The emergence of digital technologies has transformed just about every element of our lives. It has enabled countless new business models, reinvigorated entrepreneurial spirits and spurred the development of thousands of new products and services. There is no doubt that connected digital systems improve our lives.
But digitization has also created new vulnerabilities. Just ask senior executives of Home Depot, Target, Anthem, or JP Morgan about the risks of employing cyber systems to manage customer data. Each company had the records of tens of millions of its customers stolen. And it’s not just customer data that’s at risk. After Sony Pictures was hacked, confidential information about employees and production plans was posted online. The hackers also tried to intimidate the company’s sales channels when they posted a vague threat against theaters showing the movie The Interview.
But cyber risks can be much bigger than data or identity theft. Cyber attacks can disrupt the operations of digital systems. Las Vegas Sands, a global casino company, suffered a wiping attack that crippled the company’s operations. Twitter, PayPal and Spotify have had their services disrupted by hackers. And Saudi Aramco had roughly 30,000 computers wiped by a hacktivist group calling itself the “Cutting Sword of Justice.”
And these are just a few of the known cyber attacks. On July 8, 2015, the websites of United Airlines, the New York Stock Exchange, the Wall Street Journal, and popular financial blog site Zero Hedge were all shut down for supposedly “technical reasons.” Coordinated cyber attack? Sure seemed like one to me. There are probably thousands of similar cases.
The same technologies that enable us to rapidly order an Uber or to instantaneously download the latest book by Michael Lewis can also empty our bank accounts or steal our identities. In short, cyber is a two-sided coin. About two years ago, Richard Danzig, former US Secretary of the Navy, delivered a speech he titled “Surviving on a Diet of Poisoned Fruit.” In it, he noted the very systems that enable wide scale collaboration and information sharing also allow for unprecedented intrusion. Cyber systems, he stated, both nourish and poison us.
Consider the case of Estonia, arguably the most connected country in the world. The small country was an early adopter of many e-government initiatives. It was the target of a 2007 cyber attack in which weeks of sustained denial-of-service traffic knocked the online services of Estonian banks, ministries, broadcasters, newspapers, and even the parliament offline, effectively cutting the country off from the digital systems it had come to depend on.
Last week I had the opportunity to speak with and listen to retired four-star Air Force General Michael Hayden, former head of the Central Intelligence Agency and the National Security Agency, at an event organized by First Republic Bank in Boston. Hayden’s message: We don’t fully appreciate the magnitude of the transformation that cyber systems are enabling. But it’s urgent that we do, and that we do so rapidly.
Hayden suggested we treat cyber as an entirely new domain, just as the military has done. Doing so will allow corporate boardrooms and IT managers to focus on managing cyber risks more effectively. To help us rethink risk management in this new domain, Hayden pointed to the three primary factors driving risk: the threat environment, vulnerabilities in our defenses, and the consequences of an intrusion.
The threat level can be thought of as our level of participation in the cyber domain combined with the number and type of attackers who may want to inflict harm. If we had zero participation in the domain, we wouldn’t have any risk. But it’s not a binary consideration: A company’s HR systems, for instance, could digitally store all employee records except for social security numbers, reducing what an intruder can take without giving up the benefits of the system. And it’s also possible to manage the threat component by understanding and monitoring likely attackers. In fact, some cyber security firms are beginning to offer such threat intelligence services.
Most of our cyber risk management efforts are targeted at minimizing vulnerabilities. Citing FireEye’s Kevin Mandia, Hayden noted that most of our efforts are focused on developing stronger defenses, firewalls and the like. And while worthwhile and generally effective, no amount of effort will ensure penetration-proof protection, he noted. The probability of hackers getting through cyber defenses will almost certainly be greater than zero for some time to come.
Minimizing the consequences of cyber attacks, however, is a big opportunity. It requires a company and its IT managers to be self-aware and focus, as Hayden noted, on resilience, response and recovery after an attack. Today, it often takes months for organizations to identify that an attack even took place. By focusing on rapidly identifying an intrusion and limiting its impact, organizations have the ability to greatly reduce the risk of catastrophic effects resulting from cyber attacks.
The stakes are simply too high for cyber risk management to not get the attention it deserves. Cyber attacks have the potential to generate massive destruction and widespread loss of life. Think I’m being overly dramatic? Think again.
Earlier this year, German utility RWE disclosed it had found malware in the computer system that manages the movement of fuel rods at one of its nuclear power plants. The infection turned out to be commodity worms (Conficker and Ramnit, apparently carried in on removable media) on a system isolated from the internet, and it was caught and contained quickly. But in October, International Atomic Energy Agency (IAEA) director Yukiya Amano confirmed that cyber attacks have targeted nuclear power plants, noting that non-critical operations had been disrupted. The impact of a cyber attack that disabled safety and control systems at a nuclear facility could be enormous.
Further, Leon Panetta, former Secretary of Defense, has warned that cyber attacks “could derail passenger trains, or even more dangerous, derail passenger trains loaded with lethal chemicals…they could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.” And last year, Director of National Intelligence James Clapper bluntly stated that although an attack was not immediately likely, the United States “must be prepared for a large, Armageddon-scale strike that would debilitate the entire U.S. infrastructure.”
We need to think about cyber risk management more broadly, as General Hayden recommends. Danzig had it right: We’re drinking a nourishing poison. And while we should obviously minimize threats and address vulnerabilities, the blunt reality is that some cyber attacks will succeed. So if we are to truly enjoy the nourishment digital systems provide, we had better not allow the poison to kill us.