- If a cyberattack took a leading cloud provider offline for three to six days, the U.S. economy would lose at least $15 billion and $3 billion in insured losses, according to a Lloyd's report. The report is based off the expected impact on 12.4 million U.S. businesses.
- Businesses outside the Fortune 1,000 would be disproportionately impacted, accounting for 63% of the economic losses and 57% of the insured losses, according to the report. The heightened impact for companies outside the Fortune 1,000 stems from their increased adoption of cloud service providers.
- The outage of a leading cloud service providers would hit manufacturing the hardest, with the sector seeing economic losses of up to $8.6 billion. Wholesale and retail sectors would also face losses of up to $3.6 billion.
Since the advent of the cloud, businesses have operated with relatively few significant service disruptions from the major cloud vendors. The most recent example is of the Amazon S3 hiccup last February — which brought down huge swaths of the internet because of a mere typo.
Service disruptions can cause an hour or two of downtime, but Lloyd's projections of three to six days is unheard of.
That's because such a significant impact to a tier 1 provider — whether that's AWS, Microsoft, Google or other leading CSPs — would have to occur as a result of a "big time geopolitical event," said Martin Holste, CTO for cloud at FireEye, in an interview with CIO Dive.
The cloud is built for redundancy, with multiple power sources and distributed hosting. So to take down a tier 1 provider, it would take the coordination on par with cutting all the undersea cables at the same time.
Though cutting power to the grid or targeting undersea cables is similar to an act of war, "there is still very much the clear and present danger of nation states affecting our critical infrastructure," said Holste.
The increase in nation state threats, targeting businesses of all shapes and sizes, has put the cybersecurity community on notice. And the increase in frequency of attacks on critical infrastructure has remained headline news since the Ukrainian blackout in 2015.
But a cyberattack doesn't have to take down an entire tier 1 cloud service provider to be considered a cataclysmic event, according to Holste. It is more likely that a damaging cyberattack will impact on a smaller scale, whether that's targeting a city or an industry.