Systemic Cyber Risk: A Primer

Link to tweet

https://carnegieendowment.org/2022/03/07/systemic-cyber-risk-primer-pub-86531

INTRODUCTION

There is growing concern about “systemic cyber risk”—the possibility that a single failure somewhere in cyberspace could cause widening ripples with catastrophic consequences. Whereas most cyber events have a narrowly defined set of victims, a systemic cyber incident could do damage on a national or even a global scale—threatening the digital infrastructure that entire societies, economies, and governments rely on to function. In the last few months alone, two very different events illustrated distinct versions of the problem.

On November 24, 2021, Chinese cybersecurity researchers disclosed a severe vulnerability in Log4j—a low-profile software utility embedded in millions, or perhaps billions, of consumer devices and enterprise systems around the world.1 The security flaw could permit hackers to take total control of vulnerable machines with relative ease.2 The job of fixing Log4j fell to a team of volunteer programmers at Apache, who took two weeks to release a security patch. By that point, the hacking had already begun. The first patch was then followed by a second patch and a third patch, as more security gaps were uncovered. Meanwhile, organizations struggled to apply these patches because Log4j is often hidden underneath layers upon layers of other software packages.3 Experts predict it will take years to fully resolve the issue. Until then, innumerable victims remain vulnerable to state-sponsored hackers, ransomware gangs, and other bad actors.4

Compare the Log4j incident—a slow-rolling crisis actively abused by malicious actors—with another recent global event that was shorter, sharper, and completely accidental. On October 4, 2021, billions of users worldwide lost access to all Facebook services, including Instagram and WhatsApp. This happened because a small error during routine maintenance had unexpected and cascading consequences.5 An errant command was entered, and a bug in Facebook’s auditing systems mistakenly allowed the command to run, disconnecting all data centers. Misjudging the situation, Facebook’s DNS servers reacted by automatically halting public advertisements, blinding the internet to Facebook’s online location. Meanwhile, widespread network failures blocked Facebook’s IT staff from accessing the affected systems, even physically, to restore them.6 Although the outage lasted only six hours, that was a lifetime for many small businesses, family networks, and others reliant on Facebook for their daily needs.

These different incidents point to a common set of underlying problems. While organizations and consumers have more tools than ever to protect their data from loss or compromise, improvements in individual defense have been offset by a heightened risk of systemwide events. Many sectors of the global economy now rely on the same set of critical technology products and services, concentrating risk into an unknown number of possible failure points. The potential for catastrophe increases as developing nations further digitize and as activities that were previously separated from the internet—like medical care or transportation—become networked. The worst cyber events can now cause bodily harm or deaths, political crises, and multibillion-dollar economic losses. As digital networks interlink with the physical world in complex, dynamic, and opaque ways, many observers fear new forms of fragility that no one understands.

*snip*