After leading the Foresight team for more than 5 years, Cécile Wendling is now Head of Security Strategy, Anticipation of Threats and Research, for the AXA group. With a background in Humanities and Social Sciences, she participates in many advisory bodies in various fields such as the protection of personal data, artificial intelligence or cybersecurity.
Do you think a cyberpandemic is possible?
Cécile Wendling. Yes, it is quite possible. A major cyber-event could have a global economic and physical impact in the real world, as did the Covid-19 pandemic. That being said, we all need to get on the same page, because at present, when we speak of a cyber-event, we mix different types of events and attackers. We must distinguish targeted and intentional attacks from unintentional ones, like a server crash or a storm! In the same way, attacks can be due to isolated individuals, organised crime, ideological groups or foreign states.
An insurance company must understand the real risk to offer the appropriate insurance cover. Hence the importance of defining a common language, a terminology which can class events into different categories and compare threats and their evolution over time, in order to have a historical view.
Would this aid the development of cyber-insurance?
Yes, but it depends upon the classification of, and information on, cyber risks, to determine which part is covered by the insurance. The real issue here is risk education and prevention. If we continue the analogy with the Covid-19 pandemic, we see that we taught people sanitary rules, basic gestures to protect them from the coronavirus and prevent its spread. Cybersecurity is still a fairly secret field. Only a few people have information on attacks led against companies; it is not very visible to the general public. Uninformed people cannot take preventive action on their connected devices because they do not know “basic hygiene”, the actions they must take to protect themselves, such as making regular backups. Thus, if they are unaware of the risks, they cannot insure themselves against them.
Regulatory and legal decisions would be required to insure these cyber risks, as in the case of motor vehicles: to drive, it is mandatory to insure the vehicle against damage potentially caused to third parties. In the case of a cyberpandemic, we would also need to consider the mutualisation of risk and create a public-private pool, as is the case for major natural disasters or for the Covid-19 pandemic. In concrete terms, in the case of a crisis, we would need to create a protection continuum covering education, prevention and technical assistance.
How can we anticipate the risk of a cyberpandemic?
It is very difficult because, as in the case of the health crisis, a cyberpandemic would result in multiple risks. In fact, it would interconnect crises and therefore risks. To anticipate such an event, it is necessary to understand multiple-hazard scenarios. In Lebanon, for instance, an economic crisis, the Covid-19 pandemic and the explosion in the Beirut harbour occurred simultaneously.
Anticipating a threat raises the question of its temporality and its possible evolution over time. We cannot have a scenario that stays stable over time; we need to update it regularly. To be resilient, we must continue to anticipate by forecasting over the longer term.
As a matter of fact, anticipation is based on two different types of exercises. On the one hand, a control tower performs prospective surveillance on a daily basis on many subjects, for example, the role a quantum computer could play in the case of a cyberattack. On the other hand, on a practical level, we anticipate stress scenarios. For example, how can a cyberattack be managed in lockdown? Did we anticipate the fact that we would need to work with pen and paper?
Anticipation rests on different cells and temporalities. To put it simply, we need “geeks” to perform threat intelligence at a two-month horizon and actuaries who will evaluate the risk in the long run. The challenge lies in connecting these two worlds with different time scales and finding a middle ground.