Clicky

Cyber-Attack Catastrophe: Lessons from a Plausible Risk Scenario - Ideas for Leaders

Cyber-Attack Catastrophe: Lessons from a Plausible Risk Scenario

Idea #491

Cyber-Attack Catastrophe: Lessons from a Plausible Risk Scenario

This is one of our free-to-access content pieces. To gain access to all Ideas for Leaders content please Log In Here or if you are not already a Subscriber then Subscribe Here.
Main Image
Main Image

KEY CONCEPT

The Centre for Risk Studies at Cambridge University has developed a detailed risk scenario describing a slow-burning cyber attack on a fictional software developer that has global consequences. The improbable but plausible scenario, based on a variety of real (but smaller) cases, is intended as a ‘stress test’ for organizations and public policy bodies and offers lessons in how to mitigate the impact of such attacks.


IDEA SUMMARY

The extensive damage caused by computer hackers accessing the confidential information held within a company’s information technology is, unfortunately, well documented. But beyond compromising millions of customers or accessing company secrets, a cyber attack on an SITE (systemically important technology enterprise) could be even more catastrophic, potentially damaging the global economy and undermining the value of world financial markets. SITEs — like their ‘too-big-to-fail’ banking counterparts Systematically Important Financial Institutions or SIFIs — are considered vital to international corporate productivity.

The likelihood of such a catastrophic cyber event on this scale is improbable (1% chance of occurrence within a given year) but plausible. To help companies prepare for the eventuality of such an attack, researchers at Cambridge University’s Centre for Risk Studies have developed a ‘stress test’ scenario that recreates such an attack and reveals the extent of the resulting global damage.

Called Sybil Logic Bomb Scenario, the scenario describes a malicious insider who modifies the source code in a regular upgrade of the Sybil (the company is fictional) database software. The ‘bomb’ is designed to slowly corrupt data backups by introducing small errors in the systems — errors so small that they are not noticeable at first. Because the Sybil software is a popular software used by many companies, the bomb gets distributed into the information systems of companies around the world within a few weeks. Imperceptibly, the virus damages and undermines business systems over a period of several years. Eventually, the damage is slowly uncovered — but after a period of up to five quarters or 15 months — and as the full, horrifying extent of the damage becomes apparent, people’s faith in the information technology systems in both the private and public sector is shaken, leading to what the researchers call “information malaise.” 

Based on the scenario, the total losses to global GDP output over a five-year period range from $4.5 trillion to, in the most extreme scenario, $15 trillion.

The impact on financial markets, however, is relatively small, totalling, by the time the software problem is identified and fixed, a 4% loss in cumulative returns.


BUSINESS APPLICATION

Although the scenario has a low probability of occurrence, it was constructed using the precedents of past cyber attacks. For example, the researchers describe in the scenario how the Sybil Logic Bomb impacts specific companies, such as a fund management firm that loses £440 million in just 45 minutes of trading, a utilities company responsible for a series of spillages at its sewage treatment plant (the compromised process control system keeps opening valves), or a UK bank that is forced to write down $1.75 billion because of small accounting errors over a period of two years. All of these incidents are based on real cases: a U.S. fund managers lost $440 million in 45 minutes due to a mistake in their trading algorithm; by hacking into the company’s control systems, a disgruntled employee caused 47 sewage spill incidents for an Australian utility; and an Australian bank had to write down $1.75 billion because of an error in a financial model.

In the digital world, a small error whether malicious or accidental can have disastrous consequences. Although a scenario of such global reach is plausible but not probable, it offers important lessons seeking to protect the integrity of its information systems.

The damage caused by the Sybil Logic Bomb could have been mitigated, according to the scenario, through the following measures:

  • Reporting near misses. If something unexplained happens, don’t shrug off the error. Investigate.
  • Dual-source technologies. The best option is to have two databases from different vendors that mirror each other. At the least, insist on two different, mirroring versions of the same database.
  • Plug swappable technologies. Put in place the capability to swap one software module for another.  
  • Consider standardization initiatives carefully. It is easy to be seduced by standardization initiatives — but consider the potential loss of security as much as the potential cost-savings or increase in efficiency.
  • Defend against insider attacks. Develop the techniques and processes to protect against insidious attacks from insiders.

As with all types of crises, an effective reputation management process already in place is essential. Another recommendation from the scenario is barely heard in today’s digital conservation: having a physical backup to the digital information. When a crisis hits your information systems, do you have any physical options to fall back on?


  • SHARE


REFERENCES

Stress Test Scenario: Sybil Logic Bomb Cyber Catastrophe. Simon Ruffle, Gary Bowman, Fabio Caccioli, Scott Kelly, Andrew Coburn, Ben Leslie & Daniel Ralph. Cambridge Risk Framework Series. Centre for Risk Studies University of Cambridge (June 2014).

Ideas for Leaders is a free-to-access site. If you enjoy our content and find it valuable, please consider subscribing to our Developing Leaders Quarterly publication, this presents academic, business and consultant perspectives on leadership issues in a beautifully produced, small volume delivered to your desk four times a year.

FIND OUT MORE HERE

Idea conceived

June 1, 2014

Idea posted

Feb 2015
challenge block
Can't find the Idea you are after?
Then 'Challenge Us' to source it.

SUBSCRIBE TO IDEAS FOR LEADERS AND ACCESS ALL OUR IDEAS, PODCASTS, WEBINARS AND RECEIVE EXCLUSIVE EVENT INVITATIONS.

For the less than the price of a coffee a week you can read over 650 summaries of research that cost universities over $1 billion to produce.

Use our Ideas to:

  • Catalyse conversations with mentors, mentees, peers and colleagues.
  • Keep program participants engaged with leadership thinking when they return to their workplace.
  • Create a common language amongst your colleagues on leadership and management practice
  • Keep up-to-date with the latest thought-leadership from the world’s leading business schools.
  • Drill-down on the original research or even contact the researchers directly

Speak to us on how else you can leverage this content to benefit your organization. info@ideasforleaders.com