Fotimmz - Fotolia
Governments are being urged to put aside their political differences to collaborate on cyber security defence amid evidence that cyber attacks have caused the global economy more damage than hurricanes, floods and other natural disasters.
Last year was the worst on record for natural disasters, causing an estimated $300bn worth of damage, yet the losses from cyber crime in 2017 are expected to be far greater at about $1tn, according to figures released by the World Economic Forum (WEF) last week.
The WEF, which runs the annual summit of world leaders, businesses, academics and non-government organisations, is backing the creation of a Global Centre for Cyber Security, which is claimed to be the first organisation to tackle cyber security on a global scale.
The forum’s advisers warn that the cost of cyber crime to the global economy could soon reach $500bn a year – approaching the GDP of Switzerland, which stood at $659bn last year.
Ransomware including WannaCry, which was based on leaked National Security Agency hacking tools, caused devastation in the UK’s National Health Service and in companies around the world. It was followed by Petya and NotPetya, which caused more chaos.
A successful attack on a major cloud provider could cause damage in region of $120bn – somewhere between the cost of Hurricane Sandy and Hurricane Katrina, said John Drzik, an adviser to the WEF and president for global risk and digital at Marsh, an insurance broking and risk management company.
Cyber crime is the risk most likely to intensify in 2018, said Drzik. Yet the infrastructure and planning that governments and companies have put in place for environmental risks far exceed the resources put into cyber defence.
Experts at the WEF argued that governments have an unique opportunity, as the global economy recovers, to tackle a range of global threats, including cyber attacks, that could cause catastrophic problems if left unchecked.
“Leaders can take advantage of this upswing to address many of those risks,” said Margaret Drzeniek Hanouz, head of economic progress at the WEF.
Risk of cyber conflict
Countries such as the UK and the US have been open about their development of offensive cyber capabilities, and the next global conflict will certainly involve the use of cyber weapons alongside conventional weapons.
More than 93% of the experts consulted by the WEF’s Global risks report believe there will be more political and economic confrontation among the major world powers this year.
“It does not have to be military conflict, it could be trade, it could be cyber, it could be other forms of conflict, but I think cyber is one that is likely to grow as an avenue of conflict,” said Drzik.
Hackers route their attacks through multiple servers in multiple countries, making it notoriously difficult to attribute the source of any attack with any degree of accuracy.
A misdirected counter-attack, aimed at the wrong target, could precipitate a rapidly escalating cyber conflict, which could, in turn, escalate into armed conflict.
Early warnings of cyber risks
The planned cyber security centre, announced during the WEF summit, will go further than existing cyber security initiatives by extending collaboration internationally, said Richard Samans, a member of the WEF’s managing board.
“Most of the information-sharing initiatives you have seen so far are in-country,” he said in an interview with Computer Weekly. “In Europe, you have a regional framework, but there has never been a global framework. And in certain sectors there is information-sharing with the public sector, but it is the international aspect of it that is new.”
Based in Geneva, Switzerland, the cyber security centre will operate as an independent organisation, under the auspices of the WEF. It will have Interpol as a strategic partner, and support from UK telecoms provider BT.
The WEF aims to establish what it claims will be the first global platform for governments, businesses, experts and law enforcement agencies to collaborate on cyber security risks.
The growing use of artificial intelligence (AI), the internet of things (IoT) and robotics in finance, healthcare, telecommunications and transport has given cyber crime prevention a new urgency – and the risk of a “digital dark age”, the WEF argues.
Proposed projects include an independent library of best practices in cyber security, developing an agile regulatory framework on cyber, and acting as a laboratory to give governments and businesses an early warning of future cyber security scenarios.
Gavin Patterson, chief executive of BT Group, said of the initiative: “We believe that closer, cross-border collaboration between the public and private sectors, in the form of sharing threat information and best practice, is critical if we are to succeed in combating cyber crime.”
Global risks more interdependent
The task is made more urgent because global risks are increasingly interconnected. Last year’s cyber attacks damaged private sector computers, but they impacted the operation of government, and had knock-on effects for society and the economy.
Cyber attacks, when combined with economic instability, natural disasters, growing debt and rising inequality, could, according to the WEF’s Hanouz, push the world over a brink.
And “fake news” poses a serious risk if, for example, people start to believe propaganda that climate change is not a real issue, and that, in turn, influences national policies on global warming.
“We are increasingly reaching a tipping point across a number of systems that cold really bring the systems to a brink, and could potentially have systemic and catastrophic consequences for humanity and the economy,” said Hanouz.
One example of the growing interdependency is the exponential growth in internet control of infrastructure and physical devices. The number of internet connected devices now stands at 8.4 billion, which is already more than world’s human population of 7.3 billion – and the number of devices is projected to grow to 20 billion by 2020.
“That just widens the attack surface for companies to potential attacks,” said Drzik. “The use of artificial intelligence and other emerging technologies is also leading to greater cyber exposure to companies.”
Responding to cyber attacks
For Alison Martin, group chief risk officer of Zurich Insurance Group, people and password protection are still the weakest link in cyber security. “We have to be smarter and we have to get ahead of the curve and look at what risks people are exposed to and how we can mitigate them,” she said.
Organisations spend $3.5bn a year on insurance premiums covering a few billion dollars of risk and the market is growing, particularly outside the US.
One measure of how far companies need to go to address cyber security is the relatively small scale of the cyber insurance market. Individual companies can get up to $1bn of cover, and the coverage of cyber risks has expanded to include risk of property damage, critical infrastructure and business interruptions.
By 2020, premiums for cyber security risks are expected to reach $10bn, but compared to the property insurance market, it is still relatively small compared to the size of the risk, said Drzik.
Where insurance companies can rally add value, he said, is by offering a risk assessment service to help businesses understand where they are exposed.
The General Data Protection Regulation (GDPR), which comes into force in May this year, has led companies to re-examine a lot of their cyber security, which has had a beneficial impact.
Businesses need to be more focused on how they respond to cyber attacks, as wells as preventing them, said Drzik.
“Most businesses that are based in natural disaster zones have very extensive business continuity plans,” he said. But only about one-third of companies have an incident plan to respond to a major cyber attack. And with corporate debt-equity ratios double those in 2010, businesses are more vulnerable to any sort of disruption.
“This is an environment in general where businesses could face a lot of shocks, cyber and non-cyber,” said Drzik.
As organisations become more interconnected, a cyber attack on a company’s suppliers or customers means that one organisation’s security depends on the security of others, at a local and global scale.
But will it work ?
While growth in the world’s economies may present governments with an opportunity to pool their resources through the WEF’s Global Centre for Cyber Security, the political landscape makes co-operation more difficult.
The election of Donald Trump as US president heralded his country taking a more insular approach to politics, which led, among other things, to the US pulling out of the international Paris Agreement on climate change.
Add to that the growth of fake news, propaganda and political unrest in many parts of the world, and it is clear that the WEF’s cyber crime centre will have its work cut out to create the multinational agreements needed to keep up with cyber crime.
“Where risk is borderless, you do need co-operative work to create solutions,” said Drzik. “And this type of friction between unilaterally orientated powers creates a very unsettling environment for it.”
High-impact, high-probability risks in 2018
Extreme weather events, natural disasters and the failure of attempts to mitigate climate change are among the most serious and likely risks facing the world in 2018. Last year, for example, was one of the hottest on record, and solutions are not yet in place to address continual rises in temperature. Biodiversity and ecosystem collapse is another worry. For example, 75% of Germany’s insect population has been lost over the past 25 years.
Despite an upturn in most global economies – with the possible exception of the UK, which is feeling the consequences of Brexit – there are underlying concerns that a build-up of debt may have long-term negative consequences. Economists were worried about the level of debt in 2007 and today that debt has doubled. The build-up has been seen across all the G20 economies, especially in Asia and China. Inequality has grown in more than half of countries, raising the risk of political instability.
Technology, employment and social stability
There is a strong connection between unemployment, under-employment and profound social instability. But this year it has become clear that technological advances, such as AI and automation, are also having an effect. That could amplify problems in the global economy, which has seen living standards failing to rise, equality growing, and wages remaining stagnant.
Source: Margareta Drzeniek Hanouz, head of economic progress, World Economic Forum