The Disturbing Inevitability of Cyberattacks

8/21/17
 
 

By Brian E. Finch,

from The Wall Street Journal,
8/21/17:

While a systematic cataclysm is possible, targeted hacks against businesses do more harm.

A small but growing number of cybersecurity experts warn that we are a few keystrokes away from a dystopian world with no lights, running water or modern communications. Some even argue that it will take such a disastrous attack to jolt us into finally building more effective virtual defenses. While the possibility of large-scale cyberattacks gets the lion’s share of attention, chaos by small doses is more probable.

Government and private businesses have invested billions of dollars in cybersecurity measures to protect critical infrastructure, dramatically decreasing the likelihood that hackers could bring about another Stone Age. While rogue squirrels nesting in utility components are responsible for thousands of blackouts, cyberattacks have caused few. Recent incidents reveal a far likelier scenario: paralyzed operations for countless businesses. And even concerns about cyberattacks against business operations have historically taken a back seat to worries about personal data hacks, which can affect millions of individual consumers.

Hackers are increasingly turning to “ransomware,” a type of virus that encrypts computer systems and data without the owner’s approval. Unless prepared to pay a “ransom” to the hacker, the victim is effectively blocked from ever again accessing the system. Ransomware attacks are bad enough, but their effect can be much worse if the damage is irreversible. And that is exactly how “NotPetya,” the latest in a string of global cyberattacks, appears to be playing out.

Businesses of all sizes are suffering significant and lasting damage due to NotPetya because it appears to be modified ransomware code that has no unlock key (even when payment is made). One multibillion-dollar consumer-goods conglomerate, Reckitt Benckiser Group, has had many of its supply-chain systems rendered inoperable by NotPetya, leading to shipment delays, invoicing issues and manufacturing problems. Those business disruptions are expected to cost the company close to $130 million.

FedEx has also been hit hard by NotPetya.

Smaller businesses are also vulnerable. One rural hospital in West Virginia had its systems so badly infected by NotPetya that it is being forced to replace its entire information-technology infrastructure.

A hospital system in Pennsylvania canceled surgeries due to NotPetya.

Ransomware is not the only threat. The online world is awash in destructive viruses and poorly built malware that causes unintentional harm. Still, the ransomware plague illustrates a larger point: businesses of every size are vulnerable. Someday a company will take a fatal hit to its revenue or reputation.

Fortunately, much can be done to mitigate these threats. For starters, the federal government can spur increased cybersecurity through wider use of the Safety Act of 2002, a law that provides liability protections for companies that use proven defensive technologies. Such protections will help protect companies against lawsuits claiming that they—not their hackers—were responsible for a successful cyberattack.

Next, rather than creating a gargantuan new cybersecurity agency, the federal government should empower existing cabinet agencies to act more quickly against cyberthreats. The government also must take the fight to the hackers. Arrest them. Name and shame foreign governments who enable cyberattacks or host hackers on their territory. These aggressive measures have led to material decreases in hacks.
