When is a cyberattack systemic?

October 29, 2022

Seldom. Circumstances must be right.

A few years ago, I wrote a piece titled "Cyber risk as systemic risk" and more recently have been thinking about the topic after reading the excellent "This is how they tell me the world ends" by Nicole Perlroth.

Nation states can cripple infrastructure with cyberattacks, as Russia did to Ukraine in 2018 and since. Utilities, security services, the health system and the financial system are all at risk. Everybody can be hacked. The damage can run to hundreds of billions or even trillions of dollars for the largest countries. The cost of guarding against cyberattacks alone is in the hundreds of billions of dollars annually.

But will nation state cyberattacks cause a systemic financial crisis?

Systemic risk in the context of economics and finance means the chance of a major financial crisis that has the potential to cause a severe economic recession. A systemic event costs tens of per cent of GDP, so for the United States and Europe it is measured in trillions of dollars. Fortunately, such crises are not frequent, happening on average one year out of 43 in the typical country.

So will a major cyberattack cause a systemic crisis? Superficially, yes. As the story goes, a critical system, perhaps the payment system, goes down. That constitutes a major crisis event and can disrupt economic activity, thereby meeting the definition of systemic risk.

Hold on. That is not sufficient.

We learned from Covid and the Russia-Ukraine war that a major shock does not have to be systemic. The reason is that if such an event hits a financial system that is operating normally, then the system has a very significant shock absorption capacity. While the cost might be huge and disruption widespread, it does not meet the threshold for becoming systemic.

And that is precisely what most cyberattacks are: disruptive and expensive when happening on a random day. But the financial system and economy will likely absorb even the most severe cyberattack. Moreover, all critical systems have (or should have) backup facilities, with experts ready to restore operations. We have seen this in action in wartime, and Ukraine is showing us today how to operate even when subject to ferocious cyberattacks.

There is an exception — double coincidence.

Suppose an attack launched today takes out critical financial infrastructure, like the payment system. It most likely will not be systemic.

Suppose, instead, such an attack was launched on 28 September 2008. It would then viciously interact with a financial crisis underway, with both feeding off each other, pushing us into Depression-era territory, 1929 style, instead of just a run-of-the-mill recession like we got in 2008.

We need the double coincidence of a cyberattack and heightened systemic vulnerability. In other words, endogenous risk needs to be particularly high. In cyber warfare, as in so many things, timing is everything.

A putative nation state cyberattacker needs to manufacture that double coincidence: create ever-rising endogenous risk that nobody detects, one that is triggered on demand when the cyberattack is launched.

It is straightforward to do so.

All it takes is patience and resources. The financial resources to do so are formidable but certainly not excessively high in the context of warfare.