A Strategic Guide for Security Leaders: Protecting Your Organization in an Age of Great Power Competition
A new era of Great Power Competition (GPC) between the United States, China and Russia now dominates international politics – and the security impacts to the private sector are significant. Nation-state cyber-attacks on privately owned critical infrastructure, foreign espionage to steal intellectual property, and malign foreign investments are just a few of the tactics shaping the 21st-century battlefield.
To survive and thrive, businesses need to step up their game. They must reject traditional, stove-piped approaches to corporate and cybersecurity and embrace a new security and resilience model emphasizing strategic intelligence, consistent C-suite engagement, and cross-organizational integration. Enterprise Security Risk Management (ESRM) provides a helpful starting point for this transformation.
How We Got Here
To understand the new global threat environment and its implications for private sector businesses, it helps to acknowledge that we have recently entered a new epoch in geopolitics. For reference, we can simplify the timeline of the last eight decades of international security (from a U.S. perspective) as follows:
- Cold War (1947-1989)
- Post-Cold War / Interwar (1989-2001)
- War on Terror (2001-2018)
- Great Power Competition (2018-Present)
While private sector companies were exposed to Cold War risks (e.g., national expropriation of overseas assets) and War on Terror risks (e.g., terrorist bombings of Western-branded hotels), the daily impact of those conflicts on most businesses was contained. In contrast, the new era of GPC has brought businesses squarely into the fray.
What is GPC?
GPC occurs when the world’s largest and most powerful countries come into conflict—either hot or cold—with one another. This has happened repeatedly for thousands of years: Greece / Persia, Athens / Sparta, Britain / Russia, the U.S. / U.S.S.R., and so on.
Today’s GPC is a conflict between the United States, China and Russia – with Russia functioning as a junior partner to China. President Joe Biden has described the contest as one between democracy and autocracy. Alternatively, it can be viewed as a conflict between reigning powers (the West) who wish to preserve the rules-based world order created after the Second World War and insurgent powers (an “axis of upheaval”) who wish to create a different international system.
Why It Matters to the Private Sector
In this modern-day GPC, a few factors have coalesced to drag many businesses into the conflict. First, many private sector companies have built their organizations and supply chains on the foundation of globalization. However, GPC is leading to a breakdown in globalization – forcing U.S. and Western companies to weigh the risk of continuing to do business in or with America’s chief strategic adversary, China, and other foreign countries of concern.
Second, information technology is more pervasive and integral to business than ever. This IT backbone provides a large attack surface for hostile nation-states who wish to advance their geopolitical objectives. Whether to steal sensitive data or sabotage critical infrastructure, China and Russia are exploiting private sector companies’ dependence on IT for their nefarious aims.
Third, the nature of war is evolving. Whereas most businesses in years past had little exposure to international security issues unless they operated in conflict zones or politically sensitive industries, virtually all businesses are now considered viable targets by our adversaries. China and Russia leverage gray zone tactics – such as cyber-attacks, disinformation operations, and deniable sabotage – against private sector businesses as much as against national governments.
Impacts to Companies
An exhaustive accounting of GPC-related impacts to private sector companies in the last few years would be much too lengthy for this article. Instead, six real-world examples of different types of GPC impact illustrate the point and make the risks concrete for readers.
Cyber: A Chinese state-sponsored hacking group known as Volt Typhoon has compromised privately owned critical infrastructure companies intending to launch disruptive or destructive cyber-attacks in the event of heightened geopolitical tensions or military conflict with the United States.
Physical: Russia has waged a sabotage campaign against defense industrial companies in Western Europe that have supplied Ukraine. This includes suspected arson against factories and assassination plots against at least one defense industry executive.
IP Theft: A Google employee stole proprietary AI trade secrets from the company and used them to advance Chinese AI development.
Malign Foreign Investment: A Chinese government-backed company bought a large stake in a U.S. aircraft startup and then exfiltrated the sensitive technology to China.
Overseas Employee Compromise: Bain & Company and Mintz Group – two U.S. firms with operations in China – were raided and had their employees detained, respectively, signaling heightened Chinese willingness to act against Western corporate interests in the country.
Supply Chain Risk: Duke Energy was pressured to remove Chinese-made CATL batteries from its facilities over concerns that the Chinese technology could have backdoors that would enable China to compromise the U.S. energy system in the event of a conflict.
ESRM as Antidote
As these examples demonstrate, the range of GPC-related risks to companies is broad. No single countermeasure will suffice to mitigate them. While the latest tools in intelligence, cybersecurity, physical security, insider risk, travel security, employee safety, due diligence, and supply chain analysis will certainly help address these challenges, they are no substitute for a strategic approach to security risk management.
Therefore, ESRM provides a logical starting point for businesses concerned with these risks. ASIS International’s Guideline states, “ESRM is a strategic approach to security management that ties an organization’s security practice to its overall strategy.” It is a framework that can help private sector companies advance a broad approach to mitigating security risks across a wide range of disciplines, “including physical security, cybersecurity, information security, loss prevention, organizational resilience, brand protection, travel risk, supply chain security, business continuity, crisis management, threat management, fraud risk mitigation, and workplace violence prevention.”
Applying ESRM’s Foundational Principles to GPC
ESRM has four foundational principles: holistic risk management, stakeholder partnership, transparency, and governance. Each of these is well-suited to helping companies enhance their security posture in the context of GPC.
Holistic risk management helps companies break down stovepipes between various security and risk functions—such as cybersecurity and physical security—and address multi-modal adversary attack strategies (e.g., China using a company insider to compromise an IT network in order to cause physical destruction of operational technology).
Partnerships with stakeholders facilitate the maximal information sharing and coordination of GPC risks across internal business units and external partners, such as the Federal Bureau of Investigation, Department of Homeland Security, State Department, Commerce Department, Intelligence Community, and U.S. military.
Transparency emphasizes the need to make honest and fact-based risk decisions as part of security risk management. GPC issues are prone to both hyperbole (“China will invade tomorrow!”) and minimization (“We’re not big enough to be a target…”), increasing the risk of miscalculation in the security process. Critical analysis subjected to open critique is essential for reducing these miscalculations.
Finally, governance ensures executive and organizational buy-in to mitigate these security risks. In the same way that no single tool can solve this problem, neither can a single security department without the support of the C-suite and the board. Effective governance systems support an organization-wide approach to these strategic challenges.
Your ESRM GPC Checklist
For security leaders eager to begin applying ESRM to mitigate GPC-related risks, I have developed a simple checklist based on ASIS’s ESRM Guideline. I encourage setting aside one hour for an initial whiteboarding session – alone or with your team – to work through the five areas below. For additional context, reading the Guideline in full may be helpful before conducting the whiteboarding session.
- Mission & Vision: What does your organization do? How does this fit into the GPC context?
- Core Values: What are your organization’s core values? How will these be implemented in a world that may force you to pick a side?
- Operating Environment: What is your physical, non-physical, and logical operating environment? How might this expose you to GPC risks?
- Stakeholders: How are you engaging with relevant stakeholders, both internal (e.g., government relations, communications) and external (e.g., FBI, DHS, State Department)?
- Risk Management Cycle: How are you continually identifying, prioritizing, and mitigating GPC risks?
After the session, turn your notes into a one-page memo on the subject that you can use to begin a conversation with key stakeholders, including senior management. The objectives of those conversations should be to 1) draw attention to GPC and the risks it could pose to your organization, 2) solicit feedback from stakeholders on assets and risks of greatest concern to them, and 3) position yourself as a trusted advisor on these issues.
In a typical corporate security department – where time is short and resources are low – it can be overwhelming to think about setting time aside for this kind of strategic work. It is necessary to challenge that instinct. According to ASIS’s recent study on security risk management, time spent on strategy by senior security executives is directly correlated with the organization's risk management effectiveness. It behooves security leaders to set aside an hour to set their organization up for continued success in this dangerous era of world history.