It sounds like the far-fetched plot of a summer potboiler. The US government announces it is initiating an ambitious program to counter the biggest cybersecurity risk of the next general election: Foreign hacker-agents using malware to infect local voter-registration databases in order to manipulate, disrupt, or destroy the upcoming US presidential election. That is not the premise of the latest airport best seller, however, but an actual US government announcement just made about the 2020 election.
Nor is it a strictly political risk, far removed from the everyday business of the boardroom. In recent months, many boards briefed on cybersecurity have been advised that the covert operations of foreign governments are a bigger risk these days than loner hackers working from a basement. That’s because hostile nations don’t just steal industrial and personal secrets. Their mission is often to create maximum political and economic disruption.
Benjamin Dubow, president and chief technology officer at Omelas—a DC-based technology and security firm tracking the digital mischief and manipulation of foreign governments—explains that China’s cyber efforts in the West generally focus around stealing intellectual property, to bolster its own military-industrial complex. Russia’s cyberwar is, by contrast, more about creating economic and political chaos. “Tripping up American companies, making the American economy weaker, achieves [Russia’s] geopolitical goals,” Dubow says.
The US industries most likely to be targeted by such nations, say security experts, are financial services, technology, defense contracting, media, utilities, and firms working on major infrastructure projects. Awareness of such risk is rapidly rising in boardrooms. Eric Hippeau, a BuzzFeed director and a managing partner at the venture-capital firm Lerer Hippeau, has for example been briefed that “the more dangerous players these days are the nation-states—China, Russia, and Iran—that make it their business stealing people’s secrets,” he says. “It’s complex.”
That’s partly because nation-driven cyberattacks are often indirect, multifaceted, and frequently not noticed until long after the damage is done. Consider Britain’s imminent departure from the EU. Brexit is not just going to massively disrupt the British economy, it’s going to hurt the interests of every multinational doing business in Europe, and analysis conducted by Omelas illustrates how the Russian state materially shaped the vote’s outcome and helped create the resulting chaos.
While the BBC produced 97 videos explaining Brexit and its issues to the public in the six months leading up to the referendum, RT—Russia’s English-language 24/7 state news agency—and its affiliates produced a staggering 656 clips posted on the UK’s leading video-hosting platform. The balanced BBC videos were viewed 3 million times, a fraction of the 23 million views the Russian propaganda received, and the Russian videos further received 11 likes for every single one the BBC received.
Kirsta Anderson, a senior client partner in the London office of Korn Ferry, says that all companies and sectors need to be thinking at the highest level about their position on such security issues. If a company blocks Russian or Chinese operations in the West, that company could very well have trouble doing business in those fast-growing markets. So does the company’s board fall back on its stock position of staying out of politics? The lesson from Brexit, Anderson says, is that that may no longer be a viable option when that position “becomes the equivalent of enabling these bad actors to wage economic war, which, in the long run, undermines the companies themselves.”
Still, there’s no need for directors to panic or exaggerate the risk, says seasoned board member Eric Hippeau. Boards certainly need to be trained in cybersecurity and be aware of how their firms are vulnerable. “But ultimately, if you look at the various ways your company could be attacked, it’s not that complicated,” he says. “There are four or five buckets. You don’t have to become an expert. You just have to be aware of how your firm could possibly be breached.”