UK Infrastructure Providers “Accept an Unexpectedly High Level of Risk” of Cyber-Threats, and the National Response Is “Fractured and Incoherent”

Hacker organizations like Anonymous and LulzSec are waging a worldwide cyberwar. These new combatants are highly sophisticated and have emerged as a true threat so quickly that it is understandable why many organizations remain vulnerable.

But according to a new report from Chatham House, the UK’s critical infrastructure providers actually do understand the gravity of the threat and are very concerned about what it means for their operations — they just have chosen to do little about it.

“Many of the organizations surveyed in the course of this project have developed an attitude to cyber security that is fundamentally contradictory. In most cases, they declared themselves to be aware of cyber security threats. Yet these same organizations were willing, for a variety of resource and other reasons, to accept an unexpectedly high level of risk in this area. In several cases it was even decided that cyber risk should be managed at arm’s length from the executive authority and responsibility of the board and senior management. Paradoxically, therefore, in these organizations a heightened perception of cyber security risk is being met with diminished resources and interest.”

It gets worse.

While the weak response by critical infrastructure providers is clearly presenting a risk to national security in the United Kingdom, governments aren’t helping. Those who should be leading the charge on raising security aren’t doing enough to help those they serve keep up with the threat, say the providers.

There was a perception among those interviewed for the study (which include 100 large businesses and banks) that “the national response mechanism is for the most part fractured and incoherent” and that there is “little sense either of governmental vision and leadership, or of responsibility and engagement” with critical infrastructure providers. Those providers also note that better information sharing could help them considerably in preparing their defenses, but so far the UK government is “more willing to solicit information than to divulge it.”

Of course, the responsibility to mitigate this threat is not solely a public responsibility. These companies must take it upon themselves to safeguard their own operations. As the report notes, however, “this will only be achieved to the extent that board members are themselves more aware of the opportunities and threats presented by cyberspace.”

It must start at the top.

But unbelievably, the report notes that some companies have “deliberately pushed [the threat] below the boardroom level in order to remove a complex and baffling problem from sight.”

To be fair, some organizations are responding better than others. But they are the exception, not the rule. “The results were varied,” said study co-author Dave Clemente on a Chatham House podcast. “Some organizations have a fairly nuanced view of cybersecurity — it comes up on their board agendas on a regular basis. And others don’t. Others respond only when something unpleasant happens to them or a competitor, and then they have to do something very quickly. Something must be done. Money is thrown at the problem. And often it produces an over-reaction [that’s] not very well thought-through.”

In talking about the risk to infrastructure providers, Clemente highlighted the cyberattack that Anonymous launched against Sony, shutting down its popular online video game platform, the PlayStation Network, for more than weeks and exposing the personal info of tens of millions of users.

Games Beat explains the details of that attack.

The company was criticized for having outdated security software that did not adequately protect the PSN from hackers when they broke in. Security experts knew Sony was running outdated versions of the Apache Web server software that did not have a firewall installed. The company said hackers were able to breach the PSN and steal sensitive data while the company was fending off denial of service attacks from Anonymous, an online hacker group that typically takes up politically charged causes.

Hackers also hit a number of other high-profile companies like defense contractor Lockheed Martin and Bethesda Softworks, another game publisher. The number of hacking attacks has given network providers like Sony a new set of challenges when building security for company networks.

Clemente says that the hacker intrusion cost Sony $171 million.

That’s a large sum that should help any large company take notice. But he also notes that these types of cyber threats are “substantial in a monetary sense but there’s also reputational damage as well.”

Incidentally, Tim Schaaff, a top Sony executive, told Games Beat that the attack was a “great experience, really good time … Though I wouldn’t like to do it again.”

At first blush, that seems like a ridiculous position. But perhaps we can all learn a little bit from the PlayStation Network breach. Take this quote from Schaaff that further elaborates on his view.

“A determined hacker will get you, the question is how you build your life so you’re able to cope with those things,” he said.

Of course, prevention and fool-proof network security are the ultimate goal. But they are increasingly hard to achieve. As the Chatham study shows, the leap forward in sophistication of today’s hackers means that most companies are now playing catch-up — both technologically and in terms of understanding the nature of the threat.

In the interim, many companies can and will be hit.

Know that. And start game-planning a response. Perhaps going forward, conducting emergency, tabletop drills for cyberdisasters will be as beneficial in preparing for the real thing as emergency drills for natural disasters are today.

Companies that have money and reputations to lose would be silly not to be developing strategies for this threat. And those organizations tasked with providing the nation with critical infrastructure? Well, if they do not improve their defenses soon, “silly” will start looking a lot more like “negligent.”

(For more on cyberthreat whos, whats, whens, wheres, whys and hows, stay tuned for our upcoming October issue of Risk Management magazine. We have an 8-page feature detailing the nature of the threat — and ways to combat it.)

Q&A on the “Global Risks 2010” Report

Recently, the World Economic Forum released its “Global Risks 2010” report, in which partners, including Swiss Re and other corporate and academic entities, collaborated to analyze the most serious global risks for the current year. This is one of several posts we have run recently about the biggest risks ahead for 2010, whether economic, political or otherwise. One thing that we see through all of them is the word “China.” It will be interesting to keep an eye on this prediction and whether the country will hinder or help the U.S. in 2010.

To discuss this and the rest of the year ahead, I was fortunate enough to touch base with Kurt Karl, chief U.S. economist at Swiss Re, to get his take on this year’s report.

In your opinion, what is the biggest global risk facing the U.S. for 2010 and why?

Kurt Karl: The biggest global risk facing the U.S., as the “Global Risk 2010” report points out, is renewed asset price collapse. This would essentially be a global double-dip recession. With very high deficits and very low interest rates, another recession would be very difficult to combat. A return to recession could come from continued employment declines eroding consumer confidence, another banking sector scare or possibly a mutation in the pandemic virus which increases the fatalities causing consumers to panic and stop traveling and reduce shopping.

How will underinvestment in infrastructure (especially agriculture) affect the U.S. economy in the long run?

Karl: Infrastructure is essential for long-term growth and there is some evidence that the U.S. has been under-investing in infrastructure. Not only could this lead to catastrophes, such as the Minneapolis bridge collapse, but it would reduce economic growth by creating bottlenecks in, for example, the transportation system. The key risk for the agricultural sector is infrastructure that supports water supplies. This is partly an investment issue and increasingly a political issue. Reduced agricultural production will harm the US trade deficit — we export a lot of agricultural products — increase inflation and reduce standards of living.

What is the biggest, long-term international risk you see? And how will that affect the U.S.?

Karl: China, which is growing rapidly, is the biggest risk and the biggest opportunity for the U.S. economy. The global economy is increasingly dependent upon the health of the Chinese economy. At the same time, China needs to become a more open economy, with — ultimately — a floating exchange rate and free trade practices where it and other countries are competing on a level playing field.

What do you see as the biggest factor that could possibly prevent a complete economic recovery?

Karl: The biggest risk is global employment growth. If confidence turns sufficiently negative, companies will start cutting jobs again and that would kill the recovery.
