Catastrophic Cyber Risks: Press Briefing Notes
Science Media Centre, London in April 2013
by Dr Sally Leivesley
Managing Director, Newrisk Limited (www.newrisk.com)
Advisor on catastrophic risk to companies and governments
Member of the Register of Security Engineers and Specialists, ICE
Catastrophic Cyber Risks:
Conflicts, crime and mischief are increasingly being played out in cyber space. There are inherent risks both through the growth in interconnectedness and to the controls of systems that store, transfer and develop knowledge through networks of electronic, computer-based and wireless systems. Most significantly there are vulnerabilities within the language of security (encryption). A foreseeable end game is being played by nation states, organised groups and asymmetric non state entities to breach encryption and this will open systems to manipulation, interrogation and control.
- Cyber space is now the platform and the pathway for many of the top risks posed to national security, international relations and public well-being. Systemic risk management of smart cities, intelligent buildings, machine to machine communications (including global navigational satellite systems) and the public’s use of devices linked to the internet all require new forms of international cooperation. Cooperation is essential for integrating security design across top risk factors and creating systems for stabilisation. Critical national infrastructure including power grids which also have inherent vulnerabilities to natural disasters such as solar storms require catastrophic risk management based on systemic design and international cooperation in the risk management of cyber space.
- Cyber space has become the front line in emerging conflicts - North Korea and Iran are two key players in cyber warfare when faced with international resistance to their nuclear weapons development programmes. Threats to the financial sector, media communications and to nuclear facilities are currently being played out in cyber space with attacks from North Korea on South Korean critical infrastructure. There have been recent attacks on banks and media communications, and proactive steps have been taken by South Korea across all its nuclear facilities to remove internet access from critical reactor controls and to limit insider sabotage by closing off all USB port access.
- Systemic risks are increasingly evident with the growth in the connections of systems to cyber space and the world’s dependency on the ‘internet of things’. There are advances in fast mathematical analytical capacity and exploitation of human factors by hostile nation states attempting to breach encryption. The security of cyber space for business transactions is systemically degraded with growth in links between critical infrastructure upstream and downstream to cloud services. There is a demand for fast big data access and this will increasingly blur the boundaries between public, hybrid and private cloud to create much more open access because of the business appetite. Cloud is delivering wealth to businesses but it may create an open and ungoverned cyber space.
- Control systems and systems of systems which are more complex operations create the potential for a single vulnerable point in critical infrastructure. In industry, the loss of control can be catastrophic and the inherent danger of hazardous sites is illustrated in the scale of the recent West Texas fertiliser plant explosion. Although fire was the cause of this incident the loss of systems controls can create similar uncontrolled effects. The dark control rooms of Fukushima following the 3/11 disaster also highlighted the devastating consequences of loss of control and of access to data. Denial of access to a control system or penetration and takeover can result in mass casualty incidents and loss of public well-being.
- International governance in the near term would be possible if an institution such as CERN, which was granted observer status to the UN General Assembly in 2012, had a role equivalent to the one played by the International Atomic Energy Agency in nuclear monitoring and global nuclear safety standards. This would help to establish agreements for e-border management, international standards and oversight and there could be a National Security Council response if the security of states was threatened through cyber space.
- A fast track reduction of systemic risk would also be assisted by the formation of an international strategic scientific ‘cyber-hub’ populated by scientists from within national space agencies and academic institutions along with operational scientists from critical national infrastructure industry sectors. A joined-up virtual scientific hub can pool capacity and deliver fast-track systemic risk reduction through innovative strategic solutions, especially conceptual work on stabilisation for when systems become unreliable through any causal pathway. Research off-line as well as a real-time accessibility for nations to a scientific cyber-hub could accelerate solutions and balance the risk of systems failures in a world that is becoming increasingly dependent on operating in cyber space.
- In the long term, a ‘post-encryption society’ is required to compensate for breaches in encryption. This is a challenge for long term academic research into novel systems for security and for a secure means of transmission that would generate stability for systems linked to cyber space. It would also provide the public with communications and personal data that could remain private. The utility of the current system would remain but as a legacy system for non-critical structures, data and communications traffic.
Footnotes for Clarification:
- Catastrophic risk is the risk to critical functions of a system that will cause the system to move into an unstable state.
- Catastrophic failures are generally an unusual combination of factors that come together at a point in time to impinge on a critical function which cannot be recovered thereby causing the system to become unstable.
- Cyber space is a risk dimension used in calculating catastrophic risks and it covers any environment and factors within the environment that may impinge on a cyber-operation at any point in time – it can include states of energy, humans, physical space, and objects impinging on the storage, transfer and knowledge development through networks of electronic, computer-based and wireless systems As we see with the ‘internet of things’ risk linkages can develop between an almost infinite range or combination of objects, persons or activities anywhere in the world.
- CERN - the European organisation for nuclear research is universally respected and works with academic institutions throughout the world.