Why Is Cybersecurity So Hard—and Getting Harder? What Can Be Done?

September 18, 2019


In the last few years, major cyber events affecting millions of people across the globe have made international headlines. Private and public institutions now view cyber as a top risk-agenda item, one that adds significant uncertainty to national economies and corporate business models. For individuals, the proliferation of passwords, security-patch updates, and interdependency between devices make hacks of personal data more and more likely.

Various institutions are committing substantial resources to develop effective solutions. Governments aim to disrupt antagonists and other state actors, corporations are enhancing cybersecurity measures, academia and associations are advancing dialogue and collaboration, and technology firms are building sophisticated cybersecurity services. However, these efforts are falling short of what is required. Whether you are a small, local business, a global conglomerate with extended supply chains, an individual with a mobile phone, or a government department responsible for national security, your level of exposure and responsibility to prepare for cyber threats are both increasing rapidly. Antagonists will continue to remain ahead of security solutions unless more sophisticated solutions are developed and implemented.

In preparing this document, we have considered a range of critical cyber challenges. The list is not exhaustive, nor necessarily unfamiliar to many involved in cybersecurity. However, our aim is to highlight those challenges for which a change in approach is most urgently needed. One of the pervading issues throughout is the interface between humans and technology. As technological sophistication increases, the human ability to understand and engage does not keep pace, resulting in a range of unintended consequences and vulnerabilities.

Furthermore, there is no comprehensive global understanding of the complex and interlinked cyber challenges. By contrast, our understanding of credit risk has developed over centuries, enabling us to establish global systems, structures, and rules that work collectively to manage (if not eradicate) risk. But we lag far behind in understanding cyber risks. To act effectively, we need to rapidly advance our understanding of cyber risks.

Lastly, we invite readers to validate or challenge our views and engage with us in driving change. Our research shows that no one entity has the authority or perspective to cover the full depth and breadth of cyber issues. Our belief is that substantial change will only occur with more dialogue and collaboration that treats cybersecurity as a common problem that affects all institutions and organizations, as well as individuals.

What Is the Impact From Cyberattacks and Cybercrime Today?

The Centre for Strategic and International Studies (CSIS) estimates cybercrime to be the most frequent illegal activity in the world. The 2018 Norton LifeLock Cyber Safety Insights Report estimates that 1.2 billion consumers in 16 countries have been the victim of a cybercrime, including 867.2 million in 2018 alone.

All private businesses, public institutions, and citizens are potential victims. Issues can range from minor malware annoyances on a laptop to organized fraud and disruption of public services, such as the blackouts caused by the 2015 cyberattack on the Ukrainian power grid. Cybercrime represents a new realm of crime that also facilitates other types of traditional criminal activity, such as trade in illicit goods.

The total direct financial cost of cyberattacks in 2017 was estimated at almost $600 billion, or 0.8 percent of global GDP, and it is expected to grow substantially over the next five years. Dedicating time and funding to cybersecurity represents a major opportunity cost. Gartner estimates that global spending on cybersecurity will grow to $124 billion in 2019.

The actual targets of cyberattacks may not suffer the most damage—uncontrolled collateral damage is often a more serious consequence. Companies may spend billions to recover from data breaches, but the impact on customers whose personal information was exposed may well be higher. It is estimated that 25 percent of all people under 18 in the US will eventually be a victim of identity fraud—and other parts of the world may experience the same fate.

Cybercrime systemically undermines trust between victims and those responsible for protection—citizens and governments, consumers and corporations. This is true even if an attack is unsuccessful.

What Is the Outlook for Cyberattacks and Cybercrime?

The future of cyber risk is harder to predict than the future of technology. Indeed, past cyberattacks are a poor predictor of future attacks. The past decade gives some indication of what to expect in the near future. Beyond this, only broad projections should be inferred.

There is certainly no reason for complacency. Attacks by state actors are growing in boldness and impact. In 2018, the US publicly warned about efforts by Russian government “cyber actors” to target small suppliers of electric-grid operators. Moving along the supply chain, these suppliers were used as stepping stones to breach IT systems of utilities and grid operators, causing large-scale blackouts. References to a new cold war have been circulating for some time; cyber intrusion appears to be a key tool of espionage and disruption for all major countries. As cyberattack tools increase in sophistication, attackers can target new vectors with different strategies. For example, the first cyberattack using AI technology took place in India in 2017, opening a new frontier in cybercrime.

The rate of technological progress exponentially enlarges the potential attack surface. With more sensors, computers, and mobile phones connecting more people and devices, the number of entry points for attackers is growing proportionally. There is no way to protect all these entry points from an attack. The result is a growing cyber threat that is potentially accelerating at a rate too fast to defend against. 

What Is Driving the Growth of Cyber Threats?

Pinpointing the opportunity for cyberattacks and the motivation of cyberattackers exposes the underlying drivers of cyber threats and attacks.

Drivers that increase the opportunity for bad actors to gain from cyberattacks include:

  • Digitization. Our lives are becoming more digitized; technology is embedded in everything we do. We increasingly want and expect “digital machines” (such as robot pharmacists, chatbots, geolocation tools, and diary organizers) to perform daily tasks. More transactions, such as bank accounts and retail purchases, are now digital and therefore on the radar of attackers.
  • Interconnectivity. The level of connectivity between products, devices, businesses, and individuals is rapidly increasing. Each connection provides attackers with another entry point. And the interdependency of devices—“digital seamlessness”—means that the point of intrusion is not necessarily the ultimate target.
  • Pace of innovation. Companies are innovating faster in an effort to transform the customer experience and improve efficiency. The growth in digital products and data innovation has been substantially driven by strong consumer demand.
  • Technological complexity. Any IT system offers an “attack surface” that an attacker can exploit. Cloud-based technologies and API-based architecture continue to enlarge this attack surface. At the same time, legacy systems are far too layered and complex to easily secure against cyberattacks.
  • Data sharing. The growing volume, variety, and velocity of data increases vulnerability by both widening the attack surface and presenting more opportunities to extract value. Allowing control of digital “property” by third parties, sometimes without knowledge or consent, puts individuals and organizations at a higher risk of a hack.
  • Attack sophistication and capability. Actors are increasingly organized and use more sophisticated techniques, providing a greater opportunity to circumvent cybersecurity systems and solutions. Attackers represent a growing industry that is in the process of professionalization, with state-backed actors entering as well. While also providing solutions, emerging technologies give antagonists new methods to attack and infiltrate systems.

Drivers that affect the motivation for bad actors to commit an attack include:

  • Financial reward. As financial services have migrated online, the opportunities for theft and fraud have grown. In 2017, $172 billion was stolen from consumers through phishing, ransomware, online fraud, and other intrusive tactics. Bad actors can sell this stolen data to other criminals through the Dark Web.
  • Political influence. Minor hacktivists and nation states have manipulated election systems and political narratives, either to promote certain politicians or just to disrupt society. Terrorist cells also spread messages that drive radicalization.
  • Cloaking criminal activity. Cybercrime can be used to cloak other criminal activities. Temporarily disabling security and surveillance systems enables attackers to use entry points without being detected; the ability to operate anonymously allows for illicit trading and data theft.
  • Obscurity. Holding cybercriminals to account is far more challenging for law enforcement than it is for more established criminal activities. Individuals behind cyberattacks often remain unknown and largely immune from arrests or penalties.