Internet makes global economy vulnerable to Lehman-like crash, study says
The global economy is becoming so intertwined with the Internet, and the Internet has so many interlinked vulnerabilities, that one failure could cascade into a crash, a new study suggests.
The global economy is entering a phase of heightened vulnerability to digital disruption – a threat likened to the US mortgage crisis, which was largely hidden until its dramatic collapse in 2008, a new report warns.
The report suggests larger dangers are lurking beyond headlines of cyber-espionage, crime, and cyber-weapons development. For one, the fast-rising dependence on outsourcing key operations to cloud Internet Service Providers could result in cascading problems that cause a far broader or longer-lasting crash.
“The internet is highly interconnected and tightly coupled with society, meaning that (as in other such systems) a small failure or series of them in one place can cascade, producing an outsized impact elsewhere,” according to the study by the Atlantic Council, a national security think tank, and Zurich Insurance Company. “While our society’s reliance on the internet grows exponentially, our control of it only grows linearly.”
What if, for example, a major Internet cloud service provider that provided billing, design, or ordering had “a ‘Lehman moment’ – with everyone’s data there on Friday, and gone on Monday,” the study asks. If that single failure “cascaded to a major logistics provider or company running critical infrastructure, it could magnify a catastrophic ripple running throughout the real economy in ways difficult to understand, model or predict beforehand.”
That’s especially true if such an incident coincided with another.
“The recent Heartbleed vulnerability demonstrates the main message of the report,” says Jason Healey, director of the Atlantic Council’s Cyber Statecraft Initiative and author of the report, referring to the recently discovered security gap in two-thirds of Internet websites.
“The Internet is so complex and tightly coupled to the real world, it turns out we were all gravely exposed to a cyber-risk in an obscure technology that few understand, and we didn’t see coming,” he adds. “This time it was just passwords, but what happens once the Internet is connected to the electrical grid or driverless cars?”
Other reports have raised similar concerns.
“When ‘everything is becoming digital,’ private, public, and civil institutions become more dependent on information systems and more vulnerable to attack…,” according to a World Economic Forum and McKinsey & Co. report in January. “As a result, all of our institutions will have to make increasingly thoughtful trade-offs between the value inherent in a hyperconnected world and the risk … that cyberattacks create.”
The problem is that Internet commerce is built on the expectation of a “stable system state,” said Daniel Geer, an Internet security specialist, at a February conference. “Yet the more technologic the society becomes, the greater the dynamic range of possible failures.”
Amid the rush to take advantage of new efficiencies, the nation’s critical infrastructure – whose control systems, like those of the power grid, are often “insecure by design” – is frequently being connected to Internet-tied corporate networks that are hackable, cyber-security experts say.
“This is typically where regulation is to step in ... where a business's economic interest conflicts with the interest of the general good,” writes Dale Peterson, CEO of Digital Bond, a cyber-security company in Sunrise, Fla., in an e-mail interview.
That tension is a natural product of “business logic,” according to Ralph Langner, the man who first identified Stuxnet as a cyber-weapon targeting Iran’s nuclear program.
“A fundamental reason for this failure is the reliance on the concept of risk management, which frames the whole problem in business logic,” he and a co-author wrote in a study last year. “Business logic ultimately gives the private sector every reason to argue the always hypothetical risk away, rather than solving the factual problem of insanely vulnerable cyber systems that control the nation’s most critical installations.”
When systems are based on a handful of software and hardware architectures, Dr. Geer said, the vulnerabilities only grow.
“When you live in a technologic society where everybody and everything is optimized in some way akin to just-in-time delivery,” he said in February, “the dynamic range of failures is incomprehensibly larger and largely incomprehensible.”