What the COVID-19 pandemic teaches us about cybersecurity – and how to prepare for the inevitable global cyberattack

cyber

(Credit: Unsplash)

This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Nicholas Davis, Professor of Practice, Thunderbird School of Global Management and Visiting Professor in Cybersecurity, UCL Department of Science, Technology, Engineering and Public Policy & Algirde Pipikaite, Project Lead, Industry Solutions, Centre for Cybersecurity, World Economic Forum


COVID-19 shows that the world is at great risk of disruption by pandemics, cyberattacks or environmental tipping points.

  • We should prepare for a COVID-like global cyber pandemic that will spread faster and further than a biological virus, with an equal or greater economic impact.
  • The coronavirus crisis provides insights into how leaders can better prepare for such cyber risks.

Most of the world is currently experiencing highly atypical living conditions as a result of COVID-19. At the height of the pandemic, more than 2 billion people were under some form of lockdown, and 91% of the world’s population, or 7.1 billion people, live in countries with border controls or travel restrictions due to the virus.

It would be comforting to think this is merely a “blip” interrupting an essentially stable state of affairs, and that the world will return to “normal” once medicine and science have tamed the virus.

Comforting – and wrong.

 

COVID-19 is not the only risk with the ability to quickly and exponentially disrupt the way we live. The crisis shows that the world is far more prone to disturbance by pandemics, cyberattacks or environmental tipping points than history indicates.

Our “new normal” isn’t COVID-19 itself – it’s COVID-like incidents.

And a cyber pandemic is probably as inevitable as a future disease pandemic. The time to start thinking about the response is – as always – yesterday.

To start that process, it’s important to examine the lessons of the COVID-19 pandemic ­– and use them to prepare for a future global cyberattack.

Lesson #1: A cyberattack with characteristics similar to the coronavirus would spread faster and further than any biological virus.

The reproductive rate – or R0 – of COVID-19 is somewhere between two and three without any social distancing, which means every infected person passes the virus to a couple of other people. This number affects how fast a virus can spread; the number of infected people in New York state was doubling every three days before lockdown.

By contrast, estimates of R0 of cyberattacks are 27 and above. One of the fastest worms in history, the 2003 Slammer/Sapphire worm, doubled in size approximately every 8.5 seconds, spreading to over 75,000 infected devices in 10 minutes and 10.8 million devices in 24 hours. The 2017 WannaCry attack exploited a vulnerability in older Windows systems to cripple more than 200,000 computers in 150 countries; it was halted by emergency patches and the accidental discovery of a “kill switch”.

The cyber equivalent of COVID-19 would be a self-propagating attack using one or more “zero-day” exploits, techniques for which patches and specific antivirus software signatures are not yet available. Most likely, it would attack all devices running a single, common operating system or application.

Since zero-day attacks are rarely discovered right away – Stuxnet used four separate zero-day exploits and hid in systems for 18 months before attacking – it would take a while to identify the virus and even longer to stop it from spreading. If the vector were a popular social networking application with, say, 2 billion users, a virus with a reproductive rate of 20 may take five days to infect over 1 billion devices.

Lesson #2: The economic impact of a widespread digital shutdown would be of the same magnitude – or greater – than what we’re currently seeing.

If cyber-COVID mirrored the pathology of the novel coronavirus, 30% of infected systems would be asymptomatic and spread the virus, while half would continue functioning with performance severely degraded – the digital equivalent of being in bed for a week. Meanwhile 15% would be “wiped” with total data loss, requiring a complete system reinstall. Finally, 5% would be “bricked” – rendering the device itself inoperable.

The end result: millions of devices would be taken offline in a matter of days.

The only way to stop the exponential propagation of cyber-COVID would be to fully disconnect all vulnerable devices from one another and the internet to avoid infection. The whole world could experience cyber lockdown until a digital vaccine was developed. All business communication and data transfers would be blocked. Social contact would be reduced to people contactable by in-person visits, copper landline, snail-mail or short-wave radio.

A single day without the internet would cost the world more than $50 billion. A 21-day global cyber lockdown could cost over $1 trillion.

Total cost impact of 1 day without the internet in the world
Just one day without the internet would cost the world more than $50 billion.
Image: NetBlocks

Cyber lockdown would also introduce novel challenges for digitally dependent economies. During the 2020 Australian bushfires, power outages and damage to mobile phone infrastructure gave citizens a newfound appreciation for battery-operated FM radios. But if cyber-COVID ravaged a country, which radio stations would still operate without digital recording and transmission systems? Would states like Norway, which has completed its transition to digital radio, be able to roll back?

Lesson #3: Recovery from the widespread destruction of digital systems would be extremely challenging.

Replacing 5% of the world’s connected devices would require around 71 million new devices. It would be impossible for manufacturers to rapidly scale up production to meet demand, particularly if manufacturing and logistics systems were affected. For systems that survive, there would be a significant bottleneck in patching and reinstallation.

The geographic concentration of electronics manufacturing would create other challenges. In 2018, China produced 90% of mobile phones, 90% of computers and 70% televisions. Finger-pointing about the source and motive of the cyberattack, as well as competition to be first in line for supplies, would inevitably lead to geopolitical tensions.

What is the World Economic Forum doing on cybersecurity

The World Economic Forum Platform for Shaping the Future of Cybersecurity and Digital Trust aims to spearhead global cooperation and collective responses to growing cyber challenges, ultimately to harness and safeguard the full benefits of the Fourth Industrial Revolution. The platform seeks to deliver impact through facilitating the creation of security-by-design and security-by-default solutions across industry sectors, developing policy frameworks where needed; encouraging broader cooperative arrangements and shaping global governance; building communities to successfully tackle cyber challenges across the public and private sectors; and impacting agenda setting, to elevate some of the most pressing issues.

Platform activities focus on three main challenges:

Strengthening Global Cooperation for Digital Trust and Security – to increase global cooperation between the public and private sectors in addressing key challenges to security and trust posed by a digital landscape currently lacking effective cooperation at legal and policy levels, effective market incentives, and cooperation between stakeholders at the operational level across the ecosystem.Securing Future Digital Networks and Technology – to identify cybersecurity challenges and opportunities posed by new technologies and accelerate solutions and incentives to ensure digital trust in the Fourth Industrial Revolution.Building Skills and Capabilities for the Digital Future – to coordinate and promote initiatives to address the global deficit in professional skills, effective leadership and adequate capabilities in the cyber domain.

The platform is working on a number of ongoing activities to meet these challenges. Current initiatives include our successful work with a range of public- and private-sector partners to develop a clear and coherent cybersecurity vision for the electricity industry in the form of Board Principles for managing cyber risk in the electricity ecosystem and a complete framework, created in collaboration with the Forum’s investment community, enabling investors to assess the security preparedness of target companies, contributing to raising internal cybersecurity awareness.

For more information, please contact us.

How can we prepare for cyber-COVID?

The COVID-19 pandemic provides insight into how leaders can prepare for such a “fat tail” risk:

1. Widespread, systemic cyberattacks are not just possible or plausible; they should be anticipated. As we have seen with COVID-19, even a short delay in the response can cause exponential damage.

2. New Zealand’s success in fighting the pandemic proves that early, decisive actions and clear, consistent communication increase resilience. It’s impossible to prepare for every potential risk, but both the public and private sectors should invest in scenario exercises to reduce reaction time and appreciate the range of strategic options in the event an attack occurs.

3. COVID-19 has revealed the importance of international, cross-stakeholder coordination. Cooperation between public and private sector leaders is also critical, particularly when it comes to mitigation. The Centre for Cybersecurity at the World Economic Forum is just one example of an organization addressing systemic cybersecurity challenges and improving digital trust across institutions, businesses and individuals.

4. Just as COVID-19 has pushed individuals and organizations to look to digital substitutes for physical interactions, government and business leaders should think about the inverse. “Digital roll back” and continuity plans are essential to ensuring organizations can continue to operate in the event of a sudden loss of digital tools and networks, as Maersk learned during the NotPetya cyberattack in 2017, which took out 49,000 laptops and printers and wiped all contacts from their Outlook-synced phones. A necessary part of the digital transformation is having sensitive and important information stored and accessible in physical, printed form.

But perhaps the most important lesson: COVID-19 was a known and anticipated risk. So, too, is the digital equivalent.

Let’s be better prepared for that one.

the sting Milestone

Featured Stings

Can we feed everyone without unleashing disaster? Read on

These campaigners want to give a quarter of the UK back to nature

How to build a more resilient and inclusive global system

Stopping antimicrobial resistance would cost just USD 2 per person a year

Migration has set EU’s political clock ticking; the stagnating economy cannot help it and Turkey doesn’t cooperate

South Asia can become an innovation hub. Here’s how

Why a global recession isn’t inevitable

What does artificial intelligence do in medicine?

The benefits of a cashless society

Japan must urgently address long-standing concerns over foreign bribery enforcement

Coronavirus: Commission proposes to activate fiscal framework’s general escape clause to respond to pandemic

A Valentine’s Special: giving back, a dialogue of love

If on a summer’s night: is UK businesses’ “new deal” the only key to the “best of all worlds”?

World Retail Congress Dubai 2016: Retail’s night of nights

Virus Coronavirus: No time to die

Chart of the day: This is what violence does to a nation’s GDP

Palestine refugees’ relief chief warns Security Council money to fund Gaza operations will run out in mid-June

Africa-Europe Alliance: Four new financial guarantees worth €216 million signed under the EU External Investment Plan

European Junior Enterprises to address the significant skills mismatch in the EU between school and employment

What happiness can teach us about how we measure human development

Celebrities are helping the UK’s schoolchildren learn during lockdown

Taking fast road to ‘e-mobility’ central to a sustainable future: COP24

US-China trade war is a ‘lose-lose’ situation for them and the world, warn UN economists

This digital currency could build a more sustainable global economy

UN relief chief urges Security Council to back aid delivery, more funding for millions of Syrians hit by harsh weather

EU to finance new investment projects with extra borrowing; French and Italian deficits to be tolerated

Could the fourth wave of globalization help to end epidemics?

EU adopts rebalancing measures in reaction to US steel and aluminium tariffs

UN chief welcomes start of Church-mediated national dialogue in Nicaragua

It’s time for global businesses to accept local responsibility

WHO working to save lives following powerful earthquake in Albania

Parliament demands ban on neo-fascist and neo-Nazi groups in the EU

We won’t win the online security war without people power

Grave concern over escalating humanitarian crisis, casualties, displacement across northwest Syria: UN

Banks can fight financial crime. But we can’t do it alone

China-EU Summit on 16-17 July 2018: “Work together to address common challenges”, by China’s Ambassador to the EU

Juncker Plan exceeds original €315 billion investment target

Rising inequality affecting more than two-thirds of the globe, but it’s not inevitable: new UN report

25 years on from genocide against the Tutsi, UN Chief warns of ‘dangerous trends of rising xenophobia, racism and intolerance’

How cities, not states, can solve the world’s biggest problems

Mergers: Commission prohibits proposed merger between Tata Steel and ThyssenKrupp

Microplastics have been found in Rocky Mountain rainwater

Mali: Two peacekeepers dead after dawn attack, several injured – UN Mission

Russia and the West to partition Ukraine?

RescEU: MEPs vote to upgrade EU civil protection capacity

Professional practices of primary health care for Brazilian health and gender inequality

Universities need strategic leadership. Here’s what it looks like

The health of the human being in coexistence with a transformative biosphere

Voices of Afghan women ‘must be heard at the table in the peace process and beyond’ UN deputy chief tells Security Council

Managing and resolving conflicts in a politically inclined group of team members

Telemedicine and the Brazilian reality

UN’s Grandi slams ‘toxic language of politics’ aimed at refugees, migrants

G20 to Germany: Abandon miser policies

German elections: Is Merkel losing ground or Shultz is winning?

EU paves the way for a stronger, more ambitious partnership with Africa

‘An unprecedented fiscal response’ – political and business leaders on managing the coronavirus crisis

Urgent action needed to address growing opioid crisis

I have a rare disease. This is my hope for the future of medicine

Bill Gates’ top 10 breakthrough technologies of 2019

Eurobarometer: protecting human rights tops citizens’ list of EU values

Global aid appeal targets more than 93 million most in need next year

Help prevent children ‘from becoming victims in the first place’, implores Guterres at campaign launch

Don’t let the virus quarantine your mind –Ways to strengthen “Mental” immunity

The developing countries keep the world going

More Stings?

Advertising

Comments

  1. sheena handerson says:

    Thank you for sharing some tips that we can use in shifting our cybersecurity new normal

Speak your Mind Here

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s