Cyber Political Risk Post Mortem
A year and a half ago, my Political Risk professor assigned us a paper as if we were an analyst hired to assess the potential risks for a sector exposed to a potential threat. I chose the topic, “why should startups care about cyber risk?” The class drew heavily on the work of Ian Bremmer since it was taught by an adjunct who worked at the Eurasia Group. One of our text books, The Fat Tail: The Power of Political Knowledge for Strategic Investing, provided a framework to analyze political risk. Try as I might, I could not find a way to fit cyber political risk into one of the categories of risk outlined in the book. In the past, international corporations and investors have looked at six sources of political risk: regime type, ideology, constraints, policy changes, elections and exogenous factors. For example, if you run a company with a mine in the Central African Republic, you may be worried about regime change or you may be worried about the current regime enacting constraints to your business. All states have political risk. States that democratically elect their leaders have election risk. States with byzantine systems of government, balancing various factions and institutions, may change ideologically or shift on some issue of policy. Is cyber political risk exogenous? Is it election risk? Is information warfare an ideological risk? Where does it belong?
Not only is it difficult to define how to analyze or categorize cyber political risk, but what makes it different from cybersecurity? Many people’s worst case scenario for political cyber risk looked like direct manipulation of vote totals or a shutdown of the power grid. Yes, those would both be terrible, but computer networks are resilient and, for now, fragmented. We usually think of cyber risk in terms of damage, downtime and financial loss. Pure vandalism, it turns out, is not the worst case scenario. It is more valuable to steal banking information to trade on than it is to change the bank account data, because our systems are not built on technology, but social and legal norms. Banks can roll back a fraudulent transaction and do so because we have contracts, courts and laws. Before this election many computer experts were searching for their keys under the lamp post, where the light is. We lacked imagination about what could be done with information warfare.
How did so many smart individuals, at the tops of their technical fields, focus on the wrong threat? First, they may not be wrong in the long run. Risk of a nuclear meltdown or some other cyber kinetic catastrophe is still real. Second, the West is handicapped by our values and beliefs. Fortunately, this weakness, is also our strength and a deep well of resilience that we can draw on in times of strife. It is easy to criticize our lack of foresight, so I will try to limit the 20/20 hindsight bias, but there were a few cases that warrant more attention.
In the run up to the Russian Georgian war of 2008, malware and denial of service software were spread to Russian cyber nationalists who then used the tools to vandalize and interfere with Georgian government websites and communications. Additionally, Georgian internet traffic was routed through Russia.
In response to the Arab Spring many governments stepped up their Internet censorship. Egypt, Libya, Tunisia, Syria and others were all subject to popular uprisings aided by new tools of social media.
The repeated cyber and information warfare throughout the Ukrainian Crisis should have been the biggest warning. There were physical consequences, the power grid attack, government computers rendered useless and potentially even destroying army weapons. Perhaps more important, was the information warfare campaign. Renaming parts of Ukraine, Novorossyia, organized misinformation campaigns and television propaganda broadcasting were used to great effect.
Russia, China and many other countries have been practicing information warfare domestically for much longer than the United States. The VCheka (All Russia Emergency Commission), founded in 1917, and the CDSA (Central Department of Social Affairs), founded in China in 1939, have been at this game since their governments were founded. The FBI was founded in the United States as a federal law enforcement institution more than a century after the country’s founding and the U.S. did not have a true intelligence function until 1942, the OSS (Office of Strategic Services), which was the predecessor to the CIA and focused on foreign intelligence.
While, the U.S. certainly isn’t behind in our ability to project power abroad, we have never truely understood the mindset of a country where truth and information are not viewed as objective and good. There is some validity to this world view, but it inherently leads to a disturbing outcome, the people are not to be trusted. We should not wholly adopt the cynicism and contempt of the populace that this jaded philosophy espouses, but if we continue to fail to understand it, we will continue to lack the imagination necessary to predict the next threat.