Looking back at the last decade of cyber risk offers insight into what can be expected for the future growth of technologies and vulnerabilities. The most expensive cyber attacks of the last decade were both contagious malware events that struck in 2017, WannaCry and NotPetya. These events caused an estimated $3 billion and $10 billion of economic damage respectively. One of the in-depth scenario reports published by the Centre for Risk Studies (CRS) in 2019 was the Bashe Contagious Malware scenario, which considered a similar contagious malware event with far-reaching, expensive consequences.
Cyber risk has transitioned from being largely attritional to systemic. A growing curiosity ten years ago, cyber risk was not yet a top concern for corporates in 2009. In 2013, CRS published the Sybil Logic Bomb report, followed by the Business Blackout report a few years later, which looked at the impact a cyber attack might have on the US power grid. Both innovative scenario reports became industry standards, despite being controversial at the time. In the years since those publications, there have been similar attacks on corporates, regions, and infrastructure. In response, CRS developed a taxonomy of business risks through careful curation and collaboration with industry to include a range of technology risk types, including emerging risks associated with new technologies, such as augmented reality, industrial accidents that may result from digital attacks, and more frequent cyber attacks such as DDoS and data exfiltration events.
The next decade is likely to see an increase in ransomware attacks on public systems, such as the 2018 attack on the City of Atlanta’s municipal systems, which brought down their databases, WiFi, utility, parking, and court services. This will be accompanied by an increase in attacks on critical national infrastructure (CNI), such as power grids and transportation networks, a risk that many governments, including the US, UK, and Russia, are closely following. The rise in cybercrime commoditisation, a risk that did not exist ten years ago, will make attacks on public systems and CNI more likely. Different services are available on the dark web, such as DDoS-for-hire, rent-a-hacker, and ransomware-as-a-service. With little or no technical knowledge and often a limited budget, users can target individual sites, companies, and people with catastrophic consequences.
A growing issue in the last decade, and a risk that will continue to increase in the next decade, is the prevalence of internet-connected devices in what has become known as the internet of things (IoT). With more connected devices, such as refrigerators, alarm clocks, and cars, attackers have far more entry points to a network. Most IoT devices have little to no cybersecurity regulation, heightening the risk that they may be used in an attack. Attackers often employ IoT devices to amass cheap botnets that are used in targeted DDoS attacks, and a single attack may employ millions of individual IoT devices. With a significant increase in technological capabilities in the last decade, ever-larger DDoS attacks have become possible, breaking records year-on-year. In January 2019, there was a DDoS attack which crossed the 500 million packets per second mark, a measure of DDoS attack intensity, more than four times the largest attack seen in 2018.
The last decade saw the rise of megabreaches, which are data breaches consisting of 50 million or more records. Gigabreaches, which consist of data from several separate breaches, are rising, as is the frequency of breaches, the number of companies falling victim to data exfiltration attacks, and the value of the data, which often contains personally-identifiable or financial information.
Looking forward, virtual reality has had a slow uptake but augmented reality has far more practical uses at present, found in employee instruction manuals, retail, and games. Future cyber attacks in this space may take the form of viruses that display misinformation to the users or turn the screen on heads-up displays black. Malware that blocks out images of cars or moving objects poses a life-threatening danger.
The situation is similarly spooky when we consider artificial intelligence (AI), which is leading us towards a new algorithmic warfare battlefield that has no borders and may not even have humans involved. 2019 has already seen examples of attackers combining existing AI technologies with malware to create new breeds of attacks, such as tailoring mass phishing emails to individual people. The future may see a worm-style attack such as WannaCry, but instead of being restricted to one form of lateral movement within a network, AI could enable it to understand the target environment and choose lateral movement techniques accordingly.
These technologies have many benefits. AI is a dual-use technology; it can be used for cybercrime and cybersecurity, detecting abnormalities in a system faster than a human can. The use of AI and big data requires responsible data handling techniques, robust legal frameworks, and explicit user consent.
We are seeing increasing cybersecurity awareness and regulation, which will continue to improve worldwide. The world is in a technical arms race where the defenders are trying to outmatch the pace of the offenders. This will lead to new technological advancements and a non-linear increase in technological capacity.