Cyber attacks a top risk says World Economic Forum

Via Clerkendweller’s blog post about the 2012 edition of the Global Risks report from the World Economic Forum, Cyber attacks came in #4 among the top 50 global risks as a function of likelihood.

The report divides risks into five categories – Economic, Environmental, Geopolitical, Societal, and Technological. What I also found interesting is that within the Technological category, Cyber attacks scores highest as a function of likelihood and impact. See the chart below:

The report further defines “connectivity” as one of the “Three distinct constellations of risks that present a very serious threat to our future prosperity and security…” The report then goes on to identify the three types of objectives of cyber attacks using physical world “military strategy” and “intelligence analysis” analogies: sabotage, espionage, and subversion. Here are the examples they provide:

Sabotage

  • Users may not realize when data has been maliciously, surreptitiously modified and make decisions based on the altered data. In the case of advanced military control systems, effects could be catastrophic.
  • National critical infrastructures are increasingly connected to the Internet, often using bandwidth leased from private companies, outside of government protection and oversight.

Espionage

  • Sufficiently skilled hackers can steal vast quantities of information remotely, including highly sensitive corporate, political and military communications.

Subversion

  • The Internet can spread false information as easily as true. This can be achieved by hacking websites or by simply designing misinformation that spreads virally.
  • Denial-of-service attacks can prevent people from accessing data, most commonly by using “botnets” to drown the target in requests for data, which leaves no spare capacity to respond to legitimate users.

These do not map easily into our traditional method of categorizing threats as risks to confidentiality, integrity, and availability of information but may be useful because what’s really important is the focus on adversaries and the actions they take to threaten the confidentiality, integrity, and availability of our cyber assets.

Of course we need to focus on assets in the sense that we have to “harden” them to reduce the likelihood of a successful attack. But we cannot stop there due to the following.

The Connectivity case provides two axioms for the Cyber Age:

  • Any device with software-defined behaviour can be tricked into doing things its creators did not intend.
  • Any device connected to a network of any sort, in any way, can be compromised by an external party. Many such compromises have not been detected.
If these axioms are true, then we must go beyond hardening assets. We must also invest in technical controls that can detect obviously negative and anomalous behavior of assets.
Overall, a document well worth reading.