To mitigate the risk of future cyberattacks, governments and corporations need to maintain up-to-date technology and improve information sharing of technical vulnerabilities.
Over the four thousand years since cryptography originated in ancient Egypt, encryption techniques and information thieves have both become much more advanced. These information thieves have pulled off two major heists this year. In both attacks – WannaCry in May and Petya in June – the victims included several major multinational companies. These hacks can cause expensive operational difficulties. According to an estimate by Lloyd’s of London, the global cost of a major cyber attack could top $120 billion; more than the cost incurred by Hurricane Katrina.
Costs of attacks
So far, only two companies – Mondelez and Reckitt Benckiser – have attempted to quantify the impact from June’s Petya attack. Both firms have cautioned that the hack is likely to depress sales as it hampered distribution and invoicing. If a cyber attack succeeds in curtailing several companies’ profits, this could have negative spillovers for the wider economy, as companies which are less profitable are more likely to lay-off workers, experience share-price declines, and not pay out dividends. All of these factors could erode consumers’ incomes, leading them to cut back on spending. There is also the potential for a domino effect – a loss-making firm could cut back on orders from its suppliers; these firms will also come into the firing line.
In addition to direct financial damage, businesses and governments also have to spend money and resources to identify what know-how and data have been compromised by hackers. These funds could otherwise be put to other productive uses, such as developing new technology.
The victims of cyber attacks also risk having their reputations tarnished. This can have financial repercussions: a business that is perceived to be an easy target for cyber attacks may find it to hard to raise debt to expand its business or secure a good deal in M&A transactions. For instance, cyber attacks against Yahoo led Verizon to lower its takeover offer for the internet firm.
Risks to banks
When the victim is a financial services firm, the economic consequences can be even more serious. A large-scale cyber attack on a bank may result in its solvency being questioned; this could have negative spillovers on other lenders which have links to the firm which was hit by the attack. The subprime crisis is a glaring example of how a loss of faith in the banking system can hurt economies. The negative spillovers could be particularly serious when the victim is a central bank – these institutions are the lenders of last resort – those who can keep the financial system’s wheels moving when ordinary lending and saving routes get clogged up. Last year, hackers siphoned off $81 million from the central bank of Bangladesh. This June, one of Petya’s victims included Ukraine’s central bank.
Even before this year’s ransomware attacks, policymakers were already taking steps to ensure that banks had the firepower necessary to cope with cyber attacks. In 2015, the Bank of England started testing whether major banks had adequate safeguards to fend off hacks. The European Banking Authority has similar plans and is also keen for banks to shore up capital so they are less likely to be hurt by cyber attacks. A European Union (EU) regulation which is scheduled to kick in next year is designed to ensure that companies hit by cyber attacks take prompt action to safeguard data. Before the Petya attack in June, the EU announced that it would impose sanctions on hackers.
Mitigating against cyberattacks
When it comes to preventing such attacks, a crucial element involves upgrading technology. One of the reasons WannaCry was so destructive was because a lot of organisations had old versions of Microsoft’s software. Governments can encourage companies to spend to invest in technology and in cyber security. One route is tax incentives – just as debt is tax-deductible, money spent by businesses in preventing cyber attacks could also be made tax-deductible or taxed at a lower rate. A greater focus on cyber security may drive companies to seek out more advanced encryption methods.
However, this may not be well-received by governments. Concerns over terrorism have prompted lawmakers in several developed countries to push companies to allow law enforcement officials to access encrypted communications. While policymakers believe this approach could help prevent terrorism, more information circulating about encryption means that some of these tools for breaking encryption could end up in the hands of hackers, especially as government organisations themselves are not immune to cyber attacks. Likewise, an aggressive push by governments to demand access to encrypted communications may deter companies from developing these technologies and hence make sensitive information even more vulnerable to hacks.
It is also important that governments and corporations develop effective information sharing channels to ensure that software vulnerabilities are addressed before hackers can exploit them. WannaCry originated in part from a lack of information sharing. The National Security Agency (NSA) discovered a flaw in Microsoft Windows and developed software to use this vulnerability this was leaked online to hackers, who then used the flaw to develop the WannaCry virus. The NSA warned Microsoft before the attack but only after the tool was leaked.
Given the amount of economic damage involved, policymakers and companies need to take proactive measures to prevent cyberattacks. Imposing penalties on hackers is one way and so is having up-to-date technology. When it comes to sharing information, the debate about access to encrypted communications is unlikely to be resolved soon but secure communication channels between governments and corporations could certainly be a step forward.