Risk Management And Black Swan Events
Source: COGNITIVE WORLD on FORBES
In 2007, statistician Nassim Nicholas Taleb defined “Black Swan” as an event that “is an outlier,” as it lies outside the realm of regular expectations. Black Swans by that definition are mostly unforeseen, rare, and can be created by geo-political, economic, or from other unexpected events.
Black Swans bring challenges to risk management, especially in our rapidly transforming technological landscape. However, those transformative changes in emerging technology add to the ability to analytically forecast and try to mitigate Black Swan events.
Because of advanced computing and other emerging technologies, there are Black Swan events we can plan for, and help contain through risk management. While there are many scenarios. There are three categories that I believe we should apply risk management principles to including; 1) threats to the energy grid and critical infrastructure, 2) bio-terrorism and pandemics, and 3) the potential of malevolent artificial intelligence.
The Black Swan Threat to the Grid and Critical Infrastructure
Private industry owns most of the nation’s critical infrastructure (e.g., communications, transportation, financial, healthcare) dependent on the energy grid. The public sector helps protect it. Blackouts and persistent cyber-attacks are already a part of operational concern. Helping reduce the vulnerability of the grid and critical infrastructure has become a national imperative and the clock is ticking.
In the United States, the grid itself refers to critical infrastructure comprising a network of more than 7,650 power plants, integrated via 450,000 miles of transmission lines and 70,000 transformer power substations and thousands of power generating units. Much of the infrastructure is decades old. The (aging) grid is very susceptible to three main Black Swan threats from an energy frequency perspective. They are solar flares, Electro Magnetic Pulse (EMP), and cyber threats.
Solar Flares and Geomagnetic Storms:
Solar flares are made up of high-energy particles resulting from explosions on the Sun’s surface. A geomagnetic storm can be defined as a major disturbance of Earth's magnetosphere that occurs when there is an exchange of energy from the solar wind into the space ecosphere surrounding Earth.
It has been estimated that the earth has been struck by more than 100 solar storms in recent years. In 2008, the National Academy of Sciences estimated that the damage and disruption of the grid caused by a severe solar flare could cost up to $2 trillion in damages, with a full recovery time of 4 to 10 years. According to former CIA Director Jim Woolsey, a rare geomagnetic super-storm would collapse electric grids and life-sustaining critical infrastructures everywhere on Earth, putting at risk the lives of billions.
EMP:
EMP describes pulses of energy that can be emitted from the blast of a nuclear weapon, portable devices like high power microwave weapons (HPMWs). A 2018 military study by the Air Force titled, “Electromagnetic Defense Task Force,” warned that an EMP weapon attack such as those developed by adversaries could destroy our way of life and displace millions. (View Military warns EMP attack could wipe out America, 'democracy, world order', the Washington Examiner)
Cyber threats:
EMP and Flares are not the only extreme threats to critical infrastructure. There have been attempted cyberattacks on grids and utilities, many via phishing and ransomware, and some have been successful. In 2014, a computer in the control room at Monju Nuclear Power Plant in Tsuruga, Japan, was subjected to malware, but possibly by accident. In 2015, South Korean hackers targeted Korea Hydro and Nuclear Power Company, but luckily to no avail.
Non-nuclear power plants have also been subjected to intrusions and breaches. A hack in Ukraine was held up as a prime example. In December 2015, hackers breached the IT systems of the electricity distribution company Kyivoblenergo in Ukraine, causing a three-hour power outage.
Refineries, dams and data centers have all been targets of cyber incursion, many by state-sponsored adversaries. According to the Department of Homeland Security (DHS) Alert (TA17-293A), threat actors have targeted government entities and the energy, water, aviation, nuclear, and critical manufacturing sectors since at least 2017 and, in some cases, have leveraged their capabilities to compromise victims’ networks.
In the federal civilian sector DHS’s new agency, Critical Infrastructure Security Agency (CISA), puts a keen focus on DHS’s integral role in cyber preparedness, response and resilience for critical infrastructure. CISA’s stated role is to coordinate “security and resilience efforts using trusted partnerships across the private and public sectors, and deliver training, technical assistance, and assessments to federal stakeholders as well as to infrastructure owners and operators nationwide.”
Risk Management Response:
On March 26, 2019, President Trump issued “Executive Order on Coordinating National Resilience to Electromagnetic Pulses” in an effort to assess the risks of such an attack to critical U.S. infrastructure. This Executive Order should lead to new investments in protecting The Grid from existential Solar Flares, EMP, and Cyber threats. There are very promising near-term technologies available that can help insulate critical infrastructure from solar and EMP risks. These solutions require urgent implementation to mitigate existing vulnerabilities. In addition, the fortification of cybersecurity through detection, encryption, automation and threat response are tools we have and can further develop to thwart potentially devastating cyber-attacks on critical infrastructure.
The Black Swan of Pandemics and Bio-terrorism:
We are all vulnerable and the vigilance to bio threats are necessary. The recent focus in the news over the outbreak again of infectious Ebola has once again alerted us to the threat of pandemics and bio-terrorism. This is not the first time the issue of biological risks has emerged. Back in 2002 and 2003, the Severe Acute Respiratory Syndrome (SARS) raised alarms over an epidemic. There was also the 2001 Anthrax scare, and the 2004 ricin letters. Measles is once again a contagious threat, and many forget that the 1918 Spanish Flu influenza pandemic killed more than 50,000 people.
In the study “Global Trends 2030” researchers found that, “No one can predict which pathogen will be the next to start spreading to humans, or when or where such a development will occur. An easily transmissible novel respiratory pathogen that kills or incapacitates more than one percent of its victims is among the most disruptive events possible. Such an outbreak could result in millions of people suffering and dying in every corner of the world in less than six months.” (View Global Trends 2030: ALTERNATIVE WORLDS, a publication of the National Intelligence Council.)
The frightening reality is that as technological sophistication grows, so does the spectrum of threat capabilities deployed by terrorists. According to Daniel M. Gerstein of Rand Corporation, “The proliferation of biotechnology coupled with the increasing use of technology by terrorists suggests a growing likelihood of a bioterrorist attack. Al Qaeda, in a previous version of its Inspire magazine, had called for like-minded scientists—biologists and chemists—to conduct attacks.” (View A Countering Bioterrorism Facility Worth a Second Look, The RAND Blog.)
Risk Management Response:
Many public sector organizations play significant roles in warning, treating, and protecting against infectious outbreaks. The World Health Organization, Centers for Disease Control and Prevention, the Health and Human Services, Department of Agriculture, and the Department of Defense are all experienced with the challenges that may arise when dealing with worldwide pandemic events. DHS also plays an important role in this area, especially when it comes to bio-surveillance and countering bio-terrorism.
Technological and pharmaceutical advances in recent years have provided some comfort in knowing the ability to detect and combat biological threats. However, a new super-virus pathogen and the bio-terrorist threat still looms large as a Black Swan potential threat.
The Black Swan of Malevolent Artificial intelligence:
The Research and consulting firm Gartner describes Artificial Intelligence (AI) as a “technology that appears to emulate human performance typically by learning, coming to its own conclusions, appearing to understand complex content, engaging in natural dialogs with people, enhancing human cognitive performance or replacing people on execution of non-routine tasks.”
AI can be a game-changer for accelerating cognitive capabilities and economic benefits. In the very near future, we will be able to develop an intelligence from AI that in itself will be an evolving form of sentience of the human. We will live in a world where human/computer interface will extend our human brain capacities, memories, and capabilities. We will create robots with the ability to reason and act.
But what if AI runs amok? A reminder of that possibility is of the sentient computer HAL in the science fiction movie a 2001 Space Odyssey who experiences jealousy and commits murder. Many great visionary minds such as Elon Musk, Bill Gates, and Stephen Hawking have expressed fears that our artificial creations may bring pitfalls. Will artificial intelligence pose a threat to humanity? At the very least AI will impact our privacy and work force, but it is not too difficult to imagine a scenario of self-replicating AI robots and control over humans with interfaced implants dictating our futures and controlling our networked environments. Or is it?
Risk Management Response:
With the development of AI, we will need to proceed with caution and an ethical framework. It’s evident that science and technology will pave our futures. How we harness and manage the tools and quantify the risk of emerging technologies such as AI can play a meaningful role lessening risk and consequences of a Black Swan event.
These are only three brief ponderings of potential Black Swan events. There are many others. For example, a meteor hitting Earth (that has happened a few times in the past), or a massive volcanic eruption that has the effect of a major nuclear blast. In all of these scenarios, there are public and academic agencies and organizations examining the implications and responses.
Black Swans and other threats really do come down to risk management and its basic applications. A good formula to apply is RISK = THREAT X VULNERABILITY X CONSEQUENCE. We can use this formula combined with new advanced computing to better predict, synthesize data, and mitigate extreme events. It is never too late to start planning.
A powerhouse by himself, Chuck Broks is a globally recognized thought leader and subject matter expert in Cybersecurity. Adjunct Faculty at Georgetown University in CyberRisk Management and Applied Intelligence programs. Chuck received two Presidential Appointments and served as an executive for several leading public companies. Named as ”The Top 5 Tech People to Follow on LinkedIn”, “Top 50 Global Influencer in Risk, Compliance,”and“ #2 Global Cybersecurity Influencer”. He is also a Visiting Editor of Homeland Security Today.