War blurs the lines between corporate and national security

0
3
War blurs the lines between corporate and national security


Modern warfare is forcing a convergence between national and corporate security – and no one is sure who is responsible for the cost of paying to protect businesses.

Jebel Ali port, a major trade hub in Dubai, was attacked in the early days of the Iran war.

In its war with the US and Israel, Iran did not limit its attacks to military assets; It affected stranded oil refineries and tankers in the Persian Gulf, as well as petrochemical facilities, civilian airports, aluminum smelters, water-desalination plants and other industries. amazon data center. In recent years, Ukrainian power stations, American utilities, and undersea cables from the Baltic Sea to Taiwan have also become targets.

While civilian infrastructure has long been a target in wartime, an increasingly networked world means the military value of commercial assets is increasing. In the new age of warfare, businesses are finding that the facilities they designed for low cost and easy maintenance require greater security – and often security that traditionally only militaries have provided.

In unstable areas, some critical infrastructure, such as desalination plants and data centers, will need to be strengthened with layers of reinforced concrete, duplicated to provide backup or relocated underground at potentially significant cost. There is already debate between companies and governments over the new rules and potential costs.

In Germany, powerful unions representing private companies and municipal utilities have opposed new standards for physical security, warning that they could lead to financial ruin. The New Zealand government has faced opposition from industry groups over proposals to impose fines on critical infrastructure companies and their directors for cyber security breaches.

“We have been spoiled by peace for too long,” said Norman Heit, global corporate security and resilience director at telecoms giant Vodafone. “People don’t appreciate that physical security for businesses is as much a public good as defense.”

One sign of how the lines are blurring: The 32 countries of the North Atlantic Treaty Organization agreed last year that as part of a deal to spend 5% of economic output on defense and security, 1.5% would go to military-adjacent needs, including the security of critical infrastructure and networks.. Spending targets range from cybersecurity and industrial capability to the railroads, bridges and ports needed for military logistics. Progress on those efforts will be a focus when leaders gather for a NATO summit in Türkiye on July 7.

NATO’s top military adviser, Italian Admiral Giuseppe Cavo Dragone, said, “We need a broader concept of defense – defense is no longer just military.”

Adding to the complexity, companies now need to protect data networks that serve as gateways to critical infrastructure. Hackers are targeting not only computer files to steal information, but also systems that manage critical functions like building access and factory controls, remotely causing physical damage or enabling espionage.

We. In April officials warned that Iranian hackers were trying to disrupt U.S. drinking water systems by targeting computer devices that link hardware to software. A year earlier, suspected Russian hackers remotely manipulated valves on a Norwegian hydroelectric dam.

“Digital attacks on physical systems create physical problems,” said Gianni Cuzzo, chief executive of Axion, an Italian startup that embeds security software in microchips used in devices ranging from televisions to vending machines and ventilation systems.

Another challenge will be parsing jurisdiction and liability for assets that cross international waters or are damaged in war – such as subsea data cables or energy pipelines. Fighting between law enforcement and militaries is already complicating efforts.

When Russian drones became suspicious European airports raided Last year, governments struggled to clarify who should answer. Following a series of drone flights over industrial and security sites in Germany, the government earlier this year gave the military more powers to deal with drones in areas controlled by local law enforcement.

Mark Glasser, who worked on cybersecurity and infrastructure security for three decades at the U.S. Department of Transportation and Department of Homeland Security, said, “Private owners can invest in redundancy, monitoring, and repair capacity, but only governments and militaries can truly prevent, patrol, characterize, or respond to hostile state activity.”

As chief executive of California’s Port of Long Beach, Noel Hasegaba grapples with these concerns every day. He sees new technologies and their use by hostile, state-aligned actors redefining the threats facing the port, which is one of America’s busiest ports, handling $300 billion of cargo annually.

“Everything we do needs to be viewed through a security lens,” he said.

Few businesses are more old-world than ports, but cargo management has gone digital. Hasegaba launched a cyber-defense operations center in May to thwart thousands of cyberattacks every day that threaten computer systems and all devices connected to them.

“Five years ago, port security was mostly about people and freight. Today, it’s all about people, freight, software, hardware and airspace,” he said. “A cyber incident on Tuesday, a drone on Wednesday, a geopolitical shock on Thursday and they all touch the same asset by Friday.”

The scale of the threat is prompting calls to elevate responsibility for corporate security to the C-suite, in the same way that the financial turmoil of the 1990s pushed money managers out in favor of CEOs. In March executives and business-risk experts published a call to action in the Harvard Business Review titled “The Case for Appointing a Chief Resilience Officer.”

Supporters say those executives need to remain at the boardroom level because of the huge potential liabilities caused by business disruptions and the cost of complying with the new rules.

Companies say they need more clarity from governments on what protections and subsidies they will provide to help protect privately owned assets that serve the public interest.

Most governments do not provide incentives for companies to invest more than the minimum legal flexibility requirements. This will likely make it a field of competition between businesses, Vodafone’s Heit said, and companies that are able to invest will win out by touting their flexibility as a benefit to customers.

“If companies are expected to support the state to protect critical infrastructure, they need to be incentivized to do so,” Heit said. Vodafone and eight other telecoms-related companies last year called on European authorities and NATO to boost public support and government coordination in the security of undersea cables.

The rules have started changing. The EU adopted new measures following Russia’s full-scale invasion of Ukraine, requiring countries to reduce vulnerabilities. The national risk assessment and list of critical entities are due this month, but many states are behind schedule.

New proposed laws in the UK seek to increase penalties for undersea sabotage, updating codes that were laid down when telegraph cables were first laid in the 19th century.

In the U.S. and other parts of the world, new requirements are either being enacted or implemented, though often focused more on specific sectors like energy and finance than the economy as a whole, experts say. Congress established the Cybersecurity and Infrastructure Security Agency in 2018 to assist other government agencies and private sector organizations, but its budget and staff have been reduced in recent years.

The latest efforts echo what happened in response to the terrorist attacks of September 11, 2001, when airports designed for efficiency and ease of travel changed operations to prioritize security. The US reorganized the federal government and invested hundreds of billions of dollars in homeland security.

Now, almost every type of facility is a potential target. Iranian drone attacks in March destroyed data centers in the United Arab Emirates and Bahrain that were used for banking and other commercial purposes. They remain offline, part of a series of warning signs flashing around the world as increasing reliance on artificial intelligence makes data centers indispensable.

“These lessons are better learned now,” said Sam Winter-Levy, a fellow in the technology and international affairs program at the Carnegie Endowment for International Peace.

Write to Stephen Kalin stephen.kalin@wsj.com and on daniel michaels Dan.Michaels@wsj.com


LEAVE A REPLY

Please enter your comment!
Please enter your name here