- Security TWENTY
- Women in Security
Author Gordon Woo, Eireann Leverett and Andrew Coburn
ISBN No 978-1-119-49092-0
Review date 21/02/2019
No of pages 384
Publisher URL https://www.wiley.com/en-gb/Solving+Cyber+Risk%3A+Protecting+Your+Company+and+Society-p-9781119490920
Year of publication 31/01/2019
The risk of a cyber catastrophe is relatively low, but the potential impact could be very severe on our economy, living standards, and way of life. So warn the authors of Solving Cyber Risk.
Gordon Woo, Eireann Leverett and Andrew Coburn are researchers at the University of Cambridge’s Centre for Risk Studies, at Judge Business School. They reckon that cyber is already costing the world two per cent of its production (as a number it has 11 noughts), and a really bad attack could take out power grids and cost trillions in one go; even jeopardise the digital world.
Their book Solving Cyber Risk points to where we’re weak - software is made with vulnerabilities; the amount of everything, users and tools, is rising; hackers are in business in a ‘black market’. The job is not only for companies to secure themselves better at source, but for police, policy makers and regulators, lawyers and insurers. The authors offer ‘six positive attributes for cyber resilience’: top-level commitment, a culture that supports the reporting of issues; a learning culture (that learns from good and bad); awareness of what your defences are really like; humans prepared for problems; and flexible organisations.
The book begins by going over some attacks of recent years, such as Wannacry in 2017, and against the United States retail chain Target, formally announced by the retailer in December 2013. There tens of millions of customers' bank card details were captured by malware, through infected point-of-sale terminals. Direct costs from the breach reached over $200 million, and took several years to accrue. Nobody was ever caught or prosecuted. The authors note that on websites selling stolen bank card data, banks buy back some of the card details on offer to take them off the black market and protect their card-holders: "Banks may in fact be some of the best customers of credit card hackers."
Among the consequences, the Target chief exec went, and 'it is no longer acceptable practice to have point-of-sale systems accessible through the same IT network as HVAC controls', as hackers got in through the air-conditioning (in a cyber sense, not physically). The authors note that costs are not only due to an actual attack, but 'significant losses in business opportunities'; losses incurred from the disruption to business operations; if stock cannot be moved along the supply chain because of an IT outage. Or lost customers.
Such cases while serious and affecting companies beyond the headline firm are not as bad as what the authors term 'cyber catastrophes' such as cloud outages that have the potential to disrupt many businesses worldwide; or trigger a financial crisis of confidence. They say: "There has not yet been a truly catastrophic cyber event that has cost the economy hundreds of billions of dollars. It is human nature to dismiss possible dangers before an event has actually occurred. But there are reasons to believe that future cyber events are possible that could inflict individual costs of hundreds of millions or even billions of dollars to thousands of major businesses, and inflict crippling losses on large numbers of small and medium-size enterprises."
One scenario is the disabling of multiple power generators in the United States electricity grid, taking weeks to put right; 'cyber attacks on infrastructure have the potential to generate very substantial shocks to the economies of the countries attacked'.
First having counted the costs and offered some frightening possibilities (though the authors do stress that risk assessment ought to be 'as evidence-based as possible'), the book goes on to 'Cyber-physical Systems' (and how to subvert them), errors in software, the hackers out there, and thus crucially how to measure the threat. The authors argue for risk management to make a 'Cyber-resilient Organization', with a place for cyber insurance (and opportunities besides risks for insurers), and closing with some problems, and possible solutions - 'Cybergeddon' or 'Cybertopia'.
The stakes as the authors set out are high - if the risks are not managed, people could become averse to tech and democracy could be undermined; and the ‘fourth industrial revolution’ – of Big Data, artificial intelligence, robotics, and machine learning. That said, the book does offer (as the title does say) a solution, albeit not easy and with 'no magic bullet' to hand. While the cyber risks are 'unacceptable', the authors say early on that 'they can be reduced and managed to acceptable levels with collective action, individual responsibility, and appropriate resourcing'.
A reassuringly rational book.
The book's launches are in Cambridge, London, New York and Washington, DC in January and February 2019.