The headline raised the question:
Wars Are Blurring Lines Between Corporate and National Security
The article dealt primarily with physical security of critical items and areas, and it touched on cyber security. There are other areas, though, where responsibility among corporate management teams, police forces, and government, whether military or civilian agencies need to be sorted out.
There’s the question of supply chain security, an enemy nation embargoing Critical Items in the supply chain of a nation’s important corporation, whether that corporation is economically important or is an important defense establishment supplier. Even here, the responsibility is mixed. It’s on the military to defeat the embargo (and the political leadership to engage in the related diplomatic engagements while giving the military the tools with which to act). It’s on the corporate management, though, to adjust its supply chain to eliminate the embargo and to do anticipate other high-risk dependencies and make the adjustments necessary to preempt those dependencies. Where the dependency can be eliminated through domestic production, vis., of raw materials, it’s on the nation’s political leadership to remove regulatory and other roadblocks so that domestic production can be done.
There’s also the question of cyber security. Here, a breach of a corporation’s cyber security should be taken as evidence, though not of proof, of corporate management’s criminal negligence. This sort of thing is too obvious an area of weakness for corporate managers to miss or to decline to commit the resources either to block proactively, or to fight and repair successfully and promptly a breach. Here, also, it’s on those managers to make public the breach, what was affected, and who was affected, in fine to spread the word for the benefit of others.
Adding to the complexity, companies now need to protect the data networks that serve as gateways to critical infrastructure. Hackers increasingly target not just computer files to steal information but also systems managing vital functions like building access and factory control, remotely causing physical damage or enabling espionage.
To which I add: vital functions of communications and financial systems, inserting sleeper malware, to be triggered during a crisis or in association with a direct attack to shut down critical nodes in those systems’ infrastructure and erase the data in financial systems, as well inserting the sleeperware into water distribution, national electricity grids, fuel pipelines, with a view to shutting those down or causing their catastrophic failure.
Addressing the question of primary responsibility, Marc Glasser, ex-DHS Chief of Chemical Security US Department of Transportation and the Department of Homeland Security:
The private owner can invest in redundancy, monitoring, and repair capacity, but only governments and militaries can really deter, patrol, attribute, or respond to hostile state activity[.]
Not entirely. That’s all true as far as it goes, but it only goes to reactivity. It’s the responsibility of corporate managers, military leadership, and politicians to act proactively in their spheres to anticipate and move to protect avenues of attack and to block attack attempts.