In May 1940 the French army huddles in its bunkers in the Maginot line, a rigid defensive barrier of bunkers, machine gun nests and artillery positions. It had been constructed along the Franco-German border after WWI to avoid a repeat of the horrors of trench warfare. The French were confident the Maginot line was impregnable. It probably was, but the Germans just went round the side. Once they got behind the Maginot line, the French had no defence in depth. The mighty French army collapsed in six weeks.
“In the constant arms race between cyberattack and cyberdefence, the cyberdefenders, like the French army in the 1930s, tend to be preparing to fight the last war.”
Company directors are increasingly concerned about the dangers of cyberattacks. The damage of data theft or other attacks is not only economic. It can also destroy a company’s reputation, and its clients’ confidence. Yet the disproportionate emphasis on perimeter security is reminiscent of the Maginot line. The hackers simply go round the side, and once in too often find there is no defence in depth. They are able to wander freely through the company’s systems as the German tanks were able to roam across France 76 years ago. Moreover, the compartmentalization of most companies, where cybersecurity is seen only as the responsibility of the techies, rather than of the company as a whole, recalls the hopeless fragmentation of the French government in crisis.
Companies cannot just depend on technical measures to protect them from cyberattacks. In the constant arms race between cyberattack and cyberdefence, the cyberdefenders, like the French army in the 1930s, tend to be preparing to fight the last war. The advantage is with the attack. Apart from developing defence in depth, companies need to develop more forward strategies to identify and deter potential hackers. They need to generate enterprise resilience that will allow them to adapt to cyberattacks and ensure business continuity. They need to develop collaborative working strategies, both within the company and with other companies and government, to ensure more effective responses to cyberattack. Finally, they need to implement effective communications strategies to ensure that the public (including their clients) is on their side in the event of an attack, and not that of the hacker. All these elements need to be brought together in a coherent and holistic strategy. In other words, companies need to develop a Cyber Diplomacy Strategy, which complements and reinforces the technical solutions.
Business Diplomacy adapts the techniques and mindset of the diplomat to the needs of companies in managing the political, social, economic and geopolitical risks and opportunities in an increasingly volatile international business environment. Cyber Diplomacy applies these techniques and mindsets to the specific challenges in cyberspace focusing on the analysis of the risks and opportunities confronting a company and the broad range of stakeholders who shape how those risks and opportunities impact on the company’s operations. It develops networks of information and influence among these stakeholders and then constructs coalitions of the willing to protect and promote the company’s commercial interests. Cyber Diplomacy strategies are essential to generating enterprise resilience and assuring business continuity.
“Organisations are increasingly not only wanting to understand how attacks are being carried out so that they can defend against them, but are also interested in the who, what, when, where and why.”
Cyber Diplomacy strategies can support cybersecurity in 6 areas:
- “Hacker profile” analysis of the company: Adversaries include state actors and non-state actors; their skills and capacities are wide ranging, from amateurish hacks using simple tools to highly sophisticated operators. Their motivations vary widely, as do the levels of resources they have to pursue their objectives. An analysis of the activities, profile and reputation of a company can help identify the kinds of hackers who might attack a company and their motivations. This can be reinforced through scraping information (data mining) from hacker (and activist) blogs and chat-rooms. Software has been developed to support the latter.
- Anti-hacker strategies: Adversaries will perform malicious activities as long as they perceive that the potential results outweigh the likely effort and possible consequences for themselves. If the motivation of the hacker is non-monetary (e.g. ethical or political) Cyber Diplomacy strategies can be developed to reduce the company’s vulnerability to attack. These can include developing networks of influence and information among relevant activists and NGOs. These can be used to assess the likelihood of attack, reduce the negative profile of the company, divert attention onto other companies (who may be worse), reach out to the hackers or isolate and marginalise them within the ethical or political communities where they seek respect and recognition.
- Public Diplomacy strategies: A major problem for a company is that public opinion, and its own stakeholders (including its clients), will blame the company for the results of any hack, rather than the hackers themselves (Ashley Madison is a case in point). Hackers seem able almost to achieve a kind of Robin Hood status in the public mind. Marketing or communication campaigns after a hack are doomed to failure. More effective are public diplomacy strategies, using the full range of public and digital diplomacy techniques, designed to shape the political and social environment in such a way that when a cyberattack is launched the public, including the company’s stakeholders, are already siding with the company against the hacker.
- Collaborative working strategies aimed at government and other companies: collaboration between governments and other companies in fighting cyberattacks remains inadequate. There is a need to recognise that as technology cross-connects the risks as well as the benefits are increasingly interconnected. Too often companies react to a cyberattack taking pleasure at the misfortunes of a rival. Companies can use networking and coalition-building to promote the collaborative practices with both governments and other companies that promote a more effective defence against cyberattacks.
- Collaborative working strategies within the company: in too many companies, cybersecurity is left to the technical experts. Protective agencies within organisations often lack strategic influence, operating independently of one another, conflicting over areas of responsibility and resources. Vital information is not shared across the company. Individual employees do not “own cybersecurity,” not seeing it as their responsibility. By insisting on a holistic approach which integrates communication, corporate reputation and public affairs departments together with cybersecurity, Cyber Diplomacy strategies break down these silos, improving cyber management across the company.
- Business Continuity: through developing networks of influence and information among key stakeholders, companies can enhance their business continuity in the event of a cyberattack, minimising the damage, financial or reputational, that a hack can entail, and ensuring a resumption of operations as soon as possible.
Organisations are increasingly not only wanting to understand how attacks are being carried out so that they can defend against them, but are also interested in the who, what, when, where and why.
“Cybersecurity is not just the preserve of the technical experts, but the responsibility of all departments and all individual employees, from the Board downwards.”
Cyber Diplomacy strategies are no more a one-stop solution than technical cybersecurity, any more than diplomacy can deliver world peace without the support of armed force. They complement and reinforce each other. Businesses must learn that cybersecurity is not just the preserve of the technical experts, but the responsibility of all departments and all individual employees, from the Board downwards.
Cyber Diplomacy strategies focusing on culture, information and communication, by promoting effective networking and collaborative working practices across the organisation, supply chain and external environment, offer a holistic approach to enhancing the effectiveness of technical cybersecurity and increasing the company’s resilience against hacks.
Aurora Partners work with organisations to:
- Anticipate, reduce, discourage or divert malicious activities and protect reputation through the development of dense contact networks of information and influence and the formation of coalitions. Example stakeholder groups include customers, suppliers, outsourcers, competitors, industry sector bodies, regulators, governments, academic institutions, community groups and media.
- To develop a forward-looking, systematic approach that creates structure and provides training for those involved, to manage an abnormal and unstable situation that threatens the organisation’s strategic objectives, reputation or viability.
- Improve collaboration across the organisation and the supply chain to improve situational awareness, unity of purpose and decision making. The formation of effective partnerships undermines the siloed behaviour that can result in divisive, cultural and behavioural barriers that are detrimental to a resilient culture.
- Develop a culture that promotes openness and transparency encouraging knowledge sharing in terms of intelligence, events, trends, contingency plans and opportunities for improvement.
- Engineer cybersecurity considerations into policy and strategy development, projects and end to end business operations ensuring appropriate methods are used to select and manage suppliers.
For more details on how Aurora Partners could benefit your business please visit our website at www.aurorapartners.co.uk or get in touch via firstname.lastname@example.org
Aurora Partners |Applying Peripheral Vision
Keeping an eye on today. Developing a view of tomorrow
Enterprise Resilience – Managing Risk & Maximising Opportunities