Cyber Risk and Climate Risk: More in Common Than You Think
It’s not every day you get the opportunity to hear from Al Gore, the 45th vice president of the United States and Nobel Peace Prize laureate. I recently had such an opportunity, and what struck me most was something quite extraordinary. In a world facing a seemingly never-ending series of issues and challenges, two far outweigh the rest: climate change and cyberattacks.
As a long-time CIO, I’d like to think I’m knowledgeable about cyberattacks. As a parent, I also have a vested interest in climate change. Given the importance, scale, and speed at which both issues are advancing, it got me thinking about what, if anything, the two could have in common. So I did some research and talked to experts, and, surprisingly, they have more in common than you might think.
The most significant risks and impacts lie in their value chains
In today’s interconnected world, no organization stands alone.
The characteristics of modern value chains make them more vulnerable to disruption by climate risks. Physical climate risks affect not only facilities but also supply chains, distribution networks, customers, and markets. In addition, most of the emissions attributable to a company today result not from its own activities but from those of the other players in its value chain. Indeed, a typical consumer company’s supply chain creates far greater environmental costs than its own operations, accounting for more than 80 percent of its greenhouse-gas emissions [1].
Ultimately, what stands out is that, while all companies (and individuals) should take steps to reduce their environmental footprint, the biggest risks and impacts typically lie in areas outside their direct control.
The same can be said of enterprises and cyber risk. Some of the largest data breaches in recent memory were caused not by weaknesses in assets the victim owned or controlled but by vulnerabilities elsewhere in its value chain, either upstream through suppliers or downstream through customers. In 2018, the Internet Society’s Online Trust Alliance (OTA) estimated that half of all cyberattacks involve the supply chain. Similarly, in its annual 2018 threat study, Symantec found that attacks launched through supply chains increased 78 percent between 2017 and 2018. One of the more notable cases was Magecart, a family of formjacking attacks that injected card-skimming code into the payment forms of more than 6,400 e-commerce sites worldwide. In short, cybercriminals target the whole value chain, looking for any way in.
Cyber threats and attacks can come at any time, from any point, including the following:
- Third-party service providers with physical or virtual access to your information systems
- Poor information security practices of your suppliers, partners, and customers
- Compromised hardware or software
- Chained, multi-stage attacks where each stage generates only a fraction of the overall malicious activity, making the whole far harder to detect and defend against
Companies are now so interconnected and interdependent that one business’s security failures can create chaos for a whole network of partners, suppliers, and customers.
The stakes are high
Whether or not you accept the science, the physical evidence is beginning to bear out the prediction that climate change could be the biggest risk facing humanity over the next few decades.
You don’t need to look any further than the recent heat waves in Europe, the Arctic melting at record speed, the increasing intensity and cost of hurricanes, the wholesale collapse of the world’s coral reefs, and the rising number of wildfires around the world, including in the Amazon. Indeed, if global temperatures rise by 3 degrees Celsius (5.4 degrees Fahrenheit), and we are already halfway there, some predictions estimate that 55 percent of the planet’s population, across 35 percent of its land area, would experience more than 20 days a year of lethal heat “beyond the threshold of human survivability” [2]. Soberingly, even the Trump administration’s own 2018 Fourth National Climate Assessment laid out a dire set of predictions for US businesses over the next several decades. More recently, an Australian report, backed by Australia’s former military chief and co-written by a former fossil fuel executive, outlined scenarios in which more than one billion people are displaced, with nearly three weeks of deadly heat per year and wholly collapsed ecosystems.
The stakes are just as high in the cyber world. As far back as 2012, General Keith Alexander, then director of the National Security Agency, called cyber-espionage “the greatest transfer of wealth in history.” Many market observers would agree. The Ninth Annual Cost of Cybercrime Study (2019), issued by Accenture and the Ponemon Institute, found a 67 percent increase in security breaches over the last five years and put the total value at risk from cybercrime at US$5.2 trillion over the next five years. That is equivalent to the size of the Japanese economy, the third largest in the world.
No wonder the World Economic Forum’s Global Risks Report 2019 placed climate-related risks and cyber-related risks among its top five risks by likelihood.
Mitigation and adaptation
In climate change circles, when experts talk about solutions, they talk in terms of mitigation and adaptation. Step one: take steps to reduce the threat. Step two: adapt to the environment that is changing regardless. Again, there are parallels.
To mitigate cyber threats effectively, enterprises are beginning to look beyond their own walls. Here are just some of the more progressive recent examples:
- Security requirements being included in almost every RFP
- Component purchases becoming more tightly controlled and inspected
- Companies requesting source code for all purchased software
- Refusing to boot a system if the authentication codes on its firmware or software are not recognized
- Requiring suppliers to hold cyber certifications as evidence they are doing all they can to mitigate risks not only for their own organization but also their customers.
The UK government and companies such as Barclays, BT, Vodafone, AstraZeneca, and Airbus are just a few of those now requiring suppliers to hold cyber certifications. And it’s not just for their biggest suppliers. It applies to everyone, big or small, because criminals don’t discriminate.
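The boot-time check in the list above is worth seeing in code. The example below is added for this article and is not code from the author or any of the organizations named; it is a simplified, digest-chained version of verified boot in which a single trusted root digest stands in for the value a boot ROM or hardware root of trust would hold, and each stage embeds the digest it expects of the stage that follows it. Real implementations use signed manifests rather than bare digests; the stage names and image bytes are constructed for illustration.

```python
"""Digest-chained boot verification: every stage is measured before it runs,
and control is withheld if the measurement is not the value the previous
stage vouches for. Added illustration, not production verified-boot code:
the root digest stands in for a hardware-held trust anchor, and digests
stand in for signed manifests."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Stage:
    name: str
    payload: bytes                 # the image (bootloader, kernel, rootfs ...) for this stage
    next_digest: Optional[bytes]   # SHA-256 this stage vouches for in its successor; None if last


def serialize(stage: Stage) -> bytes:
    """Bytes that get measured: the image plus the successor digest it embeds.
    The length prefix stops an attacker re-splitting payload and digest."""
    return len(stage.payload).to_bytes(8, "big") + stage.payload + (stage.next_digest or b"")


def measure(stage: Stage) -> bytes:
    return hashlib.sha256(serialize(stage)).digest()


def build_chain(images: List[Tuple[str, bytes]]) -> Tuple[bytes, List[Stage]]:
    """Build the chain backwards so each stage embeds the digest of the next.
    Returns the root digest (what a boot ROM or TPM would hold) and the stages."""
    stages: List[Stage] = []
    next_digest: Optional[bytes] = None
    for name, payload in reversed(images):
        stage = Stage(name, payload, next_digest)
        stages.insert(0, stage)
        next_digest = measure(stage)
    if next_digest is None:
        raise ValueError("need at least one image")
    return next_digest, stages


def verify_boot_chain(root_digest: bytes, stages: List[Stage]) -> Tuple[bool, List[str]]:
    """Emulate the boot ROM: measure each stage before running it.
    Returns (booted, names of stages that were allowed to run). A mismatch,
    a truncated chain, or an appended stage all halt the boot."""
    expected: Optional[bytes] = root_digest
    ran: List[str] = []
    for stage in stages:
        if expected is None or not hmac.compare_digest(measure(stage), expected):
            return False, ran          # unrecognised stage: do not execute it
        ran.append(stage.name)
        expected = stage.next_digest   # what the stage we just trusted vouches for next
    return expected is None, ran       # a pending digest means the chain was cut short


def demo() -> Tuple[bool, List[str], bool, List[str]]:
    # Constructed sample images; in practice these are real firmware and OS blobs.
    images = [("bootloader", b"bootloader v1.2"),
              ("kernel", b"kernel 5.10 image"),
              ("rootfs", b"root filesystem image")]
    root, stages = build_chain(images)
    ok, ran = verify_boot_chain(root, stages)

    # A kernel tampered with by a supplier or in transit: same name, modified bytes.
    tampered = list(stages)
    tampered[1] = Stage("kernel", b"kernel 5.10 image + implant", stages[1].next_digest)
    bad, ran_bad = verify_boot_chain(root, tampered)
    return ok, ran, bad, ran_bad


if __name__ == "__main__":
    print(demo())
```

The point the example makes is that the check must cover both the image and the digest it carries for the next stage: if only the image were measured, an attacker who controls one stage could point it at an arbitrary successor. Cutting the chain short or appending a stage after the last one is rejected for the same reason.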
Mitigation alone is not enough. The best response to cyber risk is an approach that also adapts to changing realities: a defensive posture built on the assumption that it is not a matter of if but when your systems will be breached. That means not only keeping up with attackers but getting ahead of them.
One way I have seen this work is through communication among participants in the cyber defense industry. Sharing knowledge, practices, and experience on how to stay a step ahead of cybercriminals is one of the best ways to remain in front of them. Unfortunately, we still see an imbalance between how much attackers share with each other and how much defenders share. The harsh reality is that the “good players” don’t share enough about how they identify and solve problems when responding to attacks. This is one area where more can, and should, be done so that companies are better prepared to adapt to attacks as they happen.
Doomsday or hope
I was genuinely looking forward to hearing Al Gore’s perspective on a range of issues, but I never expected it to make me think again about the risks I deal with day to day as a long-time CIO: cyber risks. I now appreciate just how important these issues are and how, in both climate change and cyberattacks, protecting yourself is no longer a single-player game: it’s a team event.
The training, performance, and actions of partners, suppliers, and customers are just as vital in managing cyber risk as those of your own company, much as all of our actions will ultimately determine the future of our planet’s climate.
[1] Anne-Titia Bové and Steven Swartz, “Starting at the source: Sustainability in supply chains”, McKinsey & Company, November 2016.
[2] David Spratt and Ian Dunlop, “Existential climate-related security risk: A scenario approach”, Breakthrough National Centre for Climate Restoration, Melbourne, May 2019, with a foreword by Admiral Chris Barrie, former chief of the Australian Defence Force.
***********************
Martin Henley is SVP of Technology Services at Globality.