The World Economic Forum (WEF) has been producing an annual global risk report since 2006. Released ahead of the annual meeting in Davos, the report uses data from private insurers, government publications and academic studies to rank the most catastrophic potential global risks for the upcoming year. The WEF2019 global risk report has named cyber attacks and data breaches as the fourth and fifth most serious risks facing the world, the second year in a row in which these threats have been present in the top five.
Though they have each moved down one space from the 2018 global risk report, cyber attacks and data breaches had generally been outside the top 10 of the global risks landscape in previous years. They are currently considered the most serious man-made global catastrophic risks short of climate change mitigation failures.
A general increase in hacking and data theft are part of this surge in concern about cyber attacks in the WEF2019 report, but the biggest factor in moving the needle so dramatically was the high-profile attacks carried out by nation-states in the past two years. For example, the report in July of last year that Russian hackers gained illicit access to the control rooms of United States power companies was cited as a specific high-profile threat. Though nothing came of it, a spokesman for the U.S. Department of Homeland Security went on the record as saying that the hackers had the ability to “throw switches” had they desired.
A spike in nation-state deployment of ransomware, a rash of high-profile data breaches involving personal identity information, and the use of social media as a new form of proxy warfare are also contributors to the newfound prominence of digital threats to the world.
To put it all in perspective, the WEF2019 global risk report estimates that cyber attacks will do more damage (from an insurance perspective) than man-made environmental disasters and infectious disease, about the same amount of damage as ecosystem collapse, and just a little less than natural disasters and water crises in the coming year.
Underprepared for chaos
The WEF2019 global risk report specifically mentions that world governments tend to be underprepared for all of these different types of cyber attacks.
One issue is that cyber attacks take place on an emerging, non-traditional battlefield. State-sponsored attacks are carried out largely with impunity. Even states that have formally friendly relations seem to be constantly probing and attacking each other, with little to nothing in the way of repercussions outside of the digital realm when they are caught out. It is still unclear at what point (if any) a digital attack would trigger some sort of economic sanctions or traditional military response for many countries.
These cyber attacks also impact civilians in a way that traditional warfare is usually not expected to. Individuals and businesses are now the targets of disinformation, propaganda campaigns, blackmail, financial loss, loss of vital utilities and exposure of sensitive personal information.
The main concern that the WEF2019 report keeps coming back to is economic damage. Targeted attacks on the power grid could potentially knock electricity out to large areas of a country for days at a time, causing a dangerous panic and also wiping out economic activity in the affected areas. And something like the Equifax breach of 2017, which exposed the sensitive financial data of the majority of the adult American public, could potentially undermine an entire economy in the right circumstances.
Economic damage is the immediate concern, but a perhaps even greater threat is waiting in the wings. The increasing proliferation of smart devices not only creates a vastly expanded network of openings for potential cyber attacks, but also creates the possibility of causing physical damage from behind a remote computer.
The Internet of Things: A crisis waiting to happen?
Smart devices are already fairly common in both homes and businesses throughout the developed world. There is an ongoing push to connect more and more devices to the internet, but unfortunately there is not an equal commitment to securing them properly.
The problem with the IoT has been apparent since the 2016 Mirai botnet attack, which took out a number of very popular websites for several hours. Smart device manufacturers are in a hurry to cash in on a new market, and some are not concerned enough with security while doing it.
Smart devices tend to be relatively easy to penetrate; they often have no password access, or a default password that can’t be changed. Regular patching for vulnerabilities is also not a concept that is even on the radar yet for many manufacturers.
These poorly-secured devices represent potential easy access to corporate or industrial systems in which they are present. The WEF2019 global risk report specifically mentions the possibility of cyber attacks that compromise infrastructure originating from hacked smart devices. While these devices might seem like they serve small and insignificant functions, they are a potential means of illicit access to whatever larger network they are connected to.
What the future holds
The experts cited in the WEF2019 global risk report are bearish on other aspects of digital security beyond these large-scale cyber attacks and data breaches.
Of those surveyed, 69% felt that the weaponized use of “fake news” would also increase in 2019. And 64% felt that individuals will be more frequently subject to personal identity theft, and 63% felt that more potentially embarrassing or compromising internal company information will be leaked to the public than in the past. One of the most significant factors in the increased prominence of all of these threats is the development of sophisticated AI that can automate and relentlessly optimize them.
The main takeaway from the WEF2019 global risk report for companies is that investment in cybersecurity and digital emergency preparedness plans is of vastly increased importance going forward to decision makers, at least on par with preparation for other catastrophic events like fire and extreme weather. Cybersecurity strategies need to cover the full spectrum of possible attacks and events that could cause a crippling blow to a company’s operations.