What should we do about 'systemic' cyber risks? Wait, what even are those
Complexity and scale of the internet hold back our ability to tackle disaster
Analysis In a report published this week addressing "systemic" cybersecurity risks, several infosec experts noted that as the number of significant network intrusions rises, an understanding of the problem and the ability to address the larger issues remain lacking.
Even something as basic as defining which online security risks are systemic or agreeing on the extent of the problem isn't easy, they wrote in the report for think tank the Carnegie Endowment for International Peace.
There have long been concerns about systemic risks, as in where a single event causes widespread negative effects that roll across multiple countries and myriad industries. We have seen this play out in the 2008 financial crisis and, of course, fresher in memory, the pandemic.
More recently, similar concerns have risen in the tech industry. A systemic cyber risk is one where a single failure somewhere in the internet could have catastrophic consequences that span a country or spread around the world, impacting societies, governments and entire cyber infrastructures.
No single event has reached that level, though there have been incidents that could have become widespread and catastrophic. With increasing levels of connectivity and interdependency among global infrastructures, the rise of the cloud, the Internet of Things (IoT) and other trends that have fueled the increasing decentralization of compute and a growing dependence on a set of technologies and services, the chances of such an event are increasing.
Government organizations are beginning to make moves to address such a cataclysmic incident. The US Cybersecurity and Infrastructure Security Agency (CISA) last year kicked off the Systemic Cyber Risk Reduction Effort to focus on the issue, including developing metrics and tools to measure and address the risks to the nation's infrastructure.
Meanwhile, the European Systemic Risk Board earlier this year published a pan-European incident coordination framework that EU regulators can use in case of an incident.
'Systemic cyber risk' is a vague concept with no widely accepted definition
"'Systemic cyber risk' is a vague concept with no widely accepted definition," the Carnegie report says. "Moreover, tools and methodologies for finding and measuring sources of systemic cyber risk remain very limited. Cyberspace is incredibly complex, with billions of devices managed by millions of organizations. It is hard to assemble useful data on so many interdependencies, and models are still too crude to draw confident conclusions from what data does exist."
Even worse, efforts to reduce or manage systemic cyber risk are ad hoc and uncoordinated. An issue of this scale and complexity requires broad and deep collaboration among companies in all industries, between private and public entities, and spanning international borders.
"Although much remains unknown about systemic cyber risk, including its true size and distribution, public and private sector leaders worldwide can and should act now to investigate, reduce, and manage the risk," the report adds.
The report – written by Jon Bateman and Nick Beecroft, both at the Carnegie Endowment, and David Forscey and Beau Woods, both with CISA and other organizations – notes two recent cyber incidents that highlight the potential for widespread impacts.
One is the Log4j vulnerability, which would allow bad actors to easily take over entire machines. A key problem is that the open-source software tool is deeply embedded in millions of devices and is so commonplace that it's difficult for organizations to find it to patch it. In addition, by the time the Apache Foundation issued its first patch two weeks after the flaw was discovered, the attacks leveraging it were already underway.
The authors also pointed to the incident in October 2021 when a minor error during routine maintenance caused Facebook's servers to crash, a ripple effect that caused the company's billions of users and its employees to lose access and public advertising to be halted. It was not only inconvenient to consumers but also hurt businesses that rely on Facebook.
Both incidents illustrated common problems, including a concentration of technology products and services that the global economy increasingly relies on, and the growing digitization and networking of industries like healthcare and transportation that previously were not connected to the internet.
There also have been a number of other widespread incidents, from the WannaCry and NotPetya attacks in 2017 and the Meltdown and Spectre vulnerabilities in processors to the SolarWinds and Microsoft hacks of 2020 and 2021, as well as various outages sustained by such cloud providers as Amazon Web Services, Google Cloud and Microsoft Azure.
"The worst cyber events can now cause bodily harm or deaths, political crises, and multibillion-dollar economic losses," they wrote. "As digital networks interlink with the physical world in complex, dynamic, and opaque ways, many observers fear new forms of fragility that no one understands."
Addressing systemic cyber risk is a highly complex problem with many moving parts. That includes determining what it is – which involves not only the risk factors but also the definitions of such terms as "system" and "systemic," which can mean different things to different people. But definitions are important, the authors wrote, because addressing the issue will require broad collaboration across disparate interest groups that need to be working with the same understandings.
That understanding also includes the vast number of ways a massive incident can happen, and they don't all take place in cyberspace. They noted the impact the pandemic has had on infrastructure and services and how the 2020 suicide bombing in Nashville took down communications services over a wide area.
Systemic cyber incidents also can take on various forms, including a problem in a single system rippling through an expanding number of entities to one where multiple system components fail at the same time or in rapid succession.
Efforts to reduce such risks need to address causes, from the reliance of the digital economy on common technologies and services and the increasingly complex nature of networks and systems to the proprietary nature of many technologies, which makes them difficult to see or understand. Also, the scale of cyberspace, with millions of machines that often use the same technologies – with the same vulnerabilities – and the increasing sophistication of threat actors raise the risks.
More research is needed around mitigating factors – such as the increasing technology disconnection between the United States and China, which could help limit the impact of cyber events – and being able to identify systemic risks will go a long way toward developing risk management processes.
The authors also point out steps policymakers can take, from identifying software dependencies and promoting diversity in products and services to hardening key building blocks of cyberspace, such as cloud infrastructures and key open-source software.
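The two cascade shapes described above (one failure rippling outward versus several components failing together) and the report's call to identify software dependencies both come down to asking the same question of a dependency graph: if this component goes down, what else goes down with it? The following is an added example, not code from the Carnegie report or from The Register; the services, the shared logging library and the cloud regions in it are constructed placeholders, and the modelling approach (reverse-dependency traversal to compute a blast radius) is my own illustration of what a dependency inventory lets a defender measure.

```python
"""Toy concentration-risk model over a software/service dependency graph.

Added example; the component names below are constructed for illustration
and do not describe any real deployment.
"""
from collections import defaultdict, deque

# Constructed sample inventory: each service -> the components it needs
# directly. "log4j" here stands for any widely embedded library; the
# "cloud-region-*" nodes stand for shared infrastructure.
DEPENDENCIES = {
    "payments-api": ["auth-service", "log4j", "cloud-region-a"],
    "auth-service": ["log4j", "cloud-region-a"],
    "shop-frontend": ["payments-api", "cdn"],
    "hospital-portal": ["auth-service", "cloud-region-a"],
    "transit-scheduler": ["log4j", "cloud-region-b"],
    "cdn": ["cloud-region-b"],
}


def all_nodes(deps):
    """Every name that appears as a service or as a dependency."""
    return set(deps) | {d for needs in deps.values() for d in needs}


def dependents_graph(deps):
    """Invert the graph: component -> set of services that depend on it."""
    rev = defaultdict(set)
    for service, needs in deps.items():
        for component in needs:
            rev[component].add(service)
    return rev


def blast_radius(deps, failed):
    """Return the set of nodes that are down once every node in `failed`
    has failed, propagating outward through reverse dependencies.

    A single name models the "one problem ripples outward" form; passing
    several names at once models simultaneous failures of shared
    components.
    """
    rev = dependents_graph(deps)
    down = set(failed)
    queue = deque(failed)
    while queue:
        component = queue.popleft()
        for service in rev.get(component, ()):
            if service not in down:
                down.add(service)
                queue.append(service)
    return down


def rank_concentration(deps):
    """Rank every node by how many OTHER nodes its failure alone takes
    down. High counts identify the concentrated building blocks the
    report says should be hardened first."""
    return sorted(
        ((len(blast_radius(deps, {node})) - 1, node) for node in all_nodes(deps)),
        reverse=True,
    )


if __name__ == "__main__":
    for count, node in rank_concentration(DEPENDENCIES):
        print(f"{node:18s} takes down {count} other node(s)")
    both_regions = blast_radius(DEPENDENCIES, {"cloud-region-a", "cloud-region-b"})
    print(f"both regions failing together takes down {len(both_regions)} nodes")
```

Running the sample shows the shared library at the top of the ranking, ahead of either cloud region, even though no service lists it as its most important dependency; that is the concentration problem the report describes, and it is only visible once the dependency inventory exists. Real inventories would come from an SBOM or a service catalogue rather than a hand-written dictionary, but the traversal is the same.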
Organizations and governments need to start taking steps now to address the issue of systemic cyber risk, but the growing awareness of it is highlighting the twin challenges of growing complexity and coordinated action.
"While these problems are not confined to cyber risk, the ever-expanding capabilities of digital technology, coupled with deepening dependence throughout society, mean that systemic cyber risk has the potential to spread harm with a unique combination of speed, scale, and uncertainty," the report concludes. "Many key questions remain unanswered… It may take years to arrive at satisfactory answers. But now is the time to pose these questions and begin taking tangible action – before a truly catastrophic cyber event occurs." ®