3 Aspects to Managing Systemic Cyber Risk
Authored by Michael Daniel, President & CEO of the Cyber Threat Alliance
Cyberspace enables connections, whether between individuals, organizations, governments, or some combination of the three. In fact, one can argue that enabling simple, fast, and reliable connections over vast distances and at enormous scales is the key feature of cyberspace that makes it so revolutionary. Such connections have allowed individuals, organizations, and governments to conduct business, manage activities, and deliver services at an unprecedented speed, scope, and scale. Through the network effect, these connections have enabled a handful of hardware, software, and protocol systems to become almost ubiquitous. Easy, reliable connections have permitted certain platforms, like cloud service providers, to grow to extraordinary sizes and become indispensable to thousands of organizations. Finally, these easy, rapid connections have allowed us to extend the trust and confidence usually reserved for in-person relationships across great distances and at large scales.
Thus, the rapid, easy, connection-creating capability of the Internet and cyberspace has made individuals, for-profit companies, non-profit organizations, and government agencies reliant on each other to an unprecedented degree. Most of the time, this system works sufficiently well to generate huge benefits to society. However, this cross-cutting reliance also has a downside. Each of those features described above creates systemic risk. Common hardware, software, or protocols; common service providers; functional interdependencies; and the criticality of trust and confidence mean that risk flows throughout cyberspace along with the connections. In such a complex, interdependent system, a disruption to one element can negatively affect almost any element, often in unexpected ways or through unforeseen pathways.
Systemic risk, however, involves more than unexpected connections: an incident at a private sector entity can degrade our overall national security, economic prosperity, or public health and safety. Ransomware attacks have provided some of the starkest examples. For instance, NotPetya, an ostensible ransomware attack aimed at Ukraine in 2017, spread far beyond its original target set to the global transportation and logistics sector because it was delivered through a common piece of software (a tax accounting package that businesses operating in Ukraine were required to use). The May 2021 ransomware attack on Colonial Pipeline’s business IT systems led the company to shut down its pipeline operational technology as a precaution, interrupting the distribution of gasoline, diesel, and jet fuel to the US East Coast; in turn, this interruption prompted panic buying of gasoline that created a self-fulfilling shortage. Drivers could not fill their tanks not because the ransomware itself shut down the pipeline (it didn’t; it affected only the IT network), but because trust and confidence broke down at a distance, much like a run on a bank in the financial sector.
While we are still grappling with the full implications of the systemic risks generated through cyberspace, we have already learned a few lessons. If attacks on a private sector entity can affect our national security or general public health and safety, then cybersecurity becomes not just one organization’s responsibility, but a collective responsibility. Yet, since cyber risk is systemic and flows through these interconnected pathways, even the US Federal government cannot manage this risk on its own. Merely understanding how risk could manifest requires interagency, cross-sectoral, public-private discussions to ensure that all the relevant connections and effects are taken into account – let alone deciding the right level of risk to accept or how to manage it. Consequently, managing systemic cyber risk in such an environment requires us as a society to apply new structures, policies, and tools to the problem.
What would such structures, policies, and tools look like? While we are still developing the answer to this question, at least three aspects of an effective response have already emerged:
Heterogeneous participants – managing the risk from terrorism is a government activity in which the private sector does not play a significant role. On the flip side, managing brand reputation risk is a private sector affair which generally does not involve the government. For the reasons laid out above, however, managing systemic cyber risk is different. Government has a role driven by the national security and law enforcement aspects of the problem. The private sector plays a role because it owns most of the infrastructure either at risk or used to carry out activities. Civil society and non-profit groups also have capabilities that governments lack but that can be critical to a response. Thus, the number, type, background, context, and capability of the participants in cyber risk management efforts will vary extensively, far beyond what is required to address most other types of risk.
Operational Collaboration – as the name implies, this concept has two parts. First, the “operational” part goes beyond sharing information or even division of labor; it means synchronizing actions or operations in space and time to amplify effects on our adversaries. Second, the “collaboration” part means multiple types of entities working together. Further, participating entities can come from multiple parts of the ecosystem depending on the situation. Making operational collaboration effective will require new policies, laws, and regulations.
New relationship types – the relationships between the entities involved in operational collaboration will not be traditional. For example, the government is normally a regulator, buyer, or enforcer with respect to the private sector, but in this situation it is a peer. Private sector companies often establish structured, contractual relationships with each other, but under these conditions there may not be time to negotiate one. Nor will these relationships always persist indefinitely. Certain collaborations will become permanent (like the Cyber Threat Alliance, a standing association of cybersecurity providers), while others will form to address a specific situation and then disband. More informal, fluid, and less hierarchical relationships will often form the basis for this work – just like other kinds of work in the digital age.
Creating effective policies, structures, and tools to manage our systemic cyber risk forms one of the most important cybersecurity challenges we will face for the next decade. If we are not able to develop these capabilities, then not only will we forgo potential future benefits that could flow from the digital ecosystem, but we will also lose some of the benefits we currently have as people and organizations pull back from the on-line world. That’s not a future any of us want. Therefore, as we head into the second half of Cybersecurity Awareness Month, think about the role you can play in addressing our systemic cyber risk. After all, since we’re all connected, everyone can contribute to the answer.
Michael Daniel serves as the President & CEO of the Cyber Threat Alliance (CTA), a not-for-profit that enables high-quality cyber threat information sharing among cybersecurity organizations. Prior to CTA, Michael served for four years as US Cybersecurity Coordinator, leading US cybersecurity policy development, facilitating US government partnerships with the private sector and other nations, and coordinating significant incident response activities. From 1995 to 2012, Michael worked for the Office of Management and Budget, overseeing funding for the U.S. Intelligence Community. Michael also works with the Aspen Cybersecurity Group, the World Economic Forum’s Partnership Against Cybercrime, and other organizations improving cybersecurity in the digital ecosystem. In his spare time, he enjoys running and martial arts.