We just passed the ten-year anniversary of the 2008 recession, which rocked economies around the world. The culprit? In large part, the sub-prime mortgage crisis and the bankruptcy of Lehman Brothers. Since then, analysts and governments have focused on whether financial institutions can withstand the kind of shock that took place in 2008. But they may be missing the point. Will our next crisis—not just financial but related to critical infrastructure—begin in the way crises have arisen in the past? With more and more reliance on the cloud, government and private systems that make our modern world function, are more vulnerable than ever, leaving us open to a debilitating cyber-attack that could be our next crisis.
In September of last year, Paul Mee and Til Schuermann, partners at consulting firm Oliver Wymans, argued this point in the Harvard Business Review. They said that the most likely culprit of the next major crisis will be “a cyber-attack that causes disruptions to financial services capabilities, especially payments systems, around the world.”
Others have echoed their concern. In 2018, the World Economic Forum (WEF) carried out its Global Risks Report. One of its most stark findings was that cyber threats may outstrip natural catastrophes in terms of losses. A year before that in 2017, the WEF ranked cyber threats as the biggest risk facing businesses in North America, even more than terrorism, asset bubbles, or financial crises.While we haven’t seen anything as dramatic as Mee, Schuermann and the WEF predict, there are signals that it could happen.
In the last few years, though, we have seen some major breaches. They’ve happened at large, international companies—think Experian, British Airways, and TalkTalk—and have knocked entire operations offline. The risk of these kinds of attacks is only getting more serious, especially as whole companies, governments, and institutions transfer their operations into the cloud.
More and more, governments and companies that provide private infrastructure are transitioning their work to cloud providers. While using these cloud services—such as Azure or Amazon Web Services (AWS)—does come with major benefits, it also comes with risk. And the risk doesn’t necessarily need to stem from a cyber-attack. Simple technical problems—or unforeseen natural events like hurricanes—can cause these systems to fail. The best example of this is when AWS servers failed due to an overload of metadata requests from a new DynamoDB feature. This forced popular apps and websites like Reddit, Tinder, Netflix, and IMDB to go offline for roughly seven hours.
A hurricane had the same effect a few years earlier. In 2012, Hurricane Sandy hit the east coast of the United States and took several important servers offline. The result? The Huffington Post, BuzzFeed, and Gawker, among other large websites, failed. In this case, the outcome was simply the failure of websites. But an event like this one could easily destroy servers that control the power grid, cellular networks, and other critical infrastructure.
As serious as these events were, they happened due to weather or technical reasons. Much more sinister, and potentially devasting, is when an outage happens because of an attack. One good example of this is the attacks on the United Kingdom’s National Health Service in 2017, when software infected hospital computers across England. Another poignant example is the Ukraine power grid hack, thought to be the first successful attack on power infrastructure, and involved hackers compromising the systems of several energy distribution companies and, for some time, disrupting electricity supply to customers.
What these attacks show is that it is possible to compromise the systems that help make our modern world function. They also show that even if a major attack that, say, distorts Internet routes, DNS or compromises major cloud providers like Microsoft and AWS and as a result, brings down parts of the Internet, countries, government and financial systems and thousands of organizations at the same time are unlikely, they are certainly possible.
As we integrate more and more with the cloud, policy needs to change, and more proactive measures need to be made to protect the basic infrastructure our societies rely on. The global economy is slowing at a disconcerting rate. The next market meltdown may not be related to the US’s crude trade policies or the chaotic Brexit process – they could be – but rather a massive, strategic cyber-attack bringing down a major cloud provider and thousands of businesses with it.