To the Moon and back: Toward a secure cyberspace age
Kristof Terryn, Group Chief Operating Officer
May 14, 2019
Succeeding in cybersecurity requires the same ingredients as succeeding in outer space: public-private collaboration and a focus on protection and security.
Almost exactly 50 years ago, Neil Armstrong became the first human to set foot on the Moon. This symbolizes the remarkable achievement that is space travel – unimaginable only years before and surpassed by few endeavors since. It is also testament to what is possible through public-private collaboration.

During the 1960s, roughly 90 percent of NASA's overall budget went to purchase goods and services from the private sector. Businesses literally powered man to the Moon – North American Aviation built Apollo 11’s Saturn V rocket. Protection against the many complex risks of space travel was just as vital. Goodyear Aerospace regulated engine temperatures operating at almost 6,000 degrees Fahrenheit. Meanwhile, ILC Dover created spacesuits which protected against the Moon’s extreme temperature variations. Without such protections, space travel would never have been viable.
Half a century on from Apollo 11, technology developed for the program is used in products ranging from kidney dialysis machines to water purification. Even our smart devices owe their roots to the Apollo program.
Today, smart technology places us at the edge of a new cyberspace age. The combination of connectivity, mobility and data presents almost boundless opportunities. The aim is the same – to advance humanity. And success will require the same ingredients: public-private collaboration and a focus on security and protection against the risks.
The task is formidable: data breaches continue to rise in both frequency and cost. Meanwhile, the World Economic Forum’s Regional Risks for Doing Business 2018 report showed cyberattacks as the number one concern for businesses in Europe, East Asia and the Pacific, and North America. And cyberattacks are increasingly migrating from traditional data loss and service interruption to material or even bodily impact.
Neither the public nor private sectors can solve the challenges alone. We need to increase momentum on collaborations, resist silo thinking and recognize that geopolitical tension is a hindrance to the crucial work needed. Organizations such as the World Economic Forum play an important role in bringing stakeholders together and coordinating activities. An example is the World Economic Forum’s Centre for Cybersecurity. This brings together experts and thought leaders to further address systemic cyber risks and create tools to better understand them.
At a high level, the key aims for collaboration are three-fold. First, we must build a general culture of resilience, rather than protecting against individual cyberthreats. In the 2018 PwC Global Economic Crime survey, less than half of organizations had conducted a cybercrime risk assessment and only 30% had a cyber-response plan. Meanwhile, many lack a thorough understanding of what their critical data assets are, where they reside, and whom they support. Investment is needed to truly understand what information is needed to sustain critical business operations and protect data.
Public and private sectors must therefore work to increase organizational preparedness. Risk transfer is only one part of the tapestry for cyber insurers, and Zurich Insurance has invested in a new, state-of-the-art Cyber Fusion Center to establish collaboration between highly skilled cyberthreat intelligence, response, forensics, and vulnerability management teams. We are also working with several security service providers, such as Zeneth Technology Partners (ZenOpz), to help customers identify cybersecurity vulnerabilities in their systems before an attack takes place.
For their part, policymakers should look to improve “cyber education” in the private sector, particularly amongst SMEs. The U.S. Department of Homeland Security’s recently announced plans to set up a National Risk Management Center are particularly welcome in this vein. The Center will initially work with financial firms, energy companies and telecom providers to help identify industry security weaknesses, develop response plans and run cyber drills.
Achieving resilience also means monitoring and improving incident response on a global level, particularly to systemic cyber events. This will require increasing cooperation on global governance. Policymakers must seek to identify those global governance institutions that are fit for purpose, strengthen and clarify their roles, and isolate them from geopolitical tension. Global cyber governance could also be improved via the use of networks to allow national cyber governance entities to interact, creating trust, increasing coordination, and facilitating joint responses. This approach would mirror the informal coordination among central bank governors, which proved successful during the financial crisis. One further idea could be to establish either a Cyber WHO or G20 structure, which would coordinate preparedness, resilience and response to a systemic cyberattack or failure.
The second area for collaboration is facilitating conditions that allow the insurance sector to play its traditional risk management role. As with any exposure, in order to effectively underwrite cyber risk – and assess frequency and severity – insurers must have access to credible and consistent data. This includes incident reporting, impact assessments, forms of attack and threat analysis. The public sector can bolster information sharing by protecting victims of cyberattacks from liability concerns. Establishing common attribution protocols will also aid underwriting. This is under discussion within the insurance industry and among businesses across the globe that are facing major cyber-related risks. Clarity will support the growth of the cyber insurance market and ensure that customers have the correct coverage in place.
But even with these efforts, not all large-scale events may be insurable. Such is the systemic and complex nature of cyberattacks – with often uncertain levels of total or “accumulation” risk – that some government capital support may be needed. Cyber warfare such as a state-sponsored attack on a national electricity grid may fall beyond the appetite of the market. The third and final action for collaboration is therefore to consider the feasibility of government-backed reinsurance schemes, similar to those addressing natural catastrophes and terrorism. These discussions must find the right balance between a sustainable cyber insurance industry and the natural demand for mitigating these risks for consumers and the economy.
Today’s cyberspace age may not have a Moon landing, but its potential benefit for society in the next 50 years could be even greater. Success is within our grasp, but the stakes are higher and the risks more complex. A collaborative focus is once again required. It is time to come together in this next giant leap for mankind.