Out-Law News | 24 Apr 2014 | 11:51 am | 4 min. read
The proposed G20+20 Cyber Stability Board should be made up of leaders of the world's 20 major economies plus 20 or more representatives from major global information and communications technology firms, and possibly cyberspace regulatory authorities, the Atlantic Council has said.
But companies must also address cyber risks to their operations at local level – and take a more holistic approach to risk management in an age when internet connectedness could see the failure of a major cloud data storage provider or electricity provider cascade through the international economy, it said.
The US-based Atlantic Council, which aims to promote constructive leadership and engagement in international affairs, made its calls in a report carried out jointly with Geneva-based Zurich Insurance. Research involved consultations with cyber experts and risk professionals across a range of industries over the course of a year, the think tank said.
The report said that the proposed G20+20 Cyber Stability Board could help address risks which it is difficult for organisations to understand or predict in the internet age.
"The internet is dominated by the private sector companies which create and maintain it on a daily basis and fill it with content," said the Atlantic Council. "But governments still have sovereign powers and responsibilities."
The think tank said that its call for a new global cyber stability organisation goes a step further than an informal proposal by the technology company Microsoft for the establishment of a G20+20 Group made up of global leaders and information and communications firms, designed to draft a set of principles for acceptable behaviour in cyberspace.
"Such an idea could go beyond a single set of principles to a larger plan for risk management to deal with cyber shocks," said the Atlantic Council. "Specifically a G20+20 Cyber Stability Board could look across all aggregations of cyber risk to improve risk management, resilience and response."
The report further recommends that governments should "cautiously use existing regulatory authority to expand risk management to third-party providers and affiliates" and also "consider recognition of globally significant important internet organisations".
The report is authored by Jason Healey, cyber statecraft initiative director at the Atlantic Council, and highlights that while data breaches are a top concern for organisations today, leaders need to focus on "distant digital perfection" and "the increasing danger of global shocks initiated and amplified by the interconnected nature of the internet."
The report uses the analogy of the US sub-prime mortgage market, which inflated US real estate prices and preceded the 2008 global financial crisis, to outline how it believes cyber security failures could ripple through the global economy.
"This increasingly tight coupling of the internet with the real economy and society means a full-scale cyber shock is far more likely to occur than some risk managers (and internet professionals) care to admit," according to the report. "Internet failures could cascade directly to internet-connected banks, water systems, cars, medical devices, hydroelectric dams, transformers and power stations."
"Risk managers, regulators and organisations with system-wide responsibility all need to focus more on resilience and agility rather than simply prevention."
The report identifies seven "aggregations of cyber risk", which it says organisations must be aware of if they are to protect themselves. These are the organisation's own internal corporate network and security practices; risks posed by partners and affiliates such as cooperating banks or joint venture partners; and risks linked to outsourced service providers, such as human resource consultants or cloud IT providers. Traditional supply chains and the IT supply chain are also at risk from cyber attacks, and risks to or from new technologies such as the smart grid and the largely automated digital economy further aggregate risk. Potential disruptions to essential infrastructures such as electricity systems, financial systems and telecommunications networks also pose risks. The seventh aggregation of risk, according to the report, covers those which are out of the control of organisations, including malware pandemics or major international conflicts.
The report envisages a scenario in which a major cloud service provider fails "with everyone's data there on Friday and gone on Monday."
"If that failure cascaded to a major logistics provider or company running critical infrastructure, it could magnify a catastrophic ripple running throughout the real economy in ways difficult to understand, model or predict beforehand," said the report. "Especially if this incident coincided with another, the interaction could cause a crash or collapse of much larger scope, duration and intensity than would seem possible – similar to the series of events that struck the financial system in 2008."
The report recommended a number of measures companies can take to protect themselves against cyber risks.
These include application whitelisting, which allows computers to run only a selected set of programs, to help guard against malware; employing standard secure system configurations, which make computers easier and cheaper to defend; and reducing the number of users with administrative privileges.
In addition, companies should patch application and system software within 48 hours – rather than within weeks, as in some organisations. According to the report, when technology companies release "patches" designed to fix software, a "window of vulnerability" opens up until the patch is applied, which hackers can exploit.
Larger organisations should expand their risk management horizon to take account of risks from partner organisations and companies to which they outsource contracts. Boards must become more aware of and knowledgeable about cyber risks and companies should consider securing additional alternative power, telecoms and internet service providers which could swing into action in case of emergency. Cyber insurance and trained incident response teams can also help guard against the effects of cyber risks, the report said.