Resilience is critical.
While much of the conversation in Davos centered around Europe’s refugee crisis, cybersecurity dominated the agenda. At a dozen public and private sessions, CEOs and heads of state focused on three trends:
Cyber attacks against critical infrastructure are coming
In just two years, the threat posed by cyber attacks has increased exponentially.
In 2014, tens of millions of credit cards were stolen from large retailers. While embarrassing, the damage from these attacks was limited because banks immediately cut off the cards and consumers weren’t held liable for fraudulent charges.
In 2015, there was an even more damaging attack: the social security breach. Hackers wanted to access a piece of data that could not be readily changed—and you only get one social security number. Tens of millions of SSNs were misappropriated from health care companies and the Office of Personnel Management.
As frustrating as the incursions of 2014 and 2015 have been, 2016 may be characterized by something more concerning still: cyber attacks on critical infrastructure.
Just weeks before Davos, a successful cyber attack on Ukraine’s utilities disabled a substantial portion of the country’s electric grid. According to the Department of Homeland Security, the form of malware deployed in the Ukrainian attack, dubbed “Black Energy,” has also been seen in the U.S. Within days of the attack, General Michael Hayden, who served as director of both the NSA and the CIA, warned “of a darkening sky” over the U.S. power grid.
According to Lloyd’s of London, a sophisticated cyber attack on the power grid in the northeastern U.S. could cause $1 trillion in damages. As a measure of comparison, the 2011 earthquake and tsunami in Japan caused $300 billion in economic damages, while the price tag for Hurricane Sandy was $100 billion.
As if that were not sobering enough, a report issued last week by the Nuclear Threat Initiative in the run-up to Davos asserted that civilian nuclear plants in 20 different countries are potentially vulnerable to cyber attacks.
The public and private sectors need to link arms to address the new cyber reality
Recent headlines spotlighting a bitter feud between the government and tech industry around whether to allow a backdoor to encryption seemed a world away from the discussions in Davos. On multiple occasions, government leaders and business executives pledged greater collaboration and mutual support. This newly cooperative tone is based in pragmatism and reflects a simple conclusion from leaders on both sides of the public-private equation: No one is immune to cyber attacks, and we are all in this together.
A year ago, the World Economic Forum established a cyber crime task force to bring government and industry closer together. Chaired by the former head of the Swiss police, the Steering Committee included the secretary general of Interpol, the director of Europol, and numerous corporate executives. To the pleasant surprise of those involved, U.S. Attorney General Loretta Lynch showed up in Davos this year and embraced the recommendations articulated by the task force for a public-private partnership to address cyber challenges.
Two asks were repeatedly made during this year’s meeting. First, the government asked industry to be more forthcoming in sharing information about attempted attacks. Government officials emphasized this point because the vast majority of critical infrastructure ( e.g., transportation systems, telecommunication networks, chemical plants, and dams) in the U.S. and Europe is owned and operated by the private—not public—sector. It was telling that Admiral Rogers, the commander of United States Cyber Command, recently said that we’ve got to do a better job of helping the private sector work with the government.
Congress’ recent passage of the Cybersecurity Information Sharing Act, which provides important liability and privacy protections, was hailed as a constructive step to encourage the sharing of cyber threat indicators. The challenge in realizing the law’s promise will be to implement a machine-readable platform that can distill and disseminate warnings in real time.
In turn, the second ask came from business leaders, who pressed the government to put greater emphasis on prosecuting hackers who perpetrate cyber attacks rather than blaming the companies that are victimized by them. One financial executive commented that when a bank is robbed at gunpoint, law enforcement comes down hard on the criminal—not the bank. In addition, industry wants the government to be more forthcoming about providing attack “attribution,” or who launched the attack. Companies want to know whether attacks on their networks were conducted by countries or independent hackers.
Breaches are inevitable, so resilience is critical
The theme of this year’s Davos was “Mastering the Fourth Industrial Revolution,” that is, the rapid expansion of cyber-physical systems and the Internet of Things.
This focus was well-placed. Everything is connected now. Robots perform critical tasks, and artificial intelligence mimics human cognition. Although these advances in technology present tremendous opportunity to society and business, there was a growing chorus in Davos that these interconnected innovations could open the door to making cyber breaches more frequent and more severe. It is simply not possible at this time to accommodate the proliferation of devices and applications necessary to meet the demands of consumers in the new economy while maintaining impenetrable security.
Accordingly, experts advocated embracing the concept of cyber resiliency. Businesses, governments, and NGOs should assume they will be breached and focus on maintaining continuity of core operations. That way, when they encounter a cyber attack, networks are resilient enough to make sure patients are treated, power is generated, and commerce flows.
To achieve cyber resilience, each organization must answer a simple question: What do you have to lose? That is, what are the specific data, applications, or systems that are essential to conducting operations? Answering that question with precision will enable businesses to begin developing a cyber security posture that is able to protect core functions while under duress.
Attacks on critical infrastructure are the new front in the battle for cybersecurity. At Davos, global leaders laid the framework for addressing this emerging threat. Now, businesses must turn ideas into action and ensure the Fourth Industrial Revolution meets its vast potential to drive global good.
Peter J. Beshar is the executive vice president and general counsel of Marsh & McLennan Companies, Inc.