How to Account for Geopolitics in Your Cyber Risk Analysis

In October 2016, the DNS provider Dyn was hit by a large distributed denial-of-service attack, launched mostly from the Mirai botnet of compromised consumer IoT devices. Because Dyn resolved the domain names of many large US service providers, those services became unreachable for hours even though their own systems were untouched. The purpose of the attack remains unclear; neither money nor confidential information was stolen. But the demonstration of force, and therefore the strategic effect, was huge, so much so that some pundits described the attack as a “dress rehearsal” for bigger things to come.

Increasingly, companies are subject to cyber attacks with political motivations. Whether the target is an electric grid or the control systems of a steel mill, private companies of all sectors can be an easy remote target for politically motivated cyber attacks arising from complex geopolitical conflicts in which they play no part. They can be attacked by states, organized crime groups, patriot hackers or terrorists who seek to exert strategic influence, demonstrate capabilities or frighten populations, often with a huge media impact. As a result, companies can suffer severe damage to their information systems and substantial direct and indirect costs. This strategic shift has major implications for the way private companies should assess cyber risks and cooperate with the public sector. Businesses need support and expertise to strengthen their understanding of the geopolitical underpinnings of the cyber landscape. The question is how to integrate this dimension into their risk analysis models.

Most companies already have a risk management function in charge of analyzing cyber risk exposure. Even though this difficult process has improved significantly over the last few years, it often remains a purely internal exercise that does not draw on external intelligence about who the likely attackers are and why they would strike. Integrating geopolitics into risk analysis requires two steps:

  • Encourage academic research and public-private dialogue in order to build this expertise. Study attack campaigns (share sensitive data, work jointly on attribution, bearing in mind that attribution is rarely certain and is itself often politically contested). Share knowledge and methodologies in order to integrate the cyber component into geopolitical context analysis and measure exposure to politically motivated cyber risk. This includes mapping infrastructure, access to and control over data flows, strategies of influence, and power relationships between actors (Internet and service providers, governments, non-state actors, intermediation platforms, contractors, etc.).
  • Operationalize this expertise and develop information sharing with peers. Create incentives to overcome the obstacles to sharing, work on scenarios, and run cyber crisis exercises with a geopolitical component in which state actors take part (defense, diplomacy, agencies for the security of information systems). Information sharing could be institutionalized through a threat intelligence platform supported by a public-private partnership.

For companies, this collective effort would lead to an improved cybersecurity posture and allow for better-targeted spending and a sounder risk transfer strategy. It would lead to a clearer sharing of responsibility and liability between companies and states. Companies would be better equipped to foster and influence the development of appropriate norms of responsible state behavior, and possibly sanctions, in order to raise the transaction costs for attackers and deter such behavior.

A better knowledge of the geopolitical underpinnings of the cyber threat landscape, including the potential attackers' identity, motives and skills, would deny them some of the advantages of cyber attacks, namely impunity and relative ease. In the long run, the global impact of cyber threats would likely decrease.