Here’s a question from the World Economic Forum (WEF):
“What if a cyber attack took over a government’s IT network, bringing an entire nation to its feet? Does this seem like a far-flung scenario? It isn’t. In April 2018, the small independent Caribbean nation of Sint Maarten faced a total public shutdown for an entire day. The previous month, the city of Atlanta was crippled by a ransomware attack that lasted two weeks and cost nearly $3 million.”
The WEF continues:
“In the US alone, Baltimore, Charlotte, Dallas and San Francisco have been victims of cyber attacks during the past year, following (ironically) a transition to smart city technology. Although the smart city concept has created more connected cities, the lack of cybersecurity preparedness often creates serious security vulnerabilities. So what can organizations seeking to advance to smart infrastructures, cloud networks and IoT environments do in the face of rising cyber threats?”
How bad is the threat? What can companies (and governments) do to prevent a digital apocalypse?
Digital maturity and inclusiveness are considered necessary assets in the global economy. Some countries are highly mature. Some are not. Layers of digital define just how mature a country is. The WEF has developed indicators of digital maturity. Countries like Singapore, Finland, Sweden, Norway and the United States are extremely mature. But countries like Chad, Burundi, Haiti, Mauritania and Madagascar are ranked very low. Which countries are the most vulnerable to cyberattacks? As suggested above, there’s an ironic relationship between maturity and vulnerability.
Multiple Single Points of Failure
Single points of failure can be identified and usually managed, often through redundancy. But what about all of the layers of digital technology we rely upon so completely? Data, applications and networks are far from secure. Worse, they depend upon each other and partner increasingly in the cloud – another rapidly growing source of vulnerability. The layers of digital technology we take for granted (and often never see) combined with the apps we download and love, create a vulnerability unimagined by the creators of any single point of failure. Result? There are multiple singe points of failure.
The number and nature of vulnerabilities to data, applications and networks is growing at an unprecedented rate. Distributed Denial of Services (DoS) attacks have steadily increased over the years. Data breaches are commonplace. Unsecured application programming interfaces (APIs), accidental and deliberate data losses, private, public and hybrid cloud vulnerabilities, and inevitable “insider” threats are all on the rise.
Unfenced Digital Prairies
Years ago – before cloud computing existed and before “personal computing” exploded – there were tools and techniques that could – if well-enough funded – prevent cyber disasters. While disasters still occurred, there was relative control of computing boundaries which usually began and ended at the corporate firewall. Today – and forever – there are no boundaries: computing occurs everywhere, all the time on servers housing data bases located around the world managing increasingly automated transactions. Can all these transactions can be tracked, managed and protected? What happens when artificial intelligence (AI) fully meets robotic process automation (RPA)?
The New Threat Actors Guild
If you ran a company (or a country) with minimal digital capabilities and you wanted to compete, what would you do? It’s as difficult to displace a company with huge market share as it is to militarily compete with an established world power. But it’s a lot less expensive to attack a network than build aircraft carrier groups or global digital supply chains. Companies and countries have incentives to hack, penetrate, disrupt and breach just as individual terrorists employ the same tactics. Disgruntled employees and political activists are also credible threats. Bad actors are everywhere.
The Inevitability of Combinatorial Risk
It’s difficult if not impossible to conclude that the rise in digital maturity will somehow result in the reduction of digital risk. Based on well-documented history, the opposite is so easily proved. Combinatorial risk isthe largest risk factor. Said differently, it’s impossible to control multiple uncoordinated risks and multiple single points of failure. Global social, economic, financial, political and even military systems prevent sustainable cooperation. Corporate competitiveness also prevents widespread, scalable cooperation. Arguably, many countries and companies rely heavily upon various forms of innocent-to-malicious digital espionage to compete.
Outcomes Have Arrived
When will national infrastructures be hacked? According to Tom Ball, writing in Computer Business Review, yesterday:
- “In December 2015 a massive power outage hit the Ukraine, and it was found to be the result of a supervisory control and data acquisition (SCADA) cyber attack. This instance left around 230,000 people in the West of the country without power for hours.”
- “A small dam in Rye Brook, New York … became the focal point of a serious nation-state concern, as the U.S. Justice Department claimed that it was as Iranian attack on U.S. infrastructure.Hackers succeeded in accessing the core command-and-control system, and they only used a cellular modem to do so. Although the attack hit in 2013, it was not reported on until 2016.”
- “Spanning 2015 and 2016, the SWIFT global messaging system which is used by banks to move money around the world, was used by hackers from North Korea. While this example does not pertain to the more visual examples of water and power, it can still prove absolutely crippling … the attack was linked back to a group called Lazarus who had links to North Korea.”
- “The New York Times released news of a join report from the FBI and Homeland Security regarding cyber attacks on a number of nuclear power plants across the country. The only plant named in the news was the Wolf Creek Nuclear Operating Corporation, based in Kansas.”
Many other attacks have occurred. Many more are occurring now. There’s no compelling evidence that cyber risk will shrink or that major – even catastrophic – cyber attacks can be avoided. Energy, healthcare, agriculture, manufacturing and transportation infrastructures will be attacked.
What about the corporate side? Look no farther than Equifax, Deloitte, British Airways, Verizon, T-Mobile, MyHeritage, Reddit, Uber, Target, Home Depot, FedEx and Yahoo, among lots of other companies that believed their cybersecurity was adequate, if not strong.
Can we avoid an apocalypse? Maybe, if the right steps are taken immediately and consistently, steps like governance, internal surveillance, software updates, internal and vendor auditing, education and training, and data asset protection, among many other steps that must be well-documented, well-respected and well-funded. If any of the current and emerging best practices are short-changed, a digital apocalypse will visit us all. A call to digital arms? Absolutely. A warning that we’ve under-invested in digital security? Clearly. It’s past time to take a hard look at existing and anticipated vulnerabilities and invest within and well beyond corporate and national perimeters. We must launch a permanent vigilance process that anticipates the unique, growing nature, depth and risk of a digital apocalypse. We must also pass the equivalent of a constitutional amendment that guarantees vigilance, expertise and funding. Corporate boards should do the same. It’s well past time.