What should we do about 'systemic' cyber risks? Wait, what even are those

Complexity and scale of the internet hold back our ability to tackle disaster


Analysis In a report published this week addressing "systemic" cybersecurity risks, several infosec experts noted that as the number of significant network intrusions rises, an understanding of the problem and the ability to address the larger issues remain lacking.

Even something as basic as defining which online security risks are systemic or agreeing on the extent of the problem isn't easy, they wrote in the report for think tank the Carnegie Endowment for International Peace.

There have long been concerns about systemic risks, in which a single event causes widespread negative effects that roll across multiple countries and myriad industries. We have seen this play out in the 2008 financial crisis and, fresher in memory, the pandemic.

More recently, similar concerns have arisen in the tech industry. A systemic cyber risk is one where a single failure somewhere on the internet could have catastrophic results that span a country or spread around the world, affecting societies, governments and entire cyber infrastructures.

No single event has yet reached that level, though there have been incidents that could have become widespread and catastrophic. With increasing connectivity and interdependency among global infrastructures, the rise of the cloud, the Internet of Things (IoT) and other trends that have decentralized compute while concentrating dependence on a common set of technologies and services, the chances of such an event are rising.

Government organizations are beginning to make moves to address such a cataclysmic incident. The US Cybersecurity and Infrastructure Security Agency (CISA) last year kicked off the Systemic Cyber Risk Reduction Effort to focus on the issue, including developing metrics and tools to measure and address the risks to the nation's infrastructure.

Meanwhile, the European Systemic Risk Board earlier this year published a pan-European incident coordination framework that EU regulators can use in case of an incident.

"'Systemic cyber risk' is a vague concept with no widely accepted definition," the Carnegie report says. "Moreover, tools and methodologies for finding and measuring sources of systemic cyber risk remain very limited. Cyberspace is incredibly complex, with billions of devices managed by millions of organizations. It is hard to assemble useful data on so many interdependencies, and models are still too crude to draw confident conclusions from what data does exist."

Even worse, efforts to reduce or manage systemic cyber risk are ad hoc and uncoordinated. An issue of this scale and complexity requires broad and deep collaboration among companies in all industries, between private and public entities, and across international borders.

"Although much remains unknown about systemic cyber risk, including its true size and distribution, public and private sector leaders worldwide can and should act now to investigate, reduce, and manage the risk," the report adds.

The report – written by Jon Bateman and Nick Beecroft, both at the Carnegie Endowment, and David Forscey and Beau Woods, both with CISA and other organizations – notes two recent cyber incidents that highlight the potential for widespread impacts.

One is the Log4Shell vulnerability in Log4j, a widely used open-source Java logging library, which let attackers take over vulnerable machines with little effort. A key problem is that the library is deeply embedded in millions of devices and applications, often bundled inside other software, and so commonplace that organizations struggle even to find every copy in order to patch it. In addition, by the time the Apache Software Foundation issued its first patch, two weeks after the flaw was discovered, attacks exploiting it were already underway.
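The "hard to find" problem above is concrete: a Java application's dependencies are frequently repackaged as JARs nested inside other JARs, WARs or EARs, and shaded builds rename the files, so grepping for `log4j-core-*.jar` on disk misses copies. The script below is an added illustration, not code from the Carnegie report or from The Register: it walks a directory, descends into nested archives, identifies log4j-core by the Maven `pom.properties` the library ships inside itself rather than by filename, and flags versions below a floor. The sample tree it scans is constructed in a temporary directory, and the floor of 2.17.1 is an assumption used here for illustration; the version your platform actually needs should be taken from the Apache Log4j security advisories.

```python
"""Find Log4j 2.x (log4j-core) copies embedded in JARs, including JARs nested inside
other archives, and report those below a chosen minimum version."""
import io
import os
import re
import tempfile
import zipfile
from typing import Iterator, List, Tuple

# log4j-core carries its own Maven metadata inside the jar; matching on it is more
# reliable than trusting an outer filename that a shaded build may have rewritten.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED_EXT = (".jar", ".war", ".ear", ".zip")

# Assumed floor for this example (2.17.1 for Java 8+). Verify against the
# current Apache Log4j advisories before relying on it.
MIN_VERSION = (2, 17, 1)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.14.1' or '2.17.1-rc1' into a comparable tuple; unparsable -> (0,)."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        return (0,)
    return tuple(int(g or 0) for g in m.groups())


def _walk_zip(zf: zipfile.ZipFile, path: str) -> Iterator[Tuple[str, str]]:
    """Yield (location, version) for each log4j-core in zf, recursing into nested archives."""
    for name in zf.namelist():
        if name == POM_PROPS:
            props = zf.read(name).decode("utf-8", errors="replace")
            m = re.search(r"^version=(.+)$", props, re.MULTILINE)
            yield path, (m.group(1).strip() if m else "unknown")
        elif name.lower().endswith(NESTED_EXT):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue  # a file that merely ends in .jar but is not an archive
            with inner:
                yield from _walk_zip(inner, f"{path}!/{name}")


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk a directory and return [(location, version), ...] for every embedded log4j-core."""
    found: List[Tuple[str, str]] = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(NESTED_EXT):
                full = os.path.join(dirpath, f)
                try:
                    with zipfile.ZipFile(full) as zf:
                        found.extend(_walk_zip(zf, full))
                except zipfile.BadZipFile:
                    continue
    return found


def vulnerable(findings, minimum=MIN_VERSION):
    """Copies below the floor; an unreadable version sorts lowest and is flagged for review."""
    return [(loc, ver) for loc, ver in findings if parse_version(ver) < minimum]


def build_sample_tree(root: str) -> None:
    """Constructed sample data, not real artifacts: a fat jar hiding an old log4j-core two
    levels deep under a renamed filename, plus a tool jar with a current copy."""
    def log4j_core(version: str) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        return buf.getvalue()

    service = io.BytesIO()  # app.jar -> lib/service.jar -> lib/logging-bundle.jar (2.14.1)
    with zipfile.ZipFile(service, "w") as z:
        z.writestr("lib/logging-bundle.jar", log4j_core("2.14.1"))
    with zipfile.ZipFile(os.path.join(root, "app.jar"), "w") as z:
        z.writestr("lib/service.jar", service.getvalue())
        z.writestr("notes.jar", b"not an archive")  # exercises the BadZipFile path
    with zipfile.ZipFile(os.path.join(root, "tool.jar"), "w") as z:
        z.writestr("lib/log4j-core-2.17.1.jar", log4j_core("2.17.1"))


def demo() -> Tuple[int, int]:
    """Build the sample tree, scan it, return (copies found, copies below the floor)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        findings = scan_tree(tmp)
        bad = vulnerable(findings)
        for loc, ver in findings:
            print(f"{'UPDATE' if (loc, ver) in bad else 'ok':6} log4j-core {ver} at {loc}")
        return len(findings), len(bad)


if __name__ == "__main__":
    demo()
```

Run against a real deployment directory by calling `scan_tree()` on it instead of the constructed tree; the `location` strings use the `outer.jar!/inner/path.jar` convention so each finding points at the exact nested archive that must be rebuilt, which is the inventory step the report's authors say organizations lacked.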

The authors also pointed to the October 2021 incident in which a minor error during routine maintenance took Facebook's services offline, a ripple effect that cut off the company's billions of users, locked its own employees out of internal tools, and halted advertising. It was not only inconvenient for consumers but also hurt businesses that rely on Facebook.

Both incidents illustrate common problems, including a concentration of technology products and services on which the global economy increasingly relies, and the growing digitization and networking of industries such as healthcare and transportation that previously were not connected to the internet.

There have also been a number of other widespread incidents, from the WannaCry and NotPetya attacks in 2017 and the Meltdown and Spectre processor vulnerabilities disclosed in 2018 to the SolarWinds supply-chain compromise of 2020 and the Microsoft Exchange Server attacks of 2021, as well as various outages at cloud providers such as Amazon Web Services, Google Cloud and Microsoft Azure.

"The worst cyber events can now cause bodily harm or deaths, political crises, and multibillion-dollar economic losses," they wrote. "As digital networks interlink with the physical world in complex, dynamic, and opaque ways, many observers fear new forms of fragility that no one understands."

Addressing systemic cyber risk is a highly complex problem with many moving parts. That starts with determining what it is, which involves not only the risk factors but also the definitions of terms such as "system" and "systemic," which mean different things to different people. But definitions matter, the authors wrote, because addressing the issue will require broad collaboration across disparate interest groups that need to work from the same understanding.

That understanding also covers the vast number of ways a massive incident can happen, and not all of them begin in cyberspace. The authors noted the impact the pandemic has had on infrastructure and services, and how the 2020 suicide bombing in Nashville took down communications services over a wide area.

Systemic cyber incidents can also take various forms, from a problem in a single system rippling outward through an expanding number of entities to multiple system components failing at the same time or in rapid succession.

Efforts to reduce such risks need to address the causes: the digital economy's reliance on common technologies and services, the increasingly complex nature of networks and systems, and the proprietary nature of many technologies, which makes them difficult to see into or understand. The sheer scale of cyberspace, with millions of machines that often run the same technologies and therefore carry the same vulnerabilities, and the increasing sophistication of threat actors raise the risks further.

More research is needed into mitigating factors, such as the growing technological decoupling between the United States and China, which could limit how far a cyber event spreads, and the ability to identify systemic risks will go a long way toward developing risk management processes.

The authors also point out steps policymakers can take, from identifying software dependencies and promoting diversity in products and services to hardening key building blocks of cyberspace, such as cloud infrastructure and critical open-source software.

Organizations and governments need to start taking steps now to address systemic cyber risk, but growing awareness of it is highlighting the twin challenges of increasing complexity and the need for coordinated action.

"While these problems are not confined to cyber risk, the ever-expanding capabilities of digital technology, coupled with deepening dependence throughout society, mean that systemic cyber risk has the potential to spread harm with a unique combination of speed, scale, and uncertainty," the report concludes. "Many key questions remain unanswered… It may take years to arrive at satisfactory answers. But now is the time to pose these questions and begin taking tangible action – before a truly catastrophic cyber event occurs." ®

Biting the hand that feeds IT © 1998–2022