Newspaper headlines inundate us with stories about massive data breaches, disruptive cyberattacks, and espionage against government agencies and companies. With risks mounting, a new Atlantic Council report, Overcome by Cyber Risks? Economic Benefits and Costs of Alternate Cyber Futures, published in collaboration with Zurich Insurance Group and University of Denver’s Pardee Center for International Futures, uses economic modeling tools to understand how cyber costs and benefits might affect global GDP and to envision a set of different cyber futures that could unfold within the next fifteen years.
At the report’s official Washington, DC launch event, hosted at the Atlantic Council on October 15, 2015, a panel of prominent cybersecurity experts and business leaders discussed what we can learn from the report’s findings and how we can develop new strategies and policy measures to steer us towards the most rewarding cyber futures. The discussion was moderated by Tal Kopan, cybersecurity reporter for CNN Politics.
Here are a few things we learned:
1. Cyber risk encompasses not just direct losses, but also opportunity cost.
Companies will continue to lose money, and their Chief Executive Officers’ (CEO) tenures will be cut short by data breaches and hacks. But an added loss from cyber risk may be the delay it imposes on deploying innovative technologies, said McKinsey’s Tucker Bailey.
“One of the more pernicious risks is not the direct spend or the direct risk, but the uncertainty,” said Mr. Bailey. “Companies are not investing in technologies, new ways to reach customers, new ways to deliver products and services, because of security concerns.”
2. Resolving cyber risk will require not just a whole of government approach, but will need to include private entities as well.
The traditional national security view of cyberspace treats civilians as either in the way or victims, leaving them no role to play in helping secure cyberspace. This contributed to the report’s push for a non-state centric approach to cybersecurity. “Winning in cyberspace is not about seizing more digital hilltops,” said the Atlantic Council’s Jay Healey, “the national security view fails to see its transformative aspect for our economy.”
Discussing the role the government and policy can play in this space, Ari Schwartz commented on the need for a whole of government approach. “A lot of focus has been on spending a lot of money on a few agencies, rather than improving the systems across the entire government,” said the former White House Cyber Policy Director.
3. Information sharing only helps at the margins.
Mr. Healey commented that the ultimate goal is to reach a point where each dollar spent on defense buys more than a dollar of offense. By this measure, information sharing does not scale well.
Security professionals are already inundated with information, said Mr. Bailey. The real challenge is knowing how to act on information and determine what the threat to the business is.
Zurich’s John Soughan further commented that where information comes from is less important than what it is for determining exposure base and damages. “Data can shape and inform this over time,” said Mr. Soughan, “and it is what insurance companies will need to build a free market model for transferring risk.”
This event was part of the Atlantic Council project with Zurich Insurance Group and the University of Denver’s Pardee Center for International Futures focusing on assessing the balance between emerging risks and global economic growth. In 2015, using quantitative and qualitative frameworks, the group assessed the impact of accumulated downside cyber risks on upside opportunities for economic growth. In 2016, the team will evaluate the impacts of geopolitical and demographic risks.