This post is authored by Paul Nicholas, Senior Director, CPP US
“The meaning and implications of systemic cyber risk are not yet fully recognized or understood”, states the newly published White Paper on Understanding Systemic Cyber Risk from the Global Agenda Council (GAC) on Risk & Resilience of the World Economic Forum (WEF).
The White Paper is something that my team and I here in Microsoft contributed to, along with critical infrastructure providers and other experts around the world. Through a pair of workshops and multiple interviews, the lack of clarity in thinking around systemic cyber risk became obvious. This was not a total shock because cyber risk is increasingly hard to quantify when its ramifications across complex and interconnected systems are elusive or at times overwhelming. Many people generally acknowledge that a single cybersecurity event could, in theory, cascade into a widespread crisis but the interactions of technologies with human decisions and other complex systems, e.g. financial markets or transport infrastructure, make it hard to predict the what, how, when and why of such a crisis.
Illustrating the depth of this challenge, the White Paper itself references the WEF’s earlier Global Risks Report 2016. This report on broad risks facing the world found that although the risk of large-scale cyberattacks was seen as a high impact/high likelihood risk, the likely consequences of such cyberattacks, i.e. failure/shortfall of critical infrastructure and breakdown of critical information infrastructure and networks, were perceived as being considerably lower down the list of likely global risks than perhaps they should be.
Why does any of this matter to policy-makers and business leaders, and to private individuals? In some respects this is a hard question to answer. There are, for example, no easily referenced and universally agreed baselines for measuring or managing cyber risk. Nor is there an internationally accepted definition of cyber resilience. Without these, decision-makers are often left with the fallback position of “we’ll know it when we see it”, which is hardly ideal for planning purposes and makes it harder to promote the importance of both managing risk and preparing for resilience amongst those not already expert in the issues.
The White Paper helps partly address this problem by proposing a definition of cyber risk that speaks to all those who might be affected: “Systemic cyber risk is the risk that a cyber event (attack(s) or other adverse event(s)) at an individual component of a critical infrastructure ecosystem will cause significant delay, denial, breakdown, disruption or loss, such that services are impacted not only in the originating component but consequences also cascade into related (logically and/or geographically) ecosystem components, resulting in significant adverse effects to public health or safety, economic security or national security. The adverse real economic, safety and security effects from realized systemic risk are generally seen as arising from significant disruptions to the trust in or certainty about services and/or critical data (i.e. the integrity of data), the disruption of operations and, potentially.”
This definition is just a starting point. More needs to be done to refine it and to evolve a disciplined understanding of systemic cyber risk. It seems clear to me that systemic cyber risk and cyber resilience are, in themselves, the logical extensions of thinking coherently and realistically about cybersecurity. As with any form of protection and defense, we need to recognize that nothing can be 100% secure 100% of the time. Even with limitless resources committed to cybersecurity there will always be a risk of something going wrong. This recognition must lead us, in turn, to ask about what we can do when our defenses have been bypassed in some way. Should we accept that, once the secure perimeters have been breached and our internal systems bypassed, we must accept a zero-sum game loss? Or do we see such a cybersecurity failure as simply the start of a resilience process that will ensure our ICT systems and critical infrastructures continue to operate at some level, whilst we respond to the problem, reinvent our processes and re-establish normal operations?
All in all, then, the report provides another, much-needed catalyst to discussions, in depth and in detail, of cyber risk and resilience. In doing so it provides another opportunity for policy-makers, business leaders and others to start or expand their thinking about how cyber resilience should feature in their plans. After all, the unpredictability of the nature of the next crisis does not mean we should not plan for it. And whilst we are unlikely to predict the specifics of every challenge we may face, as President Eisenhower observed, “In preparing for battle I have always found that plans are useless, but planning is indispensable”.
This White Paper is the concluding publication of the GAC on Risk & Resilience. It has been a valuable experience for me and my colleagues to have participated in the GAC’s discussions over the last six months. We were very excited to be able to contribute to its publications and attend its meetings and events. I recommend that anyone seeking to better understand the implications of cyber risk and cyber resilience for themselves and for their organizations should look in detail at the work of the GAC, and I look forward to future work with the WEF on these issues, which will only become more important as technology continues to spread through businesses, governments and societies around the world.