What CISOs Need to Know About Geopolitical Risk
InfoSec and Geopolitical Risk are Inextricable
Behind every enterprise security risk assessment, security governance meeting, or security policy is a contemplative CISO working to avert a crisis.
The way we do this as CISOs is by understanding the threat landscape. What is out there that can hurt us? What measures should we take to shield ourselves from those threats?
Understanding the Global Threat Landscape
If you think about it on a basic level, there is no greater threat than uncertainty. As a CISO, you’re faced with a choice between taking command of a threat or ignoring it.
Following the conventional wisdom of “know your enemy,” taking command means getting a grasp on potential attack patterns – this reduces uncertainty.
You may not know whether or when an adversary will strike, but at least you know what kinds of weapons he has in his arsenal and how those proverbial weapons could hurt you.
Similarly, with geopolitical risk, a responsible CISO takes command by understanding the global threat landscape, getting a grasp on potential harm at a macro level – this reduces uncertainty.
You may not know whether or when a geopolitical event will occur, but at least you know what activities could happen and how they could impact your company.
Businesses and their infrastructure are getting swept up in international affairs at a rapidly increasing rate. Numerous studies on the topic corroborate this: at least half of executives surveyed now cite geopolitical uncertainty as a major risk to their business.
We see competition or animosity between nation-states playing out via the theatre of cyberwar. Think of companies as innocent civilians – you don’t have to be at the front lines or even have a stake in the conflict to be caught in the middle.
Earlier this year, the DHS, FBI, and Britain’s National Cyber Security Centre issued a joint warning alerting the private sector that Russian state-sponsored cybercriminals commonly exploit compromised routers (belonging to victims with no connection to the political conflict) to carry out spoofed man-in-the-middle attacks. This method allows the malicious actors to remain on the victim’s network to conduct espionage and intellectual property theft.
This attack pattern amply exemplifies the entanglement of cybersecurity and geopolitics, but we can see even further evidence by the correlation between attack frequency and specific geopolitical events.
Case in point: the weekend after US strikes on Syrian chemical weapons facilities earlier this year was marked by a 2,000 percent increase in Russian internet trolling activity, according to the Pentagon.
The strikes came on the heels of the highly publicized nerve agent incident, both events expediting what was already a quickly worsening relationship between Putin and the US/UK – now playing out in the cyber arena as well.
Take a closer look at state-sponsored cybercrime, and it’s clear that Russia is far from being the sole perpetrator; regimes from China, North Korea, former Soviet republics, and many others have supported attacks – whether directly or by the willful turning of a blind eye.
Armed with the knowledge of which states are carrying out these attacks, how, why, and against what kinds of targets, you as a CISO can start assessing the likelihood of this type of threat by asking whether your company fits the profile of these victims. One way to find out is through a Geopolitical Risk Assessment.
The threat of espionage was alluded to above in the context of adversarial diplomatic relations, but objectives can also be strictly economic with foreign theft of intellectual property.
This cannot be treated in isolation as a technological or simply criminal phenomenon. Doing so is completely unhelpful to understanding the threat motivation here and identifying your own exposure to this threat.
Aside from the rather stark cases, such as stolen US military drone technology later sold on the black market to arms dealers, intellectual property is most often stolen for competitive advantage. The goal is to expedite and cheapen a company’s emergence into an industry in its home country.
Bay Area-based startups in particular continue to struggle against theft by Chinese cybercriminals of IP in the form of source code or proprietary algorithms.
We recommend that, as a CISO, you evaluate your business model. Are you maintaining a platform or producing a tool that a company from another country may want to reproduce?
If you are a CISO at a pharmaceutical company, for example, are your trade secrets (e.g. drug formulations) well-protected? More broadly, it is crucial to ask ourselves whether the IP underlying our product could be attractive to someone from an emerging economy seeking a shortcut, and to operate accordingly.
Geopolitical risk is not only about high-profile international events, conflicts, or shifts; it also encompasses social risk at the most fundamental level. Even if they don’t use this term, any CISO knows that what it refers to sits at the center of information security: the human.
The InfoSec industry has historically gotten this wrong by mischaracterizing the human threat and antagonizing employees rather than empowering them.
We’re starting to see a change, and the notion of social risk helps rectify this by taking a more macro view on the human threat including its motivating factors. Rather than fostering mistrust between CISO and employee, social risk helps a CISO understand the root causes of employee decisions and their behaviors.
To understand how threats to information security are related to social risk, think of Human Resource Security and Security Awareness Training, central and interwoven parts of InfoSec.
Is there a correlation between insider threat and the socioeconomic conditions of your workforce (including contractors)? Answering this question requires reflecting on the motivations behind employee misconduct, or “malicious intent.”
For example, we can associate a higher likelihood of employee theft with pharmaceutical factories located in neighborhoods with higher crime rates, especially narcotic gang activity. We are not just talking about finished goods or raw materials; as mentioned previously, the drug formulations themselves are a type of IP that falls under the purview of CISOs.
To take another example, labor trends and the competitive landscape for attracting and retaining talent can play a role in the effectiveness of your ISMS. One of the most notable cultural shifts in recent years is how employees see themselves. Self-identification as free agents, combined with the related reality of increasingly high turnover, means lower loyalty to the employer.
This cultural trend is most visible in the technology industry but is seeping into other traditional fields as well. Whether it’s an unintentional or intentional insider threat, less company loyalty presents a clear social risk for CISOs.
Vendor Risk Management
Geopolitical risk is perhaps most pertinent with respect to one of the areas that sits in the top row of every CISO’s priority list: Third Party Risk.
In general terms, supply chain and vendor dependencies are inherently susceptible to global risk, as disruptions are often linked to geopolitical factors such as corruption or natural disasters.
This is especially true for those in the manufacturing industry, which can be most directly impacted by geopolitical actions such as the US tariffs on Canadian, Mexican, and European steel and aluminum from May of this year.
A pragmatic mitigation strategy against supply chain disruption is geographic diversification. Bringing it back to your role as a CISO, where the supply chain goes beyond the physical provisioning of goods, you can apply parallel logic to assess the impact on your organization’s information security.
What are the major information security risks in your procurement of the given vendor?
Confidentiality: If they have access to your data, are they handling that properly?
Integrity: If they provide or manage information upon which you depend, how do you know that you can rely on the accuracy of what you receive?
Availability: If they are a critical vendor, and the functionality they provide you with goes offline for some time, how detrimental would that be for you?
Now, overlay these CIA triad considerations with the element of uncertainty due to geopolitical risk. Think about how many of your company’s vendors are either based overseas, conduct some of their operations overseas, or contract their own vendors (i.e. fourth parties) who are overseas. Presumably, geographic diversification would help you here as well.
It should come as no surprise that every company struggles to stay abreast of vendor risk in the first place. Even if they’re succeeding at reviewing every new vendor, what about monitoring regularly thereafter?
Taking command of geopolitical risk in this context expands the list of “Ifs” for supply chain disruption, unlocking a much-needed perspective on vendor security.
Operationalizing Geopolitical Risk
It is generally thought that geopolitical risk considerations belong at the senior executive level. Certainly, geopolitical risk (GPR) is important to major corporate strategic decisions and problem-solving, but not exclusively so.
Geopolitical risk applies up and down the organizational chart, and as guardians of information security, CISOs have a responsibility to draw these linkages and get a grasp on the uncertainty of macro global threats.
Key Takeaways of Geopolitical Risk for a CISO
Being a responsible CISO means getting a grasp on potential attack patterns by understanding the global threat landscape in order to reduce uncertainty.
At least half of executives surveyed now cite geopolitical uncertainty as a major risk to their business, and indeed, we see competition or animosity between nation-states playing out via the theatre of cyberwar at an increasing rate.
A geopolitical risk assessment will help you identify whether your company fits the profile of a state-sponsored attack or espionage target.
One facet of GPR is social risk, which helps a CISO understand the root causes of employee decisions and behavior with regard to information security.
In third party risk, CISOs should overlay the CIA triad considerations with the element of uncertainty presented by geopolitical risks such as supply chain disruption due to corruption, natural disasters or tariffs.
GPR is not limited to the executive level; it applies up and down the organizational chart.