How international relations impact threat landscape - or the story of Kaspersky

I recently started a professional journey into cybersecurity with a course, and there are many reasons for that. One, as an anthropologist whose work and research are in part on human behaviour, human rights and technology, it actually makes sense to learn as much as is at all possible, including by, in a way, participant observation; two, cybersecurity is a growing field, and I believe that we focus on the threat landscape too narrowly, too technically - it can and does come down to social and cultural impacts in a far more extensive way than we like to think -, so I want to be as aware as possible of both sides of the coin, to make my own work more useful to others; three, I actually think that looking through the cybersecurity glasses can be useful for other disciplines too. Just look at this simple phrase...threat landscape. In cybercrime, it is the entirety of what threats may lie out there. (Geopolitical situation is often included, but, to me, far too little discussed, especially given that it is becoming arguably more and more relevant.) This is beautifully applicable to crime in general as well; whether we talk about victimisation or complex matters like hate crimes, the phrase can be used to create a succinct description rather than a long one. Business? Consider threat landscape from office culture perspective : what threats exist for harmonious work? Is it bullying, lack of communication, psychologically unsafe environment? What about crisis management? Well, often enough, the reason we don't plan ahead is because the threats do not look real enough, even though it can be helpful to prepare. And using a clear phrase (such as threat landscape) can, I think, help drive home the point that there are, in fact, real threats out there that can affect you. (I may come out of that class with a cybersecurity certificate, but even just being able to look at things through a new lens is priceless.
And yes, that is also part of why anthropologists are so interested in participant observation.)

But another thing that I ended up considering that is very much a matter of threat landscape is how and whether international relations impact cybersecurity in itself...and the Kaspersky case is a brilliant example.

Kaspersky is a Russian company, and thus affected by the geopolitical (and socio-cultural, where social and cultural aspects feed into a geopolitical stance and may inform action) situation globally and, I would not hesitate to suggest, locally. In spaces where government gets actively involved in everything without need (this need being for instance recognised criminal activity or human rights violations, which, in a way, should also be considered criminal activity), it tends to be hard for businesses as well as citizens to operate without its involvement, and I cannot imagine a potential resource like a cybersecurity company to be left untouched. This week, Kaspersky, which had generally been considered a good cybersecurity company in terms of quality (I actually had some of their writing in my course work just last week), suddenly "updated" users in the US without their express permission. This, of course, led to various feelings among the users, from suspicion to annoyance. Above all, however, it should lead us to sit for a moment and ask ourselves what security is and how and who affects it today.

All of us, everywhere, depend on someone else's knowledge at various points of our daily lives. When we cross the street, we count on the system of traffic lights working and being maintained correctly and on drivers being cautious in addition, so that we can cross safely. When we visit a doctor, we trust that their knowledge and honesty will keep us safe and/or make us better when we are ill. At work, we trust our colleagues, sometimes in different companies across the world, to work diligently and honestly because our own work is just a part of the process. And when it comes to security of any kind, we trust - or should be able to trust - tech companies building our computer firewalls, cybersecurity doing additional protection and, ultimately, governments and their branches (including law enforcement) to be honest, free from crime, protective of all human rights, actively willing and available to help us in need without bias, and overall have a system that is clear on what constitutes a real crime, online and offline. (Looking at you, UN's cybersecurity argument.) And all this said, consent, in particular when we have little knowledge to inform it, can be more of a platitude than a real decision - when my doctor, my internet provider, my computer provider, and ultimately my cybersecurity provider, ask if I consent to whatever they tell me needs to be done or is about to happen (such as an update or treatment), do I truly have a choice, or do I not? I lean towards the second. Refusing an update may lead to negative consequences, such as my computer, internet, cyber protection not working right; refusing a treatment may also mean consequences physically. And no - I do not have, in many of these cases, an alternative option, nor do I necessarily have information that would allow me to figure out if an alternative could exist, or how much I agree with any of this.
We consent to many things because we have to, and because we do not have a feeling or information that we can do otherwise.

That's all fine and well, as long as we are consenting to someone or something that is reliable, safe and honest. But, whether or not the panic over the way Kaspersky treated their customers is valid (ie did they just not honour clear communication as much as they could vs was their behaviour highly questionable for reasons of security), the case does raise the matter of the ease with which cybersecurity could be exploited in case of shall we say licit but illegal (licit because it is done by eg official bodies, countries, businesses vs hackers, and illegal because it would still constitute a cybercrime) as well as illicit (hackers, organised crime, terrorists) abuse of such services. If Kaspersky had such full control of their clients' computers so easily, others could do so too. A cybersecurity company could be used by a hostile government it exists under, or decide to branch out under its own power into criminal waters, or be infiltrated by hackers, and our security would be up for grabs.

Now, you're probably saying, this threat has existed for a while. Yes. The threat of all crime has existed as long as humans have, to take a very bleak view, and it merely evolved to reflect the technological advancements we have made. That said, it is arguably the first time our world is so dependent on and intertwined with technology that it is becoming interesting and reasonably feasible for hostile forces to, with a very simple process, create massive damage to someone else...as we have seen to some extent with cyber attacks on hospitals and other places. Cybersecurity, then, is a part of an ongoing, evolving war of sorts, and it is a war that can be fought with great ease.

Let's play with the Kaspersky incident for a moment as an exercise.

Say that a company is ordered by a hostile government to do exactly what Kaspersky did and, more importantly, could do : utilise their access to their clients to implement a strategic move. This could mean disabling cybersecurity in general; planting viruses; spying; and probably many other things I haven't as yet even thought about. In physical effect, this move could strike a decisive blow against not only strategically important bodies of the "enemy" (eg government buildings, computers, etc) but also wider society adjacent to it : one could disable traffic, communication, hospitals. In short, one strategic move could very effectively disable an entire country.

This is hair-raising to say the least...it is the stuff of dystopian nightmares. But it also has deeper meaning for international businesses. Because when someone has a lot of power over you in potentia, you will be very careful in picking and choosing who that someone is. Which is great, in theory. But what about practice?

Becoming choosy about who we do business with isn't new. For those of us who saw at least a portion of the Cold War, it was once a daily reality; and even today, governments especially are often careful about whether they enter into a partnership with a foreign business or not. That said, from the perspective of pure diversity, this can be a reductive way of viewing a potential business partner : it opens us up to bias, suggesting that safety comes from closer to home and its opposite from abroad. (We know from plenty of sad human historic experiences that that isn't always the case.) And in some ways, this can become a self-fulfilling prophecy : what happens when a region is abandoned economically? It is arguably opened up to more crime, including organised crime. This crime becomes a part of it. Its de facto governance. And it is very, very difficult to recover from that and change things around.

On the other hand, we cannot, in fact, control what our chosen partners do to the extent where we could actually be safe. A sudden political change; a coup; a loss of a territory, even just for a while, to terrorists, are just some of the ways one could suddenly end up with challenges that were not expected when we first struck up a mutually profitable business partnership. In other words, security is an illusion, and we must be cognisant of this.

Do international relations impact the threat landscape? They absolutely do. Is there an easy solution to avoid being impacted? If there is, the technical knowledge about this will have to come from those who have made the tech side of cybersecurity their life. But there is something we can do that is purely anthropological...that is, social and cultural and behavioural. We can be aware that the threat exists, and learn to work around it. This means more education all around - everyone, from children onwards, should understand that cybercrime isn't just a virus, or falling for phishing, but that it can have real and very impactful consequences in the physical world at any point. It means practicing for scenarios, including as a society. When I was a child, fire and earthquake drills were a normal thing in my environment, and many countries choose to educate their citizens about them to this day. In the US, the changing physical threat landscape has led to active shooter drills, and I predict that, given the rise of internationality of hate crime, availability of weapons on the black market and the 3D printing of more and more effective guns, not to mention vehicle and various bladed weapons attacks, they may become a thing elsewhere in the world soon, with a twist to adjust for space-typical weapon use (eg where bladed weapons are more often used, that should be noted in how one prepares). Technology is such a part of our life, is so pervasive, and can so easily be weaponised, that we need to consider it actively in our preparations for crises, whether they are "simple" crime, terrorism, organised crime or, indeed, a new type of warfare.

