Given your research, what would you say is the most under-appreciated risk?
In terms of under-appreciated risks, I would say that thanks to SARS and bird flu, public health risks are better appreciated now. But then if I come from that world to the information society, as I did about two years ago, I would say the risk is the lack of any sense of awareness of cybersecurity of similar proportions.
A key under-appreciated risk is a global cyber pandemic – whether by accident, terrorist or state attack – undermining the global Internet systems on which we depend. And that might or might not be an attack on the Internet as such, or it might come through a challenge to some other sort of networked system such as global air traffic control or global energy infrastructure.
How would you frame this risk as a hypothetical scenario, specifically what if this global cyber pandemic were to happen?
I think what we are talking about is, for example, a Stuxnet scenario where a targeted disease is developed, which could proliferate in ways not intended. Rather like the proliferation of human disease, it could spread from concentration point to concentration point. Some places might (as with pandemics) be reached later. And other places like London, Tokyo or Seoul could be reached sooner. This could either be the viral spread of a problem or simultaneous attacks or a localized epidemic – it depends how exactly it would infect networked systems.
In your analysis, how might this scenario unfold?
The more concentration points break down, the worse it would be. But in any given place – and this is the part that I think is underestimated – it would be an attack on the way modern society functions, with underestimated consequences, so definitely this is not just about the Internet and not just a problem for Internet engineers. In the same way that a pandemic spreads, this is the sort of challenge you face, with a severe breakdown in electronic communications of three or four days.
When we look at these risks in pandemic scenarios, the whole supply chain starts to suffer according to this sort of period. When a smart grid goes down, the consequences are seen very quickly – within 24 hours. And the same is true in supermarkets – if the refrigeration systems break down, the food starts to go off very quickly.
Who would feel the impact the most, and how?
In answering the who and how – the who is that it would affect everybody through networked systems. And how – through transport, communications, logistics to begin with, then power and water systems next.
How well do you think we are prepared for such a contingency?
In terms of the risk of a cyber pandemic in integrated information systems, no one outside the IT domain has thought about this in enough detail.
And so what is your top mitigation approach for this risk?
The first approach, which we have begun to deploy rather slowly, is cross-sectoral partnerships, involving industry across many different sectors, governments and civil society working together to improve awareness horizontally.
And the other approach is for government to mandate more appropriate security. And that is not simply saying that a government’s or the European Union’s firewalls are inadequate, but really thinking about how we can institute and improve security. This is not just looking at the security of households or companies individually, but raising standards across the board.
And presumably joined-up government would be part of that, because mitigation for this type of risk would cut across different ministries?
Absolutely, joined-up government is definitely part of it. And that was very much the challenge I experienced when I was working in health in the (European Commission) Health Ministry – when you spot this sort of thing and say to your colleagues we have to do something, your colleagues say no, do not worry, everyone. And I would say that the security world, the NATO worlds and civil society are starting to think about these things, but in parallel, not together.
On the flip side to risk, what opportunities do you see?
The very clear opportunity would be that people start worrying enough about this risk to realize joined-up government at the global level. Then we would have a better chance of keeping the Internet road open for business, which is obviously vital for us all and vital for the growth of the digital economy.
This was apparent at the G8 in Deauville last summer, where it was clear that cybersecurity is too big for any single nation to fix alone. We need to do more to join up efforts. This is vital for the Internet economy, which is borderless and global.
Are we talking about revising the Budapest Convention (on cybercrime), because that is obviously quite outdated now?
Well, that was the landmark G8 moment, where we saw Russia and the US saying publicly that we do need to work together on this. And we had China saying for the first time let’s talk about this. Although I think we are not necessarily at the stage yet of saying we need a new convention. We need the connections rather than the rules at this stage.
The main problem is in our way of seeing the world. Everybody continues to see borders rather than one world. But in the online world that is the Internet – how do we join up? You see it in legal approaches to data protection, cybercrime, cybersecurity standards and intellectual property. And the missing piece is the overarching principle that reconciles territorial jurisdiction with the efficiencies that only the Internet can bring.
If you go into jurisdiction, you run into the same problem again and again. This means you have to deal with it piece by piece, section by section. On copyright, the Internet should never subvert copyright law. And then there is the pressing problem of data protection. So you have to raise it to a more strategic level. The question is not do we want the Internet or not – we need a Bretton Woods settlement for Internet economics, but one which does not do away with national discretion.
Would you say it is a question of how can we best protect our national interests online?
We need to have national discretion and its relationship with Internet governance much more explicitly framed, subject to the usual exceptions in public health and order. National jurisdiction could override global Internet governance, unless we have an appeals-based system. And some people would say that this has already been dealt with in the World Trade Organization and elsewhere, but I am not quite sure that is right.
Pictured: Delegates surf the Internet at the Asian Development Bank’s annual meeting in Manila (Reuters)
Robert Madelin is Director-General for Information Society and Media, European Commission, Brussels and a Member of the World Economic Forum Global Agenda Council on Media, Entertainment & Information