What the COVID-19 pandemic teaches us about cybersecurity – and how to prepare for the inevitable global cyberattack

cyber

(Credit: Unsplash)

This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Nicholas Davis, Professor of Practice, Thunderbird School of Global Management and Visiting Professor in Cybersecurity, UCL Department of Science, Technology, Engineering and Public Policy & Algirde Pipikaite, Project Lead, Industry Solutions, Centre for Cybersecurity, World Economic Forum


COVID-19 shows that the world is at great risk of disruption by pandemics, cyberattacks or environmental tipping points.

  • We should prepare for a COVID-like global cyber pandemic that will spread faster and further than a biological virus, with an equal or greater economic impact.
  • The coronavirus crisis provides insights into how leaders can better prepare for such cyber risks.

Most of the world is currently experiencing highly atypical living conditions as a result of COVID-19. At the height of the pandemic, more than 2 billion people were under some form of lockdown, and 91% of the world’s population, or 7.1 billion people, live in countries with border controls or travel restrictions due to the virus.

It would be comforting to think this is merely a “blip” interrupting an essentially stable state of affairs, and that the world will return to “normal” once medicine and science have tamed the virus.

Comforting – and wrong.

 

COVID-19 is not the only risk with the ability to quickly and exponentially disrupt the way we live. The crisis shows that the world is far more prone to disturbance by pandemics, cyberattacks or environmental tipping points than history indicates.

Our “new normal” isn’t COVID-19 itself – it’s COVID-like incidents.

And a cyber pandemic is probably as inevitable as a future disease pandemic. The time to start thinking about the response is – as always – yesterday.

To start that process, it’s important to examine the lessons of the COVID-19 pandemic ­– and use them to prepare for a future global cyberattack.

Lesson #1: A cyberattack with characteristics similar to the coronavirus would spread faster and further than any biological virus.

The reproductive rate – or R0 – of COVID-19 is somewhere between two and three without any social distancing, which means every infected person passes the virus to a couple of other people. This number affects how fast a virus can spread; the number of infected people in New York state was doubling every three days before lockdown.

By contrast, estimates of R0 of cyberattacks are 27 and above. One of the fastest worms in history, the 2003 Slammer/Sapphire worm, doubled in size approximately every 8.5 seconds, spreading to over 75,000 infected devices in 10 minutes and 10.8 million devices in 24 hours. The 2017 WannaCry attack exploited a vulnerability in older Windows systems to cripple more than 200,000 computers in 150 countries; it was halted by emergency patches and the accidental discovery of a “kill switch”.

The cyber equivalent of COVID-19 would be a self-propagating attack using one or more “zero-day” exploits, techniques for which patches and specific antivirus software signatures are not yet available. Most likely, it would attack all devices running a single, common operating system or application.

Since zero-day attacks are rarely discovered right away – Stuxnet used four separate zero-day exploits and hid in systems for 18 months before attacking – it would take a while to identify the virus and even longer to stop it from spreading. If the vector were a popular social networking application with, say, 2 billion users, a virus with a reproductive rate of 20 may take five days to infect over 1 billion devices.

Lesson #2: The economic impact of a widespread digital shutdown would be of the same magnitude – or greater – than what we’re currently seeing.

If cyber-COVID mirrored the pathology of the novel coronavirus, 30% of infected systems would be asymptomatic and spread the virus, while half would continue functioning with performance severely degraded – the digital equivalent of being in bed for a week. Meanwhile 15% would be “wiped” with total data loss, requiring a complete system reinstall. Finally, 5% would be “bricked” – rendering the device itself inoperable.

The end result: millions of devices would be taken offline in a matter of days.

The only way to stop the exponential propagation of cyber-COVID would be to fully disconnect all vulnerable devices from one another and the internet to avoid infection. The whole world could experience cyber lockdown until a digital vaccine was developed. All business communication and data transfers would be blocked. Social contact would be reduced to people contactable by in-person visits, copper landline, snail-mail or short-wave radio.

A single day without the internet would cost the world more than $50 billion. A 21-day global cyber lockdown could cost over $1 trillion.

Total cost impact of 1 day without the internet in the world
Just one day without the internet would cost the world more than $50 billion.
Image: NetBlocks

Cyber lockdown would also introduce novel challenges for digitally dependent economies. During the 2020 Australian bushfires, power outages and damage to mobile phone infrastructure gave citizens a newfound appreciation for battery-operated FM radios. But if cyber-COVID ravaged a country, which radio stations would still operate without digital recording and transmission systems? Would states like Norway, which has completed its transition to digital radio, be able to roll back?

Lesson #3: Recovery from the widespread destruction of digital systems would be extremely challenging.

Replacing 5% of the world’s connected devices would require around 71 million new devices. It would be impossible for manufacturers to rapidly scale up production to meet demand, particularly if manufacturing and logistics systems were affected. For systems that survive, there would be a significant bottleneck in patching and reinstallation.

The geographic concentration of electronics manufacturing would create other challenges. In 2018, China produced 90% of mobile phones, 90% of computers and 70% televisions. Finger-pointing about the source and motive of the cyberattack, as well as competition to be first in line for supplies, would inevitably lead to geopolitical tensions.

What is the World Economic Forum doing on cybersecurity

The World Economic Forum Platform for Shaping the Future of Cybersecurity and Digital Trust aims to spearhead global cooperation and collective responses to growing cyber challenges, ultimately to harness and safeguard the full benefits of the Fourth Industrial Revolution. The platform seeks to deliver impact through facilitating the creation of security-by-design and security-by-default solutions across industry sectors, developing policy frameworks where needed; encouraging broader cooperative arrangements and shaping global governance; building communities to successfully tackle cyber challenges across the public and private sectors; and impacting agenda setting, to elevate some of the most pressing issues.

Platform activities focus on three main challenges:

Strengthening Global Cooperation for Digital Trust and Security – to increase global cooperation between the public and private sectors in addressing key challenges to security and trust posed by a digital landscape currently lacking effective cooperation at legal and policy levels, effective market incentives, and cooperation between stakeholders at the operational level across the ecosystem.Securing Future Digital Networks and Technology – to identify cybersecurity challenges and opportunities posed by new technologies and accelerate solutions and incentives to ensure digital trust in the Fourth Industrial Revolution.Building Skills and Capabilities for the Digital Future – to coordinate and promote initiatives to address the global deficit in professional skills, effective leadership and adequate capabilities in the cyber domain.

The platform is working on a number of ongoing activities to meet these challenges. Current initiatives include our successful work with a range of public- and private-sector partners to develop a clear and coherent cybersecurity vision for the electricity industry in the form of Board Principles for managing cyber risk in the electricity ecosystem and a complete framework, created in collaboration with the Forum’s investment community, enabling investors to assess the security preparedness of target companies, contributing to raising internal cybersecurity awareness.

For more information, please contact us.

How can we prepare for cyber-COVID?

The COVID-19 pandemic provides insight into how leaders can prepare for such a “fat tail” risk:

1. Widespread, systemic cyberattacks are not just possible or plausible; they should be anticipated. As we have seen with COVID-19, even a short delay in the response can cause exponential damage.

2. New Zealand’s success in fighting the pandemic proves that early, decisive actions and clear, consistent communication increase resilience. It’s impossible to prepare for every potential risk, but both the public and private sectors should invest in scenario exercises to reduce reaction time and appreciate the range of strategic options in the event an attack occurs.

3. COVID-19 has revealed the importance of international, cross-stakeholder coordination. Cooperation between public and private sector leaders is also critical, particularly when it comes to mitigation. The Centre for Cybersecurity at the World Economic Forum is just one example of an organization addressing systemic cybersecurity challenges and improving digital trust across institutions, businesses and individuals.

4. Just as COVID-19 has pushed individuals and organizations to look to digital substitutes for physical interactions, government and business leaders should think about the inverse. “Digital roll back” and continuity plans are essential to ensuring organizations can continue to operate in the event of a sudden loss of digital tools and networks, as Maersk learned during the NotPetya cyberattack in 2017, which took out 49,000 laptops and printers and wiped all contacts from their Outlook-synced phones. A necessary part of the digital transformation is having sensitive and important information stored and accessible in physical, printed form.

But perhaps the most important lesson: COVID-19 was a known and anticipated risk. So, too, is the digital equivalent.

Let’s be better prepared for that one.

the sting Milestone

Featured Stings

Can we feed everyone without unleashing disaster? Read on

These campaigners want to give a quarter of the UK back to nature

How to build a more resilient and inclusive global system

Stopping antimicrobial resistance would cost just USD 2 per person a year

The AI doctor won’t see you now

Refugees in Greece: MEPs demand solidarity, warn about impact of health crisis

Righting a wrong: UN Fund helps thousands of sex abuse survivors rebuild their lives

Data is the fuel of mobility. Don’t spill it for nothing

First EU collective redress mechanism to protect consumers

Study: Trade supports over 36 million jobs across the EU

World Food Day: here’s what the UN is doing to fix ‘intolerable’ wrong of hunger

Most people on the internet live in this country

1 in 7 people would choose not to fly because of climate change

Schaeuble wants IMF out and bailouts ‘a la carte’ with Germany only to gain

Brexit: European Commission publishes Communication on preparing for the UK’s withdrawal from the EU

The ECB must extend its money stimulus beyond 2018: Draghi reckoning

Logo Mania: A call to action to our crisis of connection

MWC 2016 LIVE: Qualcomm looks to pick up Hamilton’s winning ways

Berlin ‘orders’ the EU Parliament to compromise

Is it too soon to hope for a tobacco free Romania?

Trying to cure bank cancer with analgesics

UN sees progress in fight against tobacco, warns more action needed to help people quit deadly product

Our present and future tax payments usurped by banks

Gender equality: an issue much talked about but less acted upon

Health spending set to outpace GDP growth to 2030

Commission makes it easier for citizens to access health data securely across borders

How Britain’s backyard bird feeders are shaping evolution

Worldwide UN family celebrates enduring universal values of human rights

Can Eurozone’s uncertain growth answer the challenges that lie ahead?

Why the most important tool in healthcare is trust

Is the ECB ready to flood Eurozone with freshly printed money?

Is continuous sanctioning the way to resolve the Ukrainian crisis?

State aid: Commission approves €1.2 billion French “Fonds de solidarité” scheme for small enterprises in temporary financial difficulties due to coronavirus outbreak

EUREKA @ European Business Summit 2014: Innovation across borders – mobilising national R&D funds for transnational innovation in Europe

Violence will not deter Somali people in their pursuit of peace, says UN chief, in wake of lethal attacks

Thursday’s Daily Brief: Climate crisis and food risks, fresh violence threat for millions of Syrians, calls for calm in Kashmir

Foreign investment to be screened to protect EU countries’ strategic interests

This is what Belgium’s traffic-choked capital is doing about emissions

How COVID-19 could open the door for driverless deliveries

First do no harm. Why healthcare needs to change

Can green bonds help us manage climate risk?

The world wide web is 30. Here are 8 things you should know about it

These are the countries where most adults still don’t have a smartphone

Peer-to-peer learning: a way to develop medical students’ trainings

The eyes of Brazil and the world turn to the largest rainforest and largest biodiversity reserve on Earth #PrayForAmazonia.

3 ways governments and carmakers can keep up with the future of transport

What we can learn from Asia’s courts of the future

Iraq: Education access still a challenge in former ISIL-controlled areas

The impact of refugees on the European healthcare system

Parliament votes reform for better European Co2 market but critics want it sooner than later

The European Union and the United States reach an agreement on imports of hormone-free beef

#TakeYourSeat at the UN Climate Change Conference: a way for all people to join the global conversation

Bullheaded Madrid authorities confront Catalonia with force

Draghi to lay his print on long term ECB policies prior to exiting next year

Why will Paris upcoming “loose” climate change agreement work better than the previous ones?

Is Data Privacy really safe seen through Commissioner’s PRISM?

Marking Sir Brian Urquhart’s 100th birthday, UN honours life-long servant of ‘we the peoples’

Tsipras doesn’t seem to have learned his “almost Grexit” lesson and Greece faces again financial and political dead end

How India is harnessing technology to lead the Fourth Industrial Revolution

Here’s why the world’s recovery from COVID-19 could be doughnut shaped

4 bold new ways New York is going clean and green

Tusk fights back while charismatic Boris goes against everybody in Brussels pushing the UK to leave the EU now or never

From a refugee camp to Davos: one Co-Chair’s story

Ongoing insecurity in Darfur, despite ‘remarkable developments’ in Sudan: UN peacekeeping chief

More Stings?

Advertising

Comments

  1. sheena handerson says:

    Thank you for sharing some tips that we can use in shifting our cybersecurity new normal

Speak your Mind Here

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s