Terry Gerton We talk a lot about cyber on this show. We have a lot of folks who are deeply engaged in doing cyber every day. And I think it’s easy, certainly it is for me, to slip into thinking about cyber as a technical problem. NCC Group has just released its fifth edition of the Global Cyber Policy Radar, and I think it tries to make a case that this is not just a technical problem. Tell us how you all approach the cyber security space.
Kat Sommer It’s a really good point because, yes, you’re right, traditionally we look at cyber, or people have looked at cyber, as a technical issue. What we’re trying to work out in the Global Cyber Policy Radar is the way in which that conversation has shifted. And it’s shifted in two ways in our view. One is cyber has very much become an instrument of geopolitics. And we talk about the geopoliticalization of cyber. And the other way in which we talk about it is that cyber has moved from the IT back room into the board agenda now, because of the way in which governments around the world, regulatory authorities around the world are now holding boards and senior executives responsible for cyber security and cyber resilience outcomes.
Terry Gerton Let’s take each of those in its own conversation, this idea that cyber is now a tool of international diplomacy. What does that mean in terms of offensive and defensive strategies, and how are you seeing governments move?
Kat Sommer I think the context for a lot of that is that we live in a very digital world nowadays, so the foundations of our economies, the foundations of societies are basically driven by digital technologies now, which means the cyber security and cyber resilience of those technologies underpinning everything that we do has become more easily disruptible. The way in which governments used to think about cyber security, cyber resilience was from a preventative point of view. So if you look at a lot of regulations that we’ve seen published over the last couple of years, they’re very much focused on putting minimum baseline cyber security requirements in place, really getting organizations to try and prevent a cyber breach as much as humanly or technologically possible. Nowadays, there has been a very clear shift, I think primarily led by the US administration, actually, about governments looking at disrupting adversary behavior. So rather than just focusing on building up the walls of defense, it’s being more forward in trying to disrupt adversary behavior, going on the offensive, as it were, and the way in which we’re seeing that shift play out in particular is that that is no longer just a state action that is happening, but there are increasingly governments looking towards the private sector to help those efforts and help that undertaking. That has, to an extent, not always been the case, but when we talk about a whole-of-society approach, in cyber we talk of our public-private collaboration, public-private partnership. Up ’til now that’s primarily focused on intelligence sharing or information sharing. We feel like we’re now moving to a point where governments might well ask a private sector operator of critical infrastructure to take part in an offensive cyber operation.
Terry Gerton That’s a pretty significant shift in roles, responsibilities, and outlooks. When you think about that, integrating cyber capabilities into broader military and geopolitical strategy, where do you see the risks around coordination, escalation and maybe miscalculation?
Kat Sommer It’s a really good point. And that is one that we make in the radar: one, that different countries are embracing greater offensive cyber capabilities, but doing so on a very national, very nation-state basis, part of the broader fragmentation of geopolitics that we’re seeing around the world. So there isn’t necessarily an international consensus, despite UN efforts to try and build one and try and build out the norms in cyberspace. So what might be acceptable in cyberspace in offensive operations for one country isn’t necessarily the same for another country, which means the rules of the road are really unclear. That’s the one risk, the risk of fragmentation. The other risk, particularly for private sector firms being asked to do that, is being unprepared for that question to arrive. So part of the argument that we’re making is to say to firms, you might well expect your government to ask you to partake in an offensive cyber operation. What will your response be? Have you thought about the legal implications? If you’re a multinational, have you thought about the legal implications in each of your operating jurisdictions? Have you thought about the morals, the ethics of that? Have you got a process that you will go through to decide whether you politely decline that request or whether you feel like it is acceptable to say yes to that request? So having done the pre-thinking before that request comes is a very important aspect and a very important recommendation that we’re making to organizations.
Terry Gerton Kat Sommer is group head of government affairs and analyst relations at NCC Group. Kat, you just began to touch on the private sector implications here. What are you seeing play out in terms of the responsibilities and the liabilities for private sector leaders and board members?
Kat Sommer It’s a really interesting question. And it touches upon, I guess, the other part in which we’re seeing cyber move out of the technical sphere into a broader area of responsibility. Up until now, we’ve always talked about cyber being the responsibility either of the IT manager or the chief information security officer. We’ve seen moves in pretty much most of the Western world by governments saying to company boards, to executive directors, to chief executives: what exactly is it that you are doing about cyber resilience? How are you ensuring that your organization is now a responsible cyber player, that you have got your house in order when it comes to cyber security? And part of that has been done through regulations. So the Network and Information Security Directive #2 in the European Union, for example, introduces the concept of director liability. And the various European Union member states have actually implemented that in their transposition. So there are now things like board members needing to undergo cyber security training and needing to prove that they have done that, so they know which questions to ask. We’ve seen in the UK the chancellor of the exchequer write to FTSE 350 stock market-listed organizations, boards, chairs and chief executives, asking three simple questions about what they are doing with cyber security. And they have had, I think, about 50% of organizations respond to say, yes, we are on top of things, thank you very much for asking. So that’s the shift that we’re seeing, and the very clear expectation, the very clear message by governments to those business leaders, organizational leaders, is you can’t delegate that responsibility. You might delegate the execution of the technical detail, but if you get hit and you’re found to have been negligent in terms of the preparations, it’s your head on the chopping block rather than that of your head of security.
Terry Gerton Kat, this report was, I presume, predominantly prepared before ongoing operations in Iran and the Middle East began kind of in February. What are you seeing there that is supporting or refuting the thesis in your report?
Kat Sommer We believe that the argument of cyber having become a tool of statecraft and a tool of geopolitics is being supported by looking at the way in which cyber operations are being integrated into wider military operations. So rather than it being a separate domain, it is now part of a whole-of-state response and a whole-of-state action in those conflict situations.
Terry Gerton It’s one thing to watch munitions explode in ongoing operations, but cyber is this invisible, behind the scenes activity. How can leaders, military leaders, national agency leaders think about getting ahead of this, think about making it real? Who needs to be at the table for future plans?
Kat Sommer Really good question. I think I would go back to saying it is a whole-of-society response. It’s a whole-of-society effort. Making cyber real ultimately is the responsibility of everyone who touches parts of technology, parts of organizational response, parts of military operations. So one of the key elements to think about is finding that shared language and being able to ensure that everyone around the table, no matter what domain they represent, no matter what expertise they have, understands the implications of a cyber attack, of cyber defense operations, of cyber offensive operations, so that there is a common ground from which decision making and conversation can take place.
© 2026 Federal News Network. All rights reserved.