Part 2: Risks in Focus
2.4 Digital Disintegration
While cyberspace has proved largely resilient to attacks and other disruptions so far, its underlying dynamic has always been such that attackers have an easier time than defenders. There are reasons to believe that resilience is gradually being undermined, allowing this dynamic of vulnerability to become more impactful.
First, the growth of the “Internet of Things” means that ever more devices are being connected online, touching many more parts of life and widening both the potential entry points for and impacts of disruption. Second, there is ever-deepening complexity of interactions among the many aspects of life that are dependent on connected devices, making those impacts potentially harder to predict.
Together, these twin trends demand new thinking about global governance of the Internet. Yet the prospect of achieving this has been undermined by recent revelations about the extent to which national security organizations are shaping cyber policy and conducting espionage and attacks, eroding trust among the very stakeholders whose collaboration will be necessary to avert a conceivable “Cybergeddon”.
Offence vs Defence in Cyberspace
Cyber risks are not new. It was written in 1988 that “espionage over networks can be cost-efficient, offer nearly immediate results, and target specific locations … insulated from risks of internationally embarrassing incidents.”28 Warnings about a “cyber Pearl Harbor” extend back to 1991.29 However, although online espionage and crime remain daily issues, cyberspace has so far been resilient to truly disruptive infrastructure attacks, those that could break systems or societies and not just pilfer information.
Cyber incidents have so far tended to have effects that are either widespread but fleeting (such as the Morris Worm, which took down an estimated 10% of the early Internet) or persistent but narrowly focused (like the 2007 attacks on Estonia). No attacks or even failures have been both widespread and persistent. This is due to robust standards and networks, high levels of investment and the ability of the technical community to flock to and overwhelm disruptions (such as undersea cable outages). Such feats are possible only due to the open and participative structure of the Internet, driven by non-state actors such as incident response teams and service providers.
Nonetheless, risks to the Internet continue to grow more serious for one key reason: attacking others in cyberspace (breaking into or disrupting their system) has always been easier than defending them. The offence has had the advantage over the defence. This dynamic is in part historic: the Internet was built for resilience rather than security, since everyone using it in the earliest days was trusted. But the practical underlying dynamic – an attacker needs only to find a single way through defences at a single point in time, while the defender must defend all vulnerable points forever – increasingly threatens to undermine that resilience.
Many companies use a “red team”, or penetration testers, to try to break into their own online systems to improve their security. This practice dates back to at least 1979, when the ARPANet had not yet become the Internet and TCP/IP protocols were not yet standard. As one report put it back then: “Few, if any, contemporary computer security controls have prevented a [red team] from easily accessing any information sought.”30 The same remains true today, and cyber risks will likely continue to get more serious, year after year, until global stakeholders can upturn this underlying dynamic or restore trust.
This is not impossible. In physical warfare, the dynamic between attackers and defenders has flip-flopped with inventions such as the machine gun and the tank. It will, however, be made more difficult by the online world’s increasing interconnectedness and complexity.
Interconnectedness, Complexity and Systemic Risks
A threat to the Internet increasingly means a threat to everything. Every part of the world’s societies and economies uses the same underlying infrastructure, the same hardware, software and standards with billions of devices connected to the Internet, from simple e-book readers to electrical distribution networks.31
In the past, cyber attacks typically had only a limited effect because they broke only ones and zeroes or things made of silicon. Organizations under attack might have a bad week, but after that they generally could execute business continuity plans, rebuild computers and use data from securely backed-up vaults. However, projects such as the Smart Grid – online connection of electrical power generation and transmission – are increasing the possibility of cyber attacks breaking things made of concrete and steel.
As Rod Beckstrom, former President of Internet Corporation for Assigned Names and Numbers (ICANN), puts it: “Everything that is connected to the Internet can be hacked, and everything is being connected to the Internet.”32 This growing hyperconnectivity raises the prospect of disruptions having systemic impact. Previous publications from the World Economic Forum have highlighted that interdependence introduces new vulnerabilities and opportunities for failures cascading from unexpected directions.33 This can have far-reaching impacts: “When the shock to the system is greater than what the system can tolerate, the number of functions the system can perform may decrease dramatically.”34
What kinds of disruption are possible? Cyber risks are often summarized through the acronym CHEW – crime, hacktivists, espionage and war.35 But there are other risks in cyberspace that could have systemic impacts. For example, a large cloud provider could suffer an Enron- or Lehman-style failure virtually overnight.
Environmental triggers could also easily play a role, especially given the inherent fragility of the underlying physical infrastructure. A long-dreaded earthquake on the San Andreas fault could devastate the world’s technical centre of Silicon Valley. A solar super-storm could cause substantial outages of national grids, satellites, avionics or signals from global navigation satellite systems (GNSS). The growing mass of “space junk” in orbit around the earth also poses a threat to GNSS.
A surprising number of critical systems rely on GNSS, including emergency 911 calls, ATMs and other financial infrastructure, and both wired and wireless communications networks.36 Wireless is fast becoming the vital “last few metres” of Internet connection, and there are growing concerns that government sell-offs of the radio spectrum may have made it more vulnerable to interruption. The World Radiocommunication Conference in 2015 will analyse the extent and potential consequences of this nascent risk.
Disruption to the critical systems that rely on GNSS could have significant cascading effects while workarounds are found for systems that now depend on hyperconnectivity, since fewer and fewer people now remember the old pen-and-paper ways of doing things. Risks arising from hyperconnectivity urgently require multistakeholder collaboration, but trust among stakeholders is under pressure.
The Role of National Security Organizations
Recent months have seen a series of revelations about the online role of national security organizations. The militarization of cyberspace was already common knowledge: over 30 nations have a published cyber warfare doctrine, with 12 having formal organizations (such as the US Cyber Command).37 However, wider understanding of the extent to which national security organizations have allegedly been using the Internet for espionage now threatens repercussions that may make it more difficult to prevent widespread attacks, or contain them when they occur.
For national security organizations, the dynamic of attackers having the advantage over defenders brings the advantage of being able to spy anonymously on their adversaries. However, by the same logic, nations are also vulnerable to the use of such tactics by others. Immediate benefits to national security come at the price of more long-term cyber risk for interconnected societies and economies.
An increasing erosion – or even eventual breakdown – of international trust seems a natural consequence. A lack of trust and confidence helped to accelerate the financial crisis (such as when nations limited the amount of help their banks could give to subsidiaries in other nations) and could prove similarly disastrous when dealing with international cyber shocks.
There are already signs that revelations about the role of national security organizations have exacerbated risks of fragmentation of the Internet, which could lead to an overall erosion of the factors that led cyberspace to be so transformational in the first place. In the early days of the Internet, the interests of industry, governments and society largely converged. Now that the stakes are higher, these interests are diverging and conflicting, which can lead to suboptimal solutions, reduced innovation and investment, and a risk of a fragmentation of the Internet; for example, through the imposition of strong national boundaries where none currently exists.
This trend is already apparent, most clearly with the approach China has taken, but also with reports that the US government may have leveraged US-based IT and telecom companies as part of national security surveillance efforts. As nations increasingly distrust that the US government will refrain from looking at their data if it is stored in or transits the US, they are more likely to follow the lead of Brazil or the EU and consider enacting laws to ensure that data on their citizens does not leave their own jurisdictions.
Concerns about the US hosting ICANN, the main governance body for the Internet, could further fuel a Balkanization of the Internet. This trend is also apparent in corporate “walled gardens” that attempt to lock users in or restrict what software can be run in the walled environment, and provisions by governments to block preferential market access to IT firms in other countries.
The main casualty of US spying allegations may not be US relations with Germany or Brazil, but people’s trust in their government’s integrity on online privacy. Young people around the world, disillusioned with traditional politics and authorities as explained in the previous section of this report, may increasingly see governments as an online aggressor to be confronted. Behaviour such as online spying, which national governments and the Cold War generations might see as business-as-usual, is likely to be seen as a much more personal affront today.
This complex interconnection of issues touches on multiple interacting layers – standards, infrastructure, data and derived knowledge – which have outpaced the adaptive ability of the world’s governance response. Certainly the governance approaches will have to change, which could have a profound effect on the value that society could and should expect from the Internet in a more hyperconnected world.
The Worst-case Scenario: “Cybergeddon”
While it is possible for the balance of advantage between attackers and defenders to flip, it is also possible for it to become more pronounced. A future in which attackers – whether hackers, organized-crime groups or national militaries – have an overwhelming, dominant and lasting advantage over defenders could be just one disruptive technology away.
Attackers in this future could achieve a wide range of effects with little input, making large-scale, Internet-wide disruptions easy and common. The Internet would cease to be a trusted medium for communication or commerce and would be increasingly abandoned by consumers and enterprises. Cyberspace would no longer be divided between attackers and defenders but between predators and prey.
Worse yet, this situation could become entrenched as the increasingly fragmented nature of the Internet stymies attempts to reach global agreement on new, more secure technologies or standards. Cooperation among nations or non-governmental organizations would become similarly useless either because there is rampant mistrust in creating newer security standards or because attackers are ubiquitous, relentless and triumphant. A technology company has explored this future in a scenario called “Insecure Growth”: “This is a world in which users – individuals and business alike – are scared away from intensive reliance on the Internet. Relentless cyber attacks driven by wide-ranging motivations defy the preventive capabilities of governments and international bodies. Secure alternatives emerge, but they are discriminating and expensive.”38
This future has also been called a “Cybergeddon”.39 The next generation could grow up with a cyberspace that is less open, less resilient and fundamentally less valuable than the one existing today. The most transformative technology since Gutenberg would regress, to the loss of societies, economies and humanity. Piecemeal, individual solutions generally fail to address the underlying systemic issue: the mismatch between attackers and defenders. The world will not be able simply to secure, risk-manage or information-share its way out of this situation to tip the balance of advantage towards defenders.
Even if international trust were to be rebuilt, attackers would still retain the advantage and new solutions would need to be found. Global stakeholders should be under no illusion that bigger budgets, more information-sharing or more regulation will make much difference. To shift the advantage to the defenders will require new thinking, and soon.
A Question of Trust
Increasingly, there is recognition that the growing role of cyberspace is not only a technical and geopolitical concern but also presents serious risks to economic well-being. While the failure of critical online infrastructure represents a systemic risk that could impact global growth, so does a large-scale loss of trust in the Internet. Stakeholders may need to move beyond traditional solutions, with fresher ideas that can scale and move away from a national security mindset.
Thinking of cyberspace in economic terms offers several advantages. Economic cooperation and recognition of the gains from global trade have provided a positive platform to promote global international relations, rather than focusing on narrow national interests and protectionism. This can be directly applicable to cyber risks. Protecting the “common good” of the Internet creates strong economic incentives among the youngest generation, the “digital natives”.
Of course, the economic frame is more than an analogy. Many corporations already think of cyber risks in terms of reputational and stock-price impacts, raising the issue to the strategic level that an effective strategy requires. Some countries, too, have taken explicit steps to position themselves as safe places to do business in the digital age, integrating cybersecurity with capacity building.
Many of the gains already seen from globalization would not have been possible without the Internet. Much of the innovation and promise of growth foreseen in the coming years is also predicated on an Internet as integrated as it is today, and similar levels of trust. These innovations are occurring at all levels, from entire industries (e.g. the “connected car”) to individual entrepreneurs in emerging and developing economies around the world.
The economic perspective does not preclude other perspectives. Geopolitical, military and technical dialogue will still need to continue. But to the extent that stakeholders can recognize the tremendous gains from a stable, secure and resilient Internet, the space for constructive discourse can be expanded and a useful context provided for discussions on protecting cyberspace.
A critical element in advancing this discussion will be improving the collective ability to measure the economic impact of cyber risks, at all levels – within individual businesses, nationally and globally (see Box 2.4). Effective methods for measuring and pricing cyber risks may even lead to new market-based risk management structures, which would help in understanding the systemic interdependencies in the multiple domains that now depend on cyberspace.
Box 2.4: Towards Measurement of Cyber Risks
As constant digital connectivity becomes the new norm in economies and societies, there is a need to “normalize” cyber risks. A critical step in advancing the collective capacity to manage systemic risks will be to develop methodologies to measure and price these risks. Efforts to quantify such risks are needed, and in some cases have started, at multiple levels.
At the enterprise level, moving towards a risk-based approach for dealing with cyber threats and vulnerabilities will require improved methods to deal with such risks in line with broader enterprise risk management practices of the kind discussed in Part 2.5. Many organizations are already attempting to evolve their internal practices in this regard, and collaboration among companies to share ideas can also be observed.
A number of challenges must be overcome in such efforts. Not least of these is capturing the full range of potential vulnerabilities – connected supply chains, outsourcing and other factors make the idea of the “enterprise network” somewhat fluid – as well as determining the scope of impact, on stock prices or reputation, for example.
Given the implied value of “intangibles and goodwill” threatened by cyber events, there would seem to be considerable opportunity for the nascent cyber risk insurance market to evolve and mature. While insurance companies are no strangers to underwriting events with a high degree of uncertainty, improved and standardized methods to capture and account for risks at the enterprise level would clearly aid the development of this market. Other non-insurance, risk-transfer markets could also be imagined; some central banks have begun to consider potential systemic risks posed by cyber attacks.
Research has also started on understanding the macroeconomic impact of cyber risks on national competitiveness, GDP and growth. Countries’ ability to drive competitiveness through technology has been documented by the Forum’s Global Information Technology Report for many years, while other studies have focused on the Internet’s contribution to national GDP. However, there are emerging research discussions on specifically measuring a country’s readiness or capacity to deal with cyber risks, as well as the economic impact of slowed business investments due to concerns over such risks.
Finally, further research is required on the impact of concerns about cyber risks on global trade flows and output. Security concerns can lead to, or be used to defend, protectionist positions that can have a negative impact on trading relations. Should such concerns result in a fragmented policy landscape or the Balkanization of the Internet, global trade will suffer.