We Used to Worry About Hackers. Now It’s Our Own Trade Policies.

Written By

Marc Briggs

Published on

31 July 2025

It wasn’t part of the main stage agenda. In fact, it came out of a smaller breakout session on supply chain attacks at The-C2 conference. But the conversation that followed was one of those side-line discussions that stops you in your tracks, the kind that stays with you long after the session ends.

A few voices around the table, CISOs, COOs, supply chain specialists, started comparing notes on something that doesn’t typically show up on vulnerability scans or threat feeds: trade policy. And more precisely, how shifts in international trade relationships are introducing new, systemic risks into cyber security postures.

The more they talked, the more everyone leaned in.

Cyber Risk with a Diplomatic Passport

One of the delegates, responsible for security at a multinational manufacturing group, described how recent export restrictions on semiconductors meant that their key suppliers had to change up their hardware stack. That didn’t just raise operational issues. It opened a whole new set of questions about trust, visibility and unknown third-party technology suddenly sitting inside critical environments.

“It wasn’t just that the chips were different,” she explained. “It was that we had no idea who had touched them, what code they’d been compiled with, or what sort of telemetry they were silently sending back. It was a black hole in our assurance model.”

This kind of unplanned pivot, triggered by geopolitics rather than business needs, throws up a whole new attack surface. There was a clear sense in the room that this is a trend we’re going to see more of. And fast.

Fragmented Infrastructure in a Fractured World

The conversation moved quickly to the implications of a “splinternet” – not as an abstract concept, but a growing reality. Several participants shared experiences of operating in regions where data localisation rules and divergent encryption standards are not just inconvenient, but directly affect how and where you can defend your systems.

One cyber leader from a financial institution working across Europe and Asia described how internal tools had to be rebuilt to meet regional technical requirements. Not just the legal bits, but the deep architectural layers. It was, in his words, “like trying to run one business on three different versions of the internet.”

And the cost of all this fragmentation? It’s not just budget or engineering effort. It’s security. When regions wall themselves off, threat intelligence sharing suffers. Patch distribution slows. Vendor certification becomes patchy and inconsistent. Trust becomes conditional.

It’s Not Always a Breach, But It’s Still a Risk

What made this discussion especially striking was how it reframed the idea of a supply chain attack. Nobody had suffered a breach in the traditional sense. There wasn’t a foreign APT group at the gates or a zero-day exploit to patch.

But there were very real consequences.

One participant described how a rapid change in government procurement policy meant that a critical component in their software pipeline was suddenly unavailable. They had to replace it overnight with a local alternative that hadn’t been security vetted to their standards.

“No incident report, no IOC,” they said. “But it disrupted operations, introduced unknown code, and kept me awake for a week.”

In other words, a new kind of supply chain risk. One that doesn’t come from attackers, but from shifting international relationships.

What We Can Learn From These Conversations

This was never intended to be a geopolitical roundtable. But as is so often the case at The-C2, some of the richest insights come from the conversations on the margins. And a few clear lessons stood out:

  • Cyber security leaders need better visibility not just into their software and hardware vendors, but into the political and trade context those vendors operate in.
  • Resilience planning must include scenarios where trusted suppliers are cut off not by compromise, but by regulation or sanctions.
  • Security architectures should be designed with flexibility in mind, to cope with a world where tech stacks might have to change overnight.

And perhaps most importantly, there was a recognition that we need to keep talking about this. Because these kinds of risks don’t appear in audit logs. They surface in meetings with procurement, conversations with compliance, and – if we’re not careful – during incidents that no one thought to plan for.

Final Thought

It’s easy to think of cyber security as a discipline of code and configuration. But more and more, it’s being shaped by treaties, trade barriers, and statecraft. That might feel like it’s out of our hands, but it isn’t.

As security leaders, we have a role to play in making sure that the board understands this evolving risk landscape. We can’t prevent the world from getting more complex. But we can make sure our organisations are prepared for the knock-on effects.

What started as a side note in a breakout session might soon be central to how we think about resilience.