January 7, 2021

This post is a one in the “Rethink Cybersecurity” series. Additional posts in this series are available here

The world was caught by surprise in May 2017 by the WannaCry ransomware attack. In June of the same year, a more damaging attack – NotPetya – infected many major global corporations leading to IT infrastructure damage and business disruption. The two events caused over $10 billions of economic loss and serve as a dramatic reminder of the potential for cyber-attacks of a systemic nature to cause damage at scale.

The common element across all of them is the reliance on a widely used software product or vendor. Failure of the central product or counterparty leads to widespread losses and cascading impacts. The number of these multi-party “ripple” events is growing – Cyentia Institute and Risk Recon report that such incidents are increasing at an average annual growth rate of 20%. Over the last ten years, more than 800 multi-party events have occurred resulting in downstream damages to nearly 5,500 entities. Cyentia estimates that the median financial cost of ripple events is 13x larger than single-party incidents. This is a significant challenge to national security that requires collaborative action across industry and government.

Notwithstanding the traditional focus on cyber risk to entities (companies/government agencies) numerous examples demonstrate that risk increasingly manifests not only at the individual level, but at the systems level, cascading across suppliers, vendors, business partners and customers.

On May 12, 2017, many companies were significantly impacted by a ransomware attack, which has been attributed to North Korean state actors. “WannaCry” exploited a common vulnerability in unpatched and unsupported versions of a widely used operating system. It spread globally to 200,000 computers in a period of four days before it was stopped by a security researcher who discovered a “kill switch.” Impacted companies had data encrypted and were asked to pay a ransom in Bitcoin to recover it. The result was significant business disruption, data and income loss; some estimates suggest that the WannaCry attack resulted in $4 – $8 billion of economic loss.

A month later, a more damaging attack called “NotPetya” was launched. Numerous governments have concluded that this attack was launched by the Russian military with the intent to destabilize Ukraine. Companies operating in Ukraine, using a dominant accounting software called “MeDoc,” with unpatched operating system vulnerabilities, were most heavily impacted. The attack resulted in major business and industrial manufacturing disruption and other financial impacts. Some estimates suggest that NotPetya resulted in over $10 billion in global economic damage.

In a highly targeted August 2018 attack, a malicious actor gained access to the systems of American Medical Collection Agency (AMCA), a large provider of medical collection services for the healthcare industry. The breach was discovered eight months later; sensitive healthcare and personal information for over 25 million patients treated at more than 20 medical facilities was stolen. AMCA declared bankruptcy as a result of the breach, citing a “cascade of events” that led to “enormous expenses that were beyond the ability of the debtor to bear.” This pushed many of the costs back to AMCA’s customers, demonstrating how failure of a common vendor can result in material negative externalities. Direct financial costs included mandated breach notification and personal credit monitoring; indirect costs included loss of brand equity and customer trust. Most troubling, patients face the prospect of future identity theft, financial fraud and other potentially harmful impacts.

These “outsourced” business processes are becoming bigger sources of systemic cyber losses. In August of 2019, an attacker launched a ransomware attack on 22 Texas municipalities blocking access to data and demanding ransom payments. An investigation after the attack suggested that attackers infiltrated a Managed Service Provider (MSP) – an entity hired by the towns to manage their IT systems and infrastructure. In a similar event, attackers targeted another MSP to block 400 dental practices from accessing their medical records and interrupted medical care.

These examples illustrate the potential for a number of companies to be simultaneously impacted from failures of cyber security. It is likely that we will see more and larger systemic cyber events in the future, requiring governments, corporations and citizens to work together to assess, prepare for, and manage this risk.

Join the Rethink Cybersecurity Community click here