Some Vital Lessons In How Systemic Risk Is Changing Cybersecurity
Attackers are exploiting systemic weaknesses in digital business systems in new and creative ways. Cybersecurity approaches need to recognize this shift and adapt to the catastrophic and compounding effects of the systemic risks now threatening businesses and critical infrastructure.
Systemic risk in cybersecurity is the inherent risk that exists within complex digital business systems. It’s the threat of risk spreading into a business from connected third parties, or out of your business into others. It’s also the threat of one part of a digital business system going down, which then cascades and has a much larger negative impact on the extended system.
Hackers are now pinpointing and exploiting targeted parts of complex systems for this reason. Understanding and protecting the “crown jewels” has been staple cybersecurity advice. While protecting the “crown jewels” is still important, it is no longer good enough. It’s now also necessary to understand and protect against systemic risk, which can start from an asset that is not considered a “crown jewel.” Attackers have figured out that bringing the system to a standstill and impairing an organization’s ability to function is the ultimate crown jewel.
I interviewed Bob Kress of Accenture Security to get his insight into what companies can do to understand and defend themselves against systemic cyber risk.
Zukis: Give me an example of a recent hack that was systemic in nature?
Kress: Colonial Pipeline was a great example. It’s also one where the systemic threat and impact was self-imposed, as they shut down the system themselves. It’s also a good example of how systemic cyber threats can extend well beyond the digital system and threaten the business and critical infrastructure. Their hack was reportedly through a compromised password. That’s the hallmark of how systemic threats start: it’s usually a single and often simple point of failure. A ransomware attack followed, and as a result they made the decision to shut down their systems to control the spread of any damage a little over an hour after the attack. This then created fuel shortages and widespread disruptions.
The point that the shutdown of their digital and operational systems was voluntary is a very important point. It’s frequently the only option leaders have when there’s a lack of understanding of how risks can flow throughout the system. When systemic risk isn’t understood, it can be ignored, or the system can be shut down. Those are the only two options; they chose the latter.
Zukis: Is systemic risk new, and how is it impacting cybersecurity?
Kress: It’s not new, although what’s new is the inherent complexity of the digital business systems that are running today’s complex and interconnected companies. The levels of systemic risk most companies now face are entirely new. Digital complexity is introducing entirely new levels of systemic risk. To a certain extent, a level of systemic risk can’t be avoided in complex systems. SolarWinds was another good example of a systemic attack. By implanting malware in their software that’s used by tens of thousands of their customers, the attackers were able to piggyback into these customers off the back of SolarWinds software. A perfect example of using the system against itself. Notably, SolarWinds’ board added a technology and cybersecurity committee to the board after this breach, together with some new directors with deep cybersecurity experience and expertise.
Cybersecurity is about defending against the active threats to the system. Systemic risk management is now vital in cybersecurity and needs to understand these inherent threats and stop the active threats from exploiting them.
We’re only getting started on this, although some good work is being done. The National Institute of Standards & Technology (NIST) has some good guidance on these issues with NIST SP 800-160. Engineering in systemic resiliency is what this is about, and it’s also what cybersecurity is becoming in terms of how companies need to approach the security of their digital and business systems.
Zukis: Is this a boardroom level issue?
Kress: Yes, without a doubt. The boardroom is a part of any cybersecurity system. Without an effective corporate governance approach, the cybersecurity system isn’t as strong as it needs to be. It takes a high-performing cybersecurity system to defend a complex digital business system. Other breaches, and especially ransomware attacks, all show signs that attackers have figured out that the system is itself the weak point. And when they can find a way in through a weak point, the damage they can inflict gets amplified by the system itself.
We haven’t yet seen the level of damage that is coming when cyber threats start to jump and move across companies and industries. SolarWinds could have been much worse. This is a new dimension in risk that corporate boards need to be aware of and have a responsibility to govern. Understanding issues such as the risks that your company can inherit and what you can spread to your business partners, customers, and other stakeholders are new challenges in corporate governance.
The cyber insurance industry has even been asked to focus on this by its regulator, the New York Department of Financial Services, in its Cyber Insurance Risk Framework.
Zukis: What signs should CISOs or boardrooms look out for in beginning to understand this issue?
Kress: It starts with knowing where the digital business system begins and ends, the parts within it, and the third parties who are interconnected with it. Whether they are vendors who are a part of a cloud infrastructure, or customers and suppliers, how far and wide the systemic risk footprint extends will be surprising for many companies. But systemic risk also exists within the system; it’s not just a third-party issue. If a critical part of the system fails or is corrupted, how that impacts the larger system is often a much more difficult thing to map and understand.
It’s extremely important for companies to understand their internal architecture – business, technology, and cybersecurity – to understand how their processes and systems work together and are interconnected, whether intentionally or not. Only then can they take steps to mitigate systemic risk through things like network segmentation and the isolation of credentials.
Finally, boards and companies need to recognize that they are largely self-insured for these types of systemic failures. Cyber insurance only covers a small part of cyber risk generally, and particularly with any large-scale systemic failure. Understanding this issue and mitigating systemic risk is the best short- and long-term cybersecurity risk management approach.
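As an added illustration, not part of the interview, of the point that systemic impact can start from an asset nobody counts as a crown jewel: a small dependency-graph model of a digital business system (the parts, third parties, links and business values are all constructed sample data) that ranks each part by the total business value impaired if it fails.

```python
"""Blast-radius analysis of a digital business system modelled as a
dependency graph. Added example with constructed sample data; it is not
code from the interview or from Accenture."""
from collections import deque

# Constructed sample: an edge A -> B means "B depends on A", so when A
# fails, B is impaired. Third parties sit in the same graph as internal parts.
DEPENDS_ON = {
    "identity_provider": ["vpn", "erp", "crm", "ops_console"],
    "vpn": ["ops_console", "pipeline_scada"],
    "erp": ["billing"],
    "crm": ["billing"],
    "billing": ["customer_portal"],
    "ops_console": ["pipeline_scada"],
    "pipeline_scada": [],
    "customer_portal": [],
    "cloud_vendor": ["erp", "crm", "customer_portal"],
    "software_supplier": ["ops_console"],
}

# Business value as the asset owner would score it; the "crown jewels"
# (pipeline control, billing) score highest, plumbing like identity scores low.
VALUE = {
    "identity_provider": 1, "vpn": 1, "erp": 5, "crm": 4, "billing": 6,
    "ops_console": 3, "pipeline_scada": 10, "customer_portal": 5,
    "cloud_vendor": 0, "software_supplier": 0,
}

def cascade(graph, failed):
    """Every node impaired when `failed` goes down: BFS over its dependents."""
    seen, queue = {failed}, deque([failed])
    while queue:
        node = queue.popleft()
        for dependent in graph.get(node, []):
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return seen

def systemic_impact(graph, value, failed):
    """Total business value impaired by the cascade that starts at `failed`."""
    return sum(value[n] for n in cascade(graph, failed))

def rank_single_points_of_failure(graph, value):
    """(impact, own value, name) per node, largest systemic impact first."""
    return sorted(((systemic_impact(graph, value, n), value[n], n)
                   for n in graph), reverse=True)

if __name__ == "__main__":
    for impact, own, name in rank_single_points_of_failure(DEPENDS_ON, VALUE):
        print(f"{name:18} own value {own:2}  impact if it fails {impact:2}")
```

In this sample the identity provider, worth 1 on its own, takes the whole system (35) with it, while the top-valued pipeline controller impairs only itself; the ranking is what segmentation and credential-isolation work should be prioritised against.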