Cyberspace: a new buffer zone and the rise of the CISO Politicus.
In the previous century, Internet started out as an open network, enabling scientists to exchange information. Internet nowadays is a zone of conflict and disinformation, where actors attack each other without attribution and social media is being used to influence democracies and public opinion. And now even the very fabric of cyberspace is being weaponised. This requires new leadership from CISO’s (Chief Information Security Officers).
Internet as a free zone
Internet started out as a benign zone. Endpoints were mostly universities, and simply the fact you had access to a console connected to Internet, meant you were an authorised and a trustworthy user. Internet was a free zone, everyone that had access was trusted and shared a common set of values and ideas. The primary task of the network was to provide access and ensure availability and integrity of data. The governance of the protocols that built up Internet was open, loosely organised in ways that may look naive nowadays.
Internet as a commercial zone
Internet changed at the beginning of this century, when companies discovered this technology and started to deploy “e-commerce” services. Quickly, people found out that Internet was not safe. Practically none of the internet protocols (DNS, telnet, gopher, SMTP, etc) used any authentication at all and spoofing was easy. Engineers started to glue authentication and other security layers on top of the internet protocols. Even newer protocols like HTTP did not have proper security. And hence HTTPs, FTPs, DNSSEC and cryptographic solutions were added like SSL. The Internet needed a drastic redesign and enriched protocols. The addition of cryptography, identity and access services and session management solutions (like cookies) meant Internet became a reasonable safe economic zone by translating its core strengths (integrity and availability of data) to confidentiality of data. This enabled companies to do business and allowed for managing liability and trust in commercial value chains.
Information security professionals were getting familiar with protecting businesses in that economic zone, by learning from what it took to secure businesses in the real world. By developing capabilities like fraud detection and DDoS defenses and many others to protect the businesses they worked for, while adversaries translated criminal modus operandi from the physical world to cyberspace.
With the increase of the cyber-economy, nation states felt the need to extend their control over it. The rise of bigtechs, that used session management in Internet to build profiles of people and earn huge amounts of money, also showed how Internet can be misused to rally large groups of people and influence democracies. Nation states tried to regain control over cyberspace by extending their legal frameworks to cyberspace with for example data residency requirements. And some, like the european countries, tried to protect values like privacy by creating strong regulatory frameworks like GDPR.
Internet as a buffer zone
What we see now is that governance of cyberspace is a topic of concern for state nations, as more and more of their economies, infrastructures and law enforcement activities are executed in cyberspace. The ability to govern cyberspace has become a matter of national sovereignty. And even more recent, cyberspace has become a zone of geopolitical consequence.
I think cyberspace is now being used as a bufferzone between nations. It is a zone where countries can make offensive moves towards other nations without initiating war and without attribution. Companies should realise that their strategies to do business in cyberspace (“become digital”) mean that they move their business to a buffer zone, to a war zone. And that when nations impose sanctions onto other nations, those sanctions are often executed by companies in cyberspace. This holds in particular for the financial industry, that often implement sanctions by blocking payment transactions to individuals or to countries as a whole. That means that companies not only do business in a buffer zone. It also means that companies are actually making the offensive moves. They are the troops. It is important that companies realise that their digital strategies can make them targets in geopolitical conflicts.
Security professionals working for those companies need to figure out how to protect their companies, their data and their customers in that new zone, realising that their companies can be weaponised and their customers and suppliers can and will be weaponised. This new Internet is not a benign zone, not an economical zone. It is a buffer zone where wars are staged. And now the fabric of cyberspace itself (its protocols and its governance) is being weaponised by state actors too. For example by deleting domains for the global DNS systems, changing routing tables and untrusting certificate authorities. It is like, in old fashioned wars, generals would conguer territory by changing the flow of rivers or the positions of mountain ranges to gain an advantage over the enemy.
What new capabilities do we need to add to Internet to allow information (and hence people, processes and activities, like businesses) to be safe? What new defence mechanisms or tactics do CISO’s need to deploy? The situation in Ukraine clearly shows that speed is of the essence. The time to act is now.
From CISO Universalis to CISO Politicus
It is important CISO’s realise that they are part of geo-politics. It is no longer enough to acertain identity and integrity of actors. CISO’s need to be aware that the other party can be a weapon in geo-political conflict (even when that party is trustworthy themself). And CISO’s must realise that the objects they are protecting can be used as a weapon too and hence reassess the probability of being a target of choice of adversaries. And as many cyber weapons are inprecise, the risk of collateral damage is also there and higher than before. Above all, CISO’s need to build resiliency to protocol poisoning, as one can no longer rely on the integrity of the protocols of Internet themselves. Cyberspace itself has become a weapon.
So what to do? It is wise to, again, look at the real world. Information security professionals should learn basic military tactics like deception, disinformation, traps, pincer movements, false flag operations, and start designing cyber equivalents. It is time to mature cyberspace, to make it fit for the role it is going to play next. Internet has grown from a benign science zone, to an economic zone and is now acting as geopolitical buffer zone. Information security professionals play a pivotal role for our national security and need to start building defenses.
Information security professionals must become fluent in and connected to the political game. They should get acquainted to military strategies and intelligence. They should assume a pace-setting attitude towards resource allocations. No longer business decisions only should drive security investments and priorities. External and political developments must do that too. CISO’s will need to translate those to requirements that should be treated on par or above discretionairy business requirements. Companies should realise that a digital strategy, means they can become sanction enforcement points in a war zone and hence become target of choice for adversaries. This changes the security game significantly and companies in vulnerable industries (like financials) should adapt their corporate governance to allow for better security decision making that reflects this new situation.
CISO’s will be important leaders in this new governance. CISO’s should drive this change. For them to be effective leaders, they need to extend their skillsets with geo-political knowledge and tactics.
A CISO already needed to combine a wide spectrum of knowledge domains, becoming a true homo universalis. Now CISO’s need to grow again: from CISO Universalis to CISO Politicus.
further reading: follow me, so you will not miss my upcoming 3-part blog on The Dynamics of Information Security!