Cost of ineffective and uncoordinated action on cyber-risks continues to rise

In 2015, Zurich Insurance Group and the Atlantic Council warned that the annual costs of cyber disruptions was beginning to outweigh the benefits of doing business in a connected world and that a failure to act could have a USD 120 trillion impact on global GDP by 2030.¹ That prediction is already beginning to look conservative, as the cost of cyber-attacks rises and the risks multiply.

The Global Risks Report 2018 (GRR), published by the World Economic Forum in collaboration with Zurich Insurance Group and other leading institutions, warns that: “Cybersecurity risks are also growing, both in their prevalence and in their disruptive potential.² Attacks against businesses have almost doubled in five years, and incidents that would once have been considered extraordinary are becoming more and more commonplace. The financial impact of cybersecurity breaches is rising, and some of the largest costs in 2017 related to ransomware attacks, which accounted for 64% of all malicious emails. Notable examples included the WannaCry attack—which affected 300,000 computers across 150 countries—and NotPetya, which caused quarterly losses of USD 300 million for a number of affected businesses.”

“Another growing trend is the use of cyber-attacks to target critical infrastructure and strategic industrial sectors, raising fears that, in a worst-case scenario, attackers could trigger a breakdown in the systems that keep societies functioning.” In October 2017, the U.S. Department of Homeland Security issued a joint Technical Alert with the FBI warning of a “multi-stage intrusion campaign by threat actors targeting low security and small networks to gain access and move laterally to networks of major, high value asset owners within the energy sector.”³ A cyber-attack, presumably by another state, has also been blamed for a power failure in Kiev, Ukraine on December 17, 2016, the latest of a string attacks since December 2015.⁴

Caught in the botweb

The growth in connected devices in recent years is making it easier than ever for attackers to infect large numbers of devices at a time, allowing them access to the data on those devices or to, as part of a botnet, attack other computers or devices.

In a new section on potential Future Shocks, the GRR also warns that the proliferation of “AI weeds”, algorithms driven by artificial intelligence, could “choke off the Internet”. It is estimated that up to 15 percent of twitter accounts, or about 48 million users, are bots.⁵ Separately, a study by website security provider Imperva Incapsula found that 51.8 percent of all website traffic in 2016 was generated by bots, with nearly a quarter of all traffic coming from so-called “impersonator bots”, that mimic user identities to bypass security measures.⁶ These are frequently used in DDOS attacks.

One risk is that governments and businesses could act to close off parts of the web and exclude countries seen as posing the greatest risk. This would ultimately disrupt global digital trade and disadvantage some economies, particularly in the developing world, with geopolitical consequences such as rising nationalism, inequality and protectionism. On December 14, 2017, the U.S. Federal Communications Commission repealed the country’s strong Net Neutrality Laws, allowing Internet service providers to speed up, slow down or block content.

Key recommendations

Recognizing the threat, the World Economic Forum and its partners have published recommendations for governments and businesses to help mitigate the worst cyber-security risks and to create the most value of our shared digitals commons.

For governments, these Recommendations for Public-Private Partnership against Cybercrime include  measures to share data and for best practice, cross border collaboration on governance and regulation, education and further measures to encourage digital innovation and entrepreneurship.⁷ Separately, the forum’s working group on The Future of the Digital Economy and Society has published a cyber-risks tool kit to help businesses build resilience to digital hazards.⁸ The tool kit identifies 10 key principles through which corporate boards can take responsibility for building cyber-resilience and drive a culture of digital innovation and risk awareness across their organizations.

Central to both advisory notices is the notion that effective mitigation of cyber-risks relies on a high state of preparedness and close cooperation between governments, business and civil society. The interconnectedness of global information systems means that a data breach in one source could have systemic consequences across the entire digital ecosystem, which means that everybody has a stake in risk prevention and mitigation.

Public and private institutions need to work in partnership to develop flexible yet effective governance standards that operate consistently across borders to address risks where, and preferably before, they arise rather than where the consequences of cyber-attacks are felt. Businesses need to put cyber-risks at the top of their agenda and plan for specific cyber scenarios within their own organization as well as those of their key suppliers and other entities on which the depend.

Companies need to remain agile and alert to the changing nature of cyber threats. To secure themselves, firms need to think beyond their own IT infrastructure and consider six additional aggregations of cyber risk: counterparties and partners, outsourced and contract, supply chain, upstream infrastructure, disruptive tech and external shocks. Finally, all the management consultancies and security firms helping companies deal with the growing threat emphasize the need for top leadership to actively oversee cyber threat prevention. States, particularly the big powers, need to temper their inclination to see cyber as a tool for hurting opponents. Secure and functioning cyber networks should be seen as advancing prosperity. Governments are in the best position to map out needed measures across industries and for securing critical infrastructures, such as power grids. Investments in technologies and strategies to deter cybercrime should be a priority for both government and business.

¹ Risk Nexus: Overcome by cyber-risks; Zurich Insurance Group and The Atlantic Council, September 2015 - https://www.zurich.com/en/knowledge/articles/2015/09/overcome-by-cyber-risks
² The Global Risks Report 2018; Zurich Insurance Group and The World Economic Forum, January 2018 - https://www.zurich.com/en/knowledge/articles/2018/01/the-global-risks-report-2018
³ Alert (TA17-293A) Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors, US-CERT, October 20, 2017 --  https://www.us-cert.gov/ncas/alerts/TA17-293A
⁴ Ukraine's power outage was a cyber-attack: Ukrenergo, Reuters, January 17, 2017
⁵ Online Human-Bot Interactions: Detection, Estimation, and Characterization; Onur Varol,1,* Emilio Ferrara,2 Clayton A. Davis,1 Filippo Menczer,1 Alessandro Flammini1 1Center for Complex Networks and Systems Research, Indiana University, Bloomington, US 2 Information Sciences Institute, University of Southern California, Marina del Rey, CA, US; 2017
⁶ BOT Traffic Report, 2016; Imperva Incapsula, January 2017 - https://www.incapsula.com/blog/bot-traffic-report-2016.html#
⁷ Recommendations for Public-Private Partnership against Cybercrime; The World Economic Forum, April 2016
⁸ Advancing Cyber Resilience: Principles and Tools for Boards; The World Economic Forum, January 2017