5_cyber protection
π Digital
Are we prepared for a cyberpandemic?

“We need preventive measures to prevent cyber crises”

Sophy Caulier, Independant journalist
On March 3rd, 2021 |
3 mins reading time
2
“We need preventive measures to prevent cyber crises”

    Cécile Wendling
    Cécile Wendling
    Director of Security Strategy and Security Awareness for AXA Group
    Key takeaways
    • According to Cécile Wendling, Head of Security Strategy, Anticipation of Threats and Research, for the AXA group, a “cyberpandemic” is possible.
    • Like a health pandemic, it would lead to a cascade of all sorts of crises and would have a significant impact on the economy.
    • Insurance companies such as AXA are now considering covering cyber risks.
    • However, cyber-protection is a field still little-known by citizens. Prevention efforts and education on digital protection measures must be implemented so that insurance companies can cover these risks.

    After lead­ing the Fore­sight team for more than 5 years, Cécile Wendling is now Head of Secu­ri­ty Strat­e­gy, Antic­i­pa­tion of Threats and Research, for the AXA group. With a back­ground in Human­i­ties and Social Sci­ences, she par­tic­i­pates in many advi­so­ry bod­ies in var­i­ous fields such as the pro­tec­tion of per­son­al data, arti­fi­cial intel­li­gence or cybersecurity. 

    Do you think a cyber­pan­dem­ic is possible? 

    Cécile Wendling. Yes, it is quite pos­si­ble. A major cyber-event could have a glob­al eco­nom­i­cal and phys­i­cal impact in the real world, as did the Covid-19 pan­dem­ic. That being said, we all need to get on the same page because at present when we speak of a cyber-event we mix dif­fer­ent types of events and attack­ers. We must dis­tin­guish between tar­get­ed and inten­tion­al attacks from unin­ten­tion­al ones, like a serv­er crash or a storm! In the same way, attacks can be due to iso­lat­ed indi­vid­u­als, organ­ised crime, ide­o­log­i­cal groups or for­eign states.

    An insur­ance com­pa­ny must under­stand the real risk to offer the appro­pri­ate insur­ance cov­er. Hence the impor­tance of defin­ing a com­mon lan­guage, a ter­mi­nol­o­gy which can class events into dif­fer­ent cat­e­gories, com­pare threats, and their evo­lu­tion over time in order to have a his­tor­i­cal view.

    Would this aid the devel­op­ment of cyber-insurance? 

    Yes, but it depends upon clas­si­fi­ca­tion and infor­ma­tion of cyber risks, to deter­mine which part is cov­ered by the insur­ance. The real issue here is risk edu­ca­tion and pre­ven­tion. If we con­tin­ue the anal­o­gy with the Covid-19 pan­dem­ic, we see that we taught peo­ple san­i­tary rules, basic ges­tures to pro­tect them from the coro­n­avirus and pre­vent its spread. Cyber­se­cu­ri­ty is still a fair­ly secret field. Only a few peo­ple know infor­ma­tion on attacks led against com­pa­nies, it is not very vis­i­ble to the gen­er­al pub­lic. Unin­formed peo­ple can­not take pre­ven­tive action on their con­nect­ed devices because they do not know “basic hygiene”, what actions they must use to pro­tect them­selves, like for exam­ple, mak­ing reg­u­lar back­ups. Thus, if they are unaware of the risks, they can­not insure them­selves against them.

    Reg­u­la­to­ry and legal deci­sions would be required to insure these cyber risks, as in the case of motor vehi­cles: to dri­ve, it is manda­to­ry to insure the vehi­cle against dam­age poten­tial­ly caused to third par­ties. In the case of a cyber­pan­dem­ic, we would also need to con­sid­er the mutu­al­i­sa­tion of risk and cre­ate a pub­lic-pri­vate pool, as is the case for major nat­ur­al dis­as­ters or for the Covid-19 pan­dem­ic. In con­crete terms, in the case of a cri­sis, we would need to cre­ate a pro­tec­tion con­tin­u­um cov­er­ing edu­ca­tion, pre­ven­tion and tech­ni­cal assistance.

    How can we antic­i­pate the risk of a cyberpandemic? 

    It is very dif­fi­cult, because, as in the case of the health cri­sis, a cyber­pan­dem­ic would result in mul­ti­ple risks. In fact, it would inter­con­nect crises and there­fore risks. To antic­i­pate such an event, it is nec­es­sary to under­stand mul­ti­ple-haz­ard sce­nar­ios. In Lebanon for instance, an eco­nom­ic cri­sis, the Covid-19 pan­dem­ic and the explo­sion in the Bey­routh har­bour occurred simultaneously.

    Antic­i­pat­ing a threat rais­es the ques­tion of its tem­po­ral­i­ty and its pos­si­ble evo­lu­tion over time. We can­not have a sta­ble sce­nario in time, we need to update it reg­u­lar­ly. To be resilient, we must con­tin­ue to antic­i­pate by fore­cast­ing over the longer term. 

    As a mat­ter of fact, antic­i­pa­tion is based on two dif­fer­ent types of exer­cis­es. On one hand, a con­trol tow­er per­forms prospec­tive sur­veil­lance on a dai­ly basis on many sub­jects, for exam­ple, the role a quan­tum com­put­er could play in the case of a cyber­at­tack. On the oth­er hand, on a prac­ti­cal lev­el, we antic­i­pate stress sce­nar­ios. For exam­ple, how can a cyber­at­tack be man­aged in lock down, did we antic­i­pate the fact that we would need to work with pen and paper?

    Antic­i­pa­tion rests on dif­fer­ent cells and tem­po­ral­i­ties. To put it sim­ply, we need “geeks” to per­form threat intel­li­gence at a two-month hori­zon and actu­ar­ies who will eval­u­ate the risk in the long run. The chal­lenge lies in con­nect­ing these two worlds with dif­fer­ent time scales and find­ing a mid­dle ground.