WEF Report: Cyber Risks Pose Global Threats

The World Economic Forum’s (WEF) Global Risks Report 2022 outlined what they believe are the greatest worldwide threats and risks to economic development. In some ways, it reads like an Exodusian litany of plagues and threats—COVID-19, climate change, migration, international crime, nuclear war and weapons of mass destruction. Fun bedtime reading for the insomniacs. The report looks at short-term, long-term and intermediate-term threats to global economic development. In the 17th annual report, the authors also focused on specific and general cyber-related risks that pose genuine threats to worldwide economic development. The report noted:

Growing dependency on digital systems—intensified by COVID-19—has altered societies. Over the last 18 months, industries have undergone rapid digitalization, workers have shifted to remote working where possible, and platforms and devices facilitating this change have proliferated. At the same time, cybersecurity threats are growing—in 2020, malware and ransomware attacks increased by 358% and 435% respectively—and are outpacing societies’ ability to effectively prevent or respond to them. Lower barriers to entry for cyberthreat actors, more aggressive attack methods, a dearth of cybersecurity professionals and patchwork governance mechanisms are all aggravating the risk. Attacks on large and strategic systems will carry cascading physical consequences across societies, while prevention will inevitably entail higher costs. Intangible risks—such as disinformation, fraud and lack of digital safety—will also impact public trust in digital systems. Greater cyberthreats will also hamper cooperation between states if governments continue to follow unilateral paths to control risks. As attacks become more severe and broadly impactful, already sharp tensions between governments impacted by cybercrime and governments complicit in their commission will rise as cybersecurity becomes another wedge for divergence—rather than cooperation—among nation-states.

That’s quite a bit to unpack, but basically, the World Economic Forum points to the following problems associated with cyber risks:

    • Growing interdependence on digital infrastructure
    • More points of attack and vulnerability
    • Low barriers to entry for threat actors (point-and-click, script kiddies)
    • Increase in ransomware and malware attacks
    • Inadequate cyber training, awareness and lack of sufficient professionals
    • Disinformation and fraud
    • Nation-states using cyber against each other which may lead to kinetic or other attacks

And a happy new year to you, as well.

Many of these problems are endemic to the world of cybersecurity and have been around for years. Some pose short-term risks, some represent longer-term risks. In the wake of the report, I have compiled my own list of what I think are the short-, medium- and long-term global risks to economic development due to cybersecurity issues.

Short-Term Threats

Cybercrime and Cyber-related Crime

Cybercrime and cyber-related crime pose genuine threats to the global economy. Fraudulent wire or electronic funds transfers, misappropriation of trade secrets, digital extortion, revenge porn, data interception, doxxing and public dissemination of private information not only impose direct costs on users, but reduce consumer confidence in the electronic infrastructure, impose significant costs to abate and investigate and limit the ability of organizations and/or individuals to introduce new and potentially useful technologies for fear of misuse. Cybercrime may also be targeted or merely a crime of opportunity, may be aimed at individuals or organizations and may be perpetrated by individuals, hacker groups, organized criminals, state-sponsored organizations or quasi-state actors. The response requires substantial resources, coordination and technological awareness, none of which seem adequate to the task.

Data Breach and Data Theft

Though they are related to cybercrime generally, data breaches and data theft are unique problems. These are specific kinds of cybercrime that relate to unique types of harm done to the body politic. Data breaches may expose privacy-related information and cause harm to an individual’s sense of identity—a violation that is unique to the late 20th and early 21st century notion of privacy. Moreover, much of the harm or damage resulting from data breaches or data theft cannot be measured in terms of dollars and cents (or yen or euros or rubles) and, as a result, represent a genuine threat not only to the entities that collect, store or process the data, but to those who rely on it and, most importantly, to the data subjects who are most impacted by thefts and breaches.

Identity Fraud and Identity Theft

A related problem is that of ID fraud and ID theft—typically as a result of a data breach, but not always. It is a unique problem in that, increasingly, one is defined in the world (and particularly in the world of commerce) by one’s digital identity. The inability to demonstrate who you are or having someone else impersonate you represents, at present, a short-term threat. But as the essence of people’s personas increasingly becomes digital, the inability to prove who you are (or to disprove actions based on identity) may represent more of an intermediate threat.

Ransomware

Ransomware, and its cousins extortionware and DDoS attacks, seem to be an existential threat. The attacks are costly, disruptive and cause a lack of confidence in infrastructure and technologies. They also help finance “bad actors” and new cybersecurity threats and undermine the fledgling cryptocurrency business. However disruptive ransomware currently is, it is likely to pose a short-term or intermediate threat to global infrastructure and networks as data becomes more resilient to attacks. That’s not to minimize the problem—it is undoubtedly significant—but simply to put it in perspective.

Data Privacy

Data privacy in the traditional sense is currently a short-term threat, partly because most countries do not value data privacy. By this, I don’t mean that they don’t think that privacy is important. Particularly in the EU—with the GDPR, for example—and in countries that have adopted similar comprehensive privacy laws and regulations, there is concern about data privacy. The problem is that countries don’t place a specific dollar value on data privacy. What is the dollar (or yen, ruble, euro) value of having the pharmacist (chemist) not reveal the fact that you are using a special mouthwash for halitosis? What are your specific damages if you receive a targeted ad from Google based on your Facebook search? Data privacy as a concept is a short-term problem. But individual integrity—the collection and sharing and analysis of digital information about all people for either commercial or governmental purposes—that’s a long-term problem.

Intermediate Threats

Identity and Data Aggregation

While the current problem of identity fraud and identity theft represents a short-term problem, the more substantial (and long-range) problem is that of digital identity. Strong authentication systems including MFA, biometrics, etc., are useful to prevent fraud. They are also useful for tracking the movements of individuals or groups, determining political or religious affiliations, suppressing dissent, encouraging conformity and profiling for all kinds of reasons. They encourage differential treatment, pricing, etc., based on data points and are rife with opportunities to be misused. If we look at the situation in China—with its massive use of facial recognition in everyday life—and compare it to what companies like Google, Amazon and Facebook are doing, this represents an intermediate-term threat to liberty and economic freedom. It also presents a tremendous barrier to economic competition, as small players cannot compete without access to the data points collected by the larger players who will enjoy functional monopolies in data and data access.

Mass Surveillance

Similar to identity and data aggregation, mass surveillance programs undermine the basic freedoms people enjoy and represent an existential threat, whether they are undertaken by governments or commercial entities. Moreover, the distinction between government and commercial is not entirely clear-cut, as governments both subscribe to commercial databases and make data available to them. Mass surveillance can include collection and aggregation of databases (e.g., spending, travel, associational activity), use of facial recognition, biometrics (e.g., gait analysis) or automated license plate readers, or the collection and use of social media information to profile and discriminate against individuals. In fact, in a recent order, the European data protection commissioner ruled that the European police agency Europol was subject to EU data privacy laws and noted that, due to the “high risks for data subjects and potentially severe impact on their fundamental rights and freedoms, the EDPS urged Europol to implement all necessary and appropriate measures to mitigate the risks created by such personal data processing activities to data subjects.” However, the mass collection of such data presents a significant threat to privacy, integrity and fundamental rights, and may actually lead to the migration of citizens to jurisdictions that do not collect such data.

Commercial Exploitation of Data

Related to mass surveillance is the threat of the commercial exploitation of mass data sets—something readers in the United States have become acclimated to. With the ubiquity of smart homes and online shopping, the consumer leaves a digital trail that traces everything they do. Relatively weak privacy laws and huge economic incentives for data collection, aggregation and analysis mean that there exists a comprehensive data profile of a large number of people, and that database is increasing exponentially both in terms of volume of data and number of data subjects. Loss of privacy—and loss of control over data—is something that likely cannot be reversed and, once lost, cannot be reclaimed. We won’t know the impact of this loss of privacy until it is too late.

Data Interdependence

Similarly, as we as individuals become the sum of our data points, we rely on data accuracy and data availability. However, data collected casually for one purpose (e.g., we post some medical observation online) may then assume a different role as it is collected by a pharmaceutical company and used to blacklist the data subject or to target them. As data volume increases, data quality may decrease. In the mid-term, this poses genuine risks to individual liberty and freedom. Add to the problem deliberate attacks that compromise data integrity and availability and we have a genuine and substantial problem.

Cascading Failures

Almost every aspect of economic life is connected through protocols using or derived from the TCP/IP protocol set. However, the internet was never designed to be secure, and the underlying core protocols are likely to have undiscovered vulnerabilities (sound familiar?). Even without attacking common vulnerabilities, an attack on a single part of a supply chain (transportation, communication, energy) will likely have a cascading impact on others. Our defenses create pockets of security that float in a sea of vulnerability. In many ways, the problem is other people’s networks and we have difficulty seeing beyond our own horizon.

Cyber Misinformation and Deception

Cyber misinformation, fraud and deception are significant threats to economic growth. Conspiracy theories of all kinds are given safe haven on social networks. Fear sells, and theories that promote fear appeal to the limbic system. Massive economic fraud (e.g., business email compromise, identity fraud and theft, etc.) undermines confidence in critical systems, including the banking and finance system. Vaccine and COVID-19 misinformation undermines trust in medical delivery systems. Misinformation about politics, elections, religion, etc. undermines core structures of democratic societies. Conversely, authoritarian regimes that force people to adhere to the party line or that restrict access to information similarly undermine confidence and freedom. The good thing about the internet is that it makes publishers of everyone. The bad thing about the internet is that it makes publishers of everyone. While the problem of misinformation online has been systemic, it will likely increase in severity and impact.

Long-Term Threats

Artificial Intelligence

AI represents a potential long-term threat, simply because by its nature it is supposed to learn and understand things that we, as mere humans, do not or cannot understand. When a machine learning program decides which patterns are important and which are not, it is making value judgments—nudged along by programmers and others. The AI problem is not unique to AI, but it exacerbates the fact that many programmers, developers and others do not consider the morality, ethics and values inherent in the questions, “Can I do this?” and “Should I do this?” AI has only the morals, values and ethics that we embed in it. Part of this is mere paranoia about our robot overlords. Another part is a basic mistrust of what I can’t understand. And another part is inevitably the result of watching Terminator too many times.

Digital Access and Disparity

It’s interesting to note that there are more smartphones in the world than toilets. Nevertheless, access to digital information (in a way that is free from both government and commercial interference) creates a world with digital “haves” and “have-nots.” Digital access is increasingly becoming a right and a necessity—like food, water, shelter, medicine and education. World leaders need to continue to press for some degree of equity.

Global Dominance

A rant on “tech giants.” For these purposes, I am concerned about two things—lack of heterogeneity and lack of choice, although there are myriad other concerns that could be expressed. With global dominance in certain technological areas, there comes an increased risk that a successful attack on a single infrastructure or company can lead to a global disaster. Take down AWS, and what happens to the economy? Crush Gmail, and how do businesses survive? Heterogeneity generally makes for some resilience. Similarly, with global dominance comes a “take it or leave it” situation. Example: Try negotiating a security agreement with Amazon, Microsoft or Google that requires them to do certain things with respect to security. Because of market dominance, they dictate the terms of cloud or other agreements; in the future, that could be a problem.

Data Aggregation and Profiling

The privacy problems of data collection are exacerbated by the casual way that data is aggregated, shared and analyzed—particularly in the United States—and the almost total lack of transparency in this system. When you go to a website and the site indicates that it uses cookies, do you really know what data is being collected, with whom it is shared and for what purpose? While data is an asset, it also represents risk. Not just risk of data breach, but risk that an individual may be profiled and discriminated against because of either an accurate or inaccurate data set. In the 1950s, U.S. Senator Joe McCarthy famously called people before the Committee on UnAmerican Activities and asked them the now infamous question, “Are you now or have you ever been a member of the Communist Party?” Those who answered in the affirmative or refused to answer were blacklisted. In 2022, no such questioning would be required; a few keystrokes (or a subpoena) could reveal individuals’ activities going back decades. Whether this is good or bad depends on how the data is used and by whom, but it represents a truly attractive and valuable target for exploitation.

Digital Identity

Finally, we are increasingly becoming whatever we are online. Our social groups, shopping, entertainment, etc., are moving from the real world to the online world. We are our digital identity. This will undoubtedly increase as we move into the metaverse (whatever the hell that is). It is important for us to retain our humanity. This is exacerbated by the fact that the online world not only encourages but also protects a degree of coarseness and crudeness that would not be tolerated in the real world—and this coarseness and crudeness infiltrates our daily life. If a public health official promotes vaccines or mask-wearing and we disagree with these decisions, online we may post threats to their life and that of their children—something we ordinarily would not do in real life. Emboldened by the illusion of anonymity and access that the virtual world provides, we do things online or as our own doppelgangers that would be abhorrent in the real world. Then, seeing that this strategy is successful, we are encouraged to replicate it in the real world. I’m no curmudgeon, but it creates a lack of civility and a disconnect in society which poses a risk to the body politic. Oh, and get off my lawn, too.

These are my gut reactions to short-term, medium-term and long-term threats. Post yours below.

Interestingly, certain cyber threats like the threat of digital inequality and cybersecurity threats have diminished in the minds of the survey respondents. The authors note that technological risks—such as digital inequality and cybersecurity failure—are other critical short- and medium-term threats to the world according to GRPS respondents, but these fall back in the rankings toward the long-term and none appear among the most potentially severe, signaling a possible blind spot in risk perception.

The 2021-2022 GRPS included a question on international risk mitigation efforts. Artificial intelligence, space exploitation, cross-border cyberattacks and misinformation and migration and refugees are the areas where most respondents believe the current state of risk mitigation efforts fall short of the challenge—that is, efforts are not started or are in early development. Meanwhile, for trade facilitation, international crime and weapons of mass destruction, large majorities perceived risk mitigation efforts to be established or effective.


Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.
