Why You Should Care About Cyber Geopolitics
“Anytime you have a geopolitical conflict now you see its reflection in cyberspace” Kenneth Geers, NATO Cyber Centre Ambassador
What is Cyber Geopolitics?
Traditional geopolitics focuses on the study of space, which is considered as a stake. Geopolitics put in light the power at stake on a territory. Thus, the focus on territoriality, people, and networks are central to the analysis of geopolitics.[1] Nevertheless, in cyberspace, some of these concepts, such as the territoriality or sovereignty are difficult to capture, as they are no longer tangible.
Cyberspace, which is a network, is the newest battlefield to join the ranks of sea, air, land, and space where the same power issues exist. As put by Karl von Clausewitz, while “war is thus an act of force to compel our enemy to do our will”, the powers in competition in the cyberspace are looking for the same advantage as in the traditional fields: influence. Therefore, the notion of cyber geopolitics is still closely associated with power, which is a multiform concept (e.g. soft power and hard power), evolving and complex. [2]
To put it simply, cyber geopolitics is the study of cyberspace considered as a stake. Therefore, there is the research of power and influence in this digital world, with all the intertwined realms such as the economy, diplomacy, and energy. Plus, cyber geopolitics is closely related to data, the research and collection of it as information is power and cyberspace offers a new frontier to capture it.
Keep in mind that we are living in a digital era in which a new, lucrative, and fast-growing commodity has gained tremendous importance: (big) data. As explained in a series of articles published by The Economist, big data is the new driver of growth and change, and by extension power and influence, like oil was in the last century.[3] Before, countries wage war to access those resources, nowadays they are in competition to access to big data. Big data is based on the four V’s: volume, velocity, variety, and value.
Essentially, it is an extremely large amount of digital information being processed very rapidly.[4] This data can be, for example, turned into thousands of different scores or values and used for analysis regarding the business of the user.
Thus, although there are some differences between traditional geopolitics and cyber geopolitics such as the notion of frontier or territory, some fundamentals stay the same such as the research of influence and power but moreover is the wish of control the flow for example the flow of resources like oil and gas but also the control of the flow of data. Infrastructures are the backbone of the flow of data. There is a stake of power and digital sovereignty and rivalry exist at a different level: states, companies, organizations, and individuals to control the flow of data, norms, security, and diffusion of a model of thought.
Like naval strategist Alfred T. Mahan said in his famous “The Influence of Sea Power Upon History,” national prosperity and power depend on the control of world’s sea-lanes: Whoever rules the waves rules the world.[5] In the 21st century, whoever rules the data rules the world.
Why should a security leader/CISO care?
Different threat actors can target companies: script kiddies, hacktivists/cyber terrorists, criminals and state-sponsored actors. By far, state-sponsored are the most dangerous ones as they perform APT (Advanced Persistent Threats) which are long-term, stealthy, complex and targeted cyber-attacks using a combination of techniques and tools.
In cyber geopolitics, information continues to be a backbone of decision-making. As information is power, the more of it, the better the decision. Therefore, state-sponsored groups are craving for data and companies can be the target of these well-skilled groups as a direct source, a proxy or collateral damage. This is why CISOs need to be aware of the geopolitical and cyber geopolitical context of their company.
There are numerous examples where private companies have been impacted by states cyber diplomacy or tensions. In 2007, Estonian banks and public infrastructures experienced a DDoS attack on online services. Then, in Ukraine, a variety of domains were targeted by elaborate and complex cyber-attacks (diplomatic, business, military, social, political and critical infrastructure). In 2017, the US government banned the use of Kaspersky products within its network. The current Huawei issue is the most recent examples of cyber geopolitics where geopolitics are mixed with politics and economics.
The impacts of a cyber attack are:
Legal
- Government fines because you breached a rule or a law
- Class action lawsuits by your clients because you did not protect their data
Financial
- Business stoppage because you cannot continue your service while being hacked
- Forensic investigation to understand what happened
- New software/hardware to buy to restore your service
Reputation
- Loss of public credibility
- Loss of clients for companies
- Loss of data/know-how for institutions and companies that can be copied or reused
- Loss of information that is reused or resold
- Loss of identity that can be reused for malicious acts
- Blackmail to manipulate you
- Layoffs of responsible persons
What should they do about it?
There is a need to understand that investing in cybersecurity is a way to ensure the business’ continuity. A cyber incident will ultimately happen anyway, the question to keep in mind is “are we prepared?”. The ultimate aim is to have the necessary resilience to absorb the impact of the cyber attack/incident to continue the daily business, protect the company’s crown jewels and customers.
Thus, an equal focus is needed on the TPP triad (Technology, Process, People). Investment on these three pillars will ensure the best readiness and resiliency. There is a need for equilibrium to be able to support the business and avoid the negative impact of a cyber incident.
Will things get worse in the future?
Yes. This is because the time/effort vs. benefits is always in favor of a cyber attack. Companies are more and more connected and shifting their businesses to the cloud, which increases the amount of data that is hosted outside their internal perimeter, which offers new possibilities for hacking.
Cyber geopolitics and, to another extent, cyber warfare through cyber attacks highlights asymmetry and advantages of offense towards defense as cyber defense is really expensive (think about the technologies, the processes to put in place and the people needed to be trained). Malware is cheap to develop or buy and the attack surface of a target is always wide if we consider the network of a large company or state. There will always be a vulnerability to exploit because a patch is not managed properly, an employee looks for convenience and does not follow the security process, or because of a zero-day for example.
Moreover, it is way cheaper and more efficient to launch a cyber-attack at a company where innovation and R&D is a driver of its business to steal blueprints or commercial secrets that invest millions on R&D without being sure that they will pay off. Finally, the rivalry between states, such as the USA and China, will not diminish and tensions between regional hegemons will allow for more cyber-attacks especially since there are no real consequences to cyber attacks as no international authority is policing these acts.
“Cyber warfare is not going to deliver defeat or victory. But is going to play an increasingly important, even literally vital, role as an enabler and force multiplier for the modes of warfare that do draw blood and break things.”[6]
[1] LASERRE Frédéric, GONON Emmanuel, MOTTET Eric. “Manuel de géopolitique : Enjeux de pouvoir sur des territoires”, 2ème édition, Armand Colin, Paris, 2016, p. 15
[2] VERLUISE Pierre. “Géopolitique – La puissance : Quels sont les fondamentaux”, www.diploweb.com, 10 nov 2013, https://www.diploweb.com/Geopolitique-La-puissance.html
[3] The Economist. “Data Is Giving Rise to a New Economy”, The Economist, May 6, 2017
http://www.economist.com/news/briefing/21721634-how-it-shaping-up-data-giving-rise-new-economy
[4] LUTERBACHER Celia. “What’s the Big Deal About Big Data?”, Swissinfo, June 15, 2017
https://www.swissinfo.ch/eng/explainer_what-s-the-big-deal-about-big-data-/43219660
[5] MAHAN Alfred Thayer, “The Influence of Sea Power upon History: 1660-1783” Little, Brown and Company, Boston, 1890
[6] Gray S. Colin, « Another Bloody Century : Future Warfare», Phoenix, 2005, p. 328