As global conflicts continue, cyber has become the fifth front of war. The world is approaching 50 billion connected devices, controlling everything from our traffic lights to our nuclear arsenal. We have already started to see large-scale cyberattacks affecting critical industries like oil and gas pipelines and hospitals. But we have yet to experience a truly catastrophic incident that would “break the internet,” disrupting financial markets, supply chains, and daily life.
Could it happen this year?
Single points of failure
The migration of public and private sector technology to cloud computing means that much of our infrastructure, financial systems, supply chains, healthcare and other critical services are run by just a handful of companies: Amazon, Google and Microsoft. On the hardware side, the story is not much better. Only three companies, Palo Alto Networks, Cisco, and Fortinet, control more than 50% of the market for security devices. The ripple effect of a successful attack against one of these companies would leave no part of the connected world intact, including the security software intended to protect customers in the event of an attack, much of which runs on the infrastructure provided by these same cloud companies.
For data center security experts, there is also another, far less digital concern to contend with. Suspicious activity and attacks on US power plants reached an all-time high in 2022, with more than 100 attacks reported in the first eight months of the year alone. Data centers are massive buildings that consume immense amounts of electricity. To cool their ultra-hot servers and buildings, data centers use staggering amounts of water. According to Google, its data centers used 4.3 billion gallons of water in 2021. If attackers disrupt power or water to Amazon, Google, or Microsoft data centers in a coordinated manner, they could compromise entire regions of their infrastructure, including backups.
Follow the money
To put the cost of a catastrophic cyberattack into perspective, consider that by 2021, according to Swiss reinsurer Swiss Re, global economic losses from natural catastrophes such as floods, hurricanes and wildfires reached $270 billion. This is a large number, but consider the fact that the Merchant Machine estimates that a global internet outage costs the global economy $37 billion per day in lost income.
Still, the economics of technology are not in favor of a more secure future. Businesses, users, and adversaries all have competing monetary interests that prevent further investment in security. Technology companies need to iterate and release updates quickly to keep up with their competitors, and their customers are often unwilling to wait, or pay, for additional security features or for all bugs and vulnerabilities to be fixed. Instead, consumers choose to buy insurance against these unavoidable incidents, which can create another crisis of their own.
Insurance companies spend significant amounts of money simulating disasters and estimating their cost so that any single large loss does not cause significant financial damage to the insurer. For a catastrophic cyberattack, the costs could exceed billions of dollars, meaning bankruptcy not only for insurers but also for reinsurers, likely leading to systemic financial disruption and a near-collapse of markets on a scale that would dwarf the financial crisis of 2008. The United States government spent $85 billion to bail out AIG and prevent a systemic collapse of the financial system, but the question this time is: Who bails out an insurer with global losses, and what happens when insurers have too little cash to pay claims?
And now what?
We need to examine the security of critical infrastructure and ensure that there are security plans and devices capable of withstanding an extended period of downtime. Organizations migrating to cloud computing must reassess their need for data fidelity and whether local storage is necessary. Security leaders must make catastrophic failure planning part of their risk management strategy and ensure that their vendors also have plans in place to mitigate the impact of a loss of cloud-hosted services.
On the regulatory front, if we have any hope of preparing for a global event, we need to assess the technical skills of the regulators and lawmakers who create the frameworks meant to keep us safe, as well as the metrics we use to gauge the financial health of the insurers and reinsurers on the hook. If the spectacular collapse of several blockchain companies in recent years, successful meddling in elections via social media, or the explosion of ransomware attacks have taught us anything, it’s that we need to demand more of our elected representatives and elect leaders who can help lead the world tomorrow. Similarly, regulators need to understand the companies and technologies they oversee.
There will be a reckoning in the connected world, and the only way our economy (and possibly society) will survive is by working together to create a more secure and stable infrastructure.