Heist of the 21st Century' highlights risks in the innovation economy

Most of the employees at the Bangladesh Bank's central headquarters in Dhaka, Bangladesh, had gone home for the weekend on the evening of February 4, 2016, when hackers impersonated bank officials and sent a series of fraudulent money orders through the Swift intra-bank messaging system requesting the transfer of $US 951 million from the Bangladesh Bank's account at the Federal Reserve of New York.

That was the beginning of what Bloomberg Technology calls "one of the largest cyberheists in history."

While most of the transfer orders were stopped or reversed by the banking system due to errors made by the hackers, including a simple misspelling, four orders totaling $US 81 million were sent to fake accounts at a branch of the Rizal Commercial Bank in the Philippines and later withdrawn. That money has never been recovered.

The Bangladesh Bank cyberheist drew attention for its boldness, but also because of the spotlight it shines on cyber risk and the interconnectedness of the global finance system. A cyberattack on one bank in Bangladesh was just the start of a complex global crime and money-laundering operation that affected institutions around the world.

The heist is also instructive for business leaders, who need to take a holistic view of cyber risk in the innovation economy and recognize that new technologies bring new risks along with opportunities. Cyber risks are not a tech issue; they are a business issue with technical aspects.

Lori Bailey, Global Head of Special Lines for Zurich Insurance Group, says business leaders need to embrace the technologies powering the innovation economy but also be cognizant of the risks around those technologies and how they connect to other global risks.

"There are a number of different emerging technologies that clearly will have a very significant impact on the global economy, but they also come with some potentially negative consequences," Bailey says. "That speaks volumes to the fact that the risks are so interconnected with one another."

Cyberattacks and data theft or fraud are considered among the top six global risks in terms of likelihood in 2017,  and cyberattacks are the global risk of highest concern for doing business in the United States, the United Kingdom, the Netherlands and Singapore. Cyberattacks and data theft or fraud are also top five risks of concern in many other countries.

"Data theft and fraud has been continuing to rise over the last several years," Bailey says. "While we often don't know who is perpetrating these attacks, it is widely reported that many of these incidents against companies for data theft are coming from nation states and could be related to terrorism. In fact, cyber terrorism is often viewed as the new wave of terrorism in the future."

Dyn DDoS: An interconnected cyberattack

Cyberattacks and data fraud or theft risks are amplified by rising cyber-dependency between companies in the innovation economy. The Dyn DDoS attack in October 2016, showed how this amplification works. Beginning on the morning of October 21, millions of users in the U.S.  lost access to popular websites like Spotify, Twitter, CNN, Reddit and the New York Times after hackers launched a DDoS (distributed denial of service) attack on Dyn, a provider of Domain Name Systems (DNS) services.

DDoS attacks, in which incoming traffic originating from multiple sources overwhelms a website and prevents it from responding to legitimate requests, are fairly common, but the Dyn attack was an ominous departure from traditional DDoS attacks in two ways.

• According to Dyn's analysis, the primary source of the attack was the Mirai botnet, malware which enlists Internet-of-Things objects like connected cameras and DVR players in a DDoS attack. The number of devices involved -- at least 100,000 -- made the Dyn attack the largest DDoS attack ever.
• The other unusual aspect of the Dyn attack was that the targets were DNS servers, which affect a large number of websites.

"That particular event put the aggregation of risk for cyber on the map and brought awareness to this issue," Bailey says. "Not only could companies be directly impacted from a cyber attack, but even entities with whom they have no direct connection could be impacted by it as well."

This realization helped business leaders understand that it's not enough to think about cyberattacks in terms of firewalls and other protections. Even if a company does everything it can from a protection standpoint, the fact that companies are all interconnected means that they all could be impacted by a data breach or a cyberattack at a single company.

“Preparedness is very much about taking a holistic view of one's risk management and looking at it through a cyber lens,” Bailey says. "It's looking at disaster-recovery plans. It's looking at business-continuity plans and planning for specific cyber scenarios that may happen not only to your business, but also the entities to whom you are dependent. The ultimate risk management goal is to get back up and running as quickly as possible in the event that a data breach attack happens to you or to one of the companies with whom you work."

Vehicles without drivers, not without risks

One of the most talked about developments in the innovation economy are self-driving vehicles (SDVs), possibly because most of the technology supporting them is already here. According to Bloomberg Intelligence, the United Kingdom and Sweden are among European countries testing SDVs on public roads and eight U.S. states had passed autonomous-driving legislation as of September 2016.

The implementation of autonomous vehicles will be an evolution and not a revolution

The question of driverless vehicles on roads is not a matter of if, but when, says Karl Gray, Global Head of Casualty, Motor & Personal Lines, Zurich Insurance Group. Gray believes the timeline for fully autonomous vehicles is many years in the future, but semi-autonomous driving technology is already on the road today, including self-parking, adaptive cruise control and automatic braking. The growth of this technology will be exponential and its impact substantial.

"The implementation of autonomous vehicles will be an evolution and not a revolution," says Gray.

One of the main attributes of SDVs is their interconnectivity, due to the technologies needed to communicate with other vehicles, road infrastructure and GPS, but this connectivity brings a significant degree of risk

"It's not just the impact on a single vehicle of technological failure or cyber crime, but potentially hundreds, thousands or even millions of vehicles could be impacted in one event," Gray says. "The cost of such an event to businesses and individuals could be unprecedented."

Governing AI (while we still can)

In the Global Risks Report perception survey, artificial intelligence (AI) and robotics were the emerging technologies ranked highest in terms of benefits for society, but also highest in possible negative consequences. The potential advantages are far-reaching: AI could help solve some of the complex global challenges of the 21st century, including climate change. The technology could also help improve digital security by spotting cyberattacks and potential fraud in online transactions. Bloomberg Intelligence predicts that all software applications could feature embedded AI in just the next few years.

• Startups working in AI received more than US $1.5 billion in funding in the six months of 2016.
  Source: CB Insights
• Google improved its power usage by 15% after Deep Mind-powered AI took charge of parts of the company’s data centers.
  Source: Bloomberg Technology

“There's not one specific area where AI is going to be particularly prevalent,” Zurich's Bailey says. “We see it in medicine, we see it in transportation, we see it in finance, and the more that continues to advance, the more interconnected everything becomes as a result.”

The possible negative consequences of AI are equally impactful, according to John Scott, Chief Risk Officer, Commercial Insurance, Zurich Insurance Group. They include the decline of employment opportunities as AI and robots replace workers, and connected risks to social protection systems and political stability, not to mention risks that will emerge as AI systems begin to think for themselves.

"Right now, while we have the chance, we should be thinking about how artificial intelligence works and what we should put in place to govern its development, behaviors and outcomes," Scott says. "That's very challenging when you think about it because even though today we can pull the plug on an automated trading system when it breaches certain limits, as AI progresses, it will not just follow rules – it will think up its own rules. That's the point of being artificially intelligent. It's creating its own insights."

As AI progresses, it will not just follow rules – it will think up its own rules.

One example of how AI could run amok happened in 2011 when biologist Michael Eisen discovered that two dueling algorithms drove up the price of Peter Lawrence’s "The Making of a Fly: The Genetics of Animal Design," an out-of-print academic work about development biology, to $23,698,655.93 on Amazon. 

"It's very clear that that kind of price collusion behavior is prohibited, and it's easy to stop it when it's flesh and blood. You can arrest the perpetrators and stop them from doing it," Scott says. "But when an AI-enabled machine is doing it, that's more difficult to regulate."

When approaching the issue of AI governance, Scott uses the metaphor of how people first learn rules as children. In the first five years of life, we largely learn how to behave and treat others through play. Regulators are using this model to teach AI to play by rules, Scott says, creating "regulatory sandboxes" for Fintech applications to experiment with regulations and study how the technology reacts.

"It's important to build in governance rules as we develop artificial intelligence," Scott says. "Not only to control unexpected and unintended negative consequences, but also to ensure we get the maximum societal benefit from AI as an enabler of ever-more efficient human decision taking."

Innovation economy needs innovative partnerships to manage risk

The main challenge of governance of technologies in the innovation economy, whether in AI or autonomous vehicles or the Internet of Things, is striking a balance that helps mitigate the interconnected risks of the technologies, but doesn't stifle innovation and business opportunities. Plus, the global governance to tackle,  for example, cyber crime, cyber attacks, privacy and IP issues, is currently lacking.

"Clearly those technologies that are advancing and have the most potential benefits, but also the most potential consequences, are the ones that arguably need to have the most governance around them," Bailey says. "Those are the ones that are going to have the most impact on life, on society and on the economy."

Bailey believes that public-private partnerships are in position to take a holistic view of risks and opportunities and create governance that allows for innovation while making sure there's appropriate protection around potential negative consequences.

"As you look at governance and trying to manage this from a very holistic view, these public-private partnerships really have an eye into a number of different industries," Bailey says. "That creates a huge benefit because these partnerships in and of themselves are already interconnected. It allows that governance to happen on a much broader and a much more consistent scale than you might otherwise see if it were just single public entities or single private entities trying to do this on their own."

The quality of this governance is crucial to managing risks in the innovation economy, which include cyber attacks and data thefts like the Bangladesh Bank heist and the Dyn DDoS attacks, but also connect to many global risks impacting the world today.

“Automation and technology in general have strong links with other global risks and trends: rising income and wealth disparity, unemployment and underemployment, and other societal risks like profound social instability and increasing polarization of societies,” Scott says. “In prior industrial revolutions there were many jobs that disappeared but new ones were created. In the Fourth Industrial revolution we’re initially experiencing jobs disappearing, but the new jobs are taking more time to develop. When they do, it is often in 'gig economy' roles with very different working conditions and levels of worker protection than before.”

Key Takeaways:

• The interconnectedness of global information systems means that a data breach in a single institution can have systemic consequences that affect many businesses.
• Business leaders need to look at risk with a cyber lens and plans for specific cyber scenarios that may happen not only to your business but also the entities to whom you are dependent.
• The ultimate risk management goal for business leaders is to get back up and running as quickly as possible in the event that a cyberattack happens to their company or to one of the companies with whom they work.
• The impact of fully autonomous vehicles will not be seen for some time. However, the impact of semi-autonomous driving technology has already started, and its penetration will be exponential and its impact substantial.   
• Now is the time to create governance around the development and use of AI before the AI gets too smart.
• Public-private partnerships are effective organizations for creating technology governance that mitigates risks while allowing for the innovation that creates business opportunities.