The latest edition World Economic Forum’s Global Risks Report takes a dim view of our hyper connected world. At the group’s annual meeting in Davos, Switzerland, members wrestled with the consequences of ubiquitous Internet connectivity, concluding that groups or individuals with few resources are capable of launching attacks with devastating consequences for both commercial and geopolitical powers.
The threat of ‘cyber attacks’ was ranked the fourth of 50 global risks with the highest likelihood of occurring, after ‘severe income disparity,’ ‘fiscal imbalances,’ and ‘rising greenhouse gas emissions.’ This marks the first time since 2007, when the ‘breakdown of critical information infrastructure’ made the list, that network security has seen such relevance in the report.
Internet security is now an example of a public good in which “costs are borne privately, but benefits are shared,” the seventh annual edition of the report claims.
The arena of cyber security is vast, ranging from petty crime and mischief-making to the shutting down of critical systems and the triggering of kinetic warfare. Within the report’s technology category, Survey analyses highlighted critical system failures as the most concerning and central issue. Unfortunately, empirical evidence on cyber security is scant, according to the report. Much of the research that has been done has been carried out by a handful of companies in the business of selling Internet security solutions – a potential bias that encourages skepticism in and already skeptical industry.
The report split potential cyber attacks into three areas: sabotage, espionage, and subversion. The first two require relatively high levels of technical sophistication and are often the work of major corporations, nation states, and elite hackers. (Consider the cases of Stuxnet and GhostNet.) Subversion on the other hand needs only to undermine trust, and thus can be carried out by nearly anyone with a computer, like in the case of daily attacks carried out by the Anonymous Internet collective.
The problems of Internet security are many. While vendors talk threats up, the victims of attacks remain silent (though the SEC is tryihng to change this). This paradox makes it exceptionally difficult to gauge the gravity of these threats and create investment plans to address them.
The report criticizes the resources devoted to security as inadequate and says well-intentioned actors – whether governments, corporations or individuals – need to find ways of identifying flaws and deploying fixes before malicious actors find and exploit them. As an example, ‘bug bounty‘ programs are a step in the right direction, the report says.