It is unsurprising that a risk which compounds at roughly the pace of the technology it rides on, Moore's law being the usual shorthand, keeps outrunning the world's ability to put cyber threats in check and privacy in focus. 2018 bore this out: GDPR came into force in the EU, and cities like Atlanta were crippled by ransomware that is now largely automated and steadily upgraded. Looking ahead, 2019 will surely bring an evolution of garden-variety cyber threats, which continue to plague the world and in particular small to mid-sized businesses, which carry a disproportionate share of the risk and serve as back doors into larger enterprise systems. Additionally, key sectors such as critical infrastructure, the commons on which markets rely, are massively exposed and woefully unprepared. The New Year will invariably bring new twists and turns in the cyber landscape; some cyber conundrums, however, stand out.
The first, and probably the biggest, gap in understanding the stakes of cyber risk management and digital transformation is the lack of a uniform method for valuing data. The result is that on the protective side of the equation the true stakes are unknown, while on the digital transformation side data monetization efforts ignore the fact that data behaves in an enterprise the way liquidity behaves in a bank: its true value and risk are only known when a line of claimants is queuing up asking for their deposits back. As in years prior, this conundrum will continue to evolve in 2019, leaving trillions in value at risk and billions in preventive and transformation investments with no accurate measure of return.
The second cyber conundrum that will continue to plague the world in 2019 is the technological talent gap. The more the world shifts from industrial production to technological and digital outputs, the more mastery of code equals mastery of the universe. The scarcity of this prized talent is taken for granted when all systems are operating normally. However, when a system is held for ransom, or worse, when critical infrastructure is in the sights of a nation-state actor armed with sophisticated cyber weapons, only a lightly staffed and thinly resourced digital fire brigade is on call. Filling the talent shortage, which estimates put in the millions of unfilled positions worldwide, takes time, money and an evolving educational curriculum. More importantly, it is essential that this talent be viewed as an economy- or industry-wide shared capability rather than a source of competitive advantage, because an erosion of confidence in any one bank, for example, erodes confidence in all banking.
This leads to the third cyber conundrum to watch in 2019: cyber resilience is all too often treated as a competitive activity rather than a shared service or pooled resource. The result, especially in a world of deeply interconnected supply chains and third-party relationships that all presume broad systems access, is a massive unmanaged vulnerability. As with all areas of resilience, a system is only as strong as its weakest link, and herein lies one of the greatest gaps in cyber protection. While we can tell how Target fared following its 2013 data breach, can anyone speak of the fortunes of the heating and cooling vendor whose stolen network credentials gave the attackers their foothold in Target's systems? Regulators and policymakers are invoking a blunt, one-size-fits-all approach to third-party and supply-chain cyber risk management, which is increasing the cost and complexity for small firms (many of which are critical) to keep competing in many sectors. This is especially true in banking, national security and healthcare, among others.
Adding to these weak links, and to our perennial propensity to fall prey to social engineering, is the increasingly autonomous nature of cyber threats, which have always exploited technology and its vulnerabilities; 2019 may very well mark a point of escalation. This is especially likely now that once-secret exploits like EternalBlue, which was exfiltrated from the National Security Agency (NSA) and used to spread the WannaCry ransomware dragnet, are being tinkered with, advanced and automated. NotPetya, which followed WannaCry by weeks and reused EternalBlue to spread across networks while offering no real path to recovery, showed how quickly that happens. As with all cyber threats, there are many unintended consequences when these instruments are deployed, whether in offense or defense. Unlike ransomware attacks run by a human cybercriminal, which by the author's estimate see recovery rates above 90% when demands are met, a bot or autonomous malware with no kill switch does not care about customer friendliness or collateral damage. Aged systems beyond their usable and patchable lifecycle, such as the SCADA systems used in critical functions for power grids, pipelines and many industrial controls, are particularly vulnerable.
Finally, raising questions about how vulnerable liberal democracies and their populations are to information warfare and psyops at scale, the cloud of institutional mistrust will only darken in 2019. As with managing conflicts of interest, perception is reality when it comes to institutional trust, accountability and transparency. Many firms and institutions, with democracy itself on the docket, have fallen prey to the trust deficit courtesy of a breakdown, misuse, abuse or distortion of data, privacy and information. In many ways we have seen only the opening salvo of the newest and most complex of the cyber threats to plague the world. It will surely continue to evolve in 2019, calling for entirely new standards of governance, accountability and transparency, particularly for bedrock institutions and functions such as voting. In this emerging world, trust becomes the currency of choice.