Technology is radically changing the nature of terrorism and state-to-state rivalry. The global picture is complex but risk managers have a key role to play – PR Officer at Airmic, Jessica Titherington reports. Managing geopolitical risks was once about anticipating and preparing for physical disruption in volatile regions of the world and understanding how this may impact the business environment. Not an easy task by any means, but one in which risks were visible, easy to define and played out on a global stage.
Not so any more. Geopolitics has moved into a new era, one that is more complex, harder to define and that is dangerously dominated by cyber. It operates on many levels, including state terrorism, the dark web, control of the internet and state competition for technological dominance. And above all it is hugely unpredictable.
These were some of the key messages emanating from Airmic’s Geopolitics Academy Forum in April, hosted by Lloyd’s, in which experts from the fields of terrorism, cyber security, risk management and insurance debated the challenges of geopolitical risk in a cyber era.
“The current moment we’re living in feels incredibly uncomfortable geopolitically. For the last 50 or 60 years, we’ve been in our comfort zone created by US-Russian bi-polar stability and a pro-business environment,” explained Charles Hecker, senior partner at Control Risks. “We’re not there anymore. The bottom line is unpredictability and we don’t know quite where we’re going.”
Cyber power becomes power
At a state-to-state level, geopolitics is being played out via an undefined technology race, delegates heard. “States are increasingly aware that technology will give them a strategic advantage in the twenty first century,” said cyber expert Jamie Saunders, visiting professor at UCL who previously led the National Crime Agency’s work on cybercrime. “That’s nothing new but in the last five years they are not just seeking military advancement but trade and security advantage.” Indeed, according to James Arroyo, director of the Ditchley Foundation, “another great age of technology is emerging” which is creating a “renewed urgent competition among states”. China, for example, is making huge investments in artificial intelligence (AI) and bio-engineering capability. The global powers increasingly believe that if you can get ahead now, “you’ll stay ahead for a very long time. Technology has changed the playing field.”
Control of the internet
One area this is playing out is the control of the internet – including content, rules of conduct and security. As cyber stretches into all areas of state competition, including advanced weapons, the risks to a state of being “switched off” is a big threat, explained Mr Arroyo: “Cyber power is in danger of becoming power.” Until recent years, the private sector has dominated the direction and control of the internet, with governments by and large observing from a distance. This is no longer valid, argued Emily Taylor, CEO of Oxford Information Labs, who warned that “we’ve been fooled into thinking technology is neutral.”
According to Ms Taylor, who or what controls the internet does not matter if everyone shares the same values and trusts one another. However, it is now clear that states with different – and sometimes opposing – motives, want to shape the internet and technology to their advantage. “Governments are no longer buying the narrative that it’s nothing to do with them.” The global concerns about the development of 5G infrastructure by Chinese corporation Huawei, and the extent to which the Chinese government is involved, is a case in point. As AI and the Internet of Things become ubiquitous, the 5G infrastructure that will support it will penetrate all areas of life at an individual and state level. Countries such as the UK, Canada, the US and New Zealand currently disagree on the extent to which potential Chinese involvement in a key 5G supplier could pose a security and data risk to other countries.
The internet: magnifying terrorism
Cyber is also playing a growing role in global terrorism, delegates herd. Mr Arroyo explained that although there is a “lull” in terrorist activity, the key drivers are still there and it will “mutate and re-emerge”. For example, we have not yet seen a cyber terrorist attack, but with many young, tech-savvy terrorist recruits coming through the ranks, “we may see this emerge”, he warned.
The internet is the “perfect partner for magnifying terrorism,” according to Mr Arroyo. Social media in particular enables terrorist organisations to spread ideals and recruit far more quickly than in the past – a tactic employed with great effect by Isis in particular. Indeed, it is not confined to Islamic terrorism: the tragic attack on the New Zealand mosque in March, for example, was filmed live on a Go Pro via the internet: “These things will pile up in dark corners of the web and will be a terrible inspiration for terrorists”. Meanwhile, encrypted technology such as WhatsApp facilitate global terrorist networks and makes planning attacks easier, and the huge amount of publically available information, such as satellite images, makes reconnaissance more efficient.
“Counter-terrorism is therefore a big data problem,” Mr Arroyo explained. The difficulty for the global community is the trade-off between privacy and checks and balances. Social media firms “need to do more”, according to Mr Arroyo, and regulation has almost become “inevitable”; however, freedom of speech must be protected he stressed.
Risk management: preparing not predicting
For the risk management community, understanding how the forces at play manifest themselves at a business level is a challenge. The risk manager’s core role, according to Neal Croft who is heading the Willis Towers Watson Geopolitical risk initiative, is to be a “facilitator”. The organisations most successful at tackling geopolitical risk address it through understanding, preventing and protecting this risk using multi-functional teams across their businesses, and it is the risk manager’s job to bring the key people together. “This is a team sport, and the risk manager should enable key discussions and the right approach,” Mr Croft added. It’s not about predicting what might happen, but about ensuring the businesses is thinking in the right way, added Mr Hecker of Control Risks. “It’s not about getting it right all the time but you have to get the company’s head in a mind-set where it is anticipating events and risks. You may not be right, but the chances are you won’t be too far off.”
John Ludlow, Airmic CEO, offered practical advice for risk managers, including setting up awareness sessions with senior executives, developing an intelligence-led and threat-based capability, and building multidisciplinary teams. He also stressed the importance of knowing who to speak to in government to keep abreast of developments, especially regulation. “Once you understand the risk, managing it becomes basic risk management: planning and preparation; prioritising threats and creating a mitigation strategy; technical surveillance of systems; and incident monitoring.”