Cyber Attaks

Despite all the attention, cyberspace is far from secure. Why this is so reflects conceptual weaknesses as much as imperfect technologies. Two questions highlight shortcomings in the discussion of cybersecurity. The first is why, after more than two decades, we have not seen anything like a cyber Pearl Harbor, cyber 9/11, or cyber catastrophe, despite constant warnings. The second is why, despite the increasing quantity of recommendations, there has been so little improvement, even when these recommendations are implemented.
These questions share an answer: the concepts underlying cybersecurity are an aggregation of ideas conceived in a different time, based on millennial expectations about governance and international security. Similarly, the internet of the 1990s has become “cyber,” a portmanteau term that encompassed the broad range of global economic, political, and military activities transformed by the revolution created by digital technologies.
If our perceptions of the nature of cybersecurity are skewed, so are our defenses. This report examines the accuracy of our perceptions of cybersecurity. It attempts to embed the problem of cyber attack (not crime or espionage) in the context of larger strategic calculations and effects. It argues that policies and perceptions of cybersecurity are determined by factors external to cyberspace, such as political trends affecting relations among states, by thinking on the role of government, and by public attitudes toward risk.
We can begin to approach the problem of cybersecurity by defining attack. While public usage calls every malicious action in cyberspace an attack, it is more accurate to define attacks as those actions using cyber techniques or tools for violence or coercion to achieve political effect. This places espionage and crime in a separate discussion (while noting that some states use crime for political ends and rampant espionage creates a deep sense of concern among states).
Cyber attack does not threaten crippling surprise or existential risk. This means that the incentives for improvement that might motivate governments and companies are, in fact, much smaller than we assume. Nor is cyber attack random and unpredictable. It reflects national policies for coercion and crime. Grounding policy in a more objective appreciation of risk and intent is a first step toward better security.

Over the last year, we have reached a new and important turning point in the struggle to manage cyber risk. In the war between cyber attackers and cyber defenders, we have reached what Winston Churchill might call “the end of the beginning.”
Three characteristics mark this new phase. First, global cyber-crime has reached such a high level of sophistication that it represents a mature, though illicit, global business sector in its own right.
Second, with near-ubiquitous technologies now connecting the digital and physical worlds to an unprecedented degree, new potential exists for individual cyber-attacks to devastate critical business and operational processes.
The third characteristic taking shape today is the rising importance of institutions—governments, regulatory authorities, law enforcement agencies, the insurance industry, and others—as a critical to counter the global cyber threat. Cyber risks can only be effectively dealt with if there is a common understanding of their importance and increased interconnected nature.
Against this backdrop, the 2018 edition of the MMC Cyber Risk Handbook provides insights on the shifting cyber threat environment, emerging global regulatory trends, and best practices in the journey to cyber resiliency. The handbook features articles from business leaders across Marsh & McLennan Companies and our expert and notable collaborators. We hope this handbook will help you better understand what it takes to achieve cyber resiliency in the face of this significant and persistent threat.

Thinking about the future is vital but hard. Crises keep intruding, making it all but impossible to look beyond daily headlines to what lies over the horizon. In those circumstances, thinking “outside the box,” to use the cliché, too often loses out to keeping up with the inbox. That is why every four years the National Intelligence Council (NIC) undertakes a major assessment of the forces and choices shaping the world before us over the next two decades.
This version, the sixth in the series, is titled, “Global Trends: The Paradox of Progress,” and we are proud of it. It may look like a report, but it is really an invitation, an invitation to discuss, debate and inquire further about how the future could unfold. Certainly, we do not pretend to have the definitive “answer.”
Long-term thinking is critical to framing strategy. The Global Trends series pushes us to reexamine key assumptions, expectations, and uncertainties about the future. In a very messy and interconnected world, a longer perspective requires us to ask hard questions about which issues and choices will be most consequential in the decades ahead–even if they don’t necessarily generate the biggest headlines. A longer view also is essential because issues like terrorism, cyberattacks, biotechnology, and climate change invoke high stakes and will require sustained collaboration to address.

The vulnerability of satellites and other space assets to cyberattack is often overlooked in wider discussions of cyberthreats to critical national infrastructure. This is a significant failing, given society’s substantial and ever increasing reliance on satellite technologies for navigation, communications, remote sensing, monitoring and the myriad associated applications. Vulnerabilities at the junction of space-based or space-derived capability with cybersecurity cause major national, regional and international security concerns, yet are going unaddressed, apart from in some ‘high end’ space-based systems. Analysing the intersection between cyber and space security is essential to understanding this non-traditional, evolving security threat.
Cybersecurity and space security are inextricably linked. Technologies in satellites and other space assets are sourced from a broad international supply base and therefore require regular security upgrades. And the upgrades via remote connections could serve to make space assets vulnerable to cyberattacks. In everyday life, satellites are regularly used to provide internet services and global navigation satellite system (GNSS) technologies which are increasingly embedded in almost all critical infrastructure.

In 2030, will the Internet and related information and communications technologies (ICT) continue to drive global innovation and prosperity? Or, will that bright promise be swamped by an unstable and insecure Internet, so overwhelmed by non-stop attacks that it has become an increasing drag on economic growth? The answers, as far as we can predict, are not promising and mean the difference in tens of trillions of dollars in global economic growth over the next fifteen years.
So far, cyberspace has been safe enough, secure enough, and resilient enough for the past decades to re-invent nearly every industry, create a ’hyperconnected world,’ and transform the global economy.

Project 2020 is an initiative of the International Cyber Security Protection Alliance (ICSPA). Its aim is to anticipate the future of cybercrime, enabling governments, businesses and citizens to prepare themselves for the challenges and opportunities of the coming decade. It comprises a range of activities, including common threat reporting, scenario exercises, policy guidance and capacity building.

The scenarios in this document are not predictions of a single future. Rather, they are descriptions of a possible future, which focuses on the impact of cybercrime from the perspectives of an ordinary Internet user, a manufacturer, a communications service provider and a government. The events and developments described are designed to be plausible in some parts of the world, as opposed to inevitable in all. They take their inspiration from analysis of the current threat landscape, the expert opinion of ICSPA members and extensive horizon scanning, particularly of emerging technologies.

Through a combination of stable technology, dedicated technicians and, resistance to random outages, the Internet has been resilient to attacks on a day-to-day basis, creating an extended period of prosperity. Yet, as we approach nearly absolute dependence on the Internet, cyber attacks of the future can and will affect globally interconnected systems like electrical grids and worldwide logistics systems. This Internet of tomorrow will be a source of global shocks for which risk managers, corporate executives, board directors, and government officials are not prepared.