Internet makes global economy vulnerable to Lehman-like crash, study says

The global economy is becoming so intertwined with the Internet, and the Internet has so many interlinked vulnerabilities, that one failure could cascade into a crash, a new study suggests.

By , Staff writer

  • close
    The scene of employees leaving the Lehman Brothers headquarters in New York is the enduring image of the 2008 crash. Researches say the Internet could make the global economy vulnerable to a similar event.
    View Caption

The global economy is entering phase of heightened vulnerability to digital disruption – a threat likened to the US mortgage crisis, which was largely hidden until its dramatic collapse in 2008, a new report warns.

The report suggests larger dangers are lurking beyond headlines of cyber-espionage, crime, and cyber-weapons development. For one, the fast-rising dependence on outsourcing key operations to cloud Internet Service Providers could result in cascading problems that cause a far broader or longer-lasting crash.

“The internet is highly interconnected and tightly coupled with society, meaning that (as in other such systems) a small failure or series of them in one place can cascade, producing an outsized impact elsewhere,” according to the study by the Atlantic Council, a national security think tank, and Zurich Insurance Company. “While our society’s reliance on the internet grows exponentially, our control of it only grows linearly.”

Recommended: How much do you know about cybersecurity? Take our quiz.

What if, for example, a major Internet cloud service provider that provided billing, design, or ordering had “a ‘Lehman moment’ – with everyone’s data there on Friday, and gone on Monday,” the study asks. If that single failure “cascaded to a major logistics provider or company running critical infrastructure, it could magnify a catastrophic ripple running throughout the real economy in ways difficult to understand, model or predict beforehand.”

That’s especially true if such an incident coincided with another.

“The recent Heartbleed vulnerability demonstrates the main message of the report,” says Jason Healey, director of the Atlantic Council’s Cyber Statecraft Initiative and author of the the report, referring to the recently discovered security gap in two-thirds of Internet websites.

“The Internet is so complex and tightly coupled to the real world, it turns out we were all gravely exposed to a cyber-risk in an obscure technology that few understand, and we didn’t see coming,” he adds. “This time it was just passwords, but what happens once the Internet is connected to the electrical grid or driverless cars?”

Other reports have raised similar concerns.

“When ‘everything is becoming digital,’ private, public, and civil institutions become more dependent on information systems and more vulnerable to attack…,” according to a World Economic Forum and McKinsey & Co. report in January. “As a result, all of our institutions will have to make increasingly thoughtful trade-offs between the value inherent in a hyperconnected world and the risk … that cyberattacks create.”

The problem is that Internet commerce is built on the expectation of a “stable system state,” said Daniel Geer, an Internet security specialist, at a February conference. “Yet the more technologic the society becomes, the greater the dynamic range of possible failures.”

Amid the rush to take advantage of new efficiencies, the nation’s critical infrastructure – whose control systems, like those of the power grid, are often “insecure by design” – is frequently being connected to Internet-tied corporate networks that are hackable, cyber-security experts say.

“This is typically where regulation is to step in ... where a business's economic interest conflicts with the interest of the general good,” writes Dale Peterson, CEO of Digital Bond, a cyber-security company in Sunrise, Fla., in an e-mail interview.

That tension is a natural product of “business logic,” according to Ralph Langer, the man who first identified Stuxnet as a cyber-weapon targeting Iran’s nuclear program.

“A fundamental reason for this failure is the reliance on the concept of risk management, which frames the whole problem in business logic,” he and a co-author wrote in a study last year. “Business logic ultimately gives the private sector every reason to argue the always hypothetical risk away, rather than solving the factual problem of insanely vulnerable cyber systems that control the nation’s most critical installations.”

When systems are based on a handful of software and hardware architectures, Dr. Geer said, the vulnerabilities only grow.

“When you live in a technologic society where everybody and everything is optimized in some way akin to just-in-time delivery,” he said in February, “the dynamic range of failures is incomprehensibly larger and largely incomprehensible.”

Share this story:
Make a Difference
Inspired? Here are some ways to make a difference on this issue.
Follow Stories Like This
Get the Monitor stories you care about delivered to your inbox.

We want to hear, did we miss an angle we should have covered? Should we come back to this topic? Or just give us a rating for this story. We want to hear from you.