Double trouble with ‘silent silent’ cyber

In September 2014, hackers breached the computer systems at the National Oceanic and Atmospheric Administration, resulting in its website being taken down and satellite imagery becoming unavailable to agencies who relied upon it.

The incident highlights a phenomenon that Scott Stransky, assistant vice president and principal scientist at risk modeling firm AIR Worldwide in Boston, calls “silent silent cyber.”

Silent cyber refers to any policy that doesn’t include or exclude cyber coverage, but silent silent cyber is the risk to noncyber policies that can be indirectly exacerbated by a cyber event.

A more recent example, Mr. Stransky said, occurred in April in Dallas, when a radio frequency trigger hack set off every one of the city’s 156 emergency weather sirens. Roughly 4,400 calls poured into the city’s already understaffed 911 call center, according to news reports, resulting in significant delays.

“I think the biggest concern is that when a real tornado comes to Dallas, people may hear the sirens and ignore them,” he said. “We may not see the consequences for several years, but if there’s a tornado heading toward Dallas, it could be an issue.”

While sounding the sirens themselves wouldn’t be expected to lead to much loss, Mr. Stransky said drivers could have been distracted by the sudden blaring and gotten into accidents. People might have had heart attacks or panicked and started looting or behaved in some other way that could have led to insurance and economic losses, he said.

Despite the fact that the Dallas incident was sparked by a radio frequency, Mr. Stransky said he believes it can be considered a cyber attack.

“All that means is you don’t know what you don’t know,” Sarah Stephens, head of cyber for JLT Specialty Ltd. in London, said of silent silent cyber risks. “We couldn’t imagine this scenario, and then it occurs for the first time and you realize that it’s there.”