2 July 2021

Report estimates major cyberattack could cost more than recovering from natural disasters

MAGGIE MILLER

The cost of a major cyberattack on a critical major U.S. utility or service provider could equate to that of a natural disaster such as a hurricane, a report released Monday found.

The report, put together by experts from the Foundation for Defense of Democracies (FDD) and insurance group Intangic, used a risk-rating system developed by Intangic to estimate the impact of two types of disruptive cyberattacks.

The findings estimated that a three-day cyber disruption of a managed service provider giving IT services to hundreds of customers across a variety of critical fields could lead to an economic loss of almost $80 billion, more than the $65 billion cost of Hurricane Sandy in 2012.

The losses would be even higher with an attack on a critical utility, such as a regional electric utility, with Intangic estimating that a breach disrupting power for five days would cost $193.5 billion, more than the cost of 2005’s Hurricane Katrina and the 2018 California wildfires.

“Cyber vulnerabilities pose a systemic risk to the U.S. economy,” the report reads.

The report was released on the heels of mounting cyberattacks on critical organizations.

A ransomware attack in May on Colonial Pipeline, which provides 45 percent of the East Coast’s fuel supply, forced the company to shut down the pipeline for almost a week, leading to gasoline shortages. A ransomware attack shortly after on JBS USA, the nation’s largest provider of beef, also disrupted a key food supply chain.

The FBI attributed both attacks to likely Russian-based cyber criminal groups. While the FBI assessed that the groups are not Kremlin-backed, concerns around Russia harboring cyber criminals were a topic of conversation between President Biden and Russian President Vladimir Putin at their recent in-person summit in Switzerland.

Attacks on hospitals, health care systems, schools and government agencies have also spiked during the COVID-19 pandemic in the U.S. and around the world. These include the SolarWinds hack, which allowed Russian hackers to compromise nine U.S. government agencies and 100 private sector groups for a year.

“Successful cyberattacks and ransomware against nearly every sector of the U.S. economy demonstrates to policymakers that the market has failed on its own to convince the private sector of the necessity of a minimum level of cyber hygiene,” Mark Montgomery, the senior director of FDD’s Center on Cyber and Technology Innovation, said in a statement Monday.

“This paper provides policymakers with data that makes clear that government action is needed to fix this market failure,” he added.

The report calls on Congress to approve a national breach notification law requiring companies hit by a cyberattack, regardless of whether customer data was impacted, to report the breach.

Lawmakers are looking at doing just that. A draft bill from Senate Intelligence Committee Chairman Mark Warner (D-Va.), Vice Chairman Marco Rubio (R-Fla.) and Sen. Susan Collins (R-Maine) includes language requiring federal agencies, federal contractors, and owners and operators of critical infrastructure to report cybersecurity incidents within 24 hours to the Cybersecurity and Infrastructure Security Agency.

Rubio told The Hill last week that the bill would likely be formally introduced “probably the first week” when the Senate returns from the July 4 recess.
