How can we prepare for threats we don’t even know exist yet?
Earlier in June, CogX Festival brought together representatives from business and government to discuss innovation. It was a follow-on to a 2019 event sponsored by several partners including Accenture, BT and Visa. While the conference was held in London, it also was available to virtual attendees in real time and on demand. I watched a panel session on dealing with unpredictable existential threats. The panelists included Robert Hercock, the Chief Research Scientist at BT Security, Clarissa Rios Rojas, a research associate at the University of Cambridge's Centre for the Study of Existential Risk, and Avast CISO Jaya Baloo.
Rojas and her colleagues spend a lot of time looking at a wide range of global risks that could lead to human extinction and other dire circumstances. Her team at Cambridge has categorized risks ranging from low-impact and low-likelihood ones, such as minor manufacturing errors, to higher impacts and likelihoods, such as data thefts and bioweapons deployment.
Baloo spoke about understanding both the good and bad sides of technology and how that has implications for assessing risk. She used the example of the recent Colonial Pipeline ransomware attack as one risk that is difficult to anticipate and detect — and also one where the costs to pay the ransom were minor compared to the disruption or the risk of posting the stolen data online. She also spoke about the implications of the crossover of the cyberattack to the physical world, such as with gasoline shortages and other disruptions. But many critical infrastructures, such as an electric plant or a hospital IT network, don’t have sufficient “air gaps” to prevent these disruptions and shows how “we are dependent on digital technologies, and are not always confident what this means for our society when they fail.”
The SolarWinds attacks also show “how interconnected we are and affected multiple government agencies and hundreds of companies.” Part of the problem is that these infrastructures are complex technologies, and they involve what Hercock referred to as figuring out an adaptive system problem. “We don’t understand how things are interconnected and it is difficult to extrapolate from the present risk pool to what is coming on the horizon,” said Baloo.
The panel then turned towards discussing disinformation in terms of trust. Rojas said, “We have to start to do a better job of building up trust with our policymakers.” Hercock mentioned the 1980s ozone depletion issue. At that time, the world came together to address the problem and ban CFC products that were harming this layer of the atmosphere. “Back then, there was trust among scientists and policymakers. But since then, this trust has eroded between general society and the scientific community.” He mentioned one way to improve trust is to storyboard the various scenarios to better explain longer-term risks to policyholders. Baloo then mentioned how “we have a fundamental dilemma with Covid-19 vaccine misinformation, given the enormous number of people who have stated that they never will get vaccinated. This could demonstrate one of the root causes of our current existential crisis.” Hercock said, “Regaining this trust is going to be a challenging process today.” He mentioned the disinformation regarding the false relationship between Covid-19 and 5G networks as an additional example of this trust deficit.
The panel also offered several suggestions on how to help businesses better understand existential threats. Rojas was critical about how the relative funding of everyday activities — such as producing a blockbuster movie or operating a single McDonald's restaurant — is much more expensive than paying for the evaluation of any of these existential (and potentially catastrophic) threats. Baloo recommended starting with a risk appetite assessment that calculates what are the known risks. “But we have to take into account the unknown risks, and corporate boards of directors should have to better understand the higher-risk space and be systematic about their thinking about the longer-term implications. While we will never see companies talking about the risks of a hostile takeover in their annual reports, having some acknowledgement about medium-term risks is a sign of their domain maturity in understanding risk assessment.”
Rojas has several recommendations for evaluating risks on the higher end of the scale, such as using various experts to test assumptions, prioritizing actors and identifying their potential actions, training workforce in risk management tactics and how to properly communicate among the various stakeholders. Putting it simply, we have a long way to go to do a better job.
You can listen in on the complete panel, "Existential threats: The unpredictable horizon", in the video below.