By Andrea Little Limbago, SVP Research & Analysis, Interos
The technological explosion of the last few decades has not been accompanied by a similar modernization of global digital policies and standards. Discussions of a dynamic threat environment dominate security discussions, with acknowledgement that the digital regulatory environment has more or less remained stagnant. However, thanks to a shifting geopolitical environment and a renewed framing of data as a fundamental source of power, a sea change is underway.
First, borders do exist on the internet, as ongoing regulatory shifts determine how data is protected or accessed and vary significantly from one country to the next. These opposing forces of data protection and government-mandated data access are reshaping data risks depending on an organization’s global footprint, including its extended supply chain. Second, industrial policy is back in style, as geopolitical shifts and concerns over untrustworthy technologies are leading to a range of prohibitions regarding what technologies are restricted or allowed within an organization’s tech stack – and that of their supply chain.
As digital transformation continues to upend business processes, these regulatory shifts further add to the complexity. The natural inclination may be to turn inward during such global transformations, but that would be a mistake. No single organization can build resilience against these dynamic shifts alone. Instead, collective resilience can help organizations better navigate the new normal of data traps, digital borders, and technology exclusions.
The Rise of Data Traps
In describing ‘data traps’, British Intelligence Chief Richard Moore warned, “If you allow another country to gain access to really critical data about your society, over time that will erode your sovereignty, you no longer have control over that data.” This risk is true not only for governments but also for the private sector, including the data risks introduced through their supply chain ecosystem.
For the most part, unauthorized data access by some form of ‘malicious actor’ is the fundamental data risk. But what happens when the access is authorized through legal mandate? In a growing number of countries, there are legal requirements for data access in return for a physical presence and access to that market. Digital authoritarians – governments who deploy a range of digital tactics for information and data control – increasingly pursue legal paths toward data collection and access. Under the auspices of national security, government-mandated data access is the latest tool in the toolbox for many (largely authoritarian) governments that are legalizing government access to data upon request. Unlike the trend among many democracies that have a transparent judicial process for data requests, many of these new laws lack judicial review and oversight.
China’s Personal Information Protection Law (PIPL) and Data Security Law combine to enforce strict guidelines about data storage and data flows, but do not preclude data access by the government. Cambodia’s data surveillance legislation permits monitoring of internet activity, intercepting and censoring digital communications, and collecting, retaining, and sharing personal data. And although Kazakhstan has failed at least three times in its implementation of a required government digital certificate that would allow the government to intercept all HTTPS traffic, Mauritius is now contemplating the same strategy, illustrating the spread of these programs into democracies as well. The era of borderless data is over and is giving rise to data traps abroad.
Technology Exclusions & Technospheres of Influence
Since Russia’s invasion of Ukraine, the United States has sanctioned over 600 Russian companies, while security firm Kaspersky was added to the FCC’s list of software it says poses a national security threat. This comes on the heels of the unprecedented wave of over 350 Chinese companies the U.S. sanctioned between 2019 and 2020, the majority of which are tech companies. The United States is not alone in this renewed implementation of industrial policy. Across the globe, there is a geopolitically driven bifurcation between trusted and untrusted technologies that is creating divergent technospheres of influence, with significant implications for cybersecurity and digital transformation.
The mandated exclusion of Huawei is perhaps the most prominent example of governments prohibiting a major technology supplier. Australia first excluded Huawei and ZTE in 2018, while many other countries have banned them or introduced obstacles since then, including Sweden, France, Estonia, and most recently Canada in May 2022. In the United States, Huawei is one of five Chinese companies (along with Dahua, Hikvision, ZTE, and Hytera) whose products, and those of their affiliates, are prohibited from tech stacks and supply chains under Section 889 of the National Defense Authorization Act (2019). In response, China has its own ‘Unreliable Entity List’. And while governments continue to introduce regulatory shifts on 5G, the competition over 6G is well underway, illustrating the tight coupling of technology, national security, and an increasingly splintering regulatory environment along geopolitical fault lines.
Of course, digital transformation during a time of growing technological divides is not only complicated but expensive. According to one assessment, it will cost US small carriers $1.8 billion to ‘rip and replace’ existing Huawei and ZTE equipment from their networks. A German estimate predicts an even larger cost, closer to $3.5 billion for their largest telecom provider. Acknowledging these significant costs – especially for small and medium businesses – the FCC approved a $1.9B replacement plan in 2021. However, in February 2022, this estimate ballooned to $5.6B in requests through the Secure and Trusted Communications Networks Reimbursement Program.
Given these significant costs for compliance, hyperconnectivity across supply chains, and divergent technospheres, no single organization can fully ensure its own resilience and security. Instead, there must be a shift in mindset toward a collective response among partners and like-minded organizations during such disruptions and uncertainty.
Toward Collective Resilience
Collective resilience captures this notion of strengthening defenses across an organization’s entire supply chain ecosystem by pursuing strength in unity and providing collaboration and support to elevate the most insecure links within highly interdependent systems. At a strategic level, there has been a decisive movement toward collective resilience following Russia’s invasion of Ukraine. There has been unprecedented and swift collaboration in the cyber domain among governments, the private sector, and the security industry. The Cybersecurity & Infrastructure Security Agency’s (CISA) Shields Up campaign is remarkable in the speed and depth of extensive public/private sector collaboration and collaboration with allies.
This kind of collaboration must extend and persist beyond Shields Up and account for the digital regulatory sea changes underway. Given the one-two regulatory punch of growing global data access risks due to data sovereignty policies as well as technology-focused sanctions, there are significant advantages from defensive collaboration on the path toward trusted networks and secure supply chains. These benefits are only compounded when layering in the widespread geopolitical shifts underway. From incident response planning to information sharing to collaborative red teaming, there is no shortage of areas where joint planning and collaboration can strengthen an organization’s entire supply chain ecosystem.
The perimeter has long been dead; now it’s time to redefine security through collective resilience. The security strategies of the past are insufficient for the new normal and the geopolitical competition over technology and data. As CISA explained, protecting the nation’s infrastructure requires a collective, coordinated effort. Whether it is avoiding data traps abroad or complying with technology exclusions at home, organizations are only as resilient and secure as the weakest link in their supply chain and it will require a collective effort among like-minded partners to navigate the ongoing transformations of the new normal.
About the Author
Andrea Little Limbago is a computational social scientist specializing in the intersection of technology, national security, and information security. As the SVP of Research and Analysis at Interos, Andrea leads the company’s research and methodology regarding global supply chain risk, with a focus on globalization, cybersecurity, and geopolitics. Andrea is a Co-Program Director for the Emerging Tech and Cybersecurity Program at the National Security Institute at George Mason, an industry advisory board member for the data science program at George Washington University, a non-resident fellow at the Atlantic Council’s GeoTech Center, and a board member for the Washington, DC chapter of Women in Security and Privacy (WISP). She has taught conflict studies and political economy in academia, was a technical lead in the Department of Defense, and has worked at several cybersecurity startups integrating social science fundamentals into analyses and models on attacker trends, human-computer interaction, digital authoritarianism, security and privacy regulations, and security culture. Andrea earned a PhD in Political Science from the University of Colorado at Boulder and a BA from Bowdoin College. Andrea can be reached online at @limbagoa and at our company website http://www.interos.ai.