What the COVID-19 pandemic teaches us about cybersecurity – and how to prepare for the inevitable global cyberattack
Author: Nicholas Davis, Professor of Practice, Thunderbird School of Global Management and Visiting Professor in Cybersecurity, UCL Department of Science, Technology, Engineering and Public Policy & Algirde Pipikaite, Project Lead, Industry Solutions, Centre for Cybersecurity, World Economic Forum
COVID-19 shows that the world is at great risk of disruption by pandemics, cyberattacks or environmental tipping points.
- We should prepare for a COVID-like global cyber pandemic that will spread faster and further than a biological virus, with an equal or greater economic impact.
- The coronavirus crisis provides insights into how leaders can better prepare for such cyber risks.
Most of the world is currently experiencing highly atypical living conditions as a result of COVID-19. At the height of the pandemic, more than 2 billion people were under some form of lockdown, and 91% of the world’s population, or 7.1 billion people, live in countries with border controls or travel restrictions due to the virus.
It would be comforting to think this is merely a “blip” interrupting an essentially stable state of affairs, and that the world will return to “normal” once medicine and science have tamed the virus.
Comforting – and wrong.
COVID-19 is not the only risk with the ability to quickly and exponentially disrupt the way we live. The crisis shows that the world is far more prone to disturbance by pandemics, cyberattacks or environmental tipping points than history indicates.
Our “new normal” isn’t COVID-19 itself – it’s COVID-like incidents.
And a cyber pandemic is probably as inevitable as a future disease pandemic. The time to start thinking about the response is – as always – yesterday.
To start that process, it’s important to examine the lessons of the COVID-19 pandemic – and use them to prepare for a future global cyberattack.
Lesson #1: A cyberattack with characteristics similar to the coronavirus would spread faster and further than any biological virus.
The reproductive rate – or R0 – of COVID-19 is somewhere between two and three without any social distancing, which means every infected person passes the virus to a couple of other people. This number affects how fast a virus can spread; the number of infected people in New York state was doubling every three days before lockdown.
By contrast, estimates of R0 of cyberattacks are 27 and above. One of the fastest worms in history, the 2003 Slammer/Sapphire worm, doubled in size approximately every 8.5 seconds, spreading to over 75,000 infected devices in 10 minutes and 10.8 million devices in 24 hours. The 2017 WannaCry attack exploited a vulnerability in older Windows systems to cripple more than 200,000 computers in 150 countries; it was halted by emergency patches and the accidental discovery of a “kill switch”.
The cyber equivalent of COVID-19 would be a self-propagating attack using one or more “zero-day” exploits, techniques for which patches and specific antivirus software signatures are not yet available. Most likely, it would attack all devices running a single, common operating system or application.
Since zero-day attacks are rarely discovered right away – Stuxnet used four separate zero-day exploits and hid in systems for 18 months before attacking – it would take a while to identify the virus and even longer to stop it from spreading. If the vector were a popular social networking application with, say, 2 billion users, a virus with a reproductive rate of 20 may take five days to infect over 1 billion devices.
Lesson #2: The economic impact of a widespread digital shutdown would be of the same magnitude – or greater – than what we’re currently seeing.
If cyber-COVID mirrored the pathology of the novel coronavirus, 30% of infected systems would be asymptomatic and spread the virus, while half would continue functioning with performance severely degraded – the digital equivalent of being in bed for a week. Meanwhile, 15% would be “wiped” with total data loss, requiring a complete system reinstall. Finally, 5% would be “bricked” – rendering the device itself inoperable.
The end result: millions of devices would be taken offline in a matter of days.
The only way to stop the exponential propagation of cyber-COVID would be to fully disconnect all vulnerable devices from one another and the internet to avoid infection. The whole world could experience cyber lockdown until a digital vaccine was developed. All business communication and data transfers would be blocked. Social contact would be reduced to people contactable by in-person visits, copper landline, snail-mail or short-wave radio.
A single day without the internet would cost the world more than $50 billion. A 21-day global cyber lockdown could cost over $1 trillion.
Cyber lockdown would also introduce novel challenges for digitally dependent economies. During the 2020 Australian bushfires, power outages and damage to mobile phone infrastructure gave citizens a newfound appreciation for battery-operated FM radios. But if cyber-COVID ravaged a country, which radio stations would still operate without digital recording and transmission systems? Would states like Norway, which has completed its transition to digital radio, be able to roll back?
Lesson #3: Recovery from the widespread destruction of digital systems would be extremely challenging.
Replacing 5% of the world’s connected devices would require around 71 million new devices. It would be impossible for manufacturers to rapidly scale up production to meet demand, particularly if manufacturing and logistics systems were affected. For systems that survive, there would be a significant bottleneck in patching and reinstallation.
The geographic concentration of electronics manufacturing would create other challenges. In 2018, China produced 90% of mobile phones, 90% of computers and 70% televisions. Finger-pointing about the source and motive of the cyberattack, as well as competition to be first in line for supplies, would inevitably lead to geopolitical tensions.
What is the World Economic Forum doing on cybersecurity?
The World Economic Forum Platform for Shaping the Future of Cybersecurity and Digital Trust aims to spearhead global cooperation and collective responses to growing cyber challenges, ultimately to harness and safeguard the full benefits of the Fourth Industrial Revolution. The platform seeks to deliver impact through facilitating the creation of security-by-design and security-by-default solutions across industry sectors, developing policy frameworks where needed; encouraging broader cooperative arrangements and shaping global governance; building communities to successfully tackle cyber challenges across the public and private sectors; and impacting agenda setting, to elevate some of the most pressing issues.
Platform activities focus on three main challenges:
Strengthening Global Cooperation for Digital Trust and Security – to increase global cooperation between the public and private sectors in addressing key challenges to security and trust posed by a digital landscape currently lacking effective cooperation at legal and policy levels, effective market incentives, and cooperation between stakeholders at the operational level across the ecosystem. Securing Future Digital Networks and Technology– to identify cybersecurity challenges and opportunities posed by new technologies and accelerate solutions and incentives to ensure digital trust in the Fourth Industrial Revolution. Building Skills and Capabilities for the Digital Future – to coordinate and promote initiatives to address the global deficit in professional skills, effective leadership and adequate capabilities in the cyber domain.
The platform is working on a number of ongoing activities to meet these challenges. Current initiatives include our successful work with a range of public- and private-sector partners to develop a clear and coherent cybersecurity vision for the electricity industry in the form of Board Principles for managing cyber risk in the electricity ecosystem and a complete framework, created in collaboration with the Forum’s investment community, enabling investors to assess the security preparedness of target companies, contributing to raising internal cybersecurity awareness.
For more information, please contact us.
How can we prepare for cyber-COVID?
The COVID-19 pandemic provides insight into how leaders can prepare for such a “fat tail” risk:
1. Widespread, systemic cyberattacks are not just possible or plausible; they should be anticipated. As we have seen with COVID-19, even a short delay in the response can cause exponential damage.
2. New Zealand’s success in fighting the pandemic proves that early, decisive actions and clear, consistent communication increase resilience. It’s impossible to prepare for every potential risk, but both the public and private sectors should invest in scenario exercises to reduce reaction time and appreciate the range of strategic options in the event an attack occurs.
3. COVID-19 has revealed the importance of international, cross-stakeholder coordination. Cooperation between public and private sector leaders is also critical, particularly when it comes to mitigation. The Centre for Cybersecurity at the World Economic Forum is just one example of an organization addressing systemic cybersecurity challenges and improving digital trust across institutions, businesses and individuals.
4. Just as COVID-19 has pushed individuals and organizations to look to digital substitutes for physical interactions, government and business leaders should think about the inverse. “Digital roll back” and continuity plans are essential to ensuring organizations can continue to operate in the event of a sudden loss of digital tools and networks, as Maersk learned during the NotPetya cyberattack in 2017, which took out 49,000 laptops and printers and wiped all contacts from their Outlook-synced phones. A necessary part of the digital transformation is having sensitive and important information stored and accessible in physical, printed form.
But perhaps the most important lesson: COVID-19 was a known and anticipated risk. So, too, is the digital equivalent.
Let’s be better prepared for that one.