Cyber-attacks are already imposing heavy costs on emerging markets. Wait until they start targeting critical infrastructure
"You don't need to be a cybercrime expert to use the toolbox. You just need deep pockets." That's how Jonathan Evans, former boss of the UK's secret services, started a speech at Infrastructure Investor's Berlin Summit last week. His point was simple: everything you need to penetrate a system or jam a website is available for rent on the 'dark web', the online equivalent of the black market. And although companies' awareness of cyber-risks is high, he said, implementation of defence strategies is low.
Well-publicised attacks on the likes of Target or Sony Pictures make it sound like the main victims are developed-world firms. But emerging markets are far from immune: in the three years to 2015, KPMG reckons Indonesia suffered about 36.6m assaults. Cybercrime shaved more than $600bn off China's GDP in 2013, according to the Center for Strategic and International Studies. Some analysts estimates that identity theft affected about 50 million people in Turkey last year.
Hackers have good reasons to target emerging markets. Within the developed world, their traditional hunting ground, regulators have started to impose heavy fines on companies that fail to protect customer data in sectors like financial services or healthcare. Protections have been bulked up as a result, with businesses' core functions now more resilient.
But with organisations increasingly operating in chains, systems are now ever more integrated. Hackers have therefore moved from targeting individual companies to orchestrating chained operations - where attacking one organisation give them access to the digital assets of another. Emerging markets tend to be among the first targeted, because they often host the chain's weakest link: an offshore subsidiary that's not up to the group's global standards, say, or a third-party supplier with weaker defences.
All this is bad enough. But of more catastrophic potential is a different kind of threat: cyber-attacks on critical infrastructure. While theft tends to be the primary motive behind hacks on businesses, attempts to disable power grids or water systems aim at crippling states or inflicting large-scale damage on populations. Various types of actors can be behind these: covert agents of enemy states, terrorists, or criminals wanting to hold the government to ransom.
A handful of attacks have already proven successful. Last December, the entire Ivano-Frankivsk region in Ukraine suffered a major power outage, which investigators later found had been caused by a malware that disconnected electrical substations. The Stuxnet virus became famous after 2010 by disabling nuclear installations in Iran, while the Shamoon malware made waves in 2012 by stranding infrastructure operated by state-owned Saudi Aramco.
Still, compared to cyber-attacks on corporates, the number of reported cases remains small. In part this is because few attacks end up being covered in the media: assaults on infrastructure typically don't involve personal data theft or syphoning off money - the stuff that makes newspaper headlines. In fact, they're probably not so rare. A recent survey by the Organisation of American States found that about 200 out of 500 critical infrastructure suppliers in North and South America have recently experienced attempts to shut their network; more than half also reported attempts to remotely manipulate their equipment.
What has yet to happen, however, is a genuine catastrophe - such as a dam releasing its water on a populous valley or the deliberate shutdown of a nuclear plant's cooling systems.
But such scenarios could soon become real. The Nuclear Threat Initiative (NTI), a non-profit organisation, reckons many countries still don't have the necessary laws and regulations in place to secure atomic facilities against cyber assaults. Out of the world's 47 states it identifies as having nuclear capabilities, NTI's 2016 Index gives 20 nations a score of zero. A recent study by UK think-tank Chatham House also finds that the nuclear industry falls behind other sectors in terms of cyber security.
Emerging markets are especially vulnerable to such attacks. Even more so, ironically, as they strive to modernise their infrastructure: modern networks are both part of the internet and more directly connected to end users, providing hackers with as many new potential points of entry and opportunities for mischief. But existing infrastructure is not better off, because retrofitting old systems to make them cyber-proof is sometimes even more complex than designing a good system from scratch.
Some developed markets have thought to protect themselves by threatening to retaliate. The US, for instance, says very clearly that any cyber-attacks on its essential infrastructure would probably trigger a military response. But deterrence is a less effective defence for emerging markets, because many lack sophisticated tools to trace back culprits and credible means to enforce a retaliatory threat.
Their governments need to take real actions fast. They should make cyber-proofing their infrastructure a core part of their national security strategy, and invest more in it. They need to craft laws and regulation that provide infrastructure operators – both public and private – with the right carrots and sticks to secure their systems.
But national efforts will work better if seconded by a global response. As Evans said last week, government forces remain responsible for the bulk of large-scale attacks. Beyond sharing best practices, one option states should explore is a pact of non-aggression in the cyber space, in line with what was agreed between the US and China last year. Leaving the broader topic of corporate cyber-theft for later, the agreement should first focus on assaults on essential infrastructure.
Getting a critical mass of states to join in may take several years. But arms control treaties have made a real difference in the past, as the relative success of nuclear Non-Proliferation treaties has shown. They could now help shape the norms of acceptable behaviour in the cyberspace, too. Time to plug in.