As our critical infrastructure and service providers become increasingly inter-connected, and leverage common hardware, software and vendors, the nation’s cyber risk level is dramatically increasing. Although more attention has been paid to managing systemic risk in the wake of the SolarWinds and Exchange server attacks, most cyber risk management efforts still focus on codifying firm-specific best practices and incentivizing individual companies to adopt them. For example, the leading cyber risk management frameworks – provided by the National Institute of Standards and Technology (NIST), the ISO/IEC 27000 series and the Center for Internet Security (CIS) controls – focus largely on protecting a company’s own networks and assets. However, numerous examples demonstrate that risk manifests not only at the individual company level, but at the systems level, cascading across suppliers, vendors, business partners and customers. Cyber risk management needs to advance materially and marry company- and systems-level views of cyber risk. This chapter aims to further frame the dynamics of systemic cyber risk. First, it provides definitions of firm-specific and systemic cyber risk to establish clarity and level-set. Next, it briefly describes a few recent systemic cyber risks to give the reader better context. Then, it reviews the current framework for assessing cyber risks to National Critical Functions (NCFs) and recommends enhancements. Last, it offers recommendations for work that can be done by the Federal government, in collaboration with industry, to better defend the nation’s critical infrastructure from systemic technology failure.
Combining Technology, Public Policy and Economics to Create a Sustainable System of Cybersecurity