The Need for a Cybersecurity Protection Agency
There hasn’t been much good news in cybersecurity lately. In the first three months of 2021, organizations have been exposed by zero-days in Microsoft Exchange and Accellion’s secure file transfer appliance, and there have been revelations of three more malware strains related to the SolarWinds Orion product. This brings the total number of malware strains related to Orion to eight, including some that have been attributed to both Russian and Chinese operatives.
Just before we turned the dial to 2021, we ended the previous year with a chilling statistic from McAfee and the Centre for Strategic and International Studies (CSIS): “[C]ybercrime costs the world economy more than $1 trillion, or just more than one percent of global GDP, which is up more than 50 percent from a 2018 study that put global losses at close to $600 billion.” Given the action this year already, that figure is likely to rise.
Have we Hit Rock Bottom in Cybersecurity?
This is a hard question to answer, but the signs for cybersecurity, in my estimation, all point to an unsustainable situation. Those who suffered as a result of the Texas winter storm face $50 billion worth of destruction. While that event had little to do with a cyberattack, I mention it here to provide some perspective – the climate and cybersecurity spheres have far more in common than we think, and both are under a sustained global threat. It was not a widespread cyberattack against the national critical infrastructure of Texas that left thousands without power and water (as far as we know). In fact, the failure in Texas was of a far more human nature.
Lawmakers there failed to pass measures over the past two decades that would have required the state’s main power grid operator to ensure adequate reserves to shield against blackouts, provided better board and agency oversight representation for residential and small commercial consumers and ensured the state’s top emergency planning agency made sure power plants were adequately “hardened” against disaster.
Connecting the Dots From Texas to Cybersecurity
Thankfully, we have not seen a cyberattack that resulted in anything close to tens of billions of dollars in damage – or have we? So far, the most impactful cyberattack whose cost can be measured fairly accurately is the NotPetya attack on Maersk’s computer networks, for which Maersk claimed $1.3 billion in losses from its insurers. It remains to be seen if this amount will ever be paid, as insurance companies suggested NotPetya was a “hostile act amounting to a war or terrorist attack,” therefore denying coverage under some Maersk policies.
The Elusive ‘Bigger Picture’
On August 16, 2017, 128 countries signed The Minamata Convention on Mercury. It is an international treaty designed to protect human health and the environment from anthropogenic emissions and the release of mercury and mercury compounds. The vast majority of these emissions were caused by individual and small gold mining operations, even though organic mercury compounds were first described in the 1800s, with fatal cases of mercury poisoning reported as far back as 1865. Despite all kinds of clinical evidence from the 1900s onward and regulatory safeguards established in the 1960s and 1970s (which were largely ineffective), the consensus after 156 years is, “Mercury is bad for the environment and bad for humans.” In a word, it’s toxic.
The story of cybersecurity – or lack thereof – is like the demoralizing story of mercury. It’s my hope that we can reach a broad understanding that poor cybersecurity is just as bad for the environment and bad for humans, but that we can do so in a lot less than 156 years. Like the human willingness to risk mercury poisoning in the pursuit of physical gold, we are mining virtual gold in the form of Bitcoin, burning energy at an alarming rate with a high likelihood of future toxic environmental effects, both directly and indirectly, by facilitating cyber ransoms.
An article in the BBC technology section, “Bitcoin consumes more electricity than Argentina,” ran Feb. 10, 2021 and did not receive nearly as much attention as it deserved. Buried within the article, however, was arguably an even more sinister detail. According to David Gerard, quoted in the article, “Tesla got $1.5bn in environmental subsidies in 2020, funded by the taxpayer. It turned around and spent $1.5bn on Bitcoin, which is mostly mined with electricity from coal. Their subsidy needs to be examined.” It certainly should be: Tesla’s purchase propelled the virtual currency’s value to unprecedented new heights, and Tesla made roughly $1 billion in profit from its investment in Bitcoin, according to some estimates.
Earlier this year, aerospace firm Dassault Falcon Jet suffered an extensive data breach by the Ragnar Locker ransomware operators. The attackers remained hidden on the company’s network for more than six months after using the Shitrix vulnerability (CVE-2019-19781) to gain persistence on the network. They started encrypting the data on December 7, 2020, having first exfiltrated it so that a copy was stolen before encryption. The cybercriminals then demanded $2 billion in Bitcoin as a ransom. Exploitation and ransomware are the unfortunate risks of being online, but there are far more impactful cyberattacks capable of inflicting millions, if not billions, in damages.
Take, for instance, an attack that occurred in 2013, reported by the BBC: “AP Twitter hack causes panic on Wall Street and sends Dow plunging.” During the three minutes that the fake tweet was circulating, it wiped away $136 billion in equity market value. “About an hour after it was over, a group of hackers who cause trouble in support of Assad, an informal collective known as the Syrian Electronic Army, claimed responsibility for the attack.” Perhaps most concerning, a single tweet by a celebrity on Feb. 21, 2018 inflicted a market capitalization loss of $1.3 billion on Snap. Those in western nations advocating a potential military cybersecurity response to the SolarWinds cyberattacks (attributed to Russia) and attacks on SolarWinds and Microsoft (attributed to China) may have forgotten just how precarious a digital world we live in. Let’s hope we back away from pounding the cybersecurity war drums before we are shown precisely how vulnerable we really are.
Entering the Era of Cyberdisaster Capitalism
It’s a sad state of affairs – and a stark reminder of the precarious digital environment in which we live – when we invest millions of dollars in cybersecurity and yet billions of dollars in damages still can be inflicted by a tweet. Naomi Klein writes, “The appetite for easy, short-term profits offered by purely speculative investment has turned the stock, currency and real estate markets into crisis-creation machines.” In a 2018 opinion piece on Bitcoin, Klein’s labelling of some of the cryptocurrency industry’s leading figures as “tax dodgers” seemed to eerily foreshadow the recent 2021 indictment of John McAfee and an associate for cryptocurrency promotional activities.
Given the current state of affairs, wherever we see the inexorable opening up of business systems, the zero-day vulnerabilities in Microsoft Exchange, Accellion and others demonstrate that we are facing both a cybersecurity crisis and a broader tech industry crisis. Anyone looking at the problem as exclusive to cybersecurity is not seeing the whole picture. “In early 1970, as a result of heightened public concerns about deteriorating city air, natural areas littered with debris, and urban water supplies contaminated with dangerous impurities, President Richard Nixon presented the House and Senate a ground-breaking 37-point message on the environment.” It is once again time for American leadership, and for the UK, EU and other western nations to support President Biden in introducing an aggressive cybersecurity protection-focused legislative agenda, and time to empower a Cyber Protection Agency. We need to see the kind of global enforcement powers that the EPA unleashed against Volkswagen.
“Volkswagen said its 2015 diesel cheating scandal has cost it 31.3 billion euros (USD $34.69 billion) in fines and settlements.” And in 2017, the U.S.-based Volkswagen executive Oliver Schmidt, who oversaw emissions issues, was sentenced to seven years in prison and fined $400,000, the maximum possible sentence under a plea deal the German national made with prosecutors after admitting to charges of conspiring to mislead U.S. regulators and violate clean-air laws.
The solution for the tech industry, and its related cybersecurity problem, is simple: hold organizations and individuals accountable for cybersecurity by requiring adherence to an aggressive regulatory framework. There is already a model for this in the environmental and financial services protection frameworks: they may not be perfect, but as they say, “perfect is the enemy of good/better,” and what we need right now is something to clean up the global cybersecurity and environmental mess we have created. The last twenty years of “letting the cybersecurity market decide” have only managed to make us more vulnerable than ever before. Something has to change.