Snow-Blinding Threats and Unprecedented Technological Advances: Puts Corporate Insecurity in the Spotlight
By Robert Liscouski, Contributing Author / March 14, 2025
Robert Liscouski is the Founder and Chairman of Quantum Computing, Inc., a company specializing in advanced security solutions. He has over 30 years of experience in enterprise security and risk management, including roles as Assistant Secretary for Infrastructure Protection at the U.S. Department of Homeland Security and Director of Information Assurance at The Coca-Cola Company. Robert is also the Co-Founder and Chairman of the National Child Protection Task Force, where he focuses on mitigating and managing physical and cybersecurity risks.
Throughout his career, Robert has been a thought leader and expert in assessing and managing security risks. He has served on various boards and advisory committees, including the Center for Strategic and International Studies and the National Center for Missing and Exploited Children. His extensive experience and dedication to enhancing security measures have made him a respected figure in the field of national security and risk management.
A rapidly disruptive environment is felt by companies at home and around the world. Add to this economic variability, advanced technologies, geopolitical uncertainties, and cross-border competition impacted by unprecedented changes. U.S. companies, their boards, and shareholders are facing snow-blinding challenges. Today’s risk landscape offers dimensional complexities never seen before.
Threats are evolving at a greater and unprecedented rate than the U.S. government’s ability to adapt in providing a secure business environment. Adversaries—whether they are organized hostile nation-states, terrorist organizations, or organized criminal groups—have shifted their focus from governments to private and publicly traded companies at home and worldwide. Their intent has evolved from pure financial gain to strategies aimed at U.S. economic instability and social unrest.
Consequently, U.S. companies must significantly up their resilience game if they want to become self-reliant in protecting IP, treasury, and, of course, shareholder value. Without demonstrated performance in building a corporate security strategy, institutional investors, customers, and employees will lose confidence. Loss of confidence is a loss of competitive advantage.
Escalating Threats
As technology advances, bad actors gain leverage over corporate security strategies. Consider some factors relating to this escalating threat, depending on where a company is with deploying its capitals (technology, talent, and more). They include:
Infrastructure—energy, communications, financial, etc.—is becoming more interdependent to perform to expectation. This means that it must be more reliant on technology to operate, manage, and deliver results.
Technology is advancing more rapidly than our ability to understand it, let alone deploy it to protect our infrastructure. Technologies exist today that we could only imagine a short while ago. If we have the capabilities to employ them, assume that well-funded and well-organized opponents have them as well.
Artificial Intelligence is highly capable and deployable in a variety of attack vectors and by a variety of users. Many continue to advocate that it is a generation away from “singularity,” but that doesn’t mean that it isn’t employed in its current stage of development. The key is that bad actors already have the capacity to weaponize the technology itself. Historically, access to weapons of mass destruction was only within the reach of nation-states or, more recently, well-funded terrorist groups.
A Brief History: Technology as a Weapon for Geopolitical Dominance
In the past, weapons such as nuclear arms and mass bio-agents required sufficient capital and infrastructure to make them very difficult to obtain, let alone deploy. Today, artificial intelligence and the ubiquitous virtual connectivity barriers of entry have been removed, giving opponents access to the mass weaponization and deployment of destructive and exploitative technologies.
This will resonate even more as quantum technologies become more market ready.
Historically, the bad guys have always held the advantage because they knew when, where and how they would conduct an attack. That advantage has only exponentially increased based on access to emerging technologies. Many of them are yet to be clearly understood; however, they are widely available.
Shortcomings of U.S. Politics in Maintaining Policy Priorities
Our government admits that based on ineffective policies and priorities, it is facing more challenges than it has resources. Former FBI Director Christopher Wray characterized his view of the current threat from China this way:
China, driven by the Chinese Communist Party’s dangerous actions, is a multi-pronged assault on our national and economic security, making it the defining threat of our generation.
China’s hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities. If or when China decides the time has come to strike, they’re not focused solely on political or military targets. We can see from where they position themselves, across civilian infrastructure, that low blows aren’t just a possibility in the event of a conflict. Low blows against civilians are part of China’s strategic plan.
Cyber is not the only PRC threat we face. The PRC cyber threat is made vastly more dangerous by the way they knit cyber into a whole-of-government campaign against us. They recruit human sources to target our businesses, using insiders to steal the same kinds of innovation and data their hackers are targeting while also engaging in corporate deception—hiding Beijing’s hand in transactions, joint ventures, and investments—to do the same.
The PRC has a bigger hacking program than every other major nation combined. In fact, if each one of the FBI’s cyber agents and intelligence analysts focused exclusively on the China threat, China’s hackers would still outnumber FBI cyber personnel by at least fifty to one.
China, Russia, and Their Shared Intentions
Both nations have issued public statements that their goal is to attack U.S. and Western critical infrastructure. Their goal is to degrade our quality of life and generate civil unrest and violence directed at the federal government.
Iran maintains similar objectives, although it has not gone public with this.
China, Russia, and Iran currently use third-party criminal enterprises to carry out their cyber and physical attacks upon critical infrastructure. This strategy of employing proxies to exact their harm allows them to maintain plausible deniability and thereby offers them cover in avoiding a U.S. or NATO military response. Russia has engaged in many low-level attacks in Europe in response to increased NATO engagement in the Ukraine war.
The Threat Landscape as a Risk Multiplier
While multi-vector, coordinated threats are increasing and becoming more complex, the U.S. government has attempted to focus on high-threat priorities with increasing difficulty as the volume of threats has multiplied. Threats are so severe that if the U.S. government was able to focus on the highest priority threats, the lower priority threats would be just as deadly.
National security and law enforcement previously lacked the leadership and sufficient resources required for moderate—nevertheless—highly needed success. Because of this, self-reliance is needed if the private sector expects to sustain itself. The disappointing fact is that if you dial 911, it is highly likely no one will answer.
What’s Needed to Be a Successful Company
Successful companies—today and in the future, even more so—must have the best solutions and know how to capitalize on them. This is a core requirement for companies who want to win at protecting themselves while preserving and increasing shareholder value.
Success, however, is costly and requires commitment to the goal. It is not simple either; however, here are steps that companies can take to protect themselves and their shareholders.
It starts with leadership.
Efforts to protect their enterprises—regardless of how small or big—start with CEOs taking threats seriously. No longer can they sit by and say that it won’t happen to them—hope is not a strategy. In the realm of cybersecurity, EVERYONE is a victim, now or in the times ahead. Don’t be the punchline in the standing joke about leadership and cyber threats that reads, “There are two types of companies in the world today – those that know they have been hacked and those that don’t know it.” Every enterprise, employee, device, database, and more has been hacked. We see the headlines so often we have become immune to them.
Along with CEO leadership, where there is a board of directors, remember that the board makes decisions as a fiduciary on behalf of the company and its shareholders. To meet this test, broadly speaking, the board must provide insight, advice, and leadership for important objectives such as:
Protecting the interests of shareholders
Managing risk
Engaging with stakeholders
Corporate Governance and the SEC Requirements
The Securities and Exchange Commission has recently enacted a ruling requiring public companies to report on material cyber breaches. The SEC has gone to the extent of requiring public companies to have qualified cyber risk expertise to advise their directors and to establish a Risk Committee. Risk Committees serve to assist the board in its oversight of management in meeting its responsibility to implement an effective global risk management framework reasonably designed to identify, assess, and manage company reputational cyber risks. Risks relating to finance, legal, and operational activities are addressed through the board’s overall governance responsibilities, including the Board’s Audit, Compensation, and Nomination Committees.
Many companies have yet to incorporate this guidance into their daily operations. Candidly, while the SEC ruling is well-intended, it has the effect of punishing the victims rather than stopping and prosecuting the actual perpetrators. Again, this is because the government is challenged to effectively perform given limited resources. The SEC approach is looking at only one dimension of threat, specifically cybersecurity-related threats. Our adversaries are looking at innovation driven assaults while we are looking at protecting traditional and conventional thinking.
Survive and Thrive
Companies need to start to understand that traditional approaches might have been effective in part, but they certainly won’t succeed in this current threat world. Our adversaries are looking to exploit every possible vulnerability to converge on the outcome—disruption, IP theft, competitive advantage, financial gain, or enterprise destruction, depending on their specific objectives.
The financial and commercial worlds have always rewarded companies that can adapt, evolve, and become resilient to unanticipated disruptions.
Such will continue to be the case, especially for companies that recognize threats are not just evolving but have evolved and are now evolving through a new generation of tools.
Company leaders need to make more conscious decisions to survive and thrive.