As global conflicts continue, cyber has become the fifth front of warfare. The world is approaching 50 billion connected devices, controlling everything from our traffic lights to our nuclear arsenal. We've already started seeing large-scale cyberattacks, affecting critical industries like oil and gas pipelines and hospitals. But we have yet to experience a truly catastrophic incident that would "break the Internet," disrupting financial markets, supply chains, and daily life.
Could it happen this year?
Single Points of Failure
The migration of public and private sector technology to cloud computing means that a large share of our infrastructure, financial systems, supply chains, healthcare, and other critical services are run by just a handful of companies: Amazon, Google, and Microsoft. On the hardware side of things, the story isn't much better. Just three companies — Palo Alto Networks, Cisco, and Fortinet — control more than 50% of the market for security appliances. The ripple effects of a successful attack on one of these companies would leave no part of the connected world untouched, including the security software intended to protect customers in the event of an attack, much of which runs on infrastructure provided by these same cloud companies.
For data center security experts, there is also another, far less digital, concern to deal with. Suspicious activity and attacks on US power stations hit an all-time high in 2022, with more than 100 attacks reported in the first eight months of the year alone. Data centers are massive buildings, consuming immense quantities of electricity. To cool their ultrahot servers and buildings, data centers use startling amounts of water. According to Google, its data centers used 4.3 billion gallons of water in 2021. If attackers disrupt the supply of power or water to Amazon, Google, or Microsoft's data centers in a coordinated fashion, they could compromise entire regions of their infrastructure, including backups.
Follow the Money
To put the cost of a catastrophic cyberattack in perspective, consider that in 2021, according to Swiss reinsurer Swiss Re, global economic losses from natural catastrophes such as floods, hurricanes, and wildfires reached $270 billion. This is a large number, but consider the fact that Merchant Machine estimates a global Internet outage would cost the global economy $37 billion a day in lost revenue.
Still, the economics of technology are not in favor of a more secure future. Enterprises, users, and adversaries all have competing monetary interests preventing more investment in security. Technology companies need to iterate and release updates quickly to keep pace with their competitors, and their customers are often not willing to wait — or pay — for extra security features or for all bugs and vulnerabilities to be resolved. Instead, consumers opt to buy insurance against these inevitable incidents, which may create another crisis of its own.
Insurance companies spend significant amounts of money simulating disasters and estimating their cost so that any single large loss would not do significant financial harm to the insurer. For a catastrophic cyberattack, the costs could reach beyond billions of dollars, meaning bankruptcy not just for the insurers but also the reinsurers, which would likely bring about a systemic financial disruption and a near market collapse on a scale dwarfing the financial crisis of 2008. The US government spent $85 billion to bail out AIG and prevent systemic financial system collapse, but the question this time is: Who bails out an insurer with global losses, and what happens when insurers are too cash strapped to pay out claims?
So, What Now?
We need to examine critical infrastructure security and ensure there are plans and fail-safes in place capable of withstanding an extended period of disconnect. Organizations migrating to cloud computing must reevaluate their need for data fidelity and whether on-premises storage is necessary. Security leaders should make catastrophic failure planning part of their risk management strategy, and ensure their vendors also have plans in place to mitigate the impact of a loss of cloud-hosted services.
On the regulatory front, if we have any hope of preparing for a global event, we need to evaluate the technical chops of regulators and legislators creating the frameworks intended to keep us safe, as well as the metrics we use to measure the financial health of the insurers and reinsurers on the hook. If the spectacular collapse of several blockchain companies in recent years, successful election meddling via social media, or explosion in ransomware attacks have taught us anything, it's that we must demand more of our elected representatives, and elect leaders who can help run the world of tomorrow. Similarly, regulators need to understand the companies and technologies they oversee.
There will be a reckoning in the connected world, and the only way our economy (and possibly society) will survive it is by working together to create a safer, more stable infrastructure.