Fragmentation, transformation, and cyber risk.
The Internet continues to fracture as governments seek greater control of the data and information flowing across their sovereign borders, thereby splintering and dividing data flows, access, and risks along national and regional boundaries. The ongoing COVID-19 pandemic has accelerated this splintering, with a direct impact on cyber risks to both security and privacy. Driven by geopolitical and regulatory factors as well as emerging technologies, ‘techtonic’ shifts are transforming globalization into competing technospheres and forcing a reset on how enterprises must approach cyber risk to accommodate an increasingly fractured environment. The underlying factors (such as the three lines of defense model) associated with widely used risk management frameworks are still relevant during this transformation, but they are incomplete. As a recent Gartner report noted, “Traditional approaches fail because they can’t effectively deal with fast-moving and interconnected risks.” While understanding the full range of cyberattacks and existing compliance regulations remains foundational to assessing cyber risk, it insufficiently reflects the full range of risks surfacing from a reglobalized environment. The splintering along geopolitical fault lines existed prior to the pandemic, and it will define the ‘new normal’ of a post-COVID world with dramatically changed dependencies and even decoupling among technologies.
The emergence of opposing technospheres – reflecting digital authoritarianism on one extreme and digital democracy on the other – must not be viewed as a new Cold War. Instead, these technospheres indicate significant global transformations, where the weaponization of cyber intersects with the weaponization of trade. They also demonstrate how divergent perspectives on data protection, security, and privacy directly impact new cyber risks and vulnerabilities.
The original aspirations for a free and open global Internet directly conflict with the rising tide of digital authoritarianism. Internet freedoms have declined for nine consecutive years because of governmental use of digital information technology to steal, manipulate, and suppress data to achieve both domestic and foreign objectives. The Chinese model is increasingly adopted across the globe: it combines surveillance hardware and software with data regulations, widespread cyber-attacks, disinformation, and manipulation. Freedom of information threatens such regimes, which leverage technology and law to manage information, track their citizens, and gain influence and control beyond their borders as well. Countries following this model amount to a growing technosphere guided by suppressive regimes with little consideration for security or privacy. Recent collaboration between China and Russia, and between China and Iran, as well as far-reaching national cybersecurity laws in Vietnam, Thailand, and Turkmenistan, and the proposed law in Venezuela, illustrate this technosphere as governments seek to acquire and control data.

In contrast, there are emerging signs of a democratic counterweight that prioritizes digital security and privacy. The European Union’s General Data Protection Regulation (GDPR) came into effect in 2019 and provides the most widespread regulatory approach to data protection. It has inspired Federal dialogue and proposals in the United States, and prompted similar state-level regulations. This emerging technosphere is increasingly guided by the principles of trust and security. The United Kingdom recently announced a plan to create a ten-country democratic pact to establish a trusted 5G ecosystem, directly in opposition to Huawei due to concerns over its tight connections to the Chinese government. Many democracies are also prohibiting Chinese-based companies and applications – ranging from TikTok to the surveillance firm Hikvision.
This approach to trusted ecosystems extends into physical supply chains as well, with Japan offering financial incentives to Japanese companies that reshore from China.
These global dynamics directly affect cyber risk. Proving that ‘reasonable and appropriate data security measures’ have been taken, which is often the metric used in data protection compliance, is simply not enough to handle the evolving threats and risks in a reglobalized world. Borders do exist on the Internet. As the diverging technospheres expand and become more entrenched, they will increasingly affect cyber risk.
There are four emerging and accelerating risks linked to the diverging technospheres:
- Internet blackouts cost the global economy $8 billion in 2019 and have affected over 30 countries as governments seek to suppress information;
- Government-mandated access to data across the globe as governments legislate access to any data within their sovereign territories upon request;
- Regulations and pacts focused on creating trusted networks, including prohibiting untrusted hardware and software within supply chain ecosystems;
- Digital supply chains and partner networks are increasingly an entry point for attackers.

In a digital global economy, rules, regulations, and technologies directly determine the security, privacy, and protections of data. Each of these is increasingly nationalized – and even weaponized – to reflect the values of governments across the globe. The pace of change will only accelerate as interdependencies, new technologies, and geopolitical transformations prompt a reset on how organizations manage digital security and privacy now and into the future. Cyber risk must evolve and integrate the new realities of this division into competing technospheres without losing sight of the foundational factors that remain relevant to cyber risk.
This presentation and research paper provide greater detail around each of these four factors and the ongoing techtonic shifts that are transforming globalization and reshaping the way enterprises must assess cyber risk.