Pillsbury partner Brian Finch contributed an op-ed to the Wall Street Journal exploring the growing and inevitable threat of cyberattacks. This article originally was published by the Wall Street Journal on August 21, 2017.


A small but growing number of cybersecurity experts warn that we are a few keystrokes away from a dystopian world with no lights, running water or modern communications. Some even argue that it will take such a disastrous attack to jolt us into finally building more effective virtual defenses. While the possibility of large-scale cyberattacks gets the lion’s share of attention, chaos by small doses is more probable.

Government and private businesses have invested billions of dollars in cybersecurity measures to protect critical infrastructure, dramatically decreasing the likelihood that hackers could bring about another Stone Age. While rogue squirrels nesting in utility components are responsible for thousands of blackouts, cyberattacks have caused few. Recent incidents reveal a far likelier scenario: paralyzed operations for countless businesses. And even concerns about cyberattacks against business operations have historically taken a back seat to worries about personal data hacks, which can affect millions of individual consumers.

Hackers are increasingly turning to “ransomware,” a type of virus that encrypts computer systems and data without the owner’s approval. Unless prepared to pay a “ransom” to the hacker, the victim is effectively blocked from ever again accessing the system. Ransomware attacks are bad enough, but their effect can be much worse if the damage is irreversible. And that is exactly how “NotPetya,” the latest in a string of global cyberattacks, appears to be playing out.

Businesses of all sizes are suffering significant and lasting damage due to NotPetya because it appears to be modified ransomware code that has no unlock key (even when payment is made). One multibillion-dollar consumer-goods conglomerate, Reckitt Benckiser Group, has had many of its supply-chain systems rendered inoperable by NotPetya, leading to shipment delays, invoicing issues and manufacturing problems. Those business disruptions are expected to cost the company close to $130 million.

FedEx has also been hit hard by NotPetya. On July 17 it informed the Securities and Exchange Commission that NotPetya was still causing its European subsidiary TNT Express to suffer from widespread service delays, and that it may never be able to restore fully the systems and data encrypted by the virus. FedEx’s revenue has already declined as a result, compelling it to report a potential “material” financial impact to the SEC.

Smaller businesses are also vulnerable. One rural hospital in West Virginia had its systems so badly infected by NotPetya that it is being forced to replace its entire information-technology infrastructure. A hospital system in Pennsylvania canceled surgeries due to NotPetya. Past ransomware attacks have forced hospitals across the U.S. and U.K. to close down. In those attacks, ambulances had to be turned away until the hospitals expunged the computer virus or paid the hackers for the decryption key.

The problem isn’t going anywhere. Cybercriminals launch hundreds of millions of attacks daily across the globe, and recent studies have found that as many as 60% involve ransomware. The dominance of ransomware is simple to explain. It can be obtained free or easily made. It has a high success rate and generates handsome profits for hackers. Ransomware also tends to be used indiscriminately. While targeted attacks do happen, ransomware is typically blasted out en masse to infect any susceptible computer system.

Sometimes the only solution to a destructive hack is to rip out and replace the information infrastructure, much like what the Saudi national oil company did in 2012 and the U.S. Marine Corps did in 2014 when hackers infested their systems. The fix they ultimately settled on—physically shredding fatally infected laptops, servers and even keyboards—would be financially ruinous to most companies.

Ransomware is not the only threat. The online world is awash in destructive viruses and poorly built malware that causes unintentional harm. Still, the ransomware plague illustrates a larger point: businesses of every size are vulnerable. Someday a company will take a fatal hit to its revenue or reputation.

Fortunately, much can be done to mitigate these threats. For starters, the federal government can spur increased cybersecurity through wider use of the Safety Act of 2002, a law that provides liability protections for companies that use proven defensive technologies. Such protections will help protect companies against lawsuits claiming that they—not their hackers—were responsible for a successful cyberattack.

Next, rather than creating a gargantuan new cybersecurity agency, the federal government should empower existing cabinet agencies to act more quickly against cyberthreats. The government also must take the fight to the hackers. Arrest them. Name and shame foreign governments who enable cyberattacks or host hackers on their territory. These aggressive measures have led to material decreases in hacks. Companies can also help protect themselves by purchasing insurance that covers business-interruption losses, rather than standard policies that only reimburse costs associated with compromised personal data. While cataclysmic cyberattacks are always possible, mundane attacks are likelier to cripple companies permanently. The failure to focus on that threat will not only be painful, it will also be painfully obvious in retrospect.