My thoughts on WEF's Global Risk Report 2014

(I’m limiting this short review to the two main subjects that I feel I know enough about to comment on. On the rest I’m a dabbler, and I don’t get paid to have serious opinions on them. And the last thing the world needs is yet another armchair general know-it-all.)

First, before you read the rest of the Global Risks Report 2014 (GRR14) you really need to keep the following paragraph in mind, mostly because the majority of outlets will blindly quote the GRR without also providing this disclaimer. Yes, Virginia, risk managers are not clairvoyants.

"the statements in this report may provide current expectations of future events based on certain assumptions and may include statements that do not directly relate to a historical or current fact. These statements involve known and unknown risks, uncertainties and other factors which are not exhaustive… Readers are cautioned not to place undue reliance on these statements."

Thankfully cyber risks don’t make it into the top 10 most concerning risks for 2014. A welcome respite from all the other hand-wringing and alarmism around cyber. But cyber does show up as one of the three major interdependent/interrelated clusters of risks for the coming decade. Under “Digital disintegration” future cyber risks are given a bit of the FUD treatment, based mostly on two factors:

  1. superficial understanding of both the attack and the defence side in cyber; and
  2. the alarmist and often ignorant articles and interviews given by many self-described “experts” in the field.

Unfortunately that tinted the GRR14’s view, leading it to state:

So far, cyberspace has proved resilient to attacks, but the underlying dynamic of the online world has always been that it is easier to attack than defend. The world may be only one disruptive technology away from attackers gaining a runaway advantage, meaning the Internet would cease to be a trusted medium for communication or commerce. Fresh thinking at all levels on how to preserve, protect and govern the common good of a trusted cyberspace must be developed. [Emphasis mine]

In actuality, the attackers on the internet fulfil the role of a parasite. They are on the internet because the host (the global electronic ecosystem) is well, strong, and healthy. It is in the parasites’ best interest not to kill the host, for the very reasons that the GRR14 states, namely the cessation of use of the Internet as a trusted medium for commerce. Attackers do not, as a rule, create their own disruptive technology, but time and again reappropriate, subvert, or plainly pervert existing processes and technologies to suit their purpose.

On page 18, under Figure 1.2 showing the disparity in risk perception between the genders (which is great), the following paragraph caught my attention:

Responses to the survey can be disaggregated by gender, as shown in Figure 1.2. An extensive body of literature exists on the link between gender and risk perceptions, suggesting women are typically more sensitive to risk than men.

That paragraph cites Men, women and risk aversion: Experimental evidence by CC Eckel and PJ Grossman - Handbook of experimental economics results, 2008 - Elsevier. However, that paper’s conclusion is that:

The findings from field studies conclude that women are more risk averse than men. The findings of laboratory experiments are, however, somewhat less conclusive. While the preponderance of laboratory evidence is consistent with field evidence, there is enough counter-evidence to warrant caution. For example, both field and lab studies typically fail to control for knowledge, wealth, marital status and other demographic factors that might bias measures of male/female differences in risky choices.

That last sentence is the clincher. For the purposes of GRR14, people that are considered experts in their field are polled for their risk perception. And this is one area where at least one field study showed what GRR14 is hinting at (but it should cite that study instead: Ambiguity and gender differences in financial decision making: an experimental examination of competence and confidence effects by M Gysler, JB Kruse, R Schubert, R Schubert… - 2002):

Women are shown to be significantly more risk-averse, with their risk aversion decreasing with competence, overconfidence, and knowledge: women’s risk-aversion diminishes as their expertise increases. The interactions have just the opposite effect for men, with risk aversion increasing in expertise and confidence.

Section 2.4, Digital Disintegration, starts somewhat strongly with the following:

First, the growth of the “Internet of Things” means that ever more devices are being connected online, touching many more parts of life and widening both the potential entry points for and impacts of disruption.

Unfortunately, I can’t completely agree with the above, for the following simple reasons:

  1. It is questionable that the number of deployed devices will increase the contact surface. The majority of home devices will be behind a Network Address Translation (NAT) device, which hides the device from being discovered - unless the device actively transmits data;
  2. Even if there is an increase in the contact surface, that still requires further activity in order for risk to eventuate:
     - the attackers must be willing and able to act against the asset; and
     - the asset’s controls must be weaker than the attacker’s force.
  3. Yes, I know of NAT-walking, firewall-walking, etc. Those are great examples for generalities, but not something we’re going to see every day, because there’s insufficient motivation and insufficient gain for the attackers;
  4. The code base for all those Internet of Things devices is going to fragment further, making wide area attacks unlikely - something that is likely to be balanced by the sheer volume of devices.

Whilst 2.4 rightfully calls for global governance over the Internet, we all know that political realities will prevent any such thing now and in the near future.

No attacks or even failures have been both widespread and persistent. This is due to robust standards and networks, high levels of investment and the ability of the technical community to flock to and overwhelm disruptions (such as undersea cable outages).

I absolutely agree on the willingness to make things work, but not on the robustness of the standards or their implementation. The standards are not robust: they are flexible. The end result is generally the same in normal times: things just work. Where the flexibility shines through is in the times when things don’t work as planned. When a number of successive events start to pull in three different directions all at the same time, robustness fails. The internet is resilient because it is not robust.

Next we come to the oft-quoted but rarely understood and even more rarely questioned truism of information security, namely that

an attacker needs only to find a single way through defences at a single point in time, while the defender must defend all vulnerable points forever – increasingly threatens to undermine that resilience.

Unfortunately for the attacker, finding that “single way through defences at a single point in time” isn’t as much of a cakewalk as most would have you believe. Secure coding standards have improved dramatically over the last decade. The defenders’ toolkit has improved and expanded. The OS is mostly secured and trusted, and the battle has moved to the periphery: the web interface to server-side data.

Web applications are still considered a poor second cousin to “normal applications” and thus get far less attention than necessary. Partly this is due to historical trends: far more web app developers are people that moved up the development stack from writing HTML code for pages than there are developers that have previously done “normal application” development.

This is where the law of large numbers comes in: there are many, many web applications, written by more or less skilled and trained developers, all accessible via the internet. But the law of large numbers works both ways: because there are many web applications, a number of them are susceptible to attacks, yet no two web applications will have a vulnerability that can be exploited in exactly the same way. That increases the workload for the attacker and reduces the likelihood of a truly devastating attack. That’s not to say that a single attack on a single site can’t be “devastating” to the victims. It’s just that the magnitude is nowhere near sufficient to be considered a global risk.

To underline the narrative of the threat to the internet as a systemic risk, GRR14 references a Boston Consulting Group paper and states:

A threat to the Internet increasingly means a threat to everything. Every part of the world’s societies and economies uses the same underlying infrastructure, the same hardware, software and standards with billions of devices connected to the Internet, from simple e-book readers to electrical distribution networks.

The problem with that is that the referenced paper lacks the depth to support that claim. The paper is all about the strength, or otherwise, of ecommerce around the world and the penetration rates that the internet has had in local commercial and retail businesses. In other words, the claim is the technology equivalent of saying that a group of people with a single similar trait “are all the same”.

It only gets worse from there:

In the past, cyber attacks typically had only a limited effect because they broke only ones and zeroes or things made of silicon. Organizations under attack might have a bad week, but after that they generally could execute business continuity plans, rebuild computers and use data from securely backed-up vaults. However, projects such as the Smart Grid – online connection of electrical power generation and transmission – are increasing the possibility of cyber attacks breaking things made of concrete and steel.

I don’t even know where to begin, so I’ll just say that Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition Systems (SCADA) have been around for 60+ years. They are computers to all intents and purposes and, improperly configured, can well and truly harm things made of steel and concrete, or flesh and bones. Even saying that the internet made ICS and SCADA systems far more reachable than they used to be in the past is a bit of a stretch for anyone that remembers that these systems often had a modem attached since the 80s for remote management wherever possible. There is a history of SCADA (that unfortunately doesn’t go into the 80s yet) for those interested in such things. Or, if you want more recent work, there’s a good page on SCADA systems, security and connectivity. In short: this is a risk we’ve lived with for the past 6 decades, and if anything the overall SCADA security is improving.

OK, it gets better:

But there are other risks in cyberspace that could have systemic impacts. For example, a large cloud provider could suffer an Enron- or Lehman-style failure virtually overnight.

Agreed, there’s a possibility that a large cloud provider or other internet infrastructure provider could go the way of Enron. As a matter of fact, a few of them did - and it wasn’t overnight. Remember the WorldCom collapse? The Global Crossing implosion? They were both significant in their time (and still are), but the main lesson learnt from those bankruptcies is that the world kept on turning. At the time of its collapse WorldCom was the biggest Tier 1 network service provider in the world, with estimates of between 40% and 70% of internet traffic using its infrastructure. Moral of the story: things, including large telecom providers, do not just disappear. Their wares, even if they are just 1s and 0s in a virtual environment, are still more tangible than the products that caused the GFC in 2008.

It also highlights some of the risks that we love to ignore, fingers-in-ears, “la la la la la can’t hear you” style:

A solar super-storm could cause substantial outages of national grids, satellites, avionics or signals from global navigation satellite systems (GNSS). The growing mass of “space junk” in orbit around the earth also poses a threat to GNSS.
A surprising number of critical systems rely on GNSS, including emergency 911 calls, ATMs and other financial infrastructure, and both wired and wireless communications networks.

Yes, there are workarounds and the risk posed by unavailability of GNSS (GPS) would not be devastating in the long run. It would just be a collection of small events all piled up. ;-) And yes, the reliance on satellites is far greater than we imagine. Or want to imagine.

And then we come to the part that made the most sense to me, and also the part that I believe needs to be discussed more and openly: the trust issue.

For national security organizations, the dynamic of attackers having the advantage over defenders brings advantages of being able to spy anonymously on their adversaries. However, by the same logic, nations are also vulnerable to the use of such tactics by others.
An increasing erosion – or even eventual breakdown – of international trust seems a natural consequence. A lack of trust and confidence helped to accelerate the financial crisis (such as when nations limited the amount of help their banks could give to subsidiaries in other nations) and could prove similarly disastrous when dealing with international cyber shocks.

There are already signs that revelations about the role of national security organizations have exacerbated risks of fragmentation of the Internet, which could lead to an overall erosion of the factors that led cyberspace to be so transformational in the first place.

I, ever a believer in human resilience, believe that, whilst the fragmentation of cyberspace is possible, it will not impact the social side as much as it will the commercial one. And that realisation will sooner or later hit even the most jingoistic of polities out there. It is easier to deny people a public good if they’ve never tasted it. It is much harder to take it away once they’ve developed a taste for it:

The main casualty of US spying allegations may not be US relations with Germany or Brazil, but people’s trust in their government’s integrity on online privacy.

In short, the World Economic Forum’s Global Risk Report 2014 is recommended, as always. It is a good overview of the global risks - even though I pulled apart the sections I’m familiar with, I will wholeheartedly recommend it to my peers. Yes, it’s not perfect, but it does the one thing it sets out to do: highlight the risk perceptions of professionals across the world. It will help me better communicate on the points where, in my view, the GRR (and by extension a number of others) hold positions that are not exactly correct.