Climate change may not be an issue synonymous with cyber security, but there is a growing need for the security sector to recognise and address the impact a changing climate is having.
A new report from the World Meteorological Organization (WMO) stated that there is a 50 per cent chance that, during the next five years, the global average surface temperature will exceed 1.5°C above the preindustrial average for the first time in an individual year.
Climate-related factors such as shifting weather patterns, resource availability, and mass migration could alter the cyber threats organisations and governments face, introducing new or heightened risks in an already complex landscape.
Despite this, climate change remains a little-discussed topic of risk in boardrooms and teams within most enterprises, according to cyber security advisor, researcher, and change maker Chloé Messdaghi.
“I’ve met with various executives in cyber security who have yet to discuss the potential impact of climate change to their business,” she wrote in a recent blog post. “When climate change is mentioned, it’s usually dismissed. Dismissed due to deniers of the existence of climate change or simply because they haven’t found the time to understand the potential risks.”
Climate change is one of the biggest challenges facing the future of the cyber security sector, Messdaghi tells CSO, and the topic must become higher up the agenda across businesses to address its implications.
Here are four reasons why the cyber security sector cannot ignore – and must takes steps to address – climate change.
1. Critical resources become key attack targets
One of the most significant aspects of climate change is its effect on accessibly to key resources. For example, periods of drought can limit access to clean water while heavy storms can knock out electricity and gas pipelines, potentially leaving people without power, heating and food.
When such critical resources are threatened, they and the systems that supply them become highly attractive attack targets for malicious cyber actors seeking to cause maximum havoc at times of crises.
Messdaghi cites droughts in California as a prime example.
“Water resource becomes very limited, and it becomes something very sacred, that we want to protect," she added. "If you think about nation state actors and how they may want to attack California in the future, the best way may be to go after its clean water. With climate change, the weather is going to get ever more severe and unpredictable, and that means changes and challenges towards our businesses.”
A recent joint cyber security advisory has already warned of advanced persistent threat (APT) adversaries using custom-made tools to attack industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices, and in the event of key resources becoming limited, the likelihood of nation state actors or criminals taking advantage with attacks such as ransomware or DDoS increases.
The advisory advocated for organisations in the space to implement enhanced security approaches to address growing threats posed to ICS/SCADA systems.
2. Power outages, energy shortages threaten cyber security protection
Heightened attacks targeting critical resources and systems are not the only security concern associated with climate change. Violent storms and drought-induced forest fires can lead to power outages and take systems offline, with renewable energy shortages adding to challenges.
Security providers that rely on data centres to deliver their services could find themselves unable to do so, leaving organisations vulnerable, KnowBe4 CEO Stu Sjouwerman tells CSO. Vendors that are tied to one location could struggle, and so it’s important for businesses to invest in providers that take an agile approach to operations that can be moved at short notice, he added.
“It is also possible that crisis response to a major weather event – as part of a business continuity response – could lead to security corners being cut to restore services more quickly,” said Andrew Barratt, vice president of cyber security consultancy Coalfire.
3. Mass migration increases remote working risks
Climate-associated factors such as rising temperatures are beginning to make some global locations less habitable, with more extreme conditions threatening to trigger mass migration across towns, cities, states and even national borders. This poses another potential security headache, and one that has already come to fruition throughout the COVID-19 pandemic.
As the last two years have shown, when large numbers of people are forced to suddenly relocate, it can disrupt established working patterns and force individuals to adopt remote, riskier habits such as using less secure internet connections, devices, and network access points for work purposes.
Organisations have had a “good run” at tackling this during the pandemic where remote/hybrid working has become a trend, said Messdaghi, but it’s still an issue to acknowledge in the future as more established working patterns return.
“It’s about having an agile and trusted identity and authentication process where you’re able to view and see where people are connecting from and making sure that you have all the precautions possible to eliminate potential risks,” she added.
4. Climate-related financial and logistical challenges emerge
Climate change is also creating new financial and logistical challenges for organisations as security endeavours to keep up with threat demands, Peter Lowe, principal security researcher at DNSFilter, said. “As threat actors worldwide become more professional and organised, our preparations, defences and responses need to keep up, and all that means increased dedicated cyber security resources.
With climate change pushing up energy prices and imposing geographic restrictions, our choices of how to deploy resources are being limited, so as well as keeping up on a technical level, new logistical and financial challenges are starting to appear. New cyber security technologies and defences must be carefully weighed as to how they’re decided on.”
This means greater care and attention is needed regarding where money is spent and in selecting the choices with the lowest environmental impact, which can make the vendor research process longer and more costly, Lowe added.
“Data centre selection and workforce deployments need to consider where renewable energy is being produced, and what the impact is on the local environment. City centres or other areas with high pollution levels need to be avoided, and remote workers from regions with a lower environmental footprint must be considered even if they cost more or are less convenient.”
Supply chains are also an integral factor to consider, both from a resilience perspective with potential disruptions more likely from climate change events, but also from the standpoint of environmental impact, Lowe said.
Cyber security’s role in addressing climate change
Cyber security vendor Rapid7 established its own Environment Sustainability Committee in 2020. Raj Samani, Rapid7 senior vice president, chief scientist, told CSO that the cyber security sector, as part of the wider technology industry, must address climate change.
“Climate change is no longer an issue which the technology and cyber security industries can turn a blind eye to. The industry has already had an impact on climate change, with the ICT industry being responsible for between 2-4 per cent of global carbon emissions.
"Additionally, it is not just carbon emissions that the industry is pumping out, but also high energy usage. For example, the sector’s electricity usage is estimated at seven per cent, and cryptocurrency has a 0.55 per cent demand for electricity production.”
Demands for technology are increasing, and it becomes the industry’s responsibility to do something, Samani added. “The technology sector has the opportunity to lead change; a report by the International Telecommunications Union showed technology can help monitor the climate, support food security, and stop deforestation.”
The cyber security sector must not underestimate its power to drive change, and there are measures it can put in place to address climate-related problems, Samani said.
“Organisations need to be measuring major greenhouse gas (GHG) emissions, so business leaders can identify which departments have the greatest impact on climate change. A regular review of GHG emissions will allow the cyber security industry to reduce carbon-intensive activities and improve energy efficiencies and the procurement of renewable energies.”
Offices should have goals, practices, and metrics in place to create more sustainable workspaces, such as waste audits in headquarters and large offices to measure waste reduction along with banning single-use items to help reduce landfills, Samani said.
Changes already appear to be happening in the sector, for example, with UK cyber security services company Bridewell recently announcing it has become carbon negative, making it the first UK cyber security organisation to achieve carbon net zero in accordance with recognised standards.
The firm said it reached net zero through a combination of initiatives, including a switch to renewable energy, offsetting, and climate projects, stating that it wants its journey to act as a blueprint for those looking to drive sustainability improvements and that it is sharing its experiences with other like-minded businesses and customers to help embed sustainability into their cyber security strategies.