

Global Catastrophic Malware Attack Would Be Shocking, Not Impossible, Study Suggests

One year after a global IT outage hampered travel, healthcare, banks, and more, a report from CyberCube and Munich Re examined the systemic cyber risks that could dramatically affect worldwide infrastructure.

The report, Key insights into systemic cyber risk, offered insights gleaned from 93 cybersecurity experts across disciplines and industries, but with a weight on U.S. organizations and large corporations. The goals of the survey were to inform cyber catastrophe modeling with expert perspectives on novel scenarios, to test whether model assumptions on risk mitigation still hold true today, and to gather informed views that could validate or challenge model hypotheses. Experts were asked to consider extreme outcomes—not just averages—judging whether they were in the realm of possibility.

Those experts observed that new technology begins to affect the threat environment at about the same pace that it is adopted into cybersecurity practice, describing a race between defenders and attackers to exploit each new vector. In the near term, respondents warned that industrial and consumer Internet of Things (IoT) devices pose the biggest concern. On artificial intelligence (AI), they rated today's tools, such as large language models (LLMs), a high concern now, and more future-facing applications such as artificial general intelligence a greater concern in five or more years.

“LLMs have been shown to be productivity enhancers across industries, allowing users to quickly learn and implement cybersecurity methodology on both the defense and attack side,” the report said. “For example, LLMs allow for scaling sophisticated spear phishing operations, whereas previously those were laborious exercises. Conversely, LLMs also allow practitioners to analyze the sentiment, origin, and prior communications of messages to better detect phishing attempts.”

The report found that another widespread malware event on the scale of WannaCry or NotPetya would be unsurprising to many experts. Experts said that a global attack infecting a quarter of the world's computer systems would be shocking but possible, while a 10 percent infection rate would be surprising but more likely.

How long would an infection of that magnitude take? Reaching a 5 percent global infection rate within a week would be expected. Reaching that rate in as little as 12 hours would be extreme but not impossible.

“These findings highlight the rapid potential escalation of malware and the importance of early detection and containment,” the report said.

The experts surveyed said that patch management, network segmentation, and maintaining up-to-date backups were the most effective strategies both for reducing the likelihood of being affected by such an attack and for limiting the financial impact once infected. Social engineering was a top vector for initial malware infection, but the experts rated security awareness training as only somewhat effective in mitigating it.

Organizations with strong cyber hygiene could expect a 50 to 80 percent reduced likelihood of impact from a widespread malware event.

Given so many organizations’ dependence on cloud-based services and tools today, threats to the cloud are particularly unnerving for security and resilience professionals. Experts agreed that cloud outages lasting hours to a few days are plausible, even if extended outages are not considered likely. But even a short outage has significant implications—a single-day outage of an organization’s most critical cloud service provider could result in a financial loss equal to 1 percent of the client’s annual revenue. If the outage were to extend to five days, half of respondents said losses would increase by at least a factor of seven.

This echoes organizations’ experience during the CrowdStrike outage in July 2024, when a flawed Rapid Response Content update to the company's Falcon security sensor caused many Microsoft Windows systems to crash. The outage ground air travel to a halt and disrupted some healthcare facilities’ digital access to online records. Most systems were brought back online swiftly, but fixes were inconsistent because affected machines often had to be recovered by hand.

Finger-pointing ensued, with some companies and individuals blaming Microsoft, CrowdStrike, and the client organizations in turn. Delta Air Lines filed a lawsuit against CrowdStrike over the outage, claiming that the computer crashes directly led to more than $500 million in out-of-pocket losses.

Since then, CrowdStrike has doubled down on its resilience-by-design philosophy, according to a recent blog post from company president Mike Sentonas. The changes include a sensor self-recovery capability that can automatically shift a system into safe mode when a crash loop is detected, rather than leaving it stuck rebooting.


Editor's note: This article has been corrected to note the cause of the July 2024 CrowdStrike outage and the spelling of CrowdStrike President Mike Sentonas's name. 
