The Centre for Risk Studies at Cambridge University has developed a detailed risk scenario describing a slow-burning cyber attack on a fictional software developer that has global consequences. The improbable but plausible scenario, based on a variety of real (but smaller) cases, is intended as a ‘stress test’ for organizations and public policy bodies and offers lessons in how to mitigate the impact of such attacks.
The extensive damage caused by hackers gaining access to the confidential information held in a company’s IT systems is, unfortunately, well documented. But beyond compromising millions of customers’ records or exposing company secrets, a cyber attack on an SITE (systemically important technology enterprise) could be even more catastrophic, potentially damaging the global economy and undermining the value of world financial markets. SITEs — like their ‘too-big-to-fail’ banking counterparts, the Systemically Important Financial Institutions or SIFIs — are considered vital to international corporate productivity.
A catastrophic cyber event on this scale is improbable (a 1% chance of occurrence within a given year) but plausible. To help companies prepare for such an attack, researchers at Cambridge University’s Centre for Risk Studies have developed a ‘stress test’ scenario that recreates one and reveals the extent of the resulting global damage.
The Sybil Logic Bomb Scenario describes a malicious insider who modifies the source code of a regular upgrade to database software from Sybil, a fictional company. The ‘bomb’ is designed to slowly corrupt data backups by introducing small errors into the systems — errors so small that they go unnoticed at first. Because Sybil’s software is widely used, the bomb spreads into the information systems of companies around the world within a few weeks. Imperceptibly, the malicious code damages and undermines business systems over a period of several years. Eventually the damage is uncovered, but only after a period of up to five quarters, or 15 months, and as the full, horrifying extent of the damage becomes apparent, people’s faith in the information technology systems of both the private and public sector is shaken, leading to what the researchers call “information malaise.”
Based on the scenario, the total losses to global GDP output over a five-year period range from $4.5 trillion to, in the most extreme scenario, $15 trillion.
The impact on financial markets, however, is relatively small: by the time the software problem is identified and fixed, cumulative returns have fallen by 4%.
Although the scenario has a low probability of occurrence, it was constructed using the precedents of past cyber attacks. For example, the researchers describe how the Sybil Logic Bomb affects specific companies: a fund management firm that loses £440 million in just 45 minutes of trading, a utilities company that suffers a series of spillages at its sewage treatment plant (the compromised process control system keeps opening valves), and a UK bank that is forced to write down $1.75 billion because of small accounting errors accumulated over two years. All of these incidents are based on real cases: a U.S. fund manager lost $440 million in 45 minutes due to a mistake in its trading algorithm; a disgruntled employee caused 47 sewage spill incidents at an Australian utility by hacking into the company’s control systems; and an Australian bank had to write down $1.75 billion because of an error in a financial model.
In the digital world, a small error, whether malicious or accidental, can have disastrous consequences. Although a scenario of such global reach is plausible rather than probable, it offers important lessons for any organization seeking to protect the integrity of its information systems.
The damage caused by the Sybil Logic Bomb could have been mitigated, according to the scenario, through the following measures:
As with all types of crises, having an effective reputation management process already in place is essential. Another recommendation from the scenario is one barely heard in today’s digital conversation: keep a physical backup of digital information. When a crisis hits your information systems, do you have any physical options to fall back on?
Stress Test Scenario: Sybil Logic Bomb Cyber Catastrophe. Simon Ruffle, Gary Bowman, Fabio Caccioli, Scott Kelly, Andrew Coburn, Ben Leslie & Daniel Ralph. Cambridge Risk Framework Series, Centre for Risk Studies, University of Cambridge (June 2014).