CyRiM’s (Cyber Risk Management Project) chilling report, Global infection by contagious malware, describes a scenario in which a well-resourced, motivated and malicious cyber team creates a self-replicating worm that encrypts all devices it reaches and wipes their backups.
I recently commented on what impact ransomware threats like the Bashe attack could have on cyber insurance.
Applying relatively conservative assumptions about infection rates, and reflecting the real-world experience of WannaCry and NotPetya, the report concludes that more than 600,000 devices could be compromised in very little time, causing global disruption, damages and clean-up costs in excess of $193 billion (about £150 billion). And that doesn’t include regulatory action for data breaches!
Most organisations, even if not directly affected, will find it difficult to ride the waves of digital disruption that accompany such an attack. The global insurance industry is not capable of handling the costs – which means they will be borne mainly by those organisations that decided they could leave cyber security until next year.
The scenarios are plausible. The assumptions are reasonable. All we’re missing is an appropriately resourced and committed attack team. Or are we?
No. The serious organised crime sector has entrepreneurial flair. Rogue nations – and not so rogue ones – have the capability, the firepower and the motivation – particularly if they can find a way of firewalling themselves off from the rest of the Internet.