We just passed the ten-year anniversary of the 2008 recession, which rocked economies around the world. The culprit? In large part, the sub-prime mortgage crisis and the bankruptcy of Lehman Brothers.
Since then, analysts and governments have focused on whether financial institutions can withstand the kind of shock that took place in 2008. But they may be missing the point. Will our next crisis—not just financial but related to critical infrastructure—begin in the way crises have arisen in the past? With more and more reliance on the cloud, government and private systems that make our modern world function are more vulnerable than ever, leaving us open to a debilitating cyber-attack that could be our next crisis.
In September of last year, Paul Mee and Til Schuermann, partners at consulting firm Oliver Wymans, argued this point in the Harvard Business Review. They said that the most likely culprit of the next major crisis will be “a cyber-attack that causes disruptions to financial services capabilities, especially payments systems, around the world.”
Others have echoed their concern. In 2018, the World Economic Forum (WEF) carried out its Global Risks Report. One of its most stark findings was that cyber threats may outstrip natural catastrophes in terms of losses. A year earlier, the WEF ranked cyber threats as the biggest risk facing businesses in North America, even more than terrorism, asset bubbles, or financial crises. While we haven’t seen anything as dramatic as Mee, Schuermann and the WEF predict, there are signals that it could happen.
In the last few years, we’ve seen some major breaches. They’ve happened at large, international companies—think Experian, British Airways, and TalkTalk—and have knocked entire operations offline. The risk of these kinds of attacks is only getting more serious, especially as companies, governments, and institutions transfer their operations into the cloud.
While using these cloud services—such as Azure or Amazon Web Services (AWS)—does come with major benefits, it also comes with risk. And the risk doesn’t necessarily need to stem from a cyber-attack. Simple technical problems—or unforeseen natural events like hurricanes—can cause these systems to fail. The best example of this is when AWS servers failed due to an overload of metadata requests from a new DynamoDB feature. This forced popular apps and websites like Reddit, Tinder, Netflix, and IMDB to go offline for roughly seven hours.
A hurricane had the same effect a few years earlier. In 2012, Hurricane Sandy hit the east coast of the United States and took several important servers offline. The result? The Huffington Post, BuzzFeed, and Gawker, among other large websites, failed. In this case, the outcome was simply the failure of websites, but an event like this could easily take much more critical services offline.
As serious as these events were, they happened due to weather or technical reasons. Much more sinister, and potentially devasting, is when an outage happens because of an attack. One good example of this is the attacks on the United Kingdom’s National Health Service in 2017, when ransomware infected hospital computers across England. Another poignant example is the Ukraine power grid hack, thought to be the first successful attack on power infrastructure, and involved hackers compromising the systems of several energy distribution companies and, for some time, disrupting electricity supply to customers.
What these attacks show is that it is possible to compromise the systems that help make our modern world function. Distorting Internet routes, DNS or compromising major cloud providers like Microsoft and AWS could bring down large parts of the Internet, including financial systems and thousands of organizations at the same time.
As we integrate more and more with the cloud, policy needs to change, and more proactive measures need to be taken to protect the basic infrastructure our societies rely on. The global economy is slowing at a disconcerting rate. The next market meltdown may not be related to the US’s crude trade policies or the chaotic Brexit process – they could be – but rather a massive, strategic cyber-attack bringing down a major cloud provider and thousands of businesses with it.