Cyber attack is new global risk
by Luciana de Rossi // January 22, 2012 // Risk Management
Every year, the World Economic Forum (WEF) produces a Global Risks Report, highlighting the key themes across the world that present risk to our economies or daily life. This year, for the first time, Information Security features right at the heart of the report.
Now in its seventh issue, the Global Risks Report is drafted by the WEF’s Risk Response Network (RRN), which provides an impartial platform to map, monitor and mitigate the risks that it identifies. Each year, the WEF tracks fifty risks across five main categories – Economic, Environmental, Geopolitical, Societal and Technological. In 2012, 469 experts and industry leaders were surveyed, and were asked to look at a ten-year threat horizon, assessing the severity of each risk on a five-point scale. This year, three main risk cases were identified:
- Dystopia, a constellation of fiscal, demographic and societal risks signalling a dystopian future for humanity
- Inability of existing safeguards to protect us from risks arising from emerging technology, resource depletion and climate change
- Hyperconnectivity, making us vulnerable to cyber threats and digital disruptions with a shift in power to less resourced actors.
Cyber attack featured as the fifth most likely risk in the 2012 report, the first time in five years that a technological risk has featured in the top five. The last time, in 2007, “Breakdown of critical Information Infrastructure” featured as the most likely risk, though it was soon knocked out of the top five by a series of economic risks after the global credit crisis in 2008.

Hyperconnectivity
Information Security issues were captured within the Hyperconnectivity risk case, which refers to a constellation of threats centred around the failure of critical infrastructure. The threats include Cyber Attacks, massive data fraud or theft and large scale digital misinformation, all of which were considered to be low likelihood but high impact risks. Cyber attacks identified by the WEF included complex, high cost, sabotage and espionage attacks – usually the domain of governments and corporations – through to low cost subversive attacks, often perpetrated by pressure groups like the Anonymous hacking network.

Suggestions
WEF made four suggestions to world leaders to help reduce the risks that had been identified:
- Realign incentives. Currently the risk of cyber attack is talked up by security vendors, and talked down by most other corporations, who rarely admit being a victim. It is therefore almost impossible to determine the true level of risk. Incentives must be realigned to encourage victims to speak out.
- Multistakeholder collaboration. Corporations have no incentive to help secure anything but their own network. Governments and the private sector must work together, recognising that insecurity anywhere is a threat to the rest of the system.
- A market for exploits. All systems have vulnerabilities, and in addition to improving the standard of software at release time, there will always be a need for patching. At the moment there isn’t a large enough incentive for ‘white hat’ hackers to test for vulnerabilities in commercial software. Until a regulated market exists for exploits, the sale of vulnerability information on the black market is a risk.
- Development of social norms in cyberspace. Actions which are not socially acceptable in the real world – theft, industrial espionage – are readily and openly conducted in cyberspace. A discussion on the rules of acceptable engagement for corporate espionage is required, and social research is required to understand why social norms from the real world do not carry over into the online world.
The full WEF Global Risks Report 2012 can be downloaded as a PDF here.


