According to a new report released by the World Economic Forum, failure to improve cyber security on a global scale could cost the world economy trillions of dollars in economic value and lead to more frequent cyber attacks.
The report, Risk and Responsibility in a Hyperconnected World, written in collaboration with McKinsey Company, examines the need for new approaches to increase resilience against cyber attacks.
Released this week during the poshy World Economic Forum Annual Meeting in Davos-Klosters, Switzerland, the report draws on knowledge and opinions derived from over 300 global executives, government figures, civil society and experts from different business sectors.
According to statistics cited by the World Economic Forum, technology trends such as cloud computing and big data have the potential to create between $9.6 trillion and $21.6 trillion in value for the global economy. However, the reports notes, if attacker tactics outpace the capabilities of defenders, more destructive attacks will result and spark a wave of new regulations and corporate policies that could slow innovation with a massive economic impact.
Aerial photo from the new, futuristic and stylish Intercontinental Hotel in Davos, Switzerland. The Annual Meeting 2014 of the World Economic Forum will take place in Davos from January 22 to 25, 2014. (Image Credit: World Economic Forum)
The report outlined three different scenarios for how things could look in 2020, based on the conceivable value created from innovations in technology that could be affected by global organizations’ ability to defend against cyber attacks.
In what some may suggest is a casting of fear, uncertainty and doubt (FUD), the report illustrates a scenario where the frequency of attacks significantly escalates, and international cooperation to combat the proliferation of cyber weapons proves elusive. As a result, the report predicts that government “cyber resilience regulations” would become more directive, and disturb adoption of innovative technologies. Under this scenario, the World Economic Forum projected that much as $3 trillion in value created by adopting these technological innovations would remain unrealized.
In a less gloomy scenario, if attackers retain an advantage over defenders, but defenders are able to respond to cyber threats reactively, but successfully, adoption of innovative technologies would slow—but not to the level as the scenario above. Under these conditions, the threat level increases incrementally as more sophisticated cyber weapons leave defenders behind attackers. In this scenario, as much as $1.02 trillion in value from technological innovation would be left unrealized over the next five to seven years, the report said.
In a best-case scenario, the report suggests that proactive action and successful cooperation between the public and private sectors would limit the proliferation of cyber weapons and attack tools, build institutional capabilities and stimulate innovation. As a result, technological innovation would be enabled, “accelerating digitization and creating significant economic value over the remainder of this decade.”
According to those interviewed for the report, large institutions often lack the facts and processes to make and implement effective decisions about cyber resilience.
“Most large institutions do not systematically understand which information assets need to be protected, who are their attackers, what is their risk appetite or which is the most effective set of defense mechanisms,” the report explained.
While resources need to be allocated to cyber security, the report found that security spending and effectiveness do not always go hand and hand.
Companies that spend more on “cyber resilience” do not necessarily manage cyber risks in a more mature way—many are just throwing money at the problem, the report said.
“Developing resilience to cyber risks in our economic and social systems is not a question of simply building walls for security,” said Alan Marcus, Senior Director and Head of Information Technology and Telecommunications Industries at the World Economic Forum USA. “There are trade-offs to be made with other goals we wish to value, such as privacy, growth, innovation, and the free flow of goods and data. But to make good decisions, we need better data.”
To protect against the strategic and economic effects of such costly attacks, the report outlines ways to build awareness, understanding and action with top public and private sector leaders. It also assesses the economic impact of concerns around cyber risks and proposes a global framework aimed at coordinating collaboration and provides a capabilities based-roadmap for businesses and governments.
Organizations need to prioritize information assets based on business risks and integrate cyber resilience into enterprise-wide risk management, the report said. Additionally, organizations should differentiate protection based on importance of assets, develop deep integration of security into technology environment and deploy active defenses to uncover attacks proactively.
Security teams also need to work with business leaders to gain a better understanding of business risks, such as intellectual proprietary, and to set appropriate priorities to the underlying information assets.
“Cyber resilience is an enterprise risk, and must be managed like one,” the report said. “Assessments of risks from cyberattack must be integrated with other risk analysis and presented at relevant management and board discussions. Cyber resilience implications must be integrated into the broad set of enterprise governance functions such as human resources, vendor management and regulatory compliance.”
“There needs to be a fundamental change in the way we protect ourselves from cyber attacks. Check-the-box compliance-based approaches simply don’t work anymore,” said James Kaplan, a Partner at McKinsey Company. “Companies and public institutions need to build cybersecurity capabilities that are scalable, deeply integrated into the broader IT environment and focused on addressing the more important business risks.”
In the public sector, leaders should establish a comprehensive, transparent national cyber strategy that integrates procedures across all policy domains and ensure that law enforcement and the state have a comprehensive and flexible legal code and capabilities to take action when needed.
“Cyberattacks have the potential to change the nature of warfare and international relations, almost past the level of the Cold War,” said the CIO of a European aerospace and defense company.
In a November 2012 forum, Kaspersky Lab chief Eugene Kaspersky said governments still don’t understand how dangerous cyberweapons really are. Kaspersky suggested that nation-states will have different reasons for resorting to cyber-terror tactics than hacktivists, and that traditional terrorists will also be a player.
“The next 10 years we’ll see more and more attacks,” Kaspersky said. “I’m afraid that other states will join the game. We’ll see much more sophisticated attacks.”
Cyber events are changing the nature of interstate relations, and nations should establish a national cyber doctrine to define and express their positions on the use of cyber resilience tools and weapons for national purposes, the World Economic Forum report suggests.
The 40-page report from the World Economic Forum includes additional survey data on cyber resilience capabilities, and provides a 14-point roadmap for collaborative actions that organizations can take to gauge their current level of cyber risk capability and improve their readiness.
The World Economic Forum’s Risk and Responsibility in a Hyperconnected World Project is a global, multi-industry, multi-stakeholder endeavor to improve cyber resilience, raise business standards and contribute to a safer and stronger connected society. Today, the partnership comprises more than 100 signatories.
The full report from the World Economic Forum is available here.
Managing Editor, SecurityWeek.Previous Columns by Mike Lennon:Target Breach Has Cost Credit Unions Nearly $30 Million: AssociationNieman Marcus Says Hackers Stole Details of 1.1 Million Customer Credit CardsImproved Cyber Security Could Save Global Economy Trillions: World Economic ForumVMware Expands Mobility Offerings With $1.54 Billion Acquisition of AirWatchCisco Revamps Security Training Programs, Adds Cybersecurity Specialist Certification
Tracking Law Enforcement