8. A “Far-reaching, Catastrophic Cyber Event in the Next Two Years”?

As part of the World Economic Forum annual event in Davos earlier this month, their Global Cybersecurity Outlook 2023, produced in collaboration with Accenture, was released. It's generally a reasonable report, but it got a lot more attention in the media because of one particular survey finding. As reported here and here, for instance, their research found that 86% of business leaders and 91% of cyber leaders believe that global geopolitical instability is likely to lead to a far-reaching, catastrophic cyber event in the next two years.

When we look at how the report's data breaks down for cyber leaders, we get this table.

Company Size        Very Likely   Moderately Likely   Not Very Likely
< 250               50%           42%                 8%
251 – 1,000         33%           67%                 0%
1,001 – 10,000      47%           40%                 13%
10,001 – 100,000    38%           52%                 10%
100,001+            73%           27%                 0%

Even though the report does not provide details, it also states that 43% of organizational leaders think it likely that a cyberattack will materially affect their own organization in the next two years.

What Does a “Far-reaching, Catastrophic Cyberevent” Even Mean?

In the press conference at the release of the report, Edi Rama, prime minister of Albania, gave an indication of what such a catastrophic event would look like.

“Let’s imagine an exponential multitude of viruses that mutate everyday exponentially while not threatening our body, but the bodies we live in, our organizations, our countries, our system, then, you know, it could be just apocalypse. It’s about viruses that can not only block our way of living, but can control it and deviate it.”

Albania has experienced significant cyberattacks, attributed to Iran, that exposed intelligence and police data, but that sounds like incoherent nonsense to me.

But the man is a politician. What makes 91% of cyber leaders expect such a catastrophic event? Among those in organizations larger than 100,000 employees, 73% consider it very likely and 27% moderately likely. That's curious when 57% of business and cybersecurity leaders don't think it is likely that an attack would materially affect their own organization.

Something Doesn't Add Up

While business leaders' perception of their organization's ability to be cyber resilient dropped across the board compared to last year, the share of cyber leaders who feel confident that their organizations are cyber resilient rose from 12% to 29%. An additional 54% perform common cyber-resiliency practices but recognize they have more work to do. Don't we always.

So, who then is this far-reaching, catastrophic event going to affect?

Surely, far-reaching and catastrophic means something bigger than Mirai, Solarwinds, Log4Shell, Rackspace, or Ransomware-as-a-Service.

If 91% of cyber leaders consider such an event likely, yet 83% consider themselves to have a baseline of cyber resiliency in place, this looks like an irrational fear of such an event happening somewhere else.

Catastrophic for Whom?

I am a “cyber leader” (arguably 😉) in a cloud service provider with over 100,000 employees – supposedly the category that considers such an event very or moderately likely. We certainly threat model and try to mitigate against catastrophic scenarios. But despite the role the company plays for our customers, it is still very unlikely that a cyber event would grow into a far-reaching, catastrophic one for society.

That is not to say that a cyber event couldn't be far-reaching and catastrophic for a single customer or a select few, or for the company itself.

So, I am going to be an outlier compared to the report. I consider a cyber event along the lines described by the Albanian prime minister highly unlikely. But I do consider it very likely that a cyber event proves catastrophic for a single large organization in the next two years. Our job, meanwhile, is to ensure we do what we can to prevent that being us.

cloud security posts without corporate approval @jaythvv@infosec.exchange