Federal agencies and contractors alike face increasing cybersecurity, fraud, sanctions and supply chain risks stimulated by geopolitical events. An organization doesn’t need to be a participant, even an indirect one, in geopolitical conflict to have exposure to risk.
Experts at Guidehouse say an important strategy for mitigating risk is simply to understand the dynamics of geopolitical issues and the effects they throw off.
“We really believe our clients need to understand, assess and be able to address that environment,” said Guidehouse Partner Rodney Snyder. “And therefore, be able to operate safely and optimally.” He cited a broad range of risk factors, including terrorism, state-sponsored or sanctioned cyber attacks, fraud and economic sanctions nations use against one another.
Snyder said it’s important to understand that sanctions don’t end with the headline-grabbing countries like Russia and China.
“The extension of sanctions continues,” he said. Geopolitical events spread “into other parts of the world, and well beyond sort of just the wartime situation, or something like terrorism or drugs. It’s very important for companies or agencies to know who else in the supply chain that [sanctions] impact.”
Noted Patrick McArdle, another Guidehouse partner, “The mere fact that I’m a U.S. company operating in another country does not mean I’m not subject to the sanctions.” He said sanctions occur within a larger context of export controls, foreign investment restrictions and restrictions on certain specific commodities or equipment. For example, China restricts certain minerals crucial to semiconductor production, while the U.S. might prevent chip-making equipment from reaching China.
If it all sounds complex and difficult to navigate, that’s because it is.
“And that’s kind of our job,” said Guidehouse Partner Marianne Bailey. “That’s where we come in” to help clients see what’s going on. “We are exposed to [the risks]. We do understand them,” Bailey said. Too many organizations “don’t even dive that deep to really understand the landscape that they’re working in, the breadth of it.”
Companies and public sector organizations alike have been dealing with supply chain issues since the onset of the pandemic. Geopolitical occurrences, Bailey said, make deep supply chain knowledge crucial. The defense industrial base, she said, extends to many thousands of companies. Defense components must therefore know the answers to key questions.
“Where are they getting those parts from? Where are they getting those components from?” Bailey said. “Are they getting them from a place that they’re supposed to be doing business with?” Adversaries, she added, spend years preparing to slip into the DIB, and “they know the supply chain better than we do, better than our clients know it.”
Multiple protections needed
Nearly every risk has a cybersecurity component. This means organizations must move past a strictly compliance mode of thinking when dealing with cybersecurity, the Guidehouse partners said.
“Today, to a cyber person, compliance is like step one,” said Bailey. That’s because cyber practitioners often aren’t aware of the totality of their risks, she said. “Most … breached organizations, even government organizations, were meeting their compliance.”
“You definitely need more than just the compliance department,” added McArdle. He said that often, the compliance people recommend software to mitigate a cybersecurity risk. “Well, if the technology team that’s implementing that doesn’t have a good grasp of what that technology is actually intended to capture, it may not be set up in the way that it was intended.” McArdle added, “The whole enterprise needs to operate as a single unit.”
To fully guard against the range of threats, agencies need complete visibility into all of their digital assets, including sensitive data in commercial cloud service providers. In fact, Bailey said, cloud “makes things more complicated, because assets are much more dispersed. And organizations lose track of where their data is, who has access to their data, who’s touching their environment.”
Along with visibility comes the need for specific measures, including multifactor authentication and ICAM (identity, credential and access management) and, as per detailed regulation, implementation of zero trust architectures.
McArdle warned that even properly configured ICAM systems are vulnerable to new attack methods created by artificial intelligence. He cited the use of voice recognition as one factor in multifactor authentication systems.
“With generative AI, [hackers] have been able to capture your voice, and then the bad actors have been able to use that to gain access to various accounts,” McArdle said. Hackers often use this application of AI for financial fraud.
He added, “We have been working with a number of clients implementing machine learning around some of their historical fraud patterns, developing algorithms that identify those in a more efficient manner.” He said that approach “gives investigators more time to focus on certain vulnerabilities.”