Cyber Geopolitics and You

by Mario Solis Burgos

geopolitics, cyber threats, the CISO, and the Board

What’s happening now is that the ever-existing power struggles and conflicts that usually take place on land, sea, air, and space are now taking place as well in the network of Cyberspace. 

As Carl von Clausewitz said, “War is merely a continuation of politics by other means”, so state actors naturally look to influence and exert their power and domination, as they always have, in Cyberspace as well, first through (cyber geo) politics and later, if necessary, through (cyber) wars. 

In laypeople terms, cyber geopolitics deals with the study of cyberspace as a field where political power struggle and efforts to maintain hegemony take place. Naturally, then, state actors will seek to exert power and influence in it through the use of economic pressure, diplomacy, negotiation, the domination of strategic sectors, and cyber conflicts. It is ultimately a competition for land, energy, and resources taken into the network of Cyberspace. 

But, what would be the equivalent of land, energy, and resources in Cyberspace’s power struggle? Cyber Geopolitics is very closely linked to big data. Collection and leverage of data, information, knowledge, and wisdom grant you power (at least in theory), making Big Data the new oil. Cyberspace offers a unique and whole new cyber oil field to be exploited. 

Remember when countries used to go to war over oil and other energy resources? I am sure you do since they’re still going at it as I write these lines. However, and in addition, nowadays they are competing as well, ever so more fiercely, to access Big Data resources. This is the field where the next wars will be fought, most industry experts and analysts believe. 

Among the usual suspects, we have cybercriminals, hackers, and state-sponsored actors, the last ones are by far the most dangerous ones, given that they have the capacity and resources to perform what is called APTs or Advanced Persistent Threats. APTs are long-term, stealthy, and highly complex and targeted cyber-attacks that used a powerful combination of different techniques and tools.

As big data is the new oil, information continues to be the main pillar of decision making in any enterprise. Information is power, says the old adage. The more of it you can get your hands on, the better the decision making, in theory. Consequently, state sponsor actors pro-actively seek to capture valuable data, which in most cases is -not so well guarded- in the hands of businesses and companies. This is why a CISO needs to be aware of the cyber geopolitical environment and context in which her company operates.  

In his book Cyber Threat, Cyber Geopolitics and Security expert MacDonell Ulsch explains it clearly: “The cyber threat is a board of directors’ issue. Yet when some senior executives and board members hear the word ‘security’ or ‘technology’ there is a disconnect. They think it’s not their issue. Let the technology people deal with it. Let the security people deal with it. Although there is evidence that this perception is changing, we have a long way to go. The word ‘cyber’, they are starting to get.” 

Understanding and Investing in cybersecurity should be a Board issue because it is a way -probably the most important way, to ensure the business’ continuity. A breach or cybersecurity incident will happen anyway, and the one important question to keep in mind is “are we prepared for it?”. It is unfeasible for a business to have 100% Resilience against cyber attacks. That is being impenetrable. A more sensible aim would be to have a high level of resistance to attacks, that is to be able to absorb the impact of the cyberattack and be able to continue operating the business (business continuity), protect the company’s major assets, and protect its customers’ data and privacy. 

“How do you get people in the workplace to pay attention to information security? Answer: Make it personal and tell them what’s in it for them. The question may then be asked: how do you get the board of directors and executive management interested in information security? The answer is much the same. Make it personal and tell them what’s in it for them. Effectively managing risk is personal. Information security is personal. We don’t always interpret it that way, but it is.”

“The Chief Information Security Officer (CISO), in tandem with others, will have to create this momentum, along with the general counsel, chief risk officers, and others. “The focus of information security and cyber risk management is heading in the right direction.” according to M.J. Vaidya, CISO for Americas at General Motors and an adjunct professor at New York University’s School of Engineering. “The role of the CISO is clearly changing and growing, “ he says. “The CISOs of today have to embrace ambiguity, focus on risk, build relationships throughout the organization, gather intelligence, and consistently innovate.” from the book Cyber Threat.  MacDonell Ulsch 

What the future holds in terms of the development of cyberspace is basically unpredictable. However, it is clear that our security response and approach must be a collective and global one, spanning across sectors and industries, government and private enterprises, the CISO, and the Board. The threat is imminent and action must be taken now.