The potential costs of cybercrime that can’t be calculated

Analysis of the cost of cyberattacks often comes with a price tag attached. We regularly read reports highlighting the average and cumulative costs of data breaches, and those figures can be staggering, such as in a Juniper Research report that asserts the global cost of breaches could exceed $2 trillion by next year. While such whopping estimates rightfully garner attention, often overlooked is an even deeper and more jarring consideration — the relationship between information and cyber security and our physical security. 

Cybersecurity risk often is treated as a nebulous, abstract concept. Except for those working on the front lines as a security practitioner, it is easy to make a distinction between our digital and our physical environments — our homes, our offices, the park where we take our children and grandchildren. We read about cyberattacks in the headlines, but it probably does not rate as visceral of a reaction as when we read about a physical assault or a bank robbery, where the imagery that springs to mind is more harrowing and personal. Yet, as the volume of cyberattacks continues to rise and the attack methods of cybercriminals becomes more wide-ranging and less predictable– and more potent — the barrier between our digital and physical worlds is becoming thinner and more fragile. Increasingly, the possibility of kinetic attacks — those that can start as cyber incidents but turn out to be a precursor or conduit to physical attacks — are commanding more and more of our attention and vigilance.

Threats apply to individuals and wider society alike

The connection between cyber and physical security applies on both a broad scale — cybersecurity is unquestionably a major national security issue, and critical infrastructure attacks carry the potential for widespread damage to our physical well-being — as well as on an individual level, particularly when it comes to the exposure of personally identifiable information (PII). Data breaches resulting in home addresses, contact information and other PII falling into the wrong hands can provide the starting point for those with malevolent intent to carry out kinetic attacks resulting in physical harm. Physical threats stemming from cyberattacks can target the most vulnerable among us — those dependent on life-saving medical treatment and devices. The potentially chilling consequences of bad actors hacking medical devices such as pacemakers or insulin pumps place a high responsibility on healthcare organizations to be diligent in making strategic investments in security and risk management programs capable of providing patients the peace of mind they deserve. 

While attacks on individuals are concerning enough, threats impacting critical infrastructure pose a larger-scale threat to our physical security. As noted in a 2017 Massachusetts Institute for Technology (MIT) report, “the digital systems that control critical infrastructure in the United States and most countries are easily penetrated and architecturally weak.” The proliferation of connected IoT devices, for all their benefits, make industrial control system inviting targets for cybercriminals, with potentially grave consequences. Attacks on critical infrastructure introduce a range of serious safety threats, including explosions at plants that would jeopardize workers, injuries to those using public transportation, and power grid failures that could leave thousands of people without food, water and sanitation services. The loss of power for an extended period would also create a dangerous environment in the streets for residents and businesses. Perhaps most disturbingly, it is conceivable to envision a brazen attack by a nation-state on a country’s critical infrastructure spiraling in a way that transitions cyber warfare into a military conflict that puts large-scale loss of life at risk.

More tools for cybercriminals to draw upon

The potential for threats that originate in the digital world to surface in our physical environment is becoming more pronounced. Increasingly, malicious uses of artificial intelligence loom as a threat to our safety, as only 40 percent of respondents to ISACA’s 2018 Digital Transformation Barometer express confidence that their organizations can accurately assess the security of systems based on AI and machine learning. As self-driving vehicles and the use of AI in maritime and other transportation modalities become more prevalent, the need for enhanced assurance of these systems’ safety will be critically important to prevent these promising innovations from leading to dangerous outcomes.  

The dark web presents another platform by which cyberthreats can transition into real-world threats to our physical safety. The dark web, inaccessible by search engines, is a haven for criminals, extremists and other groups that are looking to evade the notice of law enforcement. Dealings on the dark web can lead to hitmen being hired to carry out attacks, the plotting of terrorist activity and a range of illegal transactions, often involving drugs, that can lead to violence on the streets. We must also recognize the potential for misuse of social media to set in motion threats to our physical well-being, as oversharing or compromising information spread on social channels can swiftly turn into violence in our neighborhoods, schools, and beyond.

While all these threats are real and, in most cases, terrifying portents of a world of exponential risk, we need to balance our anxiety by remembering that there are “good guys” doing their best to delay, if not avert, a tech-induced physical attack. For instance, the IoT Security Foundation is dedicated to raising attention to important security considerations not to be neglected as we move forward to a more interconnected world. Businesses are adopting and promoting the best security practices in cloud computing with help from the Cloud Security Alliance. However, despite the best efforts of organizations such as these, it is near impossible to calculate their true effectiveness in comparison to the headline attacks and potential for physical harm. This reinforces what I have maintained all along — cybersecurity is everybody’s business, and we collectively must understand and be vigilant about working together to minimize the risks for the good of our global society and citizens.