Cybercrime damage costs are predicted to hit $6 trillion annually by 2021, however the Trump administration’s recent repeal of the Presidential Policy Directive 20 could see that number increase dramatically. Its repeal will aim to give the military much more autonomy in how and when it carries out a cyber-attack against foreign adversaries, including launching offensive first strikes. With this new posture, counterattacks are likely to increase along with the prospects of escalating cyber warfare and unintended consequences. Unlike the traditional wars of yester year, this new digital battleground will see collateral damage hitting right at the feet of America’s main street small business sectors – a concept our country is woefully unprepared for.
The Presidential Policy Directive 20, or as its often referred to PPD 20, was an Obama-era policy that required a thorough and rigorous approval process before any military cyber-attack could be carried out, including requiring the President to give the order. This process was akin to a nuclear strike order being given because the damage it could unleash had equal ramifications, but on the cyber theater, what military strategists refer to has the fifth domain. This more methodical counter-attack escalation process is particularly important with cyber threats, as the provenance of a cyber-attack can be easily hidden, triggering a counter-strike against the wrong party.
When the U.S. has gone to war in years past, particularly when there was a potential threat to the safety of its citizens, it has issued public safety announcements and educational campaigns. Looking as far back as World War II, to the Iraq war or as recently as the terrorist attacks of 9/11, our government or the Homeland Security Department have put out material to educate the public on how to protect themselves from possible attacks. Yet with this new edict, no such messaging has been issued. This is particularly troublesome given the broad reaching capabilities of the cyber risk landscape, and the crippling capabilities, both operationally and economic that such an attack could have.
This new “gloves off” military strategy will create an uptick of retaliatory attacks, many of which will seek out the weakest links in our digital infrastructure to gain access to more critical systems. This type of war has no clear winner, and damages are more challenging to assess. Unlike traditional warfare, a cyber-attack does not deal a deafening blow to our military’s resources. Rather when it is unleashed it has a seismic ripple effect that can reach the world over, creating pandemonium and general chaos at the very core of our societies. Recently, we saw the city of Atlanta suffer such an attack that left the city paralyzed. Even at the city level with extensive finances and a deep bench of expertise available, cyber criminals were able to gain access and effectively shut down its operations.
One of the weaker links in our cybersecurity surface are small businesses, particularly as many serve as downstream supply chain partners to defense contractors and larger enterprises. This can provide an intruder with access to critical systems and national security infrastructure via poorly protected networks. Verizon recently found in their 2018 Data Breach Investigations Report, that 58% of all cyberattacks target small businesses. Cyber criminals seek out targets that are easy to penetrate, even if the ultimate reward may not be as large as a more complex, and larger organization.
These attacks can prove costly for a small business to absorb, especially if they lack the resources or risk transfer tools, such as cyber insurance, to remediate the incident. According to the Ponemon Institute, the average cost for small businesses to clean up after being hacked is about $690,000 and, for middle market companies, it is over $1 million. Most small businesses do not have these kinds of funds readily available, and as a result the U.S. National Cyber Security Alliance has found that 60% of small companies that experience a cyber-attack, go out of business within 6 months following the attack. As a key driver of the U.S. economy, this fact alone should heighten the need to invest in developing the necessary resources and education platforms to train businesses on how to prepare for the pending attacks.
The damage and far reaching effects of such attacks have already been witnessed. The WannaCry and NotPetya cyber-attacks are two prime examples of the devastation which can be inflicted through a targeted cyber-attack. Between these two attacks, over $14 billion dollars of damage across 150 countries was incurred. These attacks affected more than 300,000 organizations, including some Fortune 500 firms such as Maersk, which bore the brunt of the NotPetya attack.
While a replacement for the PPD 20 is contemplated, it is paramount that additional resources and education campaigns are developed alongside it for small business and other front-line targets who will ultimately become the collateral damage of this new warfare. Small businesses in the United States make up approximately 97% of employer firms. Attacking this sub group of the economy could have a devastating impact on the country, its GDP and national security. Not to mention the costs of any recovery efforts will ultimately be borne by the government and therefore tax payers.
Lacking the necessary resources and guidance on how to combat these potential threats leaves an open flank in our national defenses for potential adversaries to take advantage of. Even with PPD 20’s repeal, and the military’s greater flexibility to launch cyber-attacks, our nation will remain at risk as long as we do not invest in building up the cybersecurity infrastructure and defenses of our most vulnerable sectors. In short, the nation that has the most to lose in cyber warfare should opt for a strategy of détente or mutually assured destruction (MAD), but not a posture of first-strike.