In Depth: Systemic cyber risk - a primer
MARCH 07, 2022 • DAVID FORSCEY, JON BATEMAN, NICK BEECROFT, BEAU WOODS
As Russia’s war spills into cyberspace, there is a growing risk of large-scale cyber disruptions well beyond Ukraine. How did the digital world become so vulnerable to big shocks? What can be done to create resilience?
In this primer, experts cover how wide-reaching cyber incidents reveal under-appreciated dependencies and latent fragilities that could lead to larger systemic events, and how both the problem and potential solutions remain under-examined.
INTRODUCTION
There is growing concern about “systemic cyber risk”—the possibility that a single failure somewhere in cyberspace could cause widening ripples with catastrophic consequences. Whereas most cyber events have a narrowly defined set of victims, a systemic cyber incident could do damage on a national or even a global scale—threatening the digital infrastructure that entire societies, economies, and governments rely on to function. In the last few months alone, two very different events illustrated distinct versions of the problem.
On November 24, 2021, Chinese cybersecurity researchers disclosed a severe vulnerability in Log4j—a low-profile software utility embedded in millions, or perhaps billions, of consumer devices and enterprise systems around the world. The security flaw could permit hackers to take total control of vulnerable machines with relative ease. The job of fixing Log4j fell to a team of volunteer programmers at Apache, who took two weeks to release a security patch. By that point, the hacking had already begun. The first patch was then followed by a second patch and a third patch, as more security gaps were uncovered. Meanwhile, organizations struggled to apply these patches because Log4j is often hidden underneath layers upon layers of other software packages. Experts predict it will take years to fully resolve the issue. Until then, innumerable victims remain vulnerable to state-sponsored hackers, ransomware gangs, and other bad actors.
Compare the Log4j incident—a slow-rolling crisis actively abused by malicious actors—with another recent global event that was shorter, sharper, and completely accidental. On October 4, 2021, billions of users worldwide lost access to all Facebook services, including Instagram and WhatsApp. This happened because a small error during routine maintenance had unexpected and cascading consequences. An errant command was entered, and a bug in Facebook’s auditing systems mistakenly allowed the command to run, disconnecting all data centers. Misjudging the situation, Facebook’s DNS servers reacted by automatically halting public advertisements, blinding the internet to Facebook’s online location. Meanwhile, widespread network failures blocked Facebook’s IT staff from accessing the affected systems, even physically, to restore them. Although the outage lasted only six hours, that was a lifetime for many small businesses, family networks, and others reliant on Facebook for their daily needs.
These different incidents point to a common set of underlying problems. While organizations and consumers have more tools than ever to protect their data from loss or compromise, improvements in individual defense have been offset by a heightened risk of systemwide events. Many sectors of the global economy now rely on the same set of critical technology products and services, concentrating risk into an unknown number of possible failure points. The potential for catastrophe increases as developing nations further digitize and as activities that were previously separated from the internet—like medical care or transportation—become networked. The worst cyber events can now cause bodily harm or deaths, political crises, and multibillion-dollar economic losses. As digital networks interlink with the physical world in complex, dynamic, and opaque ways, many observers fear new forms of fragility that no one understands.
The dangers come in various forms and are illustrated by an increasing number of large-scale cyber incidents. Before the Log4j crisis, the WannaCry and NotPetya hacks (2017), the Meltdown and Spectre vulnerabilities (disclosed in 2018), and the compromises of SolarWinds (discovered in 2020) and Microsoft Exchange (2021) all demonstrated how a single piece of faulty hardware or software could jeopardize critical systems worldwide. Before the Facebook outage, simple human errors had triggered previous outages of Amazon, Google, and Microsoft cloud services. There have also been physical disruptions, both malicious—like the 2020 Nashville suicide bombing that impaired regional telecommunications—and natural—like Hurricane Maria in 2017, which disrupted internet connectivity in Puerto Rico. So far, these and other high-impact cyber events have proven largely manageable. Nevertheless, they reveal latent risk factors and illuminate some potential triggers and pathways of a future systemic event. Modelers have warned that even more damaging cyber incidents are possible.
Despite rising worries about systemic cyber risk, the problem and potential solutions are poorly understood. “Systemic cyber risk” is a vague concept with no widely accepted definition. Moreover, tools and methodologies for finding and measuring sources of systemic cyber risk remain very limited. Cyberspace is incredibly complex, with billions of devices managed by millions of organizations. It is hard to assemble useful data on so many interdependencies, and models are still too crude to draw confident conclusions from what data does exist. Worst of all, efforts to bound, reduce, or manage systemic risk remain ad hoc and uncoordinated. A problem of this scale and complexity demands much broader and deeper collaboration among industries, across the public-private divide, and internationally.
This paper seeks to provide a common foundation for understanding and addressing systemic cyber risk. Building on prior research, it explores definitions of the problem, underlying contributing factors, and potential policy responses. Although much remains unknown about systemic cyber risk, including its true size and distribution, public and private sector leaders worldwide can and should act now to investigate, reduce, and manage the risk.
READ THE FULL PAPER HERE
