Defense Secretary Gen. Jim Mattis said on June 15, “We are witnessing a world awash in change, a world beset by the reemergence of great power competition, and we define the categories of challenges as urgency, power, and political will.”
This description of the geopolitical landscape also defines the current state of cybersecurity, and highlights its pivotal role in the massive shift in a large and diverse group of malicious, state-sponsored competitive strategies against U.S. companies.
Concurrently, this risk must be recognized as permeating all aspects of the enterprise and presenting an unprecedented systemic risk.
Every company, regardless of industry or size, is a target of unprecedented risk. In my own work, which focuses on addressing these threats, we define “risk” in terms of probability and consequence; we also manage it in direct and indirect terms. If your business, your suppliers, or your customers rely on the internet, data systems, international banking systems, energy and transportation infrastructure, or any other feature of the interconnected world, then your probability of being attacked is near 100 percent, and consequences may be dire if you are unprepared.
These attacks may come directly, concentrated narrowly against your company, or they may be indirect, affecting the supporting infrastructures that you and your customers depend on.
Every organization, its employees, and our citizens are being methodically challenged unlike any other time in history. If you have trade secrets, innovation, intellectual property, or sensitive data or operations, you are clearly at risk and are targeted for unprecedented theft or disruption. U.S. companies, due to their preeminent position in the world’s economy, have been the target of a massive competitive shift on a scale never contemplated by those who have been accustomed to the protections of international law.
When the dust of the disruption of the new era in global competition settles, there will be clear winners and losers, and potentially significant corporate extinctions. The winners will be those Chief Information Security Officers (CISOs) and C-level executives who took early decisive action against risk—those who recognize that they need to urgently exercise their own power and will to protect their enterprise—today.
Unprecedented risk is risk that permanently shifts the balance of power in the market as it diminishes the competitive advantages of every targeted company. Over time, the cumulative effect is severe, destroying individual companies while disrupting markets, damaging the economy, and weakening our national security.
The primary issue with unprecedented risk for most leaders is the concept that “they don’t know what they don’t know.” If C-suite and board leaders aren’t aware that the game has changed or don’t understand the details of the new competitive strategy being used against them, they can’t compete effectively by responding in time with the correct counterstrategy and tactics.
When connecting the dots—analyzing intelligence, networking with other experts, mining media reporting, and mapping the outcomes of myriad attacks—it becomes clear that adversarial nation-states (China, Russia, Iran, and North Korea, among others) have driven this shift and engaged in mostly under-the-radar events, carefully avoiding actions that would trigger an overt response from U.S. leaders or international institutions.
The overarching strategy is to disrupt the global legal and economic system established by the United States after World War II, and replace it with a system dominated by a few corrupt, autocratic governments. This shift creates unprecedented risk rooted in lawlessness, in the form of highly pervasive economic espionage, information warfare, economic warfare, and cyber warfare, to name only a few.
Unprecedented risk encompasses an increasing exposure to all forms of risk (financial, reputation, strategic, operational, market, legal, survival) while quietly and permanently destroying future competitiveness of American organizations.
The significance of the game-change was underscored recently by FBI Director Christopher Wray, who said on July 19, “China is the broadest, most challenging, most significant threat we face as a country.”
Much of this shift to unprecedented risk has been instigated by cloaking unprecedented economic espionage under other, more peaceful guises like “fair trade” and “collaboration” (estimated $5 trillion each year in total value of stolen American innovation, trade secrets, and intellectual property) aimed at permanent global market domination. Information warfare targets the weakening of political strength, popular trust in core institutions, citizen culture, and resolve.
Russia has dominated the headlines recently by enacting information warfare with election hacking and social-media manipulation. Economic warfare seeks to control and disrupt markets, distort pricing, manipulate demand, and generally undermine competition. Cyberwarfare today is predominantly conducted by nation-states with highly efficient access, theft, and control, based on plausible deniability and recognizing no rules.
These methods are a few of the more than 100 utilized by our trading partners and by economic adversaries of U.S. companies, and they are underscored in the media every day. Allowed to continue unabated, the cumulative effect of unprecedented risk is expected to be the single most significant global event of this century.
Understanding and Winning Against Unprecedented Risk
“Digitization changed everything,” DHS Assistant Secretary for Cybersecurity Jeanette Manfra said at the DEFCON cybersecurity conference on Aug. 14. Defending against unprecedented risk requires a shift in corporate strategy and cybersecurity strategy to include ongoing adversarial strategy and tactics. Even after years of increased cybersecurity spending, attacks doubled in 2017 alone, with well over one-third being successful, illustrating the risk gap that must be addressed by this internal shift.
A hacker only needs to be successful once, while each organization and their suppliers must be successful in protecting their assets 100 percent of the time.
Cyberwar has been correctly termed “the forever war”: we are irreversibly and increasingly dependent on cyber technologies to remain competitive; however, that dependence comes with a disproportionately large risk. The cyber industry’s compounded failings and approach to cybersecurity necessitate an immediate paradigm shift in every organization.
Albert Einstein is credited as saying, “We can’t solve problems by using the same kind of thinking we used when we created them.”
Cybersecurity ceased being an information technology-only function years ago. Today, cybersecurity is a strategic cultural and policy change that must be led by the CEO and board. It is a strategic imperative that must be understood and managed across the enterprise: from the C-suites, board, and shareholders, to the rank and file. Proactive senior leadership involves clearly understanding the genesis of this threat, being engaged in building full corporate awareness, developing asymmetrical threat training, and leading execution against the asymmetrical strategies and tactics of our adversaries.
Leaders understand that any new approach must address the fact that all risks (financial, reputation, strategic, operational, market, legal, survival) are interconnected and must be addressed as an ecosystem, as potential adversaries have done for decades.
We must recognize that we now live in an era of uneven, ruthless, state-sponsored global competition. Many executives don’t understand the totality of the new forces they are forced to deal with.
An informed leadership gains the knowledge edge required to participate successfully in the modern uneven global competitive model. All senior leaders must urgently make the shift in how they think about modern global competition, and that requires recognition of the new reality, a new planning process, a new operational framework, and decisive execution.