The internet and associated information technology (IT), which often go by the name ‘cyberspace,’ give modern societies, economies and lives benefits that are too numerous to count. But the dark side of our dependence on the internet goes far beyond the day-to-day headlines of cyber crime, identity theft or concerns about online espionage or loss of privacy.
While our society’s reliance on the internet grows exponentially, our control of it only grows linearly, limited by outdated government procedures and ineffective governance. “As society becomes more technologic, even the mundane comes to depend on distant digital perfection,” according to Dan Geer, a noted internet risk expert.
Yet modern cyber risk management does not give much thought to ‘distant digital perfection,’ the aggregations of cyber risk, which lie sometimes far outside an organization’s own server and firewalls.
The way in which the complexity of interconnected risks is assessed is painfully similar to how financial risks were assessed prior to the 2008 crash. Risks were considered one at a time, each organization largely assuming these risks to be all local and not highly correlated with one another. Indeed, pre-2008, many experts insisted that, owing to the system’s own complexity, correlations had been engineered out of it, though in the end, it was this very complexity which helped bring the system down.
In a parallel to how the many elements of the financial system created an extended period of prosperity, a combination of factors has led to the internet being incredibly resilient. Stable technology, dedicated technicians and resistance to random outages have been the bedrock of this resilience. But the same added complexity which has made it relatively risk-free can, and likely will, backfire at some time.
There are a number of reasons to believe the internet of tomorrow will almost certainly be less resilient, available, and robust than today. It will also be more likely to initiate and cascade global shocks.
The internet is highly interconnected and tightly coupled with society, meaning that (as in other such systems) a small failure or series of them in one place can cascade, producing an outsized impact elsewhere.
On the internet, it has been easier to attack than defend for decades. The original architecture of the internet was founded on trust, not security; software is still poorly written and secured; and the system is so complex that it is difficult to defend. Systems in which one set of participants have asymmetric advantages, year after year and decade after decade, must hit a tipping point when there are more predators than prey. Attackers could have not just a local advantage, but superiority with strategic consequences for the internet’s availability and resilience.
This increasingly tight coupling of the internet with the real economy and society means a full-scale cyber shock is far more likely to occur than some risk managers (and internet professionals) care to admit: internet failures could cascade directly to internet-connected banks, water systems, cars, medical devices, hydroelectric dams, transformers, and power stations.
Past internet incidents and attacks have only made ones out of zeros, and broken software or things made of silicon. All of these can be recreated or replaced with relative ease. But as the internet connects increasingly with real life, in places like the smart grid interconnection with the electrical power infrastructure, this will no longer be true: cyber incidents will break things made not of silicon but of concrete and steel.
Risk managers, regulators, and organizations with system-wide responsibility all need to focus more on resilience and agility rather than simply prevention. In an increasingly interconnected world, risks can strike quickly and from any direction, so it is equally critical that those affected are able to respond rapidly to ride out the shocks.