People interested in cybersecurity often ask me what skill sets they should develop. Many of the obvious answers could be pulled right out of a CISSP study guide. For example, have an understanding of topics like the CIA Triad, cryptography, and network architecture. Increasingly, new entrants should also have a basic understanding of threat actors and their tools. However, there are two very valuable skills that many cybersecurity professionals overlook: an understanding of geopolitics and a strong writing ability.
Geopolitics
Cybersecurity is a technical field, but there remains a need for humanities backgrounds within the field. After all, cyber attacks don’t occur in a vacuum. People conduct them. These people are often acting on a desire for money, power, and/or influence. So what is geopolitics and how does it fit into cybersecurity?
Merriam-Webster defines geopolitics as “a study of the influence of such factors as geography, economics, and demography on the politics and especially the foreign policy of a state.” Basically, threat actors’ decisions are influenced by their circumstances. That sounds obvious, but understanding geopolitics requires one to be familiar with the various circumstances of others around the world. Thus, having an understanding of threat actors based on their geopolitics can be invaluable in cybersecurity.
To illustrate the point, let’s look at hypothetical conversations involving three cybersecurity professionals with varying degrees of geopolitical awareness.
For the purpose of this example, the executive and cybersecurity professionals work at an American equipment manufacturing company.
No Geopolitical Awareness
Executive: Should the board be concerned about potential cyber attacks from Chinese hackers?
Cyber Professional #1: Yes, the board should be concerned. Every day our threat intelligence feeds publish tons of reports about Chinese threat actors. They’re targeting American companies and they could easily be targeting us next.
Some Geopolitical Awareness
Cyber Professional #2: Yes, the board should be concerned. It’s well reported that China-nexus threat actors target American companies with the intention of stealing intellectual property in order to advance economic growth. As an American manufacturing company, we should be concerned that China-nexus threat actors will attempt to steal our advanced intellectual property.
More Geopolitical Awareness
Cyber Professional #3: Maybe, the board should be concerned. I would never say we shouldn’t be concerned about China-nexus threat actors. Their use of cyber espionage to steal intellectual property from American companies is well documented. This is especially true regarding equipment manufacturers like us. However, the question is how likely they are to target our company. We can gain some insight into the People’s Republic of China’s economic priorities from their most recently published 5-Year Plan.
According to the PRC’s plan for 2016 to 2020 the equipment manufacturing industries the Party is prioritizing are aerospace equipment, marine engineering equipment and high-tech vessels, advanced rail transit equipment, high-grade CNC medical tools, robotics, modern agricultural machinery and equipment, high-performance medical equipment, and advanced chemical machinery.
Does our firm have R&D efforts in any of those areas that my team isn’t aware of? If so, we should assess the need for additional security for those projects. If not, I would assess with moderate confidence that we don’t face any extraordinary risk of attack by economically motivated, China-nexus threat actors.
Of the three explanations, the third provided the most relevant context regarding the potential threat to the company in question. The difference had to do with a greater degree of geopolitical understanding, rather than technical knowledge.
Geopolitics in Action
Geopolitics is definitely useful for analyzing the full scope of cyber threat intelligence. For example, look at Cylance’s recent research paper on a previously unidentified APT dubbed The White Company and their cyber espionage campaign targeting the Pakistani military. Rather than speculatively attributing the campaign to a specific nation-state, Cylance opted to summarize the geopolitical situation involving Pakistan during the timeframe of the observed campaign. Cylance let readers draw their own conclusion about attribution, but it’s harder to speculate if one is not at least moderately versed in geopolitics.
Writing
The other under-appreciated skill in cybersecurity is a strong writing ability. More specifically, it’s the ability to write clearly, concisely, and in a convincing manner. Cybersecurity is full of smart, technically proficient professionals. However, strong writing skills aren’t exceedingly common. Writing skills might seem trivial until you’re required to share your knowledge of an incident, threat, or some other situation with a colleague, manager, or executive who’s not in the room with you. The larger the organization, the more likely that you will need to brief people in writing.
In crisis situations, your organization’s executives are going to want updates—often in writing—so they can be shared and reviewed at a later date. To further compound the issue, you will likely have to alternate between describing situations to technical and non-technical audiences. Just like any other skill set, writing requires practice. In the context of cybersecurity, your writing often needs to inform or convince leaders. As I used to say as a U.S. Army Intelligence officer, “Being right doesn’t matter, if you can’t convince anyone you’re right.”
The need to craft well-written works arises more often than new entrants to cybersecurity likely appreciate. Penetration testers write pentesting reports. Cyber intelligence analysts write threat intelligence reports. Security operations analysts write incident reports. I could keep going, but you get the point. You don’t have to be Ernest Hemingway, but well-written reports improve the efficient communication of facts, events and opinions. They also simply make everyone’s life a bit easier. I’m sure most cybersecurity professionals out there have been on the receiving end of a poorly written report that provided more questions than answers.
The Way Forward
Cybersecurity isn’t a one-size-fits-all career field. It hasn’t been so for a while. There’s an increasingly diverse set of cybersecurity roles that require different skills. There is certainly a need for geopolitical awareness and strong writing skills on most cybersecurity teams. While these skill sets are not exceedingly common in computer science, information systems, or cybersecurity programs, they are the staple of international relations, history, or political science programs.
There’s absolute value in recruiting well-rounded and non-traditional cybersecurity candidates, rather than seeking out exclusively highly technical candidates. If everyone on your cybersecurity team has the same background, you’re missing an opportunity to gain the additional skill sets that come with a diverse team.
For cybersecurity professionals who don’t already have a strong foundation in geopolitics and writing, it’s never too late to start. Read about the world. Write a blog. An understanding of geopolitics and a strong writing ability are both skill sets that will benefit you in the future.
Stay vigilant.