30 August 2016

Virtual Threats, Real Consequences

Dante Disparte, Founder and CEO of Risk Cooperative / Co-author "Global Risk Agility and Decision Making" (Macmillan 2016).
August 26, 2016

While cyber risk continues to dominate headlines keeping many a board room, state house and situation room awake at night, those responsible for the physical infrastructure and the machinery that keeps a modern economy whirling are in for some sleepless nights as well. Virtual threats have real world consequences and the damage that can be wrought on tangible assets goes far beyond conventional cyber losses, which tend to affect computer systems and how software performs. With increasing frequency and severity, virtual threats are able to leap into the real world causing physical harm to infrastructure, electricity grids and other forms of property loss.

These threats emerge because of a volatile combination of acute and attritional threats combined with low levels of awareness and preparation. Acute threats emerge from deliberate acts carried out by hackers, cyber criminals or state sponsors of cyber warfare or terror, with the latter being the more sophisticated variety. The Stuxnet virus offers a rare glimpse into how sophisticated cyber warfare has become. Beginning in 2010, Iranian nuclear centrifuges suffered irreparable physical damage because the Stuxnet cyber weapon caused them to spin at excessive rates, triggering engine burnout. This attack set the Iranian nuclear program back many years, buying vital time for other approaches, including diplomatic actions, to play out. While Stuxnet is a six-year-old technology and has likely been surpassed by cyber armaments with increasing sophistication and fields of damage, it marked a critical change in the nature of cyber warfare and something that countries and companies alike must be prepared to confront.

Other acute cyber threats include the rise of business models being held for ransom. Akin to real world kidnappings, companies and government agencies are increasingly being hacked or, more commonly, their vital data is redacted precluding normal operations (which is increasingly likely in hospital groups) in demand of changes in conduct or monetary compensation. Sony Entertainment's cyber ransom over The Interview, an unflattering movie about North Korea's leader Kim Jong-Un, is perhaps the most famous example of a company's business model being held for ransom. Yet, like real kidnapping events, the incidence and nature of these attacks is woefully underreported and much more commonplace than it would appear. Part of what drives this underreporting is how organizations fear the compounding challenge of dealing with cyber ransom demands, while trying to avoid a public relations backlash. Case studies have shown that neither time nor omission favor bad news and greater standards of care and transparency are needed to begin combating this form of cyber risk.

Cyber ransoms break the pattern of silence that governs traditional cyber threats, where hackers can lurk undetected inside an organization's systems filching off critical data for many years. Cyber-attacks of this nature actively prey on the threat of disclosure, the release of sensitive information or intellectual property unless demands are met. The true cost and frequency of these ransom attacks are largely unknown, as many companies go it alone and are reluctant to involve law enforcement. Typically lawyers and public relations firms make up the first line of defense in a corporate cyber ransom case. In order for organizations to get the upper hand, their defenses must include instinctive crisis response capabilities, honed through cyber fire drills involving senior leadership, the financial protection of insurance, alongside cutting-edge pre-breach technology that evolves as rapidly as the threat matrix. Insider threats, motivated by so-called ethical hackers or disgruntled employees, further litter the cyber battlefield with unseen landmines for which corporate governance, value systems, hiring practices and technology are the only defense. The now infamous Snowden NSA leak and the release of Mossack Fonseca's Panama Papers are but two recent examples of how insider threats can impact even the most secretive and well-guarded organizations.

Attritional losses are caused by combining woeful underinvestment in systems, critical infrastructure and redundancies, with a constant background of deliberate threats and inadvertent ones. Critical infrastructure is the white noise of a well-functioning economy. It is only missed in failure when there is a blackout, the internet slows down or is offline and systems fail. During the height of hostilities between Russia and Ukraine, the Russians allegedly launched a successful cyber-attack on Ukraine's electricity grid, sending more than 200,000 households into darkness while crippling up to 30 substations and their backup systems. A winter attack of this nature gives new meaning to the concept of a cold war. This type of attack underscores the scale and sophistication of cyber threats and the ease with which they can affect physical assets on a national scale. The doomsday scenario of a large-scale cyber-attack crippling financial markets or stock exchanges looks increasingly likely given the economic stakes and the relative ease with which hackers are absconding with billions of dollars from the financial system each year. The recent exploit of the SWIFT banking system, in which criminals got away with $81 million and attempted to transfer up to $850 million, may very well be the warm-up round of this type of financial crime.

Cyber risk is here to stay and it is a hallmark of a modern, interconnected economy. Completely shielding a company or country from this insidious threat means removing it from the lifeblood of the 21st century, spelling a slow demise. Cyber risk can be embraced - harnessed even - by those organizations that invest in the concept of resilience and staying ahead of this amorphous threat. While no system can be guaranteed as fail-safe, there are simple measures that can be taken to survive unwanted disclosure and stare down even the most wanton demands. The first, while somewhat simplistic, is having nothing to hide. After all, with the high velocity of the market, first mover advantage is assured by speed rather than intellectual property rights. The first and last line of defense against cyber threats are people and systems that are aligned to an organization's mission, values and defenses. Equipping all three to address the rapidly changing risk landscape is one of the pivotal challenges of our times.
