Quantum Matters: The Good, the Bad and the Ugly of Quantum Cybersecurity
With a US intelligence report confirming that President Putin authorised a pro-Trump influence campaign in the latest election, China and the US in a stand-off, and the recklessness of ransomware groups tolerated, and at times abetted, by state actors, geographical risk is at its highest in a long time. See my latest column in The Quantum Daily on how we are skirting the edge, and what steps can be taken to mitigate risk.
An assassination in Sarajevo. The subsequent chain of events ultimately leads to a world war. An estimated 20 million people die.
A small US bank succumbs to a cyberattack. Amidst carefully placed misinformation campaigns, bank runs and riots, the repercussions start to drag down the financial system. The US blames Russia, calls on NATO under Article 5, where an attack on one is an attack on all, and step-by-step the world explodes into the Third World War.
What unifies these two scenarios is that we are living in an era reminiscent of pre-World War I: the seeds of conflict are sown, irrigated by mistrust, and one spark can start a wildfire.
Last month at their Geneva summit Joe Biden made clear to Vladimir Putin where the US red lines in cybersecurity lie. “Certain critical infrastructure should be off-limits to attack, period,” said the US President. One of the 16 sectors mentioned was financial services. It is a given that the message was also aimed at China, Iran and other hostile states with a track record of cyberattacks.
The US government has been in contact with American banks this year to chivy them into increasing their cyber defences, while Federal Reserve Chairman Jerome Powell stated that cyberattacks are the biggest risk to the system. They can trigger a liquidity run and lead to solvency issues.
One of the most worrying possibilities is a supply chain attack. In a little-publicised paper published by the New York Federal Reserve, Cyber Risk and the US Financial System: A Pre-Mortem Analysis, the authors note that an attack on a significant service provider which connects small and medium sized banks has the potential to cause a systemic event. The concentration of banks using the few existing cloud providers, like AWS or Microsoft’s Azure, for instance, is a clear risk.
The authors also note that in a five-day cyber attack, nearly half of US financial institutions would run out of reserves by day five.
The top concern is not so much a provocation, as a misjudgement, ultimately leading to WWIII. Take the recent Colonial Pipeline attack by DarkSide. They planned to attack the business side, not the operational side, which is responsible for transmitting roughly 45% of East Coast fuel. They knew the latter would be perceived as an attack on infrastructure, bringing the might of the US intelligence services down on them for straying into the political arena.
“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for our other motives,” they swiftly posted on their Dark Web page, as they sought to excuse their error and distance themselves from suspicions of links to the Russian government.
There is no easy solution to the uncertainty of who is behind a cyber attack, nor to mishaps prevalent in a digital world.
But there is a clear need for key sectors to take a big step up in cybersecurity. Not least with China – which just celebrated the 100th anniversary of the Communist Party amid Taiwan fly-overs – on what looks ever more likely to be a collision course with the West.
Paradoxically, the quantum industry may be the answer to cybersecurity, while also being its biggest threat. The creation of quantum keys which are certifiably random – unlike the current RSA encryption and other standard ones – could provide hacker-free security. At least eleven global banks are exploring quantum safe protocols for security, ranging from JP Morgan to BNP Paribas and RBC of Canada, as reported here by The Quantum Daily (TQD). Around thirty-five quantum companies in countries ranging from Poland to Singapore are working on quantum cybersecurity products.
A handful of years down the line powerful quantum computers may be able to decrypt the data already being harvested by ransomware gangs and hostile nation states – yet another reason to experiment with current quantum cryptography.
Although information is hard to come by, China reportedly has quantum key distribution technology over fibre optic cable between Beijing and Shanghai. In essence, a quantum internet, providing hundreds of kilometres of totally secure communications.
The West is intent on catching up, with governments and companies spending large sums. Germany, for instance, announced in May a €2bn investment in quantum and related technologies, while a month later British start-up Arqit announced a link with defence company Northrop Grumman to explore its own end-to-end quantum encryption. Meanwhile, the US Department of Energy last year unveiled a blueprint for a quantum internet.
The Cold War arms race mostly involved creating weapons of destruction, the so-called Mutually Assured Destruction (MAD) doctrine which, arguably, kept the peace over many decades. In the 21st century, the most important advance in keeping world peace will be security and protection: Mutually Assured Defence – not as MAD.
Can quantum save the City?
This month we comment in The Quantum Daily on why the City needs to become involved in Quantum Computing, a $10bn market over the next few years. There is a great opportunity in servicing the UK’s 73 quantum start-ups – the second largest number in the world after the US – with fundraising & consultancy, while machine learning for portfolio optimisation, and cybersecurity and MedTech are all going to benefit from it.
Quantum needs to be part of the City Corporation’s recovery plan.
To note, I write this as a Senior Advisor to Cambridge Quantum Computing and a City champion.
From debt forgiveness to quantum
Empathy is the word that most marks 2020, a year in which companies worried about their employees’ mental health; the #MeToo movement forged ahead; #BlackLivesMatter took off, and Covid-19 led to the rediscovery of community.
Empathy will continue to have an impact in 2021 by being present in two upcoming trends: debt forgiveness and supply chain responsibility. As for the third fundamental trend, quantum cybersecurity, its eruption onto the corporate scene as an applicable and commercial technology will ignite a bonfire of innovation.
Boards would do well to anticipate how these key factors will impact their companies in 2021 and ensuing years, even as the pandemic continues to upend business and politics.
2021’s three unmissable trends
TREND ONE: DEBT FORGIVENESS
Covid-19’s devastating economic effects will continue to disproportionally hit the less skilled. Many of them are BAME and the owners of small and medium sized businesses (SMEs), whose access to credit depends on government guarantees.
Debt for SMEs ties into discussions about inequality in society. These will “continue to rise in volume and importance,” notes Alderman and Professor Michael Mainelli of the Zyen Group, who advocates a proper discussion by the financial services sector on the role of credit in the economy.
In the UK, for instance, the £43.5bn Bounce Back Loans Scheme consists of easily accessed loans of up to £50,000 with no interest the first year and a constant 2.5% over the next decade, all available through banks but guaranteed by the government. They constitute most of the government’s business debt schemes.
Pumping funds out to help small businesses stay afloat was a forward-thinking policy akin to the furlough scheme to ensure businesses kept employees on the payroll. Other countries came up with similar programmes.
The alternative was, and is, massive unemployment – predominantly amongst those who lack savings in the hospitality and retail trade. The Bank of England (BoE) has admitted there is a chance the unemployment rate could rise to 10% mid-2021.
Most pandemic-associated loans are unrecoverable due to lack of ability to repay, or fraud. The government itself had already estimated losses of 25% to 75% when it launched the scheme in the spring of 2020.
Talk of a ‘bad bank’ to park loans, swapping the debt for equity or a tax obligation, restructuring or creating preference shares – some solutions put forward by TheCityUK’s admirable report on recapitalisation of business post the pandemic – should only be completed for large businesses.
None of the debt manipulation schemes make sense for SMEs, creating a layer of complication and obligation for (mainly) struggling and understaffed businesses. On a societal level, they would be perceived as clearly unfair and create social tensions. If the government does not act voluntarily to cancel the debts, there could well be a rising backlash through social media and public demonstrations.
(Fascinatingly, the Bible speaks of the forgiveness of all debts every 50 years, the jubilee year, note Alexander Adamou and Ole Peters in a Royal Statistical Society paper, resulting in a radical reduction in inequality).
Let the government and the banks admit the Emperor has no clothes and write off the debt for small businesses. The US financial sector didn’t pussyfoot around after the financial crisis. As a result, it recovered faster than the European financial sector which kept unrecoverable loans on its balance sheet, a drag on new lending and growth. Although TheCityUK’s suggestions push much of the debt off-balance sheet, it would remain a burden on small business.
TREND TWO: SUPPLY CHAIN RESPONSIBILITY
There is a slight whiff of manufacturing to the phrase ‘supply chain.’ But the network between professional and financial services companies and their suppliers of services is just as much a supply chain, and one that will gain added prominence this year and in years to come, mainly in two areas: people and planet.
How you treat those not directly employed by the firm is going to become as important as how you treat your own workers. The outsourcing model of the last few decades will be under threat, having delivered value to shareholders in parallel to subtracting rights from workers.
Worst-hit by the pandemic, the low-skilled are moving into the spotlight of social justice. Interestingly, hedge fund Chanos is shorting gig economy companies such as food delivery platform Grubhub, betting that there is going to be a greater political focus on low-wage, precarious workers.
In the UK, there is a designated NED on the board with responsibility for the workforce, a recent advance in corporate governance – and not enough directors are aware that the duties extend to the outsourced workers in the supply chain.
Meanwhile, a new taskforce led by the City of London Corporation aims to reduce the number of senior City roles held by people from privileged backgrounds. This was a Treasury and business department social mobility initiative. Governments are going to become more involved in the supply chain of people, just as much as they are in that of products.
On the planetary front, 2020 was the year where the Covid-19 pandemic brought home the cost of ignoring the environment. Shareholder activism is rising. Mining giant Rio Tinto changed course on its Australian imbroglio on the back of it. Prescient Unilever announced the decision to put its climate action plans to shareholders every few years. Before too long, institutional shareholders like BlackRock and Schroders will insist all companies do so.
TREND THREE: QUANTUM CYBERSECURITY
Cybersecurity is the central challenge of our digital age, tweeted Microsoft CEO Satya Nadella in 2019, a challenge amplified by the move to home working in the pandemic. The IMF calls it “the new threat to financial stability.”
Cyberattacks as a foreign policy tool are growing in importance and capability, highlighted by the recent Russian hack of the Orion software which is widely used by US government and companies like Microsoft. Without going into too much detail, the enemy is still within the computer systems of an unknown number of those attacked. Meanwhile, cybercrime is predicted to inflict damages of $6 trillion globally in 2021.
Kamala Harris was ahead of her time when in 2011 as Attorney General of California she began work on setting up the state’s Cyber Crime Center.
Years later as a US Senator, she served on both the Homeland Security and Intelligence Committees, giving her unparalleled access to threat intelligence (one of only two Senators) and put forward a bill to invest in quantum computing. In 2018 the National Quantum Initiative Act became law, providing $1.25bn in funding between 2019-23 for the industry.
Kamala Harris is set to be one of the most active vice-presidents in US history and she is committed to quantum.
Cybersecurity based on existing quantum computing to protect security systems, data, networks and communications will be 2021’s great technological innovation. Quantum is no longer a decade away, as has so often been the case; it is here now.*
CONCLUSION
Developing themes for the future in an unparalleled, disrupted world to help guide CEOs and Chairs is arduous work. For the record, Robinson Hambro crows with pleasurable self-satisfaction at having called the retreat of globalisation in a 2015 presentation to the International Advisory Board of a bank. In a pre-Trump, pre-Brexit world that was no mean feat. Nor was our 2017 forecast on the four tornados of change that would slam into Big Tech and social media.
We aren’t always right – calling the end for President Putin in 2014 when he can now stay in power legally until 2036 was a tad premature – but on debt forgiveness, supply chain responsibility and quantum cybersecurity, Robinson Hambro is confident these trends are here to stay.
*I will dedicate a full column to quantum next month. Its importance to boards and companies cannot be overestimated.
Cybersecurity – the spies and the crooks
Collaboration key to minimising threat
What career advice do you give a young person leaving Cambridge with a double first in Classics and entering a graduate job market dynamited by Covid-19?
Heading into an industry with a Compound Annual Growth Rate (CAGR) of well over 13% has got to be an enticing option. Future projections are even more optimistic on the back of the coronavirus revolution in leisure and working practices. In fact, the cybersecurity market is already worth around $120bn, similar to the GDP of Morocco, while the cost of cybercrime is estimated at up to $2tr.
Back in 2019 Microsoft CEO Satya Nadella tweeted that cybersecurity is the central challenge of our digital age. His warning is amplified by the vast increase in online activity since the pandemic struck. The biggest vulnerability for companies is now a cyber breach via staff working remotely. For individuals, there has been a 667% increase in spear phishing attacks (a targeted scam) helped by the fact that “everyone’s grannie is now doing yoga online, a whole new population for cyber criminals to prey on,” quips Andy Bates, Executive Director at the Global Cyber Alliance (GCA).
In his 25-year career working with organisations ranging from the security services to NATO and telecoms group Verizon, he has seen cybercrime constantly mutate, adapting to where defences are easiest to breach and the largest opportunity lies. The unholy alliance of rogue states, criminal gangs, and individuals in their bedrooms is behind everything from the Facebook data breach earlier this year, where 267 million user profiles were hacked and then sold for a measly $540 on the dark web, to the TalkTalk hack in 2015 where two young men stole the banking information of over 150,000 customers. This was then followed by other criminals piling in to try and blackmail the CEO. Total cost to the company: £77m.
As financial services and other large firms build up their cyber defence at vast cost ($600m at bank behemoth JPMorgan Chase), criminals have moved to easier victims. “It is simpler to steal £100 pounds from 100,000 people or SMEs across hundreds of different legal jurisdictions than a million from a well-defended bank,” notes Mr Bates, speaking at a webinar hosted by the Worshipful Company of International Bankers.
In 2015 the proceeds of known cybercrime exceeded known physical crime, leading to the foundation of the Global Cyber Alliance in two of the largest financial cities in the world. The three founding partners, the City of London Police, the New York District Attorney’s Office and the Center for Internet Security, were soon joined by others including Bank of America and Lloyds Bank. Chaired by the head of Security Policy at Microsoft, Scott Charney, in its 5 years of existence this cybersecurity knight in shining armour has created free tools worth around £5000 per individual.
A not-for-profit organisation, GCA works across borders and sectors to enhance collaboration. It seeks to learn more about data to remove criminal web infrastructure. Its recently announced strategic partnership with ICANN is a case in point, aimed at cutting back on Domain Name System (DNS) abuse.
The auburn-haired graduate mentioned earlier did not find his lack of a computer science degree an impediment to landing a job in cybersecurity. “Hiring the usual suspects into your IT department makes no sense because they don’t think like the Russian Mafia,” says Mr Bates. Whether a Cambridge education is the best training for understanding an uber-criminal is a subject for discussion; it has historically proved a great education to become a spy. The collaboration between the security services of countries like China and North Korea and professional crooks means a Cambridge education may not be entirely wasted.
A few years ago the military realised that to recruit in-house hackers they would need to relax military discipline and dress. Covid-19 has lifted the stigma from working at home, so hiring somebody who wears a Motorhead t-shirt and has dreadlocks may no longer be such a stretch for corporates, notes Mr Bates. This is essential given that the average time to hack a company is 56 days while the average time to discover the hack is 190. Individuals are attacked on average 150 times a day.
While we hear about the major hacks, such as the recent one that saw requests for Bitcoin donations emanate (purportedly) from the Twitter accounts of famous people like Kim Kardashian and Bill Gates, the press doesn’t cover the millions that occur to individuals, SMEs, and larger companies that manage to avoid all media coverage. GCA’s free toolkit, which already protects around 150m people, can reduce the risk of cyberattack by 85%.
The financial services sector is the most obvious one for criminals to attack, while the electricity infrastructure is most likely to be attacked by enemy states. There were four failed attacks on the UK electricity grid last year, three by the Russians and one by the North Koreans. GCA, which counts a former head of European policing agency Europol on its board, is intent on encouraging intelligence sharing between the banks and the utilities to foster best practice and reveal more details on attackers.
Similarly, more collaboration between the private sector, the government and NGOs is crucial in the fight against crime and spying. Not least because distinguishing between criminal networks and country attackers is problematic: the latter often outsource their dirty work to the former, a shadow version of an economy’s supply chain.
And mistakes happen. Moller-Maersk, the world’s largest shipping container company, saw its computer screens go black on 27 June, 2017. To understand the scale of the disaster, it helps to know that every 15 minutes one of its massive ships docks in a port somewhere in the world, a complicated logistical and digital exercise. Recovery took ten days. The cost to the firm is estimated at $300m. To cap it all, the Danish company was not the intended victim. The Russian ransomware, known as NotPetya, was aimed at Ukrainian businesses as part of the troubled relations between the two countries, but Moller-Maersk’s office in Kiev accidentally caught the virus.
A much larger issue for internet security over the next five to ten years is quantum computing, which would break all known encryption. Although quantum computers currently lack the necessary processing power, the industry is advancing in leaps and bounds.
With over 4 million unfilled vacancies and the demand for neurodiversity to understand better an ever-changing threat, the cybersecurity sector has opened its arms to bankers, doctors, and a host of other professions, as well as the auburn-haired Cambridge graduate, my stepson, who is due to start his new job for a top cybersecurity firm this autumn. I wish him well.
END
GCA is looking to partner with financial services and other firms to help them combat fraud and create a safer internet.