The rise of cyber terror
PLAN OF ACTION
FERMA has been campaigning for businesses to change the way they operate in a bid to lessen the risks from cyber terrorism and attacks.
In its report, ’At the junction of corporate governance and cybersecurity’, the association called for organisations to set up dedicated internal cyber risk governance groups to better manage cyber risks, particularly as threats evolve.
The role of the group is to determine the potential cost of cyber risks across the whole organisation, including catastrophic risk scenarios, and to propose mitigation measures to the risk committee and the board.
The association recommends that these groups are chaired by the risk manager but operate across functions throughout the business. In addition to the risk managers, the group is to be composed of representatives of all key functions involved in digital risk, notably IT, human resources, communications, finance, legal and the data protection officer and chief information security officer.
FERMA president Jo Willaert says: “As recent attacks show, cyber risk is an enterprise issue that affects strategic aspects of the board’s mandate, including valuation, reputation and trust. The management of cyber risk has, therefore, become a corporate issue that should be reflected in the governance of the company.”
“Our recommended cyber risk governance model constitutes an innovative way for organisations to approach cyber security. It will allow the board of directors to demonstrate that cyber risks are managed on a rational and documented analysis of the risks across the organisation.”
But insurers also have a role to play, and their support should be factored into internal cyber governance structures.
Chris Burgess, UK cyber leader at AIG, says: “Whatever the scale of the attack – whether they affect critical infrastructure and halt vital services to the public; or a data breach that could damage consumer trust and tarnish brand equity – cyber attacks are now an inevitable risk for business, support services and core infrastructure, and governments.”
“Prevention, mitigation and response requires a strong coordinated approach, which brings all internal stakeholders in line – and which is further enhanced by the support of highly experienced cyber and IT experts.”
“There are critical providers whose value can be defined by the breath and depth of services that they can offer – expert consultations on effective preventative measures; 24/7 support during the response phase of an incident, including forensic investigations; PR and communications support to lesson the impact on brands and reputation; reliable risk transfers to indemnify losses; and robust claims management.”
“And this is where insurers can help. Through a standalone cyber policy, insurers can provide the added support to internal cyber governance structures to ensure they are fit for the cyber challenges of the future.”
The terrorism landscape is fast evolving,with perils moving away from large-scaleterror to lone assailant attacks targetingmass civilians in localised and publicareas. But one other potential shift thathas grabbed the focus of counterterrorism groups and governments is the likelihood of large-scale cyber terror attacks and the impact on civilians – both domestic and travelling employees.
The WannaCry ransomware, which infected the UK’s NHS and private healthcare in 2017, wreaked havoc on core services. One of the biggest impacts? Some 20,000 hospital appointments and operations were cancelled during the attack – 20,000 people were unable to receive medical attention.
Fortunately, little to no evidence has surfaced of serious or long-term harm to patients’ health following the attack, but WannaCry 2017 is indicative of how large attacks of this nature could spiral out of control and have potentially devastating impacts on human lives.
Employers who operate large international assignments must be cognisant of the risks of cyber threats to core infrastructure. Governments, researchers and counterterrorism groups continue to investigate attacks that could affect mass civilian populations. They all agree the threat of a potential cyber terror attack looms large.
As the Centre for Risk Studies at the University of Cambridge and Pool Re, warns in their joint report, Cyber terrorism: assessment of the threat to insurance: “Practices and predictions of terrorists acquiring destructive cyber capabilities date back many years. The National Academy of Sciences first warned of a ‘digital Pearl Harbor’ as early as 1990.”
While no such attack has materialised, the two companies go on to say: “Concerns over the potential movement of terrorism into the cyber sphere endure and, with the broadening of attack surfaces and growing technical capabilities of threat actors, the arrival of cyber terrorism seems ever more likely.”
The arrival of cyber terrorism
It is easy to see how such a scenario could become possible. Recent advancements have seen a proliferation of smart technology enter the market place – a trend described as the ‘Fourth Industrial Revolution’.
The internet of things, big data, automation, machine learning and artificial intelligence all converge to create hyperconnected networks and a continuum of digitalised operational functions across many industries. The upsides include greater efficiency, which can drive down costs and provide competitive advantage. The downside? An increase in vulnerability to cyber attacks as technologies create new and diverse security challenges.
“The risks are certainly increasing, as are the number of potential types of actors,” says Stuart Poole-Robb, group CEO at KCS Group, a cyber intelligence consultancy company. “As such, governments are spending more in terms of time, energy and, of course, money to thwart attacks.”
So, what would a cyber terror attack look like? “In its broadest sense, it is an act that is designed to cause panic or terror through damage and destruction,” he explains.
“However, it should not be confused with corporate or personal hacking for financial enrichment or industrial espionage, nor should it be confused with cyber-warfare against government or military assets.”
Instead, cyber terrorism can be described as: “A cyber attack against civilian information, data and systems by terrorist groups or agents related to nation states, whose primary purpose is to sew dissent and uncertainty. It can take many forms and the attack vectors are becoming more complex,” he adds.
For the Centre for Risk Studies and Pool Re, cyber terrorism is: “An act of politically motivated violence involving physical damage or personal injury caused by a remote digital interference with technology systems.”
Whatever the definition, as WannaCry indicated, large-scale cyber attacks to core infrastructure could halt vital services, have a direct impact on the public and cause panic and disruption.
But WannaCry is only one of several examples of attacks to vital infrastructure that have caused concerns among governments. The NotPetya attack, which first surfaced on 27 June 2017, is another example. The ransomware infected up to 12,500 machines in more than 60 countries, mainly in Eastern Europe. The attack affected critical infrastructure in several industries, including banking and financial centres; energy exploration and production; shipping; terminal operators and other support companies; and power generation facilities.
Concerns over the potential movement of terrorism into the cyber sphere endure, and, with the broadening of attack surfaces and growing technical capabilities of threat actors, the arrival of cyber terrorism seems ever more likely
In fact, A.P. Moller-Maersk – the world’s largest shipping company – estimated its losses to be in the region of $200m–$300m, primarily as a result of business interruption.
“As attacks of this type mature, the combined shocks of failing critical infrastructure and economic output put at risk through the unpredictability of international trade and business interruption will have far reaching ramifications,” says the Centre for Risk Studies at the University of Cambridge and Pool Re in their report.
A cyber-attack against civilian information, data and systems by terrorist groups or agents related to nation states whose primary purpose is to sew dissent and uncertainty. It can take many forms and the attack vectors are becoming more complex
As Poole-Robb concludes: “The boundary between government or military assets and private infrastructure companies is becoming blurred as more services become outsourced – causing many more vulnerabilities to a possible cyber terror attack.”