Cyber risk now in the top five global risks

The report from the World Economic Forum discusses global risks “defined as having global geographic scope, cross-industry relevance, uncertainty as to how and when they will occur, and high levels of economic and/or social impact requiring a multistakeholder response.” However, one of the most interesting aspects is that it believes that there is still debate over the actual impact of cyber threats on the global economy.

“Will the dark side of connectivity become an amplifying factor for traditional security risks in the next decade?” it asks; but then adds: “Views of experts are mixed. There is not much empirical evidence. Research into cyber threats against governments and the private sector has largely been funded by those who are in the business of selling internet security solutions – a potential bias that causes scepticism.”

As an example, it comments that “evidence of the impacts of Stuxnet are questionable – it may have delayed the Iranian nuclear programme’s development, which is assumed to have been its goal – its broader significance lies in suggesting what is possible. A virus like Stuxnet could conceivably trigger a meltdown in a functioning nuclear power plant, turn off oil and gas pipelines or change the chemical composition of tap water.”

But while there is no actual demonstration of the effect of such threats, the rapidly expanding national budgets for both offensive and defensive national cyber capabilities suggest that governments throughout the world have no such questions. Whether current information suffers from ‘a potential bias that causes scepticism’ or not, the clear impression from this study is that cyber risk is here and here to stay. That threat may be at one remove for countries, but it is immediate and dramatic for individual companies.

Commenting on this report, Henry Harrison, technical director at BAE Systems Detica, believes that while there are “a lot of people identifying 'cyber security' as a key risk, unfortunately most of them have still not really thought through in sufficient detail what this risk entails.” He adds that unless “both countries and organizations engage in some detailed exercises to work through which cyber attack scenarios are the ones which would cause the largest impact to them, and what they estimate is the likelihood of those scenarios, they still won't be able to make effective decisions to combat the risks.”

One of the dangers of this report is that in attempting to provide a scientific and objective analysis of cyber risk, it ends up underplaying that risk.

