Great American cyber recovery in peril

THERE HASN'T BEEN MUCH GOOD NEWS IN CYBERSECURITY LATELY, STATES IAN THORNTON-TRUMP, CISO, CYJAX. HIS TAKE BELOW ON RECENT EVENTS REINFORCES THAT TO A WORRYING DEGREE

In the first three months of 2021, organisations were exposed by 0days in Microsoft Exchange and in Accellion's File Transfer Appliance (FTA), and there have been revelations of three more malware strains related to the SolarWinds Orion product. This brings the total number of malware families related to Orion to eight, attributed variously to Russian and to Chinese operators.

Just before we turned the dial to 2021, we ended the year with a chilling statistic from McAfee and the Center for Strategic and International Studies (CSIS): "Cybercrime costs the world economy more than $1 trillion, or just more than one percent of global GDP, which is up more than 50 percent from a 2018 study that put global losses at close to $600 billion." Given the action this year already, that figure is only likely to rise.

HAVE WE HIT ROCK BOTTOM IN CYBERSECURITY?
This is a hard question to answer, but the signs for cybersecurity, in my estimation, all point to an unsustainable situation. For the people who suffered as a result of the Texas winter storm, there is a 50-billion-dollar bill attached that now has to be dealt with. While that event had little to do with a cyberattack, I mention it here to provide some perspective: the climate and cyber spheres have far more in common than we think, and both are under a sustained global threat.

It was not a widespread cyberattack against the critical infrastructure of Texas that left thousands without power and water (as far as we know). In fact, the failure in Texas was of a far more human nature: over the past two decades, lawmakers failed to pass measures that would have required the operator of the state's main power grid to ensure adequate reserves to shield against blackouts, provided better representation for residential and small commercial consumers on the board that oversees that agency, and allowed the state's top emergency-planning agency to make sure power plants were adequately 'hardened' against disaster.

DRAWING A LINE FROM TEXAS TO CYBER
Thankfully, we have not seen a cyberattack that has resulted in tens of billions of dollars of damage - or have we? So far, the most impactful single cyberattack loss to be measured with any precision is the $1.3 billion that Merck has claimed from its insurers following the NotPetya attack that hit its computer networks.

It remains to be seen whether this amount will ever be paid (at least as I write), since the insurers argue that NotPetya was a "hostile act amounting to a war or terrorist attack" and are therefore denying coverage under some of Merck's policies.

On 16 August 2017, the Minamata Convention on Mercury, signed by 128 countries, entered into force. It is an international treaty designed to protect human health and the environment from anthropogenic emissions and releases of mercury and mercury compounds. The largest single source of those emissions is artisanal and small-scale gold mining, even though organic mercury compounds were first described in the 1800s, with fatal cases of mercury poisoning reported in 1865.

Despite clinical evidence accumulating from the 1900s onwards, and regulatory safeguards established in the 1960s and 1970s that were largely ineffective, the consensus after 156 years is: 'Mercury is bad for the environment and bad for humans.' In a word, it's 'toxic'.

The story of cybersecurity, or rather the lack of it, is like the demoralising story of mercury, and it's my hope that we reach a broad understanding that poor cybersecurity is also bad for the environment and bad for humans in a lot less than 156 years.

Like the human willingness to risk mercury poisoning in the pursuit of physical gold, we are mining virtual gold in the form of Bitcoin by burning energy at an alarming rate, with a high likelihood of future toxic effects: directly, through the environmental cost of that energy, and indirectly, by providing the payment rail for cyber ransoms.

BITCOIN SHOCKWAVES
An article in the BBC technology section headlined 'Bitcoin consumes more electricity than Argentina' ran on 10 February 2021 and did not receive nearly as much attention as it deserved. Buried within the article, however, was arguably an even more sinister detail.

According to David Gerard, quoted in the article: "Tesla got $1.5bn in environmental subsidies in 2020, funded by the taxpayer. It turned around and spent $1.5bn on Bitcoin, which is mostly mined with electricity from coal. Their subsidy needs to be examined." It certainly should be: Tesla's purchase propelled the virtual currency to unprecedented values, and the company made roughly $1 billion in paper profit on its Bitcoin investment, according to some estimates.

Earlier this year, aerospace firm Dassault Falcon Jet suffered an extensive data breach at the hands of the Ragnar Locker ransomware operators. The attackers had remained hidden on the company's network for more than six months, having used the 'Shitrix' vulnerability in Citrix ADC (CVE-2019-19781) to gain their foothold. They began encrypting data on 7 December 2020, having exfiltrated it first so that it could be held over the company regardless of whether it restored from backups.

EXPLOITATION AND RANSOMWARE
The cybercriminals demanded $2 billion in Bitcoin as a ransom. Exploitation and ransomware are the unfortunate consequences of being online but, as I alluded to earlier, there are far more impactful cyberattacks capable of inflicting millions, if not billions, in damages.

Take, for instance, this attack in 2013: 'AP Twitter hack causes panic on Wall Street and sends Dow plunging.' During the three minutes that the 'fake tweet' was circulating, it wiped $136 billion off equity market value. About an hour after it was over, the Syrian Electronic Army, an informal collective of hackers acting in support of Assad, claimed responsibility for the attack. Perhaps most concerning is that a single tweet by a celebrity on 21 February 2018 could wipe $1.3 billion off the market capitalisation of Snap. Those in western nations advocating a military cyber response to Russian attacks on SolarWinds and Chinese attacks on SolarWinds and Microsoft may have forgotten just how precarious a digital world we live in. Let's hope we back away from the 'cyber war drums' before we are shown precisely how vulnerable we really are.

ENTERING THE ERA OF CYBER DISASTER CAPITALISM
It's a sad state of affairs when we invest millions of dollars in cybersecurity and yet billions of dollars of damage can be inflicted by a tweet, because of the precarious digital environment we have created. Naomi Klein writes: "The appetite for easy, short-term profits offered by purely speculative investment has turned the stock, currency and real estate markets into crisis-creation machines." In a 2018 opinion piece on Bitcoin, Klein's labelling of some of the cryptocurrency industry's leading figures as "tax dodgers" seemed eerily to foreshadow the 2021 indictment of John McAfee and an associate over cryptocurrency promotional activities.

Given the current state of affairs, in which the ever-greater exposure of business systems to the internet seems inexorable, the 0day vulnerabilities in Microsoft Exchange, Accellion and others demonstrate that we are facing both a cybersecurity crisis and a broader tech industry crisis.

Anyone looking at the problem as an exclusively cybersecurity problem is not seeing the whole picture. "In early 1970, as a result of heightened public concerns about deteriorating city air, natural areas littered with debris and urban water supplies contaminated with dangerous impurities, President Richard Nixon presented the House and Senate a ground-breaking 37-point message on the environment."

It is once again time for American leadership, with the UK, EU and other Western nations supporting President Biden, in introducing an aggressive, protection-focused cyber legislative agenda that empowers a 'Cyber Protection Agency'. We need to see the kind of enforcement powers that the EPA unleashed against Volkswagen.

"Volkswagen said its 2015 diesel cheating scandal has cost it 31.3 billion euros (USD $34.69 bn) in fines and settlements." And in 2017, Oliver Schmidt, the US-based VW executive who oversaw emissions issues, was sentenced to seven years in prison and fined $400,000, the maximum possible under the plea deal the German national made with prosecutors after admitting to conspiring to mislead US regulators and violate clean-air laws.

The solution for the tech industry, and its related cybersecurity problem, is simple: hold organisations and individuals accountable for cybersecurity by requiring adherence to an aggressive regulatory framework. There is already a model for this in the environmental and financial services protection frameworks. They may not be perfect but, as they say, "perfect is the enemy of good", and what we need right now is something to clean up the global cyber environmental mess we have created. Twenty years of letting the 'cyber market decide' has only made us more vulnerable. Something has to change.