What the COVID-19 pandemic teaches us about cybersecurity – and how to prepare for the inevitable global cyberattack

This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Nicholas Davis, Professor of Practice, Thunderbird School of Global Management and Visiting Professor in Cybersecurity, UCL Department of Science, Technology, Engineering and Public Policy & Algirde Pipikaite, Project Lead, Industry Solutions, Centre for Cybersecurity, World Economic Forum


  • COVID-19 shows that the world is at great risk of disruption by pandemics, cyberattacks or environmental tipping points.
  • We should prepare for a COVID-like global cyber pandemic that will spread faster and further than a biological virus, with an equal or greater economic impact.
  • The coronavirus crisis provides insights into how leaders can better prepare for such cyber risks.

Most of the world is currently experiencing highly atypical living conditions as a result of COVID-19. At the height of the pandemic, more than 2 billion people were under some form of lockdown, and 91% of the world’s population, or 7.1 billion people, live in countries with border controls or travel restrictions due to the virus.

It would be comforting to think this is merely a “blip” interrupting an essentially stable state of affairs, and that the world will return to “normal” once medicine and science have tamed the virus.

Comforting – and wrong.

 

COVID-19 is not the only risk with the ability to quickly and exponentially disrupt the way we live. The crisis shows that the world is far more prone to disturbance by pandemics, cyberattacks or environmental tipping points than history indicates.

Our “new normal” isn’t COVID-19 itself – it’s COVID-like incidents.

And a cyber pandemic is probably as inevitable as a future disease pandemic. The time to start thinking about the response is – as always – yesterday.

To start that process, it’s important to examine the lessons of the COVID-19 pandemic – and use them to prepare for a future global cyberattack.

Lesson #1: A cyberattack with characteristics similar to the coronavirus would spread faster and further than any biological virus.

The reproductive rate – or R0 – of COVID-19 is somewhere between two and three without any social distancing, which means every infected person passes the virus to a couple of other people. This number affects how fast a virus can spread; the number of infected people in New York state was doubling every three days before lockdown.

By contrast, estimates of R0 of cyberattacks are 27 and above. One of the fastest worms in history, the 2003 Slammer/Sapphire worm, doubled in size approximately every 8.5 seconds, spreading to over 75,000 infected devices in 10 minutes and 10.8 million devices in 24 hours. The 2017 WannaCry attack exploited a vulnerability in older Windows systems to cripple more than 200,000 computers in 150 countries; it was halted by emergency patches and the accidental discovery of a “kill switch”.

The cyber equivalent of COVID-19 would be a self-propagating attack using one or more “zero-day” exploits, techniques for which patches and specific antivirus software signatures are not yet available. Most likely, it would attack all devices running a single, common operating system or application.

Since zero-day attacks are rarely discovered right away – Stuxnet used four separate zero-day exploits and hid in systems for 18 months before attacking – it would take a while to identify the virus and even longer to stop it from spreading. If the vector were a popular social networking application with, say, 2 billion users, a virus with a reproductive rate of 20 may take five days to infect over 1 billion devices.

Lesson #2: The economic impact of a widespread digital shutdown would be of the same magnitude as – or greater than – what we’re currently seeing.

If cyber-COVID mirrored the pathology of the novel coronavirus, 30% of infected systems would be asymptomatic and spread the virus, while half would continue functioning with performance severely degraded – the digital equivalent of being in bed for a week. Meanwhile 15% would be “wiped” with total data loss, requiring a complete system reinstall. Finally, 5% would be “bricked” – rendering the device itself inoperable.

The end result: millions of devices would be taken offline in a matter of days.

The only way to stop the exponential propagation of cyber-COVID would be to fully disconnect all vulnerable devices from one another and the internet to avoid infection. The whole world could experience cyber lockdown until a digital vaccine was developed. All business communication and data transfers would be blocked. Social contact would be reduced to people contactable by in-person visits, copper landline, snail-mail or short-wave radio.

A single day without the internet would cost the world more than $50 billion. A 21-day global cyber lockdown could cost over $1 trillion.

[Figure: Total cost impact of 1 day without the internet in the world. Image: NetBlocks]

Cyber lockdown would also introduce novel challenges for digitally dependent economies. During the 2020 Australian bushfires, power outages and damage to mobile phone infrastructure gave citizens a newfound appreciation for battery-operated FM radios. But if cyber-COVID ravaged a country, which radio stations would still operate without digital recording and transmission systems? Would states like Norway, which has completed its transition to digital radio, be able to roll back?

Lesson #3: Recovery from the widespread destruction of digital systems would be extremely challenging.

Replacing 5% of the world’s connected devices would require around 71 million new devices. It would be impossible for manufacturers to rapidly scale up production to meet demand, particularly if manufacturing and logistics systems were affected. For systems that survive, there would be a significant bottleneck in patching and reinstallation.

The geographic concentration of electronics manufacturing would create other challenges. In 2018, China produced 90% of mobile phones, 90% of computers and 70% of televisions. Finger-pointing about the source and motive of the cyberattack, as well as competition to be first in line for supplies, would inevitably lead to geopolitical tensions.

What is the World Economic Forum doing on cybersecurity

The World Economic Forum Platform for Shaping the Future of Cybersecurity and Digital Trust aims to spearhead global cooperation and collective responses to growing cyber challenges, ultimately to harness and safeguard the full benefits of the Fourth Industrial Revolution. The platform seeks to deliver impact through facilitating the creation of security-by-design and security-by-default solutions across industry sectors, developing policy frameworks where needed; encouraging broader cooperative arrangements and shaping global governance; building communities to successfully tackle cyber challenges across the public and private sectors; and impacting agenda setting, to elevate some of the most pressing issues.

Platform activities focus on three main challenges:

  • Strengthening Global Cooperation for Digital Trust and Security – to increase global cooperation between the public and private sectors in addressing key challenges to security and trust posed by a digital landscape currently lacking effective cooperation at legal and policy levels, effective market incentives, and cooperation between stakeholders at the operational level across the ecosystem.
  • Securing Future Digital Networks and Technology – to identify cybersecurity challenges and opportunities posed by new technologies and accelerate solutions and incentives to ensure digital trust in the Fourth Industrial Revolution.
  • Building Skills and Capabilities for the Digital Future – to coordinate and promote initiatives to address the global deficit in professional skills, effective leadership and adequate capabilities in the cyber domain.

The platform is working on a number of ongoing activities to meet these challenges. Current initiatives include our successful work with a range of public- and private-sector partners to develop a clear and coherent cybersecurity vision for the electricity industry in the form of Board Principles for managing cyber risk in the electricity ecosystem and a complete framework, created in collaboration with the Forum’s investment community, enabling investors to assess the security preparedness of target companies, contributing to raising internal cybersecurity awareness.

How can we prepare for cyber-COVID?

The COVID-19 pandemic provides insight into how leaders can prepare for such a “fat tail” risk:

1. Widespread, systemic cyberattacks are not just possible or plausible; they should be anticipated. As we have seen with COVID-19, even a short delay in the response can cause exponential damage.

2. New Zealand’s success in fighting the pandemic proves that early, decisive actions and clear, consistent communication increase resilience. It’s impossible to prepare for every potential risk, but both the public and private sectors should invest in scenario exercises to reduce reaction time and appreciate the range of strategic options in the event an attack occurs.

3. COVID-19 has revealed the importance of international, cross-stakeholder coordination. Cooperation between public and private sector leaders is also critical, particularly when it comes to mitigation. The Centre for Cybersecurity at the World Economic Forum is just one example of an organization addressing systemic cybersecurity challenges and improving digital trust across institutions, businesses and individuals.

4. Just as COVID-19 has pushed individuals and organizations to look to digital substitutes for physical interactions, government and business leaders should think about the inverse. “Digital roll back” and continuity plans are essential to ensuring organizations can continue to operate in the event of a sudden loss of digital tools and networks, as Maersk learned during the NotPetya cyberattack in 2017, which took out 49,000 laptops and printers and wiped all contacts from their Outlook-synced phones. A necessary part of the digital transformation is having sensitive and important information stored and accessible in physical, printed form.

But perhaps the most important lesson: COVID-19 was a known and anticipated risk. So, too, is the digital equivalent.

Let’s be better prepared for that one.

Comments

  1. sheena handerson says:

    Thank you for sharing some tips that we can use in shifting our cybersecurity new normal
