Cyber attacks worry Davos elites

  • 22 January 2015

Something strange is happening to Eugene Kaspersky.

The cyber-security guru, who has been at the forefront of his field for more than 25 years, can scarcely stride a few metres in the main conference hall of the World Economic Forum (WEF) in Davos without being stopped by a chief executive or head of state.

Indeed, merely being in the Swiss mountains is eating into the fast-talking Russian's much sought-after time.

In recent weeks, he has spent more time in "Boeings and Airbuses" than on the ground, being flown around the world to advise business leaders and government bodies - including the UK's National Crime Agency - on battling ever more daring cyber criminals.

But it was not always thus. While the threat of corporate cyber attacks has been at the periphery of the WEF agenda for many years, 2015 is arguably the first year in which the issue is taking centre stage.

Mr Kaspersky's profile, and that of the many cyber-security experts attending this annual conference, has been helped by the extraordinary events of the past year, in which attacks on Sony Pictures, eBay, Target and JP Morgan have dominated the headlines.

Attentive boardrooms

Business elites are taking heed. To coincide with Davos 2015, the World Economic Forum has issued a report that warns failing to improve cyber security could cost the global economy $3tn, and is urging companies to sign up to a new "framework" for assessing the risk of an attack.

In previous years, "every time we talked to a top 500 company about cyber-security, they'd say to us: 'talk to my technology guy,'" says Carlos Moreira, a Davos regular and boss of Swiss cyber-security firm WISeKey.

Image caption An attack on Sony centred around its film The Interview showed the vulnerability of even large companies

"Now the board of directors, the CEOs of the companies pay attention. There is a new sense of urgency."

That urgency is prompting unprecedented investment in cyber security. One US bank, Mr Moreira tells me, spent a whopping $2.3bn last year on protecting its online activities.

'Space shuttles'

And the threats are increasingly sophisticated.

When I ask Eugene Kaspersky how cyber attacks have evolved in the quarter of a century he has been in the business, he chuckles knowingly.

"25 years ago they were just simple bicycles. 10-15 years ago they were cars.

"Now they are space shuttles."

It's not just the attacks that are evolving, but the targets too.

"The main threat that is really scaring me is attacks on critical infrastructure," says Mr Kaspersky, alluding to nuclear power stations and the like.

City 'bunkers'

"We don't see many attacks on this scale but I'm afraid we will see them more and more and then more and more and more".

At an early morning roundtable meeting in a Davos hotel, various European and US business leaders are trying to come up with possible "preventative measures" - a term they favour.

Image caption An attack on critical hardware like a nuclear reactor is "really scaring" Mr Kaspersky

Perhaps the most bizarre is a plan for cyber-security "hub cities," in which Rick Perry, the Governor of Texas, is apparently interested.

The complex plan includes separate bunkers for identity and data, and segregated access - so one person cannot access both areas.

Third-party audits of businesses' cyber-security credentials from firms such as Deloitte and KPMG were also suggested.

But the most enthusiastically endorsed plan is the need for a global body that sets cyber-security standards - similar to what "IATA does for planes".

"There is a strong sense here that there needs to be more co-operation between governments and companies in order to ward off future threats," says Mr Moreira.

But while the agenda may have finally woken up to the need for better cyber-security, it is perhaps most telling that the talk has shifted from how to stop cyber attacks, to how businesses can manage them when they are inevitably attacked.

As Sadie Creese, a professor of cyber-security at the University of Oxford, says: "We tell managers 'assume you've been compromised'".