Cyberspace: a new buffer zone and the rise of the CISO Politicus.

In the previous century, Internet started out as an open network, enabling scientists to exchange information. Internet nowadays is a zone of conflict and disinformation, where actors attack each other without attribution and social media is being used to influence democracies and public opinion. And now even the very fabric of cyberspace is being weaponised. This requires new leadership from CISO’s (Chief Information Security Officers).

Internet as a free zone

Internet as a commercial zone

Information security professionals became familiar with protecting businesses in that economic zone by learning from what it took to secure businesses in the real world: they developed capabilities like fraud detection and DDoS defences, and many others, to protect the businesses they worked for, while adversaries translated criminal modus operandi from the physical world to cyberspace.

With the growth of the cyber-economy, nation states felt the need to extend their control over it. The rise of big tech companies, which used session management on the Internet to build profiles of people and earn huge amounts of money, also showed how the Internet can be misused to rally large groups of people and influence democracies. Nation states tried to regain control over cyberspace by extending their legal frameworks to it, for example with data residency requirements. And some, like the European countries, tried to protect values like privacy by creating strong regulatory frameworks such as GDPR.

Internet as a buffer zone

I think cyberspace is now being used as a buffer zone between nations. It is a zone where countries can make offensive moves towards other nations without initiating war and without attribution. Companies should realise that their strategies to do business in cyberspace (“become digital”) mean that they move their business into a buffer zone, into a war zone. And when nations impose sanctions on other nations, those sanctions are often executed by companies in cyberspace. This holds in particular for the financial industry, which often implements sanctions by blocking payment transactions to individuals or to countries as a whole. That means that companies not only do business in a buffer zone; it also means that companies are actually making the offensive moves. They are the troops. It is important that companies realise that their digital strategies can make them targets in geopolitical conflicts.

Security professionals working for those companies need to figure out how to protect their companies, their data and their customers in that new zone, realising that their companies can be weaponised and that their customers and suppliers can and will be weaponised. This new Internet is not a benign zone, nor an economic zone. It is a buffer zone where wars are staged. And now the fabric of cyberspace itself (its protocols and its governance) is being weaponised by state actors too: for example by deleting domains from the global DNS system, changing routing tables and untrusting certificate authorities. It is as if, in old-fashioned wars, generals conquered territory by changing the flow of rivers or the positions of mountain ranges to gain an advantage over the enemy.

What new capabilities do we need to add to the Internet to allow information (and hence people, processes and activities, like businesses) to be safe? What new defence mechanisms or tactics do CISOs need to deploy? The situation in Ukraine clearly shows that speed is of the essence. The time to act is now.

From CISO Universalis to CISO Politicus

So what to do? It is wise to, again, look at the real world. Information security professionals should learn basic military tactics like deception, disinformation, traps, pincer movements and false flag operations, and start designing cyber equivalents. It is time to mature cyberspace, to make it fit for the role it is going to play next. The Internet has grown from a benign science zone to an economic zone and is now acting as a geopolitical buffer zone. Information security professionals play a pivotal role in our national security and need to start building defences.

Information security professionals must become fluent in and connected to the political game. They should get acquainted with military strategies and intelligence. They should assume a pace-setting attitude towards resource allocation. Business decisions should no longer be the only driver of security investments and priorities; external and political developments must drive them too. CISOs will need to translate those into requirements that should be treated on par with or above discretionary business requirements. Companies should realise that a digital strategy means they can become sanction enforcement points in a war zone and hence targets of choice for adversaries. This changes the security game significantly, and companies in vulnerable industries (like financials) should adapt their corporate governance to allow for better security decision making that reflects this new situation.

CISOs will be important leaders in this new governance. CISOs should drive this change. For them to be effective leaders, they need to extend their skillsets with geopolitical knowledge and tactics.

A CISO already needed to combine a wide spectrum of knowledge domains, becoming a true homo universalis. Now CISOs need to grow again: from CISO Universalis to CISO Politicus.

Further reading: follow me, so you will not miss my upcoming 3-part blog on The Dynamics of Information Security!

Martijn Dekker

Martijn is a PhD, top-executive, scientist and CISO with more than 25 years of experience pushing the limits of information security.