Creepy Cyber Coincidence? Probably Not.
On Thursday, United Airlines, The Wall Street Journal, the popular financial blog site ZeroHedge and the New York Stock Exchange all had to shut down their services for “technical reasons.” Although the Department of Homeland Security released a statement saying that there was “no sign of malicious activity” at the New York Stock Exchange, intellectual speculators quickly joined their financial peers to suggest these events were not coincidental and the result of a coordinated cyberattack.
Simple probabilities support the view that this was not a set of coincidental technical failures.
Given the criticality of technology to United Airlines, let’s assume for a moment it has a daily reliability rate of 99.99 percent, meaning it has a system failure once every 10,000 days, or once every 30 years. Seems reasonable. Now, let’s assume the New York Stock Exchange has a daily reliability rate of 99.9 percent, meaning it fails once every 1000 days, or approximately once every 3 years. Given The Wall Street Journal doesn’t directly handle billions of dollars or millions of lives, let’s assume its daily reliability rate is 99 percent, equating to one failure every 100 days.
If these events were truly random and independent, then the frequency of all three of these events happening at the same time is — are you ready? — once in a billion days, or once in about 2.8 million years! If for some reason you feel that The Wall Street Journal’s reliability is higher, say 99.9 percent, then the three events would happen even less frequently — once in 10 billion days! Coincidental failure is possible, sure, but it does seem highly unlikely. The numbers suggest that these events are not actually independent.
When looking at other global developments, one is immediately drawn to China’s imploding stock market. Might there be a connection? Some have suggested that disgruntled Chinese hackers were behind the attack, a fact that both a real-time cyberattack map from Norse and a digital attack map produced by Google Ideas and Arbor Networks appear to validate. Perhaps the Chinese are not happy that the Wall Street Journal reported on China’s plunging stock market? Or could they be unhappy about the regularly falling prices of their U.S. listed securities?
Whether my speculative musings prove true or false, one thing does seem certain: cyber risks are large, they’re rising and they will affect almost everyone. Travel by air? Even before yesterday’s shut down of United Airlines, the industry has been warning that a major cyberattack is “absolutely inevitable.” Just last month, Poland’s LOT Airlines was grounded after hackers disrupted their flight planning technologies.
And critical infrastructure controls are also at risk. The University of Cambridge Centre for Risk Studies and the Lloyd’s of London insurance market recently concluded that an attack on the U.S. power grid that disrupts NYC and DC has the potential to cost up to $1 trillion. Want to dismiss this as a wild scenario by risk thinkers gone wild? Don’t. Since 2000 there have been 15 cyberattacks on the U.S. electricity system.
Lest you think cyberattacks only affect information and electricity, think again. They have the potential to damage the physical as well. Last year, a German steel mill was hacked, and the perpetrators blocked the control systems from properly shutting down a blast furnace, resulting in massive damage. Given this risk to facilities and equipment, it’s not surprising that insurance giant AIG invested in K2 Intelligence, an emerging leader in the field of cybersecurity.
One reason for their investment was to better understand the costs of cyberattacks, which are likely to be enormous. PwC’s 2014 Global Economic Crime Survey found that almost 7 percent of U.S. organizations lost more than $1 million due to cybercrimes and 19 percent of organizations reported financial losses of between $50,000 and $1 million. That’s just in the U.S. The global costs are much higher. The Center for Strategic and International Studies estimates that cybercrimes and espionage cost more than $445 billion globally.
And please don’t dismiss these risks as just being about hackers stealing customer information from large corporations such as Target or Home Depot. Cyberattacks will soon be a risk we bear in our everyday lives. Use the Starbucks app to buy your daily latte? Cyberattacks have enabled hackers to drain bank accounts through the Starbucks app. As the Internet of Things booms (IDC estimates there will be 200 billion connected devices by 2020) and devices as far ranging as refrigerators to cars are brought online, vulnerabilities multiply.
One particularly problematic area is the domain of medical devices. Insulin pumps can be hacked, as can many other wirelessly controlled medical devices, rendering patients vulnerable to medical cybercrimes. Remember the “Homeland” episode in which the Vice President’s pacemaker was hacked by terrorists, allowing them to administer a lethal cyberattack? As explained by the show’s producers and noted by Dick Cheney’s doctor, hackers can quite literally break your heart.
Vikram Mansharamani is a Lecturer at Yale University in the Program on Ethics, Politics, & Economics and a Senior Fellow at the Mossavar-Rahmani Center for Business and Government at the Harvard Kennedy School. Visit his website for more information or to subscribe to his mailing list. He can also be followed on Twitter.