Welcome to this week’s edition of Not in Dispatches, where we dive into the geopolitics of cybersecurity.

Cybersecurity threats are growing for both governments and businesses.

Bad behaviour in cyberspace is on the rise. Extortion techniques are getting more sophisticated. And denial-of-service attacks are becoming larger and more complex.

Each year, data compromises are becoming more frequent, as the world becomes increasingly dependent on IT systems. And bad actors – whether hostile foreign intelligence agencies, sophisticated organised crime groups, hackers-for-hire, “hacktivists”, or petty digital thieves – are getting craftier.

In last year’s list of annual threats produced by the European Union Agency for Cybersecurity (ENISA), Ransomware, malware and “social engineering threats” topped the risks for business. Threats against data, denial of service attacks and phishing also appeared, as did misinformation, disinformation, and supply-chain attacks. Who knows what 2023, let alone next year will bring.

Share Geopolitical Dispatch

Victims and perpetrators.

The victims of cyberattacks, as many readers would be painfully aware, are rapidly growing in number.

Government agencies holding sensitive information remain particularly juicy targets and reported 24% of all cyber incidents over 2021-22.

Just last week, news broke that Japan’s main cybersecurity agency had been hacked by Chinese cyber spies for years (as analysed in our Daily Assessment).

Earlier, the Stuxnet cyberweapon developed by the United States and Israel caused substantial damage to Iran’s nuclear program. And ministries holding vast stores of personal data have become as tantalising to cyber criminals as a bank vault to Bonnie and Clyde.

Corporations, however, are the main target.

Digital service providers, unsurprisingly, have been most subject to attack in recent years, representing 13% of reported incidents. But banking and finance (9%), health (7%), transport (4%), and energy (4%) have also had to maintain particularly strong defences.

Private companies owning or operating public infrastructure are often in the firing line. The Colonial Pipeline, one of America’s largest and most important fuel corridors, went from obscurity to infamy after being attacked by the DarkSide cybercriminal gang and being forced to shut down for several days, causing blackouts and heavy economic losses.

Companies subject to attack can suffer serious impacts – and not just via compromised digital systems or stolen data.

Major attacks can cause massive reputational damage and direct financial harm. When TalkTalk, a UK telecommunications firm, admitted that the personal details of over 150,000 customers had been exposed, it lost over 100,000 clients and around a third of its value.

However, other companies, like Microsoft, have suffered little reputational damage (and have only grown their market capitalisation), despite governments and hackers repeatedly exploiting their systems’ vulnerabilities.

While most cybercriminals are motivated by money (e.g., groups like DarkSide) and some by ideology (hacktivists like Killnet or Anonymous Sudan), state-sponsored attacks are often about geopolitics.

Cyber espionage, whether directed at enemy governments or companies, is often used to steal intellectual property, sensitive data, or classified information. States spend much more employing The IT Crowd than they do James Bond. After all, the combination of sophisticated tools being available and massive amounts of information being stored online often means that signals intelligence (SIGINT) can be more effective and efficient than human intelligence (HUMINT).

Geopolitical motivations are often more ambitious than stealing state secrets.

Cyber has clear military applications and has been used extensively on the battlefield in Ukraine in pursuit of territorial conquest. Recently departed Wagner chief, Yevgeny Prigozhin, infamously ran the Russian troll factories that attempted to manipulate the US elections. By stoking divisions and resentment in an already polarised electorate, Progozhin’s creatively-named Internet Research Agency spearheaded a major effort to weaken Russia’s main adversary.

Share Geopolitical Dispatch

A cyber arms race.

Rapid technological advances, including through artificial intelligence and quantum computing, are triggering a global cyber arms race.

The competition for cyber supremacy is real. Today, the balance of power in cyberspace does not neatly reflect that in “the real world”. While the 2022 National Cyber Power Index ranked the geopolitical heavyweights of the UN Security Council’s Permanent 5 – the US, the UK, France, China and Russia as the most powerful cyber nations – it also placed Australia, the Netherlands, North Korea, Vietnam and Iran in the top ten.

But as cyberspace becomes an ever more important terrain of competition – and as the cyber and “real words” increasingly fuse – cyber capabilities, both offensive and defensive, will form a greater part of a nation’s power.

As with conventional military power, each country has its own particular strengths.

China outperforms in industrial espionage and online monitoring of its own citizens. Russia leads in infiltrating critical infrastructure systems or cyber-enabled information operations. And the CIA warns that North Korea “continues to adapt to global trends in cybercrime by conducting cryptocurrency heists”, which help it fund its nuclear military program.

Cyber diplomacy.

As cyber weapons become more advanced and geopolitics more heated, states have also increased their efforts to shape international rules governing security in cyberspace.

Since 2004, governments have been debating how to regulate cyberspace at the UN, with major norms agreed in 2013. Discussions have unsurprisingly split along familiar geopolitical lines, with three blocs emerging.

First, there are those favouring a global and open model of internet governance paired with a culture of accountability (mostly democratic states like the US, the EU and Australia). Second, there are those favouring a sovereign and controlled internet without accountability checks (more authoritarian states like Russia, China and Iran). And finally there are the 50 or so in the digital deciders camp (whose votes – as they have been on issues from climate to Ukraine – have been up for grabs).

Divisions reached absurd proportions in late 2018 two parallel groups were set up, one Western-led and one Russia-led, discussing exactly the same issues but coming from very different perspectives.

Until recently, UN voting patterns have looked eerily similar to those of the Cold War, with each camp aiming to create international rules reflecting their own domestic methods of internet regulation and cyber warfare.

Russia and China, for instance, have argued that existing international law is insufficient to govern cyberspace and new categories of cybercrimes should be added – like promoting fake news and calling for terrorism, political destabilisation or secession. Western governments typically see this as both unnecessary and an incorrect legal interpretation but, more fundamentally, as a smokescreen for authoritarian states to entrench a right to surveil their population, censor the internet and create a global “notice and takedown” system.

A middle ground, however, may be emerging – albeit in a different specialised committee of the UN.

France has been leading diplomatic efforts to move beyond these fractured debates and instead create a permanent UN mechanism by 2025 to help states improve their capacity to behave responsibly in cyberspace. With 157 states from all regions and political persuasions supporting its UN resolution to begin these talks, there is greater appetite to focus international discussions less on creating treaties and more on developing practical ways to secure cyberspace based on existing rules.

Share Geopolitical Dispatch

Cue the private sector.

And there is an equally growing consensus that the private sector needs to be on board.

Leonard Rolland, Head of International Cybersecurity Policy at the French Ministry of Foreign Affairs, who chairs the UN negotiations, told Geopolitical Dispatch that it is important to give companies a voice in our discussions.

“On the one hand, they have a unique know-how, own much critical infrastructure that needs to be kept safe and can bring expertise to help states secure cyberspace,” Rolland says.

“On the other hand, they have a particular responsibility, for instance not to sell IT products that can easily be hacked, or worse, that can be used to conduct cyber-attacks”.

The UN talks build on the Paris Call on Security in Cyberspace, launched by Emmanuel Macron in 2019.

This developed a multi-stakeholder code of conduct to define the responsibilities of the private sector. Its key aims are to ensure products and services put on the market are secure by design, to avoid conducting offensive operations in cyberspace, and to not commercialise offensive cyber tools that make cyberspace less stable and secure.

Recognising the role of the private sector, any company can join the Paris Call community.

Cyberspace -– like any terrain – is subject to geopolitical ambitions, rivalries and diplomatic efforts to shape the rules that govern it. And as power balances shift, state coalitions evolve, and new rules are written, companies would be wise to not only update their anti-virus software but also their geopolitical risk monitoring systems.

What better way than to continue reading Geopolitical Dispatch. We hope you are enjoying these Not in Dispatches and our Daily Assessments. If so, we would really appreciate it if you could share with any friends, colleagues or cybercriminals you think may enjoy our work.

Best,

Michael, Cameron, Damien, Yuen Yi, Andrea and Kim.

Emailed each weekday at 5am Eastern (9am GMT), Daily Assessment gives you the strategic framing and situational awareness to stay ahead in a changing world.