Where climate change and cyber attacks intersect
One session at RSA Conference 2023 focused on climate change -- a topic that is not commonly featured during cybersecurity conversations, but should be.
We've all heard about the effects of climate change: More frequent and extreme weather events are occurring and will only continue. Sea levels will continue to rise. Agriculture and food security will be at risk. Physical and mental health will be affected. More pandemics will occur. Communities will be displaced. The economy will be affected. Animals and humans will die. Species will go extinct.
Those are all important -- but what does climate change have to do with cybersecurity? And why did Chloé Messdaghi, CEO and founder of Global Secure Partners, talk about it at RSA Conference?
"No direct causal relationship between climate change and cybersecurity exists," Messdaghi admitted during her presentation. But the key takeaway is that climate change will result in more cyber attacks, she said.
The connection between climate change and cyber attacks
"Climate change increases cyberthreats, instability and disruptions that can be exploited by cybercriminals," Messdaghi said. In particular, she noted the following effects:
- Extreme weather events can damage physical infrastructure, including data centers, servers and critical IT systems, leaving them vulnerable to attack. During Hurricane Sandy in 2012, for example, major data centers were affected, leading to internet disruptions. A 2018 earthquake and tsunami in Indonesia damaged underground cables, interrupting internet connectivity, mobile networks and financial transactions.
- Supply chain issues, especially for industries that rely on raw materials, energy and transportation, might occur as a result of climate change. "When supply chains are disrupted, businesses turn to alternative suppliers or adopt new technologies to maintain production levels. These changes can create new vulnerabilities in the supply chain for cybercriminals to exploit," Messdaghi said. This was evidenced during the 2011 floods in Thailand, which shut down hard drive manufacturers and forced many organizations to use other suppliers for their hardware needs.
- Remote work boomed at the start of the COVID-19 pandemic and continues strongly today. "Remote work creates new security risks, such as insecure home networks or personal devices used for work purposes," Messdaghi said. "[Security team] burnout will definitely be on the rise if you're working from home and all these [technology] shifts with new risks happen and new pandemics occur."
- Green technology adoption -- or adoption of any new technology -- introduces new attack vectors. If these systems are not properly secured, attacks on them could result in disruptions or loss.
- Nation-state attacks could increase as a result of geopolitical instability caused by climate change, Messdaghi said. Cyber attacks will target critical infrastructure, seek to infiltrate new technologies, and exfiltrate intellectual property related to clean energy and climate change.
- Cloud services, adopted by many organizations in an attempt to reduce their carbon footprint, bring new cloud-specific threats and vulnerabilities to address.
- IoT devices, adopted by many organizations to manage and monitor climate risk, come with their own set of security considerations and issues.
- Social engineering will see an uptick as climate change causes more catastrophic events. "Social engineering attacks have more success when chaos is happening," Messdaghi said, citing the increase in phishing scams during the COVID-19 pandemic.
How the IT industry -- and cybersecurity industry -- affects climate change
The cybersecurity industry might not be directly responsible for climate change, but it is part of the larger IT industry that is responsible for the following major climate change contributions:
- Data centers consume a lot of energy, rely on fossil fuels and generate a lot of emissions. According to the International Energy Agency, global data centers use up to 320 terawatt hours of electricity annually, or about 1.3% of global electricity demand -- more than the energy consumption of Iran. Data center transmission networks use up to 340 terawatt hours of electricity annually, or about 1.4% of global electricity demand. Combined, they contribute 0.6% of total greenhouse gas emissions.
- Crypto-asset activity globally creates about 140 million metric tons of carbon dioxide (CO2) annually, or about 0.3% of global greenhouse gas emissions. In the U.S., it contributes up to 50 million metric tons of CO2 emissions annually -- up to 0.8% of total U.S. greenhouse gas emissions. Sierra Club and Earthjustice reported that cryptomining in the U.S. from mid-2021 to mid-2022 created 27.4 million metric tons of CO2 emissions -- three times the emissions of the largest coal plant in the U.S. in 2021.
- AI consumes immense energy. Training a single AI system can create 250,000 pounds of CO2 emissions. AI across all sectors produces approximately the same amount of CO2 emissions as the aviation industry.
How to reduce risk
Mitigating the vulnerabilities and risks of attacks related to climate change doesn't necessarily require anything other than standard cybersecurity best practices. "We should all be doing these things anyway," Messdaghi said, listing the following key security tasks:
- Conduct risk assessments.
- Develop a cybersecurity plan.
- Implement strong encryption and authentication protocols.
- Collaborate with other organizations.
- Develop a business continuity plan.
- Stay up to date with emerging threats and vulnerabilities.
- Develop a strong security culture.
- Educate employees.
- Create and maintain an incident response plan.
- Develop partnerships with law enforcement and government agencies.
In terms of climate change specifically, Messdaghi recommended security teams collaborate with others in their organization and do the following:
- Know your organization's carbon footprint.
- Promote remote work and reduce travel.
- Adopt green tech and renewable energy resources.
- Promote policies and regulations that support sustainable practices.
While green cybersecurity hasn't been a big part of the climate change conversation, it will -- and should -- get more attention. As a start, Messdaghi suggested creating and adopting green cybersecurity tech and policies, such as smart grid cybersecurity, green IT cybersecurity and sustainable cybersecurity.
Messdaghi also recommended that cybersecurity be part of the environmental, social and governance (ESG) conversation, if there is one at all. If an organization hasn't had a climate change conversation yet -- and many organizations haven't -- it's time to start. And security should be represented in it.
"Be that leader. Put yourself in that room," Messdaghi said. She urged security leaders to focus on resilience, becoming sustainable and educating their team so that it can address the effects of climate change -- starting with cyber attacks.
"We have to do better," Messdaghi said. "Change is possible."