Edward Roozenburg: € 690 million for cyber security? A bargain!



This column was originally written in Dutch. This is an English translation.

By Edward Roozenburg, Senior Risk Management Consultant, Probability & Partners

In a letter to informateur Rianne Letschert, the Cyber Security Council (CSR) warns that without additional measures, the risk of digital disruption due to cyber attacks is real. The new cabinet is therefore advised to invest €690 million in digital resilience, digital autonomy and protection against AI risks in the coming period.

The CSR advises the government and emphasises that the Netherlands is investing too little in digital resilience, while threats are increasing due to geopolitical tensions and the breakthrough of AI. Without €690 million in additional investment, the continuity of government, the economy and society will come under pressure.

The CSR identifies four policy priorities: 1) strengthening vital infrastructure and government, 2) increasing digital autonomy, 3) preparing for AI-driven threats, and 4) better protecting citizens against cybercrime.

690 million is no small amount. But what will it cost if we do nothing? An example: the Netherlands depends on a limited number of submarine cables in the North Sea for its international data traffic. These cables are vital for the internet. Suppose a hostile state succeeds in sabotaging such a cable. Then the internet would be unusable for a large part of the Netherlands and business operations would come to a standstill.

I have not been able to find a reliable estimate of the economic damage caused by the known cable incidents in recent years. However, estimates can be found of the economic and social costs of well-known cybercrime incidents such as WannaCry and NotPetya. These incidents also involved large-scale failures of technical facilities, bringing the business operations of many organisations worldwide to a standstill. Although each incident is different, we can still learn important lessons from these two incidents in 2017.

In the WannaCry attack, a vulnerability in an old version of Microsoft Windows was exploited to install ransomware on the systems of hundreds of organisations worldwide, rendering those systems unusable. Cyence estimates the worldwide damage at 4 billion US dollars; for the NHS in the United Kingdom alone, the estimate from the same source is 92 million British pounds. Hundreds of organisations were affected by this attack.

The NotPetya attack was a similar attack, but one used to destroy systems and data rather than to collect ransom. This attack has been attributed to Russia and shows that geopolitical tensions can also lead to cyber incidents. According to Cyber Ranges, NotPetya caused more than 10 billion US dollars in damage worldwide. For Maersk, the damage was estimated at 200 to 300 million dollars.

Although I have come across various estimates based on different assumptions, it is clear that the scale of such incidents quickly runs into the billions. For organisations where the costs have been mapped out at organisational level (generally the larger organisations, of course), estimates run to amounts of around 100 million or more.

Suppose there is indeed an incident involving a sabotaged internet cable in the North Sea, causing ten large companies to halt their operations, with an average loss of 100 million per company. That would already amount to a loss of one billion. If we can prevent one incident per year with this €690 million, it is not a large amount. The CSR advice to invest a little extra in digital resilience seems to me to be advice with a positive pay-off: financially and also for peace of mind.