was awarded Security Leader of the Year in 2018.