Geopolitical Cyber Risk: Going Beyond the Industry and Region

Robindimyan
7 min read · Nov 23, 2023

UPDATE: The templates used in this blogpost are now available for download here!

When organizations assess threats relevant to them, they frequently try to pinpoint threat actors focusing on their industry and region. This method of limiting the research scope is typical. However, the question arises: are industry and region sufficient criteria for research scope? To comprehend this, a closer examination of intelligence requirements is necessary. We will explore this concept through a hypothetical example.

Disclaimer: The following example, designed to demonstrate intelligence planning, is purely fictional.

Located in Ukraine, TechNovelties is a firm that specializes in producing custom parts, catering to a wide range of clients in this area. It supplies a critical component for the UAVs of a Turkish defense industry client. Here is what is known about the relationship between these two companies:

  • The company TechNovelties, based in Ukraine, is responsible for producing an essential part for the Armed Unmanned Aerial Vehicles (UAVs) that are made by the Turkish firm SkyDefend Innovations.
  • A portion of these UAVs from SkyDefend is incorporated into the arsenal of the Turkish Armed Forces.
  • Additionally, some of these UAVs are exported to Pakistan, where they are added to the Pakistani armed forces’ inventory.
  • Pakistan aims to use these UAVs to counterbalance certain military threats posed by China.

Given this information, it is reasonable to assume that the Ukrainian firm TechNovelties would be a target of espionage efforts from numerous countries.

In the context of cyber defense planning, the immediate inclination might be to investigate cyber espionage groups that focus on European technology companies. Yet, if we reverse our perspective and ponder which nations could be intrigued by the information held by TechNovelties, we gain a different insight. This requires us to reflect on the medium and long-term foreign policy, economic, and military goals of these countries.

From this perspective, several possible scenarios emerge (note that this is not meant to be a comprehensive list):

  • Given its hostile relations with Ukraine, Russia would be interested in TechNovelties, all the more so because the firm exports to defense industry companies.
  • SkyDefend Innovations, a customer of TechNovelties, produces UAVs that are slated to be part of the Turkish Armed Forces’ (TSK) arsenal, presenting a potential threat to Turkey’s neighboring nations. The capability of these Turkish UAVs to shift the balance of power in the Aegean Sea is a known source of concern for Greece. In pursuit of insights into Turkey’s UAV production capabilities and the quantity of UAVs in the TSK’s arsenal, Greek intelligence might try to infiltrate TechNovelties to determine the annual volume of parts supplied to SkyDefend Innovations.
  • The effective use of UAVs manufactured by SkyDefend Innovations by the Azerbaijani military in the recent Nagorno-Karabakh conflict is well-documented. Consequently, Armenian intelligence could be interested in acquiring the technical specifications of the components made by TechNovelties, aiming to devise electronic warfare strategies to counter the UAV capabilities of Azerbaijan.
  • India, viewing the UAVs acquired by Pakistan as a potential threat, may consider infiltrating TechNovelties, paralleling Armenia’s approach.
  • Targeting the Asian market, French companies are intent on selling their drones to Pakistan’s armed forces. To support this aim, French intelligence might attempt to penetrate TechNovelties to further leverage this entry point into SkyDefend Innovations’ systems, thereby uncovering the prices at which SkyDefend sells its UAVs to Pakistan.
  • For several years, Taiwan has been aspiring to develop UAV production capabilities. As a result, any entity (along with their suppliers) involved in manufacturing this technology would naturally be of interest to Taiwanese intelligence.

Yet another cyber pew pew map

It becomes evident that what is broadly termed ‘cyber espionage’ can actually serve a range of different intelligence requirements. In this example, which is far from being comprehensive, we identified espionage activities meeting roughly three specific intelligence needs:

  1. In nations where UAV capabilities are posing a threat, there’s a need to determine the number of UAVs held by a rival country and to understand the technical characteristics of these UAV components (Military Intelligence).
  2. In nations striving for dominance in the UAV market, there is a necessity to obtain the trade secrets and intellectual property of competing UAV manufacturers (Economic Intelligence).
  3. In nations aspiring to develop UAV manufacturing abilities, there is a demand for detailed knowledge about this technology (Scientific & Technical Intelligence).

The type of threat landscape mentioned above is not actually something caused by the company itself, but rather a landscape arising from the customers to whom the company supplies its products. Therefore, every new customer, supplier, or market that a company enters introduces additional threats, influenced by the specific nature of its business activities.

Without a thorough understanding of intelligence planning and utilization of geopolitical analysis, relying exclusively on region and industry for your research will fall significantly short in pinpointing threats relevant to your organization. An effective threat model should determine whether anything an organization possesses concerns the political, economic, scientific, and military objectives of other countries, and it should also catalog the potential risks that arise from such alignments or conflicts.

I’ve formulated the following questions to assist organizations in creating this catalog as part of their risk assessment process. Please be aware that in the table below, “I” actually refers to the company.

Nation-state activities in cyber

Throughout their history, states have principally striven for three objectives in their conflicts: military superiority, diplomatic deterrence, and information dominance. The rise of the internet has expanded this struggle into the cyber realm while drawing civilian elements into the conflict to a significant degree. Civilian sectors can now easily find themselves in the crosshairs of military objectives alongside the conventional military and defense targets. It is therefore necessary to comprehend the dynamics of these inter-state struggles.

The nation-state use of cyber intrusions/attacks can be categorized into three broad types: espionage, denial, and coercion. This categorization deliberately leaves out the use of cyber intrusions for propaganda or deception, as these activities are inherently covert and therefore extremely difficult to accurately pinpoint.

Cyber Espionage

As mentioned earlier, nation-states often engage in cyber espionage to meet a wide range of intelligence needs. Over time, intelligence gathering has branched into specialized sub-disciplines, each catering to the unique requirements of different fields. Your organization is likely to become a target for intelligence agencies if it concerns any of the domains illustrated below.

Wheel of espionage (pun intended)

While many of these areas are quite specialized, three of them concern a broad spectrum of organizations: political, military, and economic espionage. Hence, it is useful to examine one’s own activities through the lens of an intelligence agency, using a set of questions like the ones I have provided earlier.

Another key aspect is differentiating between strategic collection and tactical collection efforts. It’s widely known that intelligence collection is guided by specific needs, known as Intelligence Requirements. This principle stems from the traditional discipline of intelligence, so it’s reasonable to believe that intelligence agencies function in a similar manner in the cyber domain. Some of these requirements aim to address immediate, short-term gaps, while others are meant to aid long-term policy goals. As a result, the focus and methods of intelligence collection can shift based on these differing needs.

  1. If a target can provide information valuable for long-term goals, can provide information the agency is in constant need of, or can satisfy multiple intelligence requirements simultaneously, then it is likely to be a focus of strategic collection efforts. Such targets will likely face persistent intrusion attempts unless the intelligence agency finds an alternative information source.
  2. Conversely, if the intelligence need is immediate (e.g. during diplomatic crises, internal security investigations, or active conflicts) or if the information is of a tactical nature, then the target is likely to be a focus of tactical collection efforts. Depending on the urgency and criticality of the information needed, advanced event-based capabilities[*] like zero-day exploits might be used. This is less common in strategic collection, as the need for information is long-term and can often be met from multiple sources.

Mapping it all together

Creating a map of your organization’s geopolitical cyber risks is challenging but extremely rewarding. It enables security leadership to better comprehend how certain business decisions might expose your organization to different cyber risks, allowing them to proactively prepare. Let’s now construct a map using the fictional example provided at the start of this post. It would look something like this:
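To make the "inherited threat landscape" idea concrete, here is an added example (my own code, not the author's templates) that encodes the fictional TechNovelties supply chain as a customer graph, attaches the interested states named in the scenarios to the actor they care about, and walks downstream so that a supplier inherits every threat its customers and their customers attract. All actor names, interests and the "what they want" strings are constructed from the post's fictional example.

```python
from collections import defaultdict, deque

# Constructed supplier -> customer edges from the post's fictional scenario.
SUPPLY_EDGES = [
    ("TechNovelties", "SkyDefend Innovations"),
    ("SkyDefend Innovations", "Turkish Armed Forces"),
    ("SkyDefend Innovations", "Pakistani armed forces"),
]

# Which state is interested in which actor, which intelligence need it serves,
# and what it is after: (state, intelligence_type, what_they_want).
INTERESTED_STATES = {
    "TechNovelties": [
        ("Russia", "Military", "supplier to the defense industry of a hostile state"),
    ],
    "SkyDefend Innovations": [
        ("Greece", "Military", "annual part volume -> number of UAVs in the TSK arsenal"),
        ("Armenia", "Military", "component specs to devise electronic warfare countermeasures"),
        ("France", "Economic", "prices at which UAVs are sold to Pakistan"),
        ("Taiwan", "Scientific & Technical", "UAV production know-how"),
    ],
    "Pakistani armed forces": [
        ("India", "Military", "component specs, paralleling Armenia"),
    ],
}

def build_customer_graph(edges):
    graph = defaultdict(list)
    for supplier, customer in edges:
        graph[supplier].append(customer)
    return graph

def downstream_actors(org, graph):
    """Breadth-first walk over customer edges: every actor that ends up holding
    something built from org's output (direct customers, their customers, ...)."""
    seen, queue = set(), deque([org])
    while queue:
        current = queue.popleft()
        for nxt in graph.get(current, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def risk_catalog(org, edges=SUPPLY_EDGES, interest=INTERESTED_STATES):
    """The org's inherited threat landscape: states interested in the org itself
    plus states interested in any downstream actor, tagged with that actor."""
    graph = build_customer_graph(edges)
    catalog = []
    for actor in [org, *sorted(downstream_actors(org, graph))]:
        for state, intel_type, want in interest.get(actor, []):
            catalog.append((state, intel_type, actor, want))
    return catalog
```

Adding one more customer edge for TechNovelties (and the states interested in that customer) grows the catalog, which is the post's point that every new customer, supplier or market brings its own threats with it.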

I trust you found this post helpful. It was focused on the espionage aspect of cyber intrusions. In the next post, I’ll delve into their military and diplomatic applications, further aiding our geopolitical risk assessments. Before you go, make sure to check out my previous post, where I discussed the various motivations behind cyber attacks in a more general context: Making Sense of Cyber Attacks.

See you in the next one!
