January 6, 2021

This post is one in the “Rethink Cybersecurity” series. Additional posts in this series are available here

The Russian attack on SolarWinds software is destined to affect thousands of government and private-sector entities. However, its real significance may lie not in the extent, or even the damage, of this specific attack, but in the way it was carried out: SolarWinds may well constitute a dangerous paradigm shift in the nature of cyber attacks.

To date, the overwhelming emphasis of private and public policy work in cybersecurity has been on risk to individual entities, such as breaches that steal corporate intellectual property or consumer data. However, as attack methods have become increasingly sophisticated and the attacker community has grown, the risk of systemic cyber failure with potentially catastrophic impacts has grown with it. We are at a point where the cybersecurity community needs to intensify the preliminary work that has been done to analyze and prevent these systemic attacks.

Historically, cyber risk management has been very company specific, addressing the cybersecurity posture of a single organization. A single-company view aims to answer two questions: how likely is it that Company X will have a critical failure of cybersecurity, and how damaging will that failure be to the company? Recent attacks such as “WannaCry” and “NotPetya” demonstrate that risk manifests not only at the company level but at the systems level, cascading across sectors and industries.

It is important to note that firm-specific risk management should not be abandoned, but the historical approach has focused more on the trees than on the forest. A risk management process aims to assess the range of possible outcomes that could drive deviation from what we expect, and to minimize surprise. The historical approach to cyber risk management has overlooked systemic risk and has been inadequate for a society in which systemic risk poses a great threat. To address this, cyber risk management needs to advance materially and marry company-level and systems-level views of cyber risk. Going forward, it will be crucial for industries and sectors to cooperate in developing a systemic risk management process to prepare for the future.

Systemic technology failures go far beyond economic disruption and, in some cases, may jeopardize human life and property. Employees of the National Health Service in the United Kingdom learned this first-hand as they moved to paper and pencil and turned away patients when WannaCry crippled the NHS’s Windows-based systems. Today, attackers are exploiting vulnerabilities in commonly used software to direct crippling ransomware at hospitals treating COVID-19 patients, technology companies supplying aviation navigation information, and energy companies supplying natural gas. As our critical infrastructure and service providers become increasingly interconnected, and rely on common hardware, software and vendors, the nation’s cyber risk level rises.

Most cyber risk management efforts have focused on codifying firm-specific best practices and incentivizing individual companies to adopt them, addressing the potential for a single company to fail to safeguard information or to maintain the integrity or availability of its data and systems. For example, the leading cyber risk management frameworks – the NIST Cybersecurity Framework from the National Institute of Standards and Technology, the ISO/IEC 27000 series, and the Center for Internet Security (CIS) Controls – focus largely on protecting a company’s own networks and assets.

This firm-specific risk management is valuable in ensuring that we minimize the potential for large single-company losses. However, it does not address the problem of multi-company, cascading impacts, and the breakdown of systems that underlie the country’s economic health and well-being. The truth of the matter is that we’ve built a network of highly interconnected and tightly coupled counterparties that rely on common technology products and services. Failures at a single critical point can lead to cascading effects across the entire system.

As a society, our expectations, and hence risk models, have not caught up with this reality. The key systemic risk questions that must be answered include:

  • Which companies and technology products represent critical nodes of aggregation (NoAs) based on the number of counterparties that rely upon them?
  • How vulnerable are the NoAs to material failures of cyber security? How secure are the products they supply to the network?
  • Which NoAs are being actively targeted by attackers? What are the attackers’ motivation and intent? How likely are they to succeed?
  • How well prepared are NoAs to handle the significant costs and demands in the event of a security failure in their technology products or services?
  • What policies will incentivize strong security at NoAs, make protecting the system a top priority and minimize negative externalities?
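The first question in the list above can be made concrete. The following is an added example, not code from the original post or from any of the organizations it mentions: a toy model of a counterparty dependency graph in which each entity is a node and an edge records that one entity relies on another's product or service with no independent fallback. It ranks entities by how many counterparties depend on them directly and transitively (the "blast radius" of a failure), and contrasts the loss a single-company risk register would record for an entity with the loss the whole system incurs when that entity fails. All entity names, edges and loss figures are constructed for illustration.

```python
# Added example (not from the original post): a toy model of nodes of
# aggregation (NoAs) in a counterparty dependency graph. All names and
# numbers below are constructed for illustration only.
from collections import defaultdict, deque

# Constructed dependency edges: (dependent, supplier) means the dependent
# cannot operate without the supplier's product or service.
SAMPLE_DEPENDENCIES = [
    ("hospital-a", "ehr-vendor"),
    ("hospital-b", "ehr-vendor"),
    ("hospital-c", "ehr-vendor"),
    ("ehr-vendor", "monitoring-suite"),
    ("utility-x", "monitoring-suite"),
    ("utility-y", "monitoring-suite"),
    ("bank-1", "core-banking-saas"),
    ("bank-2", "core-banking-saas"),
    ("core-banking-saas", "cloud-region-1"),
    ("monitoring-suite", "cloud-region-1"),
    ("airline-ops", "nav-data-provider"),
]

# Constructed direct loss per day of outage for each entity (arbitrary units).
LOSS_PER_DAY = {
    "hospital-a": 5, "hospital-b": 5, "hospital-c": 5,
    "utility-x": 8, "utility-y": 8,
    "bank-1": 10, "bank-2": 10,
    "airline-ops": 6,
    "ehr-vendor": 1, "monitoring-suite": 1, "core-banking-saas": 2,
    "cloud-region-1": 3, "nav-data-provider": 1,
}


def build_graph(edges):
    """Return (set of all nodes, supplier -> set of direct dependents)."""
    dependents = defaultdict(set)
    nodes = set()
    for dependent, supplier in edges:
        dependents[supplier].add(dependent)
        nodes.update((dependent, supplier))
    return nodes, dependents


def blast_radius(node, dependents):
    """Every entity that transitively relies on `node`: the set disrupted if
    `node` fails. Breadth-first search with a visited set, so cycles are safe."""
    seen = {node}
    queue = deque([node])
    while queue:
        current = queue.popleft()
        for dependent in dependents.get(current, ()):
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    seen.discard(node)
    return seen


def rank_nodes_of_aggregation(edges):
    """Rank entities by (direct counterparties, transitive blast radius).
    Returns [(node, (direct, transitive)), ...], largest blast radius first."""
    nodes, dependents = build_graph(edges)
    scores = {
        n: (len(dependents.get(n, ())), len(blast_radius(n, dependents)))
        for n in nodes
    }
    return sorted(scores.items(), key=lambda kv: (-kv[1][1], -kv[1][0], kv[0]))


def firm_level_loss(node, losses):
    """What a single-company risk register sees: only the firm's own loss."""
    return losses.get(node, 0)


def systemic_loss(node, edges, losses):
    """What a systems-level view sees: the firm's own loss plus the loss of
    every counterparty that cannot operate without it."""
    _, dependents = build_graph(edges)
    affected = blast_radius(node, dependents) | {node}
    return sum(losses.get(n, 0) for n in affected)


if __name__ == "__main__":
    for node, (direct, transitive) in rank_nodes_of_aggregation(SAMPLE_DEPENDENCIES)[:5]:
        print(f"{node:20s} direct={direct:2d} transitive={transitive:2d} "
              f"firm-view loss={firm_level_loss(node, LOSS_PER_DAY):3d} "
              f"systemic loss={systemic_loss(node, SAMPLE_DEPENDENCIES, LOSS_PER_DAY):3d}")
```

In this constructed graph the cloud region has only two direct customers, so a firm-specific register would record it as a small exposure, yet it sits beneath ten entities across healthcare, energy and banking, and the system-level loss from its outage is many times the provider's own. That gap between the firm view and the systemic view is the point of the NoA questions; a real model would replace the constructed edges with actual vendor, software and infrastructure dependencies gathered across a sector.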

Some initial progress has been made on exploring these questions in some sectors – for example, in financial services, via the risk register and scenario work being done by the Financial Systemic Analysis & Resilience Center (FSARC). NIST has also recently published guidance that helps companies identify and address digital supply chain risk. DHS has initiated an important cross-sectoral model by developing its national critical functions list. This work will be foundational to extending these practices to other critical sectors and functions and ensuring that the country is not surprised by, and unprepared for, future systemic technology failures. In the next posts in this series we will outline critical next steps in developing a comprehensive systemic risk model. As we will detail, a great deal of work remains to be done in this largely uncharted field, and the window for doing it, while not precisely knowable, is certainly shrinking. This is an area in need of substantial development, and fast.

Join the Rethink Cybersecurity Community: click here