From Breaches to Blackouts: The Human Consequences of Software Supply Chain Attacks

Steve Poole

Have you ever considered the impact of Cybercrime? How do your choices in terms of applying good security practices matter? Given that the current estimate for the annual bill worldwide is 9 Trillion US Dollars, there is obviously a significant financial reward for the bad guys, but have you ever wondered how that breaks down or if there’s more to their motivations and actions than just money?

This article will explore the financial element and broader human implications.

Setting the scene – 9 Trillion Dollars

That’s the current 2024/2025 estimate. The number is growing almost exponentially. Various groups calculate this number, from government agencies to involved commercial companies and not-for-profit organisations.

When you drill into the headline number, the impact becomes more understandable. There are five groups in this breakdown. Other breakdowns categorise the effects differently, but the overall picture is much the same. The percentages of each segment are probably accurate to within +/- 10%, so this picture is broad strokes. Use it for illustrative purposes only.

Segment                                      | Detail                                                                  | Rough estimate
---------------------------------------------|-------------------------------------------------------------------------|----------------
Direct Financial Losses                      | Theft, fraud, and ransomware payments                                   | ~ $3.0 trillion
Incident Response and Operational Disruption | Downtime, recovery operations, lost productivity                        | ~ $2.7 trillion
Regulatory and Legal Costs                   | Penalties, lawsuits, fines                                              | ~ $1.0 trillion
Reputational Damage                          | Customer loss, diminished brand value                                   | ~ $1.5 trillion
Indirect Impacts and Security Investments    | Cyber insurance premiums, security system upgrades, preventive measures | ~ $0.8 trillion

It starts with Software Supply Chain attacks

It’s possible to slice these figures in many other ways. We can estimate that ransomware attacks alone account for 20-25% of the total, about the same as data breaches and privacy violations. However you measure it, the attack categories are all individually worth trillions or significant fractions of one.

Software supply chain attacks, though, are different. They are often the foundational element of the others. Software weaknesses allow attackers to access systems. They enable ransomware, data theft, espionage, sabotage, and disruption. Software supply chain attacks are also at the root of most cyber-warfare activities.

No wonder software supply chain attacks are escalating rapidly. Estimates are that close to 1 million software packages are compromised, and the number is growing fast.

What is a Software Supply Chain?

A software supply chain refers to the entire ecosystem of developing, delivering, and maintaining software, from code creation to deployment. It includes source code, dependencies, CI/CD pipelines, build tools, package repositories, cloud services, and infrastructure.

For engineering managers, these are the elements that you consider when ensuring security, compliance, and efficiency in how software is built and deployed. For executives, it’s about risk management, regulatory compliance, and business continuity.

Here’s the rub. When we talk about software supply chains, we’re not just talking about the elements you control. Your software supply chain includes the supply chains of your dependencies, tools, and platforms, and the supply chains of their dependencies in turn, all the way down.

The 10% Factor

In a modern application, only about 10% of the code involved is written by the producer. The other 90% comes from the (primarily) open source tools, frameworks, libraries, and platforms needed to realise the application. That means 90% of the code is shared with others. Software vulnerabilities are rarely in your code. They are in the code you consume, and the more popular that third-party code is, the more appealing it is to the bad guys.

Supported or Not?

Another significantly unsettling statistic: of all the open source out there, the OpenSSF statistics tell us that only 11% is maintained. That means, on average, your application has support for less than 20% of its code: the 10% your team has written and the 9.9% that comes from maintained open-source projects.

The software industry is certainly not paying attention to a growing tide of bad actors – whether motivated by greed, politics or military objectives.

Consequences and Risks

The use of vulnerable software is widespread. Governments, standards bodies, and industry groups are making significant efforts to address this situation. Unfortunately, the software industry is still in denial. Software creators everywhere are struggling to find a balance between reducing risks and maintaining a competitive advantage. That would be understandable if it were just about money.

Although software supply chain attacks often start as technical breaches, they can quickly escalate into scenarios with severe human consequences.

We always use the term ‘risk’ when discussing software security, which gives the conversation a financial flavour. We think in terms of insurance. We ask, “How much risk should we take?” as if we’re placing a bet, which insurance sort of is. It’s the wrong way of framing the question.

Russian roulette is a kind of bet too, but not one you’re likely to want to take. Kidding aside, we’re past financial risk at this point. The ease of exploitation by criminals and military cyber-groups means that we have to start asking ourselves, “How many people will die if we don’t fix this vulnerability?”

There have been indications before that people have been harmed by cybercrime, but as an indirect consequence. Ransomware attacks on hospital systems are obviously likely to cause delays to patients seeking treatment, and, no doubt, there have been people harmed or who may have died due to this.

Now we’re seeing attacks that are deliberately aimed at hurting people.

The Human Element

Since Stuxnet in 2010, we’ve been aware that there are types of attacks aimed at hardware, where software is the delivery vehicle. These attacks are escalating. Even ransomware is evolving, and direct harm to humans can be part of the equation. We’re seeing direct examples where ransomware is effectively blackmail: pay up or people will get hurt. The threat that was only implied in earlier attacks on medical centres has become explicit.

The ransomware attack on Change Healthcare in 2024, one of the largest US healthcare technology companies, disrupted medical billing and prescription services nationwide. Several reports suggest delays in medication access, postponed surgeries, and financial strain on hospitals, directly impacting patient health.

A 2023 ransomware attack on a University of Alabama at Birmingham Hospital led to system outages affecting patient records and delaying treatments. A pending lawsuit alleges that a baby died due to these disruptions.

Another 2023 cyberattack on a third-party NHS IT provider caused significant disruptions in ambulance dispatch systems, leading to delays in emergency response times.

More Examples

A few more examples to illustrate this alarming reality clearly:

  • Colonial Pipeline Attack (2021): Hackers disrupted fuel supplies across the United States, causing panic buying, shortages, and widespread economic disruption.
  • Saudi Aramco Petrochemical Plant (2017): Cybercriminals attempted to trigger an explosion, directly threatening human lives and environmental safety.
  • Water Utility Hacks in Florida (2021) and Pennsylvania (2023): Attackers targeted utilities supplying essential services, narrowly avoiding large-scale health crises.
  • Tesla Remote Unlock and Start Exploit (2023): Researchers demonstrated a vulnerability in Tesla’s Bluetooth Low Energy (BLE) authentication that allowed remote unlocking and starting of vehicles.
  • Medtronic Insulin Pump Vulnerability (2023): Vulnerabilities were disclosed in Medtronic’s insulin pumps that could allow an attacker to modify insulin delivery.
  • Philips Medical Imaging Equipment Hackability (2024): Vulnerabilities in Philips medical imaging systems were flagged as potentially allowing attackers to manipulate diagnostic results or disrupt scans.

Each of these incidents underscores the evolution of cyberattacks, from financial nuisances in the beginning to existential threats today. Organizations must rethink how they define and approach “risk”. It’s time to shift the focus to the potential human consequences rather than purely financial implications.

Thinking differently about Vulnerabilities

Next time a security scan flags a vulnerability, consider the impact more carefully. Consider the consequences for the consumer and for your software creation process. Look beyond the public impact score and examine the vulnerability within your unique circumstances. Don’t disregard vulnerabilities in the build tools, compilers, etc. They are part of the software supply chain too, and if compromised, they can be used to infect your software. If the component implicated is challenging to upgrade, consider whether it’s still needed. Components that have had vulnerabilities are often likely to acquire more later on. Poor software engineering practices can lead to repeated failure to detect problems, so it can be in your best interests to move to an alternative, saving time and effort and reducing exposure.
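The paragraph above is a triage procedure: start from the public score, then adjust for your own circumstances (is the vulnerable code reachable, what happens if it is exploited, is the component a build tool, is it still maintained, is it a repeat offender) before deciding between upgrading, replacing and accepting. The following is an added example of that procedure, not code from the article and not any real scanner's output format. The findings, packages, weights and thresholds are constructed sample values, and the finding identifiers are placeholders rather than real advisory numbers.

```python
"""Context-aware triage of dependency-scan findings (constructed example)."""
from dataclasses import dataclass


@dataclass
class Finding:
    ident: str            # placeholder id, not a real advisory number
    package: str
    public_score: float   # severity as reported by the scanner, 0-10
    fix_available: bool


@dataclass
class Context:
    role: str             # "runtime", "build-tool" or "test-only"
    reachable: bool       # is the vulnerable code path actually used in your product?
    consequence: str      # worst plausible outcome: "financial", "service-outage", "physical-harm"
    maintained: bool      # does the component still have active maintainers?
    prior_findings: int   # how many earlier findings this component has had
    upgrade_effort: str   # "low" or "high"


# Constructed weights: the point of the article is that harm to people
# outweighs money, so physical-harm dominates the ranking.
CONSEQUENCE_WEIGHT = {"financial": 1.0, "service-outage": 1.5, "physical-harm": 3.0}


def contextual_score(f: Finding, c: Context) -> float:
    """Re-weight the public score using facts about your deployment."""
    score = f.public_score
    if not c.reachable and c.role != "build-tool":
        score *= 0.5                    # unreachable runtime code: lower, but not zero
    if c.role == "build-tool":
        score = max(score, 7.0)         # a compromised build tool can taint everything you ship
    score *= CONSEQUENCE_WEIGHT[c.consequence]
    if not c.maintained:
        score += 1.0                    # nobody will fix the next one either
    score += min(c.prior_findings, 3) * 0.5   # repeat offenders tend to stay repeat offenders
    return round(score, 2)


def recommend(f: Finding, c: Context) -> str:
    """Map the contextual score and the component's history to an action."""
    score = contextual_score(f, c)
    if not c.maintained and c.prior_findings >= 3:
        return "replace"                # unmaintained repeat offender: stop consuming it
    if f.fix_available and (c.upgrade_effort == "low" or score >= 7.0):
        return "upgrade now"
    if not f.fix_available and score >= 7.0:
        return "isolate and plan replacement"
    if score < 3.0:
        return "accept and monitor"
    return "schedule upgrade"


def triage_all(findings, contexts):
    """Return (ident, contextual score, action) sorted by contextual score, highest first."""
    rows = [(f.ident, contextual_score(f, contexts[f.package]), recommend(f, contexts[f.package]))
            for f in findings]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample scan output and the matching deployment context.
SAMPLE_FINDINGS = [
    Finding("FINDING-EXAMPLE-1", "image-parser", 9.8, fix_available=True),
    Finding("FINDING-EXAMPLE-2", "log-formatter", 7.5, fix_available=True),
    Finding("FINDING-EXAMPLE-3", "build-plugin", 4.3, fix_available=True),
    Finding("FINDING-EXAMPLE-4", "test-helper", 5.0, fix_available=False),
]
SAMPLE_CONTEXT = {
    "image-parser":  Context("runtime", True, "physical-harm", True, 1, "high"),
    "log-formatter": Context("runtime", False, "financial", False, 4, "low"),
    "build-plugin":  Context("build-tool", False, "service-outage", True, 0, "low"),
    "test-helper":   Context("test-only", False, "financial", True, 0, "low"),
}

if __name__ == "__main__":
    for ident, score, action in triage_all(SAMPLE_FINDINGS, SAMPLE_CONTEXT):
        print(f"{ident}: {score:>6}  -> {action}")
```

Two things the ranking shows that the public scores alone do not: the build plugin with a modest 4.3 ends up second, because anything that can alter your build can alter everything you ship, and the unmaintained log formatter with four earlier findings is marked for replacement rather than yet another upgrade, even though a fix exists.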

Moving forward

Changing the status quo is challenging. Many governments worldwide are involved and are working with various industry groups to define countermeasures. Unfortunately for the software industry, this is more stick than carrot.

Changes are coming that will bring rigour and regulations, not to mention financial and personal consequences, to those involved in creating software. New laws are being enacted, and existing ones are being extended or amended. For instance, the EU is expanding its product liability directives to cover harm caused by software.

For executives, this new reality demands urgent action. Organizations must assess internal impacts and how disruptions affect users, suppliers, and the broader public. What happens when essential services become unavailable due to cyberattacks? Could your company’s software inadvertently become a weapon in attackers’ hands?

Businesses have a responsibility to protect the public proactively. Transparency about potential vulnerabilities and clear communication of preventive measures are essential. Incorporating robust practices such as continuous software monitoring, stringent security assessments, and transparent vulnerability disclosures can mitigate human consequences.

Developers, too, have a crucial role. Choosing secure, up-to-date software components and rigorously vetting third-party dependencies reduces vulnerabilities. Improving build and delivery processes in alignment with evolving legislation enhances security and safeguards human lives.

As cyber threats become increasingly aggressive and directly harmful, protecting human lives must drive the response to software supply chain attacks. Both software producers and consumers hold shared responsibility. Proactive steps today could prevent catastrophic human outcomes tomorrow.

Up for the next chapter?
In his article and JCON talk, Steve Poole explores the critical role of software quality in tackling today’s security challenges. While the article highlights the human consequences of supply chain attacks, his session shows how resilient API design lays the foundation for secure, future-ready software. Missed JCON? The session video will be online after the event – don’t miss it!
