
Identifying Critical Infrastructure in a World with Supply Chain and Cross-Sectoral Cybersecurity Risk

Deven R. Desai and Christos A. Makridis1

Abstract

Supply chains are fragile. The Covid-19 pandemic has highlighted the fragility of supply chains in a range of critical infrastructure: food, medicines, health care, information technology, communications, and more. This paper focuses on an under-appreciated supply chain risk—cybersecurity—that has been missed under the current legal approach to critical infrastructure and exacerbated by the pandemic.

Although the proliferation of digital services creates significant value and employment opportunities, it also inadvertently leads to a wide array of new cybersecurity vulnerabilities. Vulnerabilities of DVRs, CCTVs, voting machines, and municipal systems, leading to denial-of-service attacks and ransomware hold-ups, are known. But these examples miss a problem. They give the impression that only certain hardware and specific entities are affected, yet all the connected services can be at risk too. For example, given that enterprise software, which is common for work-at-home situations, is rapidly becoming a cybersecurity vulnerability, anyone connected by this software necessarily becomes a target too. Malicious cyber incidents, like the data breaches and ransoms exemplified by the SolarWinds and Colonial Pipeline incidents of 2021, can have ripple effects across a network of businesses and sectors. Yet current definitions and regulations of Critical Infrastructure (CI) and their focus on vertical sectors overlook this point.

We argue that cybersecurity supply chain risk is an important, under-studied aspect of the problem. Legal definitions of CI and the voluntary nature of cybersecurity governance leave gaps in the classification of CI and in how to identify cybersecurity risk, particularly in the professional services sector. In addition, the voluntary nature of cybersecurity governance demands risk-based and objective measures to aid in identifying when to take steps on improving cybersecurity, but exactly what such metrics are is, at best, evolving.

We address both these problems. By drawing on a new dataset, we develop metrics that measure productivity effects and that capture cybersecurity risk across sectors. This approach allows us to show that a major sector, professional services, is missed by current definitions of critical infrastructure, but could be captured if CI definitions accounted for cross-sectoral cybersecurity risk. In addition, the approach aids voluntary participation in mitigating cybersecurity risk because it provides a way for any firm or sector to identify and assess the nature of its cross-sectoral cybersecurity risk.

In short, cross-sectoral cybersecurity vulnerabilities can adversely affect aggregate growth and national security objectives because of connectivity across firms and sectors. This work seeks to provide a path forward for understanding, defining, and protecting cross-sectoral cybersecurity.

1 Deven R. Desai, Georgia Institute of Technology, Scheller College, Area Coordinator Law & Ethics, Assoc. Director of Law, Policy, and Ethics ML@GATECH; affiliated fellow Yale Information Society Project; former Academic Research Counsel, Google, Inc., deven.desai@scheller.gatech.edu. Christos Makridis, Arizona State University and Stanford University, cmakridi@stanford.edu. The Authors thank the participants in the Cybersecurity Law & Policy Scholars Conference 2020 hosted by the Nebraska College of Law and University of Minnesota Law School for their feedback. The ideas and statements in the paper reflect our views only and not those of any affiliated institutions.

This preprint research paper has not been peer reviewed. Electronic copy available at: https://ssrn.com/abstract=3693544
Draft

I. Introduction

Hollywood has enjoyed using cybersecurity vulnerabilities to enhance and drive movie plots for decades. The Italian Job involved hacking traffic lights during a heist.2 In War Games a young hacker accesses the Department of Defense’s AI-driven computer that controls the U.S. nuclear arsenal.3 In Sneakers, someone has a device that defeats encryption.4 When testing the device, hackers gain access to several vital infrastructures—the Federal Reserve: “Anyone want to shut down The Federal Reserve?”; the national power grid: “Anyone want to blackout New England?”; the Air Traffic Control system: “Anybody want to crash a couple of passenger jets?”.5 In Skyfall, even James Bond must deal with a master hacker who leaks secret data and blows up buildings.6

Cybersecurity vulnerability is unfortunately not just a movie plot. Transportation systems, financial services, government facilities, and many other sectors are critical infrastructure (CI) sectors. The United States recognizes sixteen designated sectors “whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”7 Defining sixteen sectors seems comprehensive and allows for differences in cybersecurity threats for each sector. But what if the list misses an important way to identify cyber-risk, so much so that an entire vital sector is not even on the list? Further, what if the approach does not account for the way a vulnerability in one sector could spill over into another sector?


2 This tactic was used in both the original and the remake. See The Italian Job (1969); The Italian Job (2003).
3 War Games (1983).
4 Sneakers (1992).
5 Id.
6 Skyfall (2012).
7 CRITICAL INFRASTRUCTURE SECTORS, Cybersecurity and Infrastructure Security Agency, March 24, 2020 at https://www.cisa.gov/critical-infrastructure-sectors.


This paper investigates whether the current approach potentially misses an important aspect of cybersecurity—cross-sectoral risk. This blind spot means that perhaps the largest productivity and cyber-vulnerable sector is not on the current list of critical infrastructure, and it misses the way a breach in one CI might lead to problems in one or more other CIs. In short, we offer a practical and transparent way to understand and quantify cross-sectoral cybersecurity risk as a way to improve identifying what should be deemed critical infrastructure and when increased cybersecurity measures are needed.

We begin with a background on cybersecurity risk and its relation to supply chain risks. We show that supply chain risks affect almost any sector. Then, we turn to legal definitions of critical infrastructure to show what is covered, and we identify gaps stemming from those definitions. Next, we look at the current approach to governance of critical infrastructure and cybersecurity. We document four results. First, whether a sector is deemed CI matters for governance. Second, the approach demands a risk-based approach with “consistent, objective criteria.”8 Third, even if a sector is not CI, the approach asks such a sector to take action consistent with the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity9 (the “Framework”).10 Fourth, precision and “consistent, objective criteria”11 on what constitutes cross-sectoral cybersecurity risk could and should be more robust.

We subsequently take our observations to practice and offer a new way to assess cross-sectoral cybersecurity risk. We draw on data from the Bureau of Economic Analysis (BEA), which allows us to measure how much (in dollars) each sector contributes to every other sector in the form of intermediate and final goods and services, and data from Rapid7, which allows us to measure


8 Exec. Order No. 13636, 78 Fed. Reg. 11739 (Feb. 19, 2013).
9 Matthew P. Barrett, FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY, Version 1.1, April 16, 2018, National Institute of Standards and Technology, NIST.
10 SECTOR SPECIFIC AGENCIES, August 22, 2018 at https://www.cisa.gov/sector-specific-agencies
11 Exec. Order 13636, supra note 8.


cybersecurity vulnerabilities for the Fortune 500 firms. We combine these data to compute a measure of inter-sectoral productivity linkages (i.e., the direct productivity effects) and cybersecurity linkages (i.e., the indirect supply chain effects). Although our approach is inherently limited by the data to which we have access, we show how the current definition of critical infrastructure falls short of reflecting the full breadth of cybersecurity risk, especially in the professional services sector. We use our coarse data as an illustrative example to highlight the importance of enriching the definition of critical infrastructure—moving away from a purely sectoral approach to more of a cross-sectoral approach that identifies the complementarities across firms in the economy.

We conclude by making two policy recommendations. First, the evaluation of cybersecurity risk should be part of legal definitions of CI and guide federal priorities, especially those of the Cybersecurity and Infrastructure Security Agency (CISA) in the Department of Homeland Security. CISA should look beyond traditionally classified CI sectors to influential nodes in the network that matter for aggregate risk so that federal agencies can focus their limited resources on where they matter most. Second, improved cybersecurity risk assessment needs tools. As such, we offer a plan where NIST and the Bureau of Industry and Security (BIS)—both centered within the Department of Commerce—should coordinate assessment of cross-sectoral cybersecurity risk. As part of that plan, we argue that NIST should provide annual or biannual re-evaluated guidance, and we offer three cybersecurity risk categories to guide that work. While some of these capabilities might already exist on paper, the reality is that many of these federal agencies do not interact with one another. That is, agencies that hold data for understanding supply chain linkages must build meaningful partnerships to enable the mapping of cross-sectoral networks and related cybersecurity vulnerabilities; otherwise these capabilities only exist in theory.



II. Understanding Supply Chain and Cross-Sectoral Threats

Consider healthcare technology,12 a city’s closed-circuit TV system, a car,13 a DVR,14 a voting machine, a fish tank,15 a home thermostat, city government such as Atlanta’s payment and data storage systems;16 none of these things seem that similar. But they are the same in one important way: they pose cybersecurity risk.17 As an odd but vivid example, in 2018 an unnamed U.S. casino was hacked and lost 10 gigabytes of data via a fish tank that was networked to allow for automated water temperature adjustment, salinity monitoring, and feeding.18 That is, all sorts of devices can be hacked and a range of bad outcomes—from data theft to cyber holdups to shutdowns of systems to unauthorized surveillance to falsified voting and more—are possible.

12 See e.g., Ken Hoyme, “Developing a ‘Software Bill of Materials’ for the Future of Cybersecurity” at https://aamiblog.org/2018/10/02/ken-hoyme-developing-a-software-bill-of-materials-for-the-future-of-cybersecurity/ (noting WannaCry affected hospitals).
13 See Davis Z. Morris, Tesla Stealing Hack Is About Much More than Tesla, FORTUNE (Nov. 26, 2016), [https://perma.cc/GQ2N-Y3XC]; Andrea Peterson, Researchers Remotely Hack Tesla S, WASH. POST (Sept. 20, 2016), [https://perma.cc/X3EL-CFZM].
14 See “Hacked Cameras, DVRs Powered Today’s Massive Internet Outage” at https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/. DVR threats persisted for years. See Catalin Cimpanu, “Over nine million cameras and DVRs open to APTs, botnet herders, and voyeurs,” ZDNET, Oct. 9, 2018, at https://www.zdnet.com/article/over-nine-million-cameras-and-dvrs-open-to-apts-botnet-herders-and-voyeurs/; Doug Olenick, “Zero-day Being Used to Turn LILIN DVRs into Botnets” March 24, 2020 at https://www.scmagazine.com/home/security-news/vulnerabilities/zero-day-being-used-to-turn-lilin-dvrs-into-botnets/
15 See Lee Mathews, Criminals Hacked a Fish Tank to Steal Data from a Casino, July 27, 2017, FORBES, at https://www.forbes.com/sites/leemathews/2017/07/27/criminals-hacked-a-fish-tank-to-steal-data-from-a-casino/?sh=3c05b80832b9
16 Stephen Deere, “CONFIDENTIAL REPORT: Atlanta’s cyber attack could cost taxpayers $17 million,” August 2, 2018, at https://www.ajc.com/news/confidential-report-atlanta-cyber-attack-could-hit-million/GAljmndAF3EQdVWlMcXS0K/ (noting loss of police patrol car video footage, and that the costs made it one of the highest ransomware attacks of the year).
17 One might also look at these problems as related to the Internet of Things or IoT. Kishore Angrishi, Turning internet of things (iot) into internet of vulnerabilities (iov): Iot botnets. ARXIV PREPRINT arXiv:1702.03681 (2017) at https://arxiv.org/pdf/1702.03681.pdf. As the study summarizes, the “common mode of IOT botnets” involves malware scanning for vulnerable IoT devices, usually for open Telnet ports or other services reachable over the Internet. Id.
18 See Lee Mathews, Criminals Hacked a Fish Tank to Steal Data from a Casino, July 27, 2017, FORBES, at https://www.forbes.com/sites/leemathews/2017/07/27/criminals-hacked-a-fish-tank-to-steal-data-from-a-casino/?sh=3c05b80832b9


Before everything was networked, a given piece of electronic hardware was relatively safe. Someone would have to have physical access to the device to be able to upload malware, alter the software, or steal data.19 With networked devices cybersecurity becomes a bigger risk.

The recent revelation about the hack of SolarWinds software illustrates the problem. SolarWinds sells enterprise software that is supposed to help firms monitor their IT infrastructure.20 Russian hackers managed to get to the software while it was in development and before the software went to customers. Once the software was deployed by SolarWinds, the hackers used a natural part of such software, networked updating, to attack more than 18,000 SolarWinds customers, which include the Pentagon, intelligence agencies, nuclear labs, and Fortune 500 companies.21 The attack is called a supply chain attack because the attack goes after outside products to get into a firm’s network.22 As CISA explained, in such an attack the attacker uses “an ability to exploit software supply chains” to then exploit its “knowledge of Windows networks.”23

One might think that the issues are related only to the SolarWinds entry point; but that is incorrect. CISA’s alert about SolarWinds captures the larger problem: “The SolarWinds Orion supply chain compromise is not the only initial infection vector this APT actor leveraged.”24 That is,


19 See e.g., David Kushner, The Real Story of Stuxnet, IEEE Spectrum, Feb. 23, 2013, at https://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet
20 David E. Sanger, Nicole Perlroth, and Eric Schmitt, Scope of Russian Hack Becomes Clear: Multiple U.S. Agencies Were Hit, NY TIMES, December 16, 2020, at https://www.nytimes.com/2020/12/14/us/politics/russia-hack-nsa-homeland-security-pentagon.html
21 Id.
22 David E. Sanger, Russian Hackers Broke Into Federal Agencies, U.S. Officials Suspect, NY TIMES, December 16, 2020, at https://www.nytimes.com/2020/12/13/us/politics/russian-hackers-us-government-treasury-commerce.htm; cf. CISA, Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations, Alert AA20-352A, December 17, 2020 (“One of the initial access vectors for this activity is a supply chain compromise of the following SolarWinds Orion products.”).
23 CISA, supra note 22.
24 Id. (“This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks. It is likely that the adversary has additional initial access vectors and tactics, techniques, and procedures (TTPs) that have not yet been discovered.”).


other software can be the way into a firm’s systems.25 In short, increasing supply chain risk for software combined with networked computing means someone can more easily find a way into a system and wreak havoc.26

Recent data show that cybersecurity risks include not only data breaches, which increased from 2005 to 2018 according to the Council of Economic Advisers,27 but also distributed denial of service (DDoS) attacks and ransomware attacks. In addition to the SolarWinds attack, in late August 2020 the New Zealand Stock Exchange, YesBank India, MoneyGram, PayPal, Braintree, and Venmo were all hit by DDoS attacks.28 The attack shut down the stock exchange for at least three days in a row.29 Following the rise of singular data breaches, there has also been an increase in cyberattacks on supply chains. Data from the Atlantic Council on software supply chain attacks—that is, attacks that emerge based on vulnerabilities in a company’s software—indicate that such attacks have increased from 3 in 2010 to 16 in 2019.30

Because nearly all organizations use software that they did not produce, vulnerabilities in that software can have serious consequences. For example, NotPetya is a ransomware attack that encrypts hard drives and thus sets up a demand for payment to release the data.31 The software started as an


25 David E. Sanger and Nicole Perlroth, More Hacking Attacks Found as Officials Warn of ‘Grave Risk’ to U.S. Government, NY TIMES, December 18, 2020 (“That suggests other software, also used by the government, has been infected and used for access by foreign spies.”) at https://www.nytimes.com/2020/12/17/us/politics/russia-cyber-hack-trump.html.
26 Hannah Murphy, How Home Tech Can Be Companies’ Weakest Link, FINANCIAL TIMES, FT.COM, September 27, 2020 at https://www.ft.com/content/5cf95b77-12a4-4e34-a5c0-30904d981c58
27 Council of Economic Advisers, “Economic Report of the President.” (2019) at https://www.whitehouse.gov/wp-content/uploads/2019/03/ERP-2019.pdf
28 Catalin Cimpanu, DDoS Extortionists Target NZX, Moneygram, Braintree, and Other Financial Services, August 27, 2020, at https://www.zdnet.com/article/ddos-extortionists-target-nzx-moneygram-braintree-and-other-financial-services/.
29 Id.
30 Formally, supply chain attacks are defined as an “attack [that] occurs when an attacker accesses and edits software in the complex software development supply chain to compromise a target farther up on the chain by inserting their own malicious code.” https://www.atlanticcouncil.org/programs/scowcroft-center-for-strategy-and-security/cyber-statecraft-initiative/breaking-trust/
31 See e.g., Aparna Banerjea, NotPetya: How a Russian Malware Created the World’s Worst Cyberattack Ever, BUSINESS STANDARD, Aug. 27, 2018 at https://www.business-standard.com/article/technology/notpetya-how-a-russian-malware-created-the-world-s-worst-cyberattack-ever-118082700261_1.html.


attack on Ukraine but quickly spread across the world and infected “hospitals in Pennsylvania to a chocolate factory in Tasmania.”32 The attack hit “multinational companies including Maersk, pharmaceutical giant Merck, FedEx’s European subsidiary TNT Express, [and] French construction company Saint-Gobain.”33 NotPetya also reached major players in the fast-moving consumer goods sector such as Mondelez and Reckitt Benckiser.34 In short, NotPetya was indiscriminate as it infected industry after industry. The attack was so strong and unpredictable that “NotPetya spread back to Russia, striking the state oil company Rosneft”—a result not “expected” by its inventors.35 It is thought to lurk within systems for some time after the initial attack.36

Enterprise software shows yet another reason cybersecurity risk needs to be reassessed. The now infamous Colonial Pipeline ransomware attack appears to have exploited Virtual Private Network (VPN) and Remote Desktop Protocol (RDP) vulnerabilities; it forced a shutdown of access to fuel across a large swath of the U.S. and cost the company millions to regain access to its data.37 Even before the Colonial Pipeline attack, in the first half of 2020, enterprise ransomware hit “all-time high[s],” often by exploiting VPN and RDP, with RDP exploits being “regarded as the single biggest attack vector for ransomware,” according to one cyber-security firm.38 The Server Message Block (SMB) protocol vulnerability in Microsoft’s Windows operating system is an older enterprise software risk, in that the infamous WannaCry malware incident in 2017 relied on an SMB protocol vulnerability.39 And yet, SMB vulnerability persists as a problem exacerbated by VPN and RDP

32 Id.
33 Id.
34 Id.
35 Id.
36 Id.
37 See David E. Sanger and Nicole Perlroth, Pipeline Attack Yields Urgent Lessons About U.S. Cybersecurity, N.Y. TIMES, May 14, 2021, updated May 18, 2021 at https://www.nytimes.com/2021/05/14/us/politics/pipeline-hack.html; Jordan Nuce, et al., Shining a Light on Darkside Ransomware Operations, FIREEYE, May 22, 2021 at https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
38 Catalin Cimpanu, Top Exploits Used by Ransomware Gangs Are VPN Bugs, but RDP Still Reigns Supreme, August 24, 2020 at https://www.zdnet.com/article/top-exploits-used-by-ransomware-gangs-are-vpn-bugs-but-rdp-still-reigns-supreme/.
39 Computer Emergency Response Team-EU, WannaCry Ransomware Campaign Exploiting SMB Vulnerability, (May 22, 2017) at https://cert.europa.eu/static/SecurityAdvisories/2017/CERT-EU-SA2017-012.pdf


software issues. For example, the Cybersecurity and Infrastructure Security Agency issued an alert in 2019 documenting a VPN attack that then allowed the attacker to use SMB to “Create a reverse SMB SOCKS proxy that allowed connection between an cyber threat actor-controlled VPS and the victim organization’s file server.”40 In October of 2020, an auto part supplier suffered an attack that started with its RDP and then went on to exploit SMB and other vulnerabilities.41 Exactly how the infamous Colonial Pipeline attack worked is unclear. But in general, the Darkside ransomware behind the attack is thought to exploit VPN and RDP to then use SMB “to exfiltrate hundreds of gigabytes of data” and “create ransom notes,” among other ways that the ransomware gets into a company’s systems.42

Given the ways hackers find ways into systems, two questions arise. First, as an internal matter: How does a security breach affect an entity? Second, as an external matter: Might that breach spill over into another entity with whom the breached entity does business?

Let’s consider an entity, Corp. A, that is an energy CI. Corp. A has a contract with vendor V, and V is breached. When Corp. A installs V’s software, Corp. A now has a bomb waiting to go off in its system. Thus, ex ante Corp. A must make sure that operational parts of its system are protected from other parts. In theory, companies isolate operations from other parts of the business so that breaches in one area do not affect the entire business.43 That appears to be what Colonial Pipeline did not do with its ransomware event, and so there was a need to shut down its entire


40 Cybersecurity and Infrastructure Security Agency, Federal Agency Compromised by Malicious Cyber Actor, Analysis Report (AR20-268A) (September 24, 2020) at https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a
41 Peter Fretty, Nobody Gets Hacked? That’s Only True in a Fantasy World, INDUSTRY WEEK, (October 21, 2020) at https://www.industryweek.com/technology-and-iiot/article/21144041/nobody-gets-hacked-thats-only-true-in-a-fantasy-world
42 See Jordan Nuce, et al., Shining a Light on Darkside Ransomware Operations, FIREEYE, May 22, 2021 at https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
43 See David E. Sanger and Nicole Perlroth, Pipeline Attack Yields Urgent Lessons About U.S. Cybersecurity, N.Y. TIMES, May 14, 2021, updated May 18, 2021 at https://www.nytimes.com/2021/05/14/us/politics/pipeline-hack.html (“the long-held belief that the pipeline’s operations were totally isolated from the data systems that were locked up by DarkSide, a ransomware gang believed to be operating out of Russia, turned out to be false.”); Teri Radichel, Colonial Pipeline Hack, Medium, May 15, 2021 at https://medium.com/cloud-security/colonial-pipeline-hack-4486d16f2957 (“in a perfect world, there are no connections between the administrative and operational systems”).


operations.44 But a breached Corp. A may have to shut down not only to protect its entire system but also to make sure the malware does not affect other entities. As one author put it, regarding Colonial, “[It had] to make sure the malware [didn’t] escape and infect other pipelines in the United States, customer systems, or operational systems within Colonial Pipeline. If the malware is still there and in any way can impact the operational systems, something worse could happen.”45 That is, infection at Corp. A could spread to another sector.

We can expand the example by thinking of Corp. A using outside vendors for 1) VPNs, 2) RDPs, 3) a payroll system from PS Corp., and 4) a consumer relations system from CRS Corp. If PS Corp. is infected at its home system, how far does that reach into Corp. A? SolarWinds shows that the problem can reach Corp. A, and Colonial Pipeline suggests that, depending on how well Corp. A isolates its systems, the problem can reach deep into Corp. A. In addition, Colonial Pipeline’s need to shut down to protect connected systems and customers suggests that the threat of spreading from Corp. A to CRS Corp. is real and strong.
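As an added illustration of the spillover reasoning in the Corp. A example, and of the direct versus indirect (supply chain) linkage idea sketched in the Introduction, the following is example code written for this page; it is not the authors' BEA/Rapid7 model, and the sector names, input shares, vulnerability scores, and isolation scores are constructed assumptions. It propagates each sector's own vulnerability along supplier links, damped by how well each receiver isolates vendor-facing systems from operations, and then ranks sectors by how much exposure a compromise there would induce elsewhere.

```python
"""Illustrative cross-sectoral cyber exposure model (constructed example).

Written to illustrate the Corp. A / vendor spillover reasoning and the
direct-vs-indirect linkage idea; NOT the paper's BEA/Rapid7 methodology.
Every number below is made up.
"""
from typing import Dict, List, Tuple

Weights = Dict[str, Dict[str, float]]

# SUPPLY[i][j]: share of sector j's purchased inputs that come from sector i
# (a simplified input-output table normalized per receiver; constructed).
SUPPLY: Weights = {
    "prof_services": {"energy": 0.30, "finance": 0.40, "government": 0.25},
    "energy":        {"finance": 0.05, "government": 0.10, "prof_services": 0.05},
    "finance":       {"energy": 0.10, "prof_services": 0.15, "government": 0.05},
    "government":    {},  # supplies no inputs to the others in this toy table
}

# Intrinsic vulnerability per sector in [0, 1] (constructed; think of it as a
# normalized count of exposed services such as reachable RDP/SMB endpoints).
VULN = {"prof_services": 0.6, "energy": 0.2, "finance": 0.3, "government": 0.4}

# Spillover susceptibility in [0, 1]: 1 minus how well a sector isolates
# vendor-facing business systems from operations. A Colonial-Pipeline-style
# lack of separation corresponds to a value near 1 (constructed values).
SUSCEPT = {"prof_services": 0.8, "energy": 0.9, "finance": 0.5, "government": 0.7}


def propagate(supply: Weights, vuln: Dict[str, float], suscept: Dict[str, float],
              tol: float = 1e-12, max_iter: int = 10_000) -> Dict[str, float]:
    """Solve e_j = v_j + s_j * sum_i supply[i][j] * e_i for every sector j.

    e_j is total exposure: own vulnerability plus what flows in from
    suppliers, damped by how well j isolates itself. Solved by Gauss-Seidel
    iteration; it converges when each receiver's inbound shares sum below 1.
    """
    nodes = list(vuln)
    exposure = dict(vuln)  # start from direct exposure only
    for _ in range(max_iter):
        delta = 0.0
        for j in nodes:
            inbound = sum(supply.get(i, {}).get(j, 0.0) * exposure[i] for i in nodes)
            updated = vuln[j] + suscept[j] * inbound
            delta = max(delta, abs(updated - exposure[j]))
            exposure[j] = updated
        if delta < tol:
            return exposure
    raise RuntimeError("no convergence: check that inbound shares per sector sum below 1")


def decompose(supply: Weights, vuln: Dict[str, float],
              suscept: Dict[str, float]) -> Dict[str, Tuple[float, float]]:
    """Split each sector's exposure into (direct, indirect via supply chain)."""
    total = propagate(supply, vuln, suscept)
    return {j: (vuln[j], total[j] - vuln[j]) for j in vuln}


def influence(supply: Weights, suscept: Dict[str, float]) -> Dict[str, float]:
    """Exposure that a unit compromise at sector i induces in all other sectors.

    A unit shock is placed on i alone and propagated; high scorers are the
    'influential nodes' that matter for aggregate risk even if not designated CI.
    """
    nodes = list(suscept)
    scores: Dict[str, float] = {}
    for i in nodes:
        shock = {k: (1.0 if k == i else 0.0) for k in nodes}
        e = propagate(supply, shock, suscept)
        scores[i] = sum(e[j] for j in nodes if j != i)
    return scores


def rank_by_influence(supply: Weights, suscept: Dict[str, float]) -> List[Tuple[str, float]]:
    """Sectors ordered from most to least influential under the model."""
    return sorted(influence(supply, suscept).items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for sector, (direct, indirect) in decompose(SUPPLY, VULN, SUSCEPT).items():
        print(f"{sector:14s} direct={direct:.3f} indirect={indirect:.3f}")
    print("influence ranking:", rank_by_influence(SUPPLY, SUSCEPT))
```

Setting every susceptibility to zero reproduces the purely sectoral view (exposure equals own vulnerability); with the constructed shares, the undesignated professional services sector comes out as the most influential node.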

In sum, knowing that software vendors have vulnerabilities does not stop the holes; more steps are needed. The persistence of cybersecurity holes raises at least three questions. When is a sector critical infrastructure? If it is CI, what, if anything, does that mean for its approach to cross-sectoral cybersecurity? If a sector is not CI, what, if anything, is required?

III. Designated and Undesignated Critical Infrastructure



44 See David E. Sanger and Nicole Perlroth, Pipeline Attack Yields Urgent Lessons About U.S. Cybersecurity, N.Y. TIMES, May 14, 2021, updated May 18, 2021 at https://www.nytimes.com/2021/05/14/us/politics/pipeline-hack.html (“Cybersecurity experts also note that Colonial Pipeline would never have had to shut down its pipeline if it had more confidence in the separation between its business network and pipeline operations.”).
45 Teri Radichel, Colonial Pipeline Hack, Medium, May 15, 2021 at https://medium.com/cloud-security/colonial-pipeline-hack-4486d16f2957


The U.S. approach to cybersecurity distinguishes between critical and non-critical infrastructure,46 but in ways that under-appreciate whether an industry should be deemed critical and thus come under federal agency supervision. This section sets out the current approach to CI and why it needs updating.

A. What the Designated CI Approach Misses

Today three criteria—national defense, economic security, and public health and safety—are considered when designating critical infrastructure.47 The definition of critical infrastructure sectors is broad and yet exclusive. The formal definition under Presidential Policy Directive 21 indicates any sector might be deemed critical if one makes the case that loss of function would “have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”48

The sixteen designated sectors—chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials, and waste; transportation systems; and water and waste systems—may or may not cover the example problems set out above.49 The City of Atlanta fits into the government sector. A stock exchange fits into financial services. But where do professional services such as ADT for payment services and human resources, or PeopleSoft for consumer relations software—or simpler,

46 See e.g., Eldar Haber and Tal Zarsky, Cybersecurity for Infrastructure: A Critical Analysis, 44 FLORIDA STATE UNIV. L. REV. 515, 518-519 (2017).
47 See 42 U.S.C. § 5195(c); accord, Haber and Zarsky, supra note 36 id. at 519.
48 Presidential Policy Directive 21: Critical Infrastructure Security and Resilience (PPD-21), released on February 12, 2013; accord CRITICAL INFRASTRUCTURE SECTORS, supra note 7; accord Tara Seals, Feds Hit with Successful Cyberattack, Data Stolen, THREATPOST, (September 24, 2020) at https://threatpost.com/feds-cyberattack-data-stolen/159541/.
49 See supra notes 12 to 18 and accompanying text.


accounting or legal services—fit in? What about subcontractors that are technically outside a

ed
designated CI sector?

In other words, enterprise software—such as payment systems and customer relations software—is used by a range of sectors regardless of whether they are a designated CI sector, and so a compromise of enterprise software poses a large, cross-sectoral threat. Before the Covid-19 Pandemic, many industries relied on virtual private networks (VPN) and the remote desktop protocol (RDP) to enable work away from the office. During the Pandemic, working away from the office has become the norm. In addition, many industries are rethinking whether full-time office work is needed going forward.50 Possibilities include flexible days at the office, so that a worker may be in the office only two or three days yet still put in the rest of the full work week from home.51 Although there are high quality VPNs, whether a given VPN is configured to the latest standards, and whether the entity implementing the VPN has addressed matters such as not using VPN defaults, can lead to vulnerabilities.52 Even federal agencies and financial institutions, which should be able to choose good VPN services, have found that a chosen VPN, such as Pulse Secure, can have security flaws that “allows untrusted users to remotely execute malicious code on Pulse Secure hardware, and from there, to gain control of other parts of the network where it's installed.”53
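The following script is an added example; it is not code from the paper, nor a tool from the NSA guidance cited in note 52. It shows the kind of check an entity can run against its own VPN configuration before trusting the defaults: it parses the IKE and ESP proposals of an ipsec.conf-style file written in strongSwan's proposal syntax (cipher-integrity-dhgroup) and flags algorithms, Diffie-Hellman groups and options that common hardening guidance treats as obsolete. The two configurations and the "obsolete" lists are constructed, simplified assumptions for illustration; a real review should follow the cited NSA document and the vendor's own hardening guide.

```python
"""Lint IKE/ESP proposals in an ipsec.conf-style VPN configuration.

Added illustration (not the paper's code). The proposal syntax follows
strongSwan (cipher-integrity-dhgroup). The "obsolete" sets below are a
simplified, assumed policy: widely deprecated ciphers, hashes and DH
groups, IKEv1, IKEv1 aggressive mode, and ESP proposals with no DH group
(no perfect forward secrecy).
"""
import re

OBSOLETE_ENC = {"null", "des", "3des", "cast128", "blowfish"}
OBSOLETE_INTEG = {"md5", "sha1"}
OBSOLETE_DH = {"modp768", "modp1024", "modp1536"}  # DH groups 1, 2 and 5

# Constructed sample configurations: a branch tunnel "left at defaults"
# beside a hardened version of the same tunnel.
WEAK_CONF = """\
conn branch-office
    keyexchange=ikev1
    aggressive=yes
    ike=3des-sha1-modp1024,aes128-sha1-modp1024
    esp=aes128-sha1
"""

HARDENED_CONF = """\
conn branch-office
    keyexchange=ikev2
    ike=aes256-sha384-ecp384,aes256gcm16-prfsha384-ecp384
    esp=aes256gcm16-ecp384
"""


def parse_conf(text):
    """Return {conn_name: {key: value}} for the conn sections of ipsec.conf."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        match = re.match(r"conn\s+(\S+)$", line)
        if match:
            current = conns.setdefault(match.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def classify(token):
    """Map one proposal token to 'enc', 'integ', 'prf' or 'dh'."""
    if token.startswith(("modp", "ecp", "curve")):
        return "dh"
    if token.startswith("prf"):
        return "prf"
    if token in OBSOLETE_INTEG or token.startswith(("sha", "aesxcbc", "aescmac")):
        return "integ"
    return "enc"


def lint_conn(settings):
    """Return the list of policy findings for one conn (empty means it passed)."""
    findings = []
    if settings.get("keyexchange", "").lower() == "ikev1":
        findings.append("keyexchange=ikev1: prefer IKEv2")
    if settings.get("aggressive", "no").lower() == "yes":
        findings.append("aggressive=yes: IKEv1 aggressive mode exposes a crackable PSK hash")
    for key in ("ike", "esp"):
        for proposal in filter(None, settings.get(key, "").rstrip("!").split(",")):
            tokens = proposal.split("-")
            for tok in tokens:
                kind = classify(tok)
                if ((kind == "enc" and tok in OBSOLETE_ENC)
                        or (kind == "integ" and tok in OBSOLETE_INTEG)
                        or (kind == "dh" and tok in OBSOLETE_DH)):
                    findings.append(f"{key}={proposal}: obsolete {kind} {tok}")
            if not any(classify(t) == "dh" for t in tokens):
                why = "no DH group" if key == "ike" else "no DH group, so no PFS"
                findings.append(f"{key}={proposal}: {why}")
    return findings


def lint_config(text):
    """Lint every conn in a configuration; returns {conn_name: [findings]}."""
    return {name: lint_conn(cfg) for name, cfg in parse_conf(text).items()}


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for name, findings in lint_config(conf).items():
            print(f"[{label}] conn {name}: {len(findings)} finding(s)")
            for finding in findings:
                print("   -", finding)
```

Run as-is, the weak conn produces nine findings (IKEv1, aggressive mode, 3DES, SHA-1 three times, DH group 2 twice, and an ESP proposal with no forward secrecy) and the hardened conn none. The point for the text above is that a tunnel can be "encrypted" and still be built on vendor defaults nobody reviewed; the lint makes that reviewable before the VPN is trusted across sector boundaries.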

In short, as more companies, and thus less sophisticated ones, use VPNs and RDP for workers’ computers, cybersecurity risk will likely increase in importance. This practice will occur across almost all sixteen sectors and perhaps more so for sectors not explicitly designated as CI, such as professional services. These sectoral interdependencies and the pervasiveness of the networked economy, where there is such a reliance on data and professional services, can lead to network nightmares. Put simply, cross-sectoral cybersecurity vulnerabilities matter.

50 Kim Lyons, Google Pushes Return to Office to September and Will Test Flexible Work Week, THE VERGE, December 14, 2020 at https://www.theverge.com/2020/12/14/22175150/google-return-office-september-flexible-work-week-coronavirus-pandemic-sundar-pichai.
51 Id.
52 NSA, Securing IPsec Virtual Private Networks, U/OO/148259-20 | PP-20-0504 | October 2020 ver. 1.2.
53 Dan Goodin, More US agencies potentially hacked, this time with Pulse Secure exploits, ARS TECHNICA, April 30, 2021, at https://arstechnica.com/gadgets/2021/04/more-us-agencies-potentially-hacked-this-time-with-pulse-secure-exploits/; accord CISA, Mitigate Pulse Connect Secure Product Vulnerabilities, EMERGENCY DIRECTIVE 21-03, April 20, 2021 at https://cyber.dhs.gov/ed/21-03/.

B. Questions Left Open Under the Current System for Cybersecurity and CI Governance

It is not that cybersecurity is ignored in CI governance. Rather, the overlap between CI and cybersecurity presents questions about the role cybersecurity plays in CI governance. Cybersecurity is an explicit part of maintaining and improving CI. In addition, even if a company is not in a designated CI sector, it is expected to assess its cybersecurity risk voluntarily. Under the current approach, however, any company wishing to address cybersecurity faces open questions about exactly how to identify and then achieve CI cybersecurity. This part explains the current approach and its conundrums, as that understanding is needed before turning to how our approach seeks to answer these implementation questions.

Cybersecurity can affect any sector regardless of CI designation. The Department of Homeland Security Risk-Based Performance Standards identify three factors that together indicate a security risk: (1) the likelihood of a successful attack (vulnerability); (2) the existence of an adversary with the necessary intent and capabilities to attack the facility (threat); and (3) the consequences of a successful attack on a facility (consequence).54 Executive Order 13636, Improving Critical Infrastructure Cybersecurity, ties being CI and cybersecurity together.55 Section 9 of EO 13636 prohibits “identif[ying] any commercial information technology products or consumer information technology services”; thus naming a given product such as a VPN, or a service such as Google, as CI is not allowed. Instead, Section 9 takes a broad approach and requires using

    a risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security. … [and] apply[ing] consistent, objective criteria in identifying such critical infrastructure.56

54 See RISK STEERING COMM., DEP’T. OF HOMELAND SEC., DHS RISK LEXICON 17, 30 (2008), [https://perma.cc/9XML-8Y6X].
55 Exec. Order 13636, supra note 8.

Although it may seem that a designated CI must follow exact rules, as Haber and Zarsky explain, the U.S. approach relies on voluntary action to protect critical infrastructure except for the chemical and energy sectors, both of which follow “mandatory government-set standards.”57 Rather than provide specific rules, DHS sets out standards to follow.58 Explicit designation of sectors matters because that designation controls which agency oversees and establishes protocols for a sector. But lack of designation does not imply that a sector or company has no actions it could or should take.

Given that there was no centralized agency or rule for addressing cybersecurity risk and the approach is essentially voluntary, and yet EO 13636 calls for “a risk-based approach” to identify and address cybersecurity vulnerabilities in CI, something was needed to guide even voluntary actions so that “consistent, objective criteria” were in place.59 That is where the NIST Framework for Improving Critical Infrastructure Cybersecurity60 (the “Framework”) comes in as a key part of addressing CI cybersecurity risk. The Framework is designed to “strengthen the resilience of” CI by creating cybersecurity risk frameworks.61 The approach is “technology neutral” and is “not a one-size-fits-all approach,”62 as it is intended to accommodate the variance in risks across sectors and organizations.63 Although the Framework is explicitly tied to CI as defined under U.S. law, the vision is that the Framework “can be used by organizations in any sector of the economy or society” both within and outside the U.S.64 Even if not designated as CI, a company or sector is, on a voluntary basis, encouraged to use the Framework to assess and manage cybersecurity risk. In addition, NIST suggests that cybersecurity should be part of enterprise risk management (ERM).65

56 Id.
57 See e.g., Haber and Zarsky, supra note 46, at 534.
58 Id. at 534-535.
59 Exec. Order 13636, supra note 8.
60 Matthew P. Barrett, FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY, Version 1.1, April 16, 2018, National Institute of Standards and Technology (NIST).
61 Id. at 1.
62 Id. at 2.

NIST’s approach to cybersecurity and ERM reveals further issues in addressing cybersecurity. NIST offers that “Cybersecurity risk inputs to ERM programs should be documented and tracked in written cybersecurity risk registers that comply with the ERM program guidance.”66 The lack of “consistent, repeatable ways” to document and share cybersecurity risk is, however, a problem. For example, even NIST has commented that it would like to see quantified, aggregated cybersecurity risk assessments that are not “ad hoc” and that have rigor.67 The connection between NIST’s cybersecurity ERM guidance and the NIST Framework gives any entity goals for addressing cybersecurity risk: diagnose the state of its cybersecurity risk, set goals for future cybersecurity risk, be specific about where to improve and how to do so in an on-going manner, and state cybersecurity risk issues for both internal and external stakeholders.68

The Framework sets out “five concurrent and continuous Functions—Identify, Protect, Detect, Respond, Recover” to guide entities on how to achieve the goals.69 Of the five functions, Identify is “foundational for effective use of the Framework.”70 Specifically, an entity has to start by “Understanding the business context, the resources that support critical functions, and the related cybersecurity risks” so that it can assess what to address, and how, in ways that fit its “risk management strategy and business need.”71 Thus, any enterprise that must or wishes to address cybersecurity risk needs tools to achieve these goals and perform these functions. And even though addressing cybersecurity is voluntary and based on public-private partnerships, the overall approach indicates that action is expected.72

63 Id.
64 Id. at 3.
65 Kevin Stine, Stephen Quinn, Gregory Witte, Karen Scarfone, and Robert Gardner, Integrating Cybersecurity and Enterprise Risk Management (ERM), NIST INTERNAL OR INTERAGENCY REPORT (NISTIR) 8286 (Draft), NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (2020).
66 Id. at vii.
67 Id.
68 See Barrett, supra note 60 (“the Framework provides a common taxonomy and mechanism for organizations to 1) Describe their current cybersecurity posture; 2) Describe their target state for cybersecurity; 3) Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process; 4) Assess progress toward the target state; 5) Communicate among internal and external stakeholders about cybersecurity risk.”).
69 Id. at 3.
70 Id. at 7.

This leaves entities to use the Framework, but still demands qualitative and quantitative ways to assess cybersecurity vulnerabilities. Furthermore, entities may argue that the DHS Risk-Based Performance Standards can be fuzzy, debated, and seen as not requiring action, because assessing vulnerability, threat, and consequences has been difficult. Until now.

New data and measurements regarding information security and risk provide insights into just how vulnerable sectors are. Based on that analysis, assessing threats and consequences becomes easier. Put differently, given that our approach offers that cybersecurity and cross-sectoral risk should be part of a specific way to assess whether a given sector is CI, we now present a way to implement our recommendation.

IV. A Method to Assess Cross-sectoral Cybersecurity Risk

We draw on newly available proprietary data from Rapid7, a leader in the information security sector that provides services to organizations and some data to the public for purposes of strengthening the collective cybersecurity of the nation. Motivated by the emergence of internet scanning as an approach to identify vulnerabilities,73 Rapid7 has developed a proprietary method for scanning networks, called Project Sonar.74 The approach involves sending one or more “probe packets” to a target IP address and recording the response (or lack of response) from the targeted host. Gathering these externally collected data on exposed ports has also been shown to dramatically improve the quality of predictions of data breaches and other malicious activity on networks.75

71 Id.
72 As Haber and Zarsky put it, “While the private sector was not subject to mandatory requirements, these instruments clearly signal the government’s expectations of the private sector.” Haber and Zarsky, supra note 46, at 532.

While Project Sonar allows Rapid7 to scan all exposures on the open internet, whether a company is private or public, the challenge involves mapping IP addresses to specific organizations. Since this requires manually searching for the IP ranges of each firm, Rapid7 focuses on the Fortune 500 firms as a starting point simply to obtain a sensible and well-defined list of firms. In this sense, the primary limitation of the data is that it does not cover firms outside of the Fortune 500, meaning that sectors with few companies in the Fortune 500 will get selective coverage, if any. For example, the government is excluded from the sample altogether.

Because there is no single measure of cyber vulnerability, we focus on a couple. For example, Rapid7 presents data on the number of organizational assets exposing Server Message Block (SMB) and Telnet,76 both of which are identified as significant ways cyberattacks succeed.77 SMB is one of the most dangerous services that can be exposed in an organization since it is an “all-in-one file-sharing and remote administration protocol” that allows malicious attackers to gain control over an organization. Although Microsoft has endeavored to reduce SMB exposure, many organizations still expose it, perhaps because they use an old version of Windows. Similarly, Telnet is a cleartext protocol that allows a user to log in directly to a server or network equipment and to run commands at the operating system level. This means that a malicious attacker who can observe the traffic could gain access to usernames, passwords, or even the data being transmitted. Moreover, there is no technical justification for running Telnet services, particularly as it has been replaced by the Secure Shell (SSH) Transport Layer Protocol, “which provides encryption-in-transport and encourages the use of digital certificates when authenticating connections.”78

73 Nadia Heninger, Zakir Durumeric, Eric Wustrow, and J. Alex Halderman, Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices, PROCEEDINGS OF THE 21ST USENIX CONFERENCE ON SECURITY SYMPOSIUM, Berkeley, CA (2012); Antonio Nappa, Zhaoyan Xu, Juan Caballero, and Guofei Gu, Cyberprobe: Towards Internet-scale Active Detection of Malicious Servers, PROCEEDINGS OF NDSS 2014, San Diego, CA (2014).
74 Project Sonar began in September of 2013 “with the goal of improving security through the active analysis of public networks. While the first few months focused almost entirely on SSL, DNS, and HTTP enumeration, the discoveries and insights derived from these datasets, especially around the identification of systems unknown to IT teams, led to the expansion of Project Sonar to include the scanning of UDP services. Today, Project Sonar conducts internet-wide surveys across more than 70 different services and protocols to gain insights into global exposure to common vulnerabilities.” https://www.rapid7.com/research/project-sonar/
75 Yang Liu, Armin Sarabi, Jing Zhang, Parinaz Naghizadeh, Manish Karir, Michael Bailey, and Mingyan Liu, Cloudy with a Chance of Breach: Forecasting Cyber Security Incidents, PROCEEDINGS OF THE 24TH USENIX SECURITY SYMPOSIUM, Washington DC (2015); Jing Zhang, Zakir Durumeric, Michael Bailey, Mingyan Liu, and Manish Karir, On the Mismanagement and Maliciousness of Networks, NDSS SYMPOSIUM 2014 (2014).
76 Rapid7, Industry Cyber-Exposure Report (2018).
77 See supra notes 17 and 37-42 and accompanying text.

We now develop a measure of the “productivity supply-chain effect” of each industry in the economy, which incorporates information about a sector’s productivity and its connectivity with others in the economy.79 Denoting $y_{i(j)}$ as the contribution of real output in sector $i$ to sector $j$ and $y_j$ as real output in sector $j$, we define the “productivity supply-chain” effect as follows:

$$\hat{y}_i = \sum_{j \neq i} y_{i(j)}\, y_j$$

where we weight the indirect effect from sector $i$ to sector $j$ by the output in the connected sector $j$, and the sum runs over every other sector $j$ (industry $i$’s contribution to itself is excluded). The term $y_{i(j)}$ is important because it captures the relative contribution of one sector to another, proxied using the 2018 Bureau of Economic Analysis (BEA) input-output tables.
These tables are produced largely from businesses’ income statements and balance sheets,80 which allows the BEA to convert information about income into production after accounting for the cost of goods sold, inventories, and more. While the Economic Census, conducted by the Census Bureau, is the primary source for the input-output tables every five years, data from other annual surveys, including those of the Bureau of Industry and Security (BIS),81 fill in the gaps over the remaining years. Specifically, we use the “industry-by-industry” total requirements table, which shows “the production required, both directly and indirectly, from the industry per dollar of delivery to final use of the industry.”82 Importantly, we exclude industry $i$’s contribution to itself from these estimates. In this sense, we see the dollar value of intermediate and final goods and services each sector sells to every other sector, which we scale by the total economic activity in that sector. These data are available at the six-digit North American Industry Classification System (NAICS) level, but we use the two-digit major sectoral classification because we are constrained by the availability of Rapid7 data for only the Fortune 500, meaning that aggregations of the Fortune 500 within narrow sector classifications would produce a fairly sparse and unrepresentative dataset.

78 T. Ylonen and C. Lonvick, The Secure Shell (SSH) Transport Layer Protocol, RFC 4253, THE INTERNET SOCIETY (Jan. 2006) at https://tools.ietf.org/html/rfc4253.
79 We use the North American Industry Classification System (NAICS) codes to define sectors.
80 See https://www.bea.gov/resources/methodologies/concepts-methods-io-accounts
We can also define the “network cybersecurity risk effect” similarly as follows:

$$\hat{c}_i = \sum_{j \neq i} y_{i(j)}\, c_j$$

where $c_j$ now denotes a measure of cybersecurity vulnerabilities in sector $j$.
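The two sums above, carried through as an added example that is not part of the paper and uses none of the Rapid7 or BEA data: the script builds the sector exposure count c_j by counting assets that expose SMB (TCP 445) or Telnet (TCP 23) in a constructed scan result, weights it with a constructed y_{i(j)} table, excludes each sector's own contribution as the paper does, and reports the correlation between a sector's own exposure and its network effect. The sector names, contribution shares, output figures and scan records are all assumed for illustration.

```python
"""Productivity supply-chain and network cybersecurity risk effects.

Added illustration (not the paper's code). Every number below is
constructed for the example; the paper uses BEA input-output tables and
Rapid7 Project Sonar exposure counts for the Fortune 500.
"""
from math import sqrt

SECTORS = ["professional", "finance", "manufacturing", "agriculture"]

# Assumed y_{i(j)}: share of sector j's requirements supplied by sector i.
# CONTRIB[i][j] reads "contribution of i to j". Diagonal entries are kept
# so that the self-contribution exclusion below has something to exclude.
CONTRIB = {
    "professional":  {"professional": 0.20, "finance": 0.30, "manufacturing": 0.25, "agriculture": 0.10},
    "finance":       {"professional": 0.10, "finance": 0.15, "manufacturing": 0.10, "agriculture": 0.05},
    "manufacturing": {"professional": 0.05, "finance": 0.02, "manufacturing": 0.30, "agriculture": 0.20},
    "agriculture":   {"professional": 0.00, "finance": 0.00, "manufacturing": 0.08, "agriculture": 0.10},
}

# Assumed real output y_j (billions of dollars).
OUTPUT = {"professional": 2500.0, "finance": 4000.0, "manufacturing": 2300.0, "agriculture": 200.0}

# Constructed scan result: (organization, sector, host, open TCP port).
SCAN = [
    ("acme-consulting", "professional", "203.0.113.10", 443),
    ("acme-consulting", "professional", "203.0.113.11", 445),
    ("acme-consulting", "professional", "203.0.113.12", 23),
    ("bigbank", "finance", "198.51.100.5", 443),
    ("bigbank", "finance", "198.51.100.6", 445),
    ("bigbank", "finance", "198.51.100.7", 22),
    ("widgetco", "manufacturing", "192.0.2.20", 445),
    ("widgetco", "manufacturing", "192.0.2.21", 23),
    ("widgetco", "manufacturing", "192.0.2.22", 23),
    ("farmco", "agriculture", "192.0.2.40", 443),
]

# The services the text singles out as having no place on the open internet.
NOT_RECOMMENDED = {445: "smb", 23: "telnet"}


def exposure_by_sector(scan):
    """c_j: number of assets per sector exposing SMB or Telnet."""
    counts = {s: 0 for s in SECTORS}
    for _org, sector, _host, port in scan:
        if port in NOT_RECOMMENDED:
            counts[sector] += 1
    return counts


def network_effect(contrib, values, exclude_self=True):
    """hat{v}_i = sum over j != i of y_{i(j)} * v_j; serves both of the paper's effects."""
    effects = {}
    for i in contrib:
        effects[i] = sum(
            contrib[i][j] * values[j]
            for j in contrib[i]
            if not (exclude_self and j == i)
        )
    return effects


def pearson(xs, ys):
    """Pearson correlation of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / sqrt(vx * vy)


def rank_by_effect(effects):
    """Sector names ordered from the largest effect to the smallest."""
    return sorted(effects, key=effects.get, reverse=True)


def own_vs_network_correlation(scan=SCAN, contrib=CONTRIB):
    """Correlation between each sector's own exposure c_i and its network effect hat{c}_i."""
    c = exposure_by_sector(scan)
    c_hat = network_effect(contrib, c)
    return pearson([c[s] for s in SECTORS], [c_hat[s] for s in SECTORS])


if __name__ == "__main__":
    c = exposure_by_sector(SCAN)
    y_hat = network_effect(CONTRIB, OUTPUT)
    c_hat = network_effect(CONTRIB, c)
    for s in rank_by_effect(c_hat):
        print(f"{s:14s} own exposure={c[s]:2d}  network cyber effect={c_hat[s]:.2f}  "
              f"productivity effect={y_hat[s]:.0f}")
    print(f"correlation(own exposure, network effect) = {own_vs_network_correlation():.2f}")
```

In this toy data manufacturing has the largest own exposure (three assets) but the smallest network effect, because its output feeds mostly itself and agriculture, while professional services has the largest network effect because its output feeds every other sector. The correlation between own exposure and network effect comes out near 0.06, which is the same qualitative point the paper draws from its 0.10: looking only at a sector's own exposed ports says little about the risk it transmits to the rest of the economy. Dropping `exclude_self=True` shows why the paper removes the diagonal: manufacturing's self-contribution would otherwise dominate its score.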


We now compare the direct effect with the effect across sectors. For example, Figure 1 plots the two together for logged real GDP (“productivity”). We see that there is a correlation of 0.38: sectors with larger real GDP also have larger cross-sector effects. Table 1 also enumerates these by sector, ranked from lowest to greatest. While educational services has the lowest productivity effect, professional services has the greatest. Figure 2 plots an analogous relationship for cybersecurity vulnerabilities based on the number of exposed ports at a sectoral level. Interestingly, the correlation between an industry’s own exposure and its network cybersecurity risk effect is only 0.10.

81 While the BIS focuses heavily on conducting surveys of firms that are concentrated in the defense sector, more generally it assists federal agencies in understanding important material suppliers and the competitiveness implications facing industry.
82 Karen J. Horowitz and Mark A. Planting, Concepts and Methods of the Input-Output Accounts, BUREAU OF ECONOMIC ANALYSIS (2006).

Figure 1: Comparison of 2018 Real GDP and Productivity Supply Chain Effect, by Sector

Notes.—Sources: Bureau of Economic Analysis, 2018. The figure plots the logged real GDP (2012 prices, billions of dollars) against the logged “productivity supply chain effect,” which is measured by taking the sum across the product of the contribution of sector $i$ to sector $j$ and real GDP in sector $j$. The observations are weighted by 2018 employment.

Figure 2: Comparison of 2018 Cyber Exposure and the Cyber Network Effect, by Sector

Notes.—Sources: Rapid7, 2018. The figure plots the logged number of exposed ports that are not recommended, as per the Rapid7 Project Sonar scan of the Fortune 500 companies, against the logged “cyber network effect,” which is measured by taking the sum across the product of the contribution of sector $i$ to sector $j$ and the number of cyber vulnerabilities in sector $j$. The observations are weighted by 2018 employment.

Table 1: Productivity Supply Chain and Cybersecurity Network Effects, by Sector

Industry                                                            Productivity Effect   Cybersecurity Effect
Educational services, health care, and social assistance                      55.1                  27.9
Retail trade                                                                 227.6                  90.5
Other services, except government                                            406.8                 291.4
Construction                                                                 453.0                 218.4
Utilities                                                                    455.5                 315.9
Arts, entertainment, recreation, accommodation, and food services            560.2                 424.1
Government                                                                   651.8                 484.7
Agriculture, forestry, fishing, and hunting                                  791.5                 324.6
Mining                                                                      1146.3                 438.4
Information                                                                 1146.4                 534.9
Transportation and warehousing                                              1343.2                 827.5
Wholesale trade                                                             1653.5                 749.1
Finance, insurance, real estate, rental, and leasing                        3530.8                2710.7
Manufacturing                                                               3976.2                2567.7
Professional and business services                                          4733.4                4314.8

Notes.—Sources: Bureau of Economic Analysis and Rapid7, 2018. The table reports the productivity supply chain and cybersecurity network effects, ranked by industry according to the productivity effect.
Before continuing, we note that our approach is flexible, but constrained by the availability of quality data. In particular, although it might appear concerning that information services ranks fairly low in its cybersecurity effect—that is, even below transportation and warehousing—that is a function of the way sectors are classified by the BEA. Whereas the four-digit NAICS sub-sector 5182 is “Data Processing, Hosting, and Related Services,” many of the other sub-sectors in the information major category include newspaper publishers, motion picture and video industries, recording studios, and radio, television, and cable broadcasting. If our Rapid7 data included more than the Fortune 500 companies, we could further disaggregate and quantify the cybersecurity effect for NAICS 5182 (among others), but we focus only on major sectors.

V. Implications of and Recommendations for Taking Supply Chain and Cross-Sectoral Cybersecurity into Account

The traditional approach to measuring cybersecurity risk has involved classifying certain sectors as critical infrastructure. This classification strategy, however, faces limitations due to the inherent inter-sectoral complementarities—that is, the dependence of one sector on another—which have grown fast in the networked economy. Our approach directly addresses these shortcomings by accounting for intersectoral linkages, such as the contribution of professional services to traditional CI sectors. To the extent that every sector relies, at least partially, on information and professional services, risks in these sectors become the “weakest link” for all other sectors.

Our approach also allows for the possibility of differences within sectors. For example, attacks against the Federal Reserve might be more threatening than attacks against community banks from the perspective of aggregate system risk. So too for attacks on the professional services sector as compared to agriculture. This comparison does not mean that agriculture should not be deemed CI. It suggests that agriculture may have less cross-sectoral cybersecurity risk than the other sectors, for now. As agriculture embraces networked farm devices, from automated farming to managing supply chains for feed, production, and distribution, testing its cross-sectoral cybersecurity becomes ever more important. Indeed, under our approach, should agriculture pose greater cross-sectoral risk over time, such risk would be detected and hopefully fixed before a catastrophic security breach and ensuing shutdown of a CI service.

Our measurement is admittedly coarse since we work at a major sectoral level. We do not disaggregate to the firm, or even to a more detailed industry classification level, because of our data limitations. Nonetheless, to the extent that data on firm linkages exist, our empirical approach can be applied to arbitrarily granular levels.

In general, the approach offers a way to allow any sector or firm to work within the NIST Framework and promises pathways for more work in the area. That is, as more granular, disaggregated data become available, we illustrate a broader methodology that we hope will be of use to researchers and practitioners down the road. For example, given that the Department of Commerce has detailed firm-level data on input-output linkages, a collaboration with a cybersecurity firm could lead to a much more granular measurement of network cybersecurity risk.

Based on these results, we offer three policy recommendations. First, this new evaluation of cybersecurity risk should guide the priorities of CISA and other federal authorities. Although their role has focused on aiding the traditionally classified CI sectors, our analysis shows that there might be more influential nodes in the network that matter for aggregate risk. Put simply, given limited resources, agencies should focus their efforts where they matter most.

Second, to enable CISA to improve how it assesses cybersecurity risk, NIST and the Bureau of Industry and Security (BIS)—both centered within the Department of Commerce—should coordinate assessment of cross-sectoral cybersecurity risk. In addition, NIST should provide annual or biannual re-evaluated guidance assessing three cybersecurity risk categories: 1) firms that display systemic risk because of their size and connectivity, 2) sectors that display sufficiently large risk based on the firms in the sector and their connectivity to the rest of the economy, and 3) firms and/or sectors that pose lower cross-sectoral cybersecurity risk because of size and connectivity.

Third, federal agencies that currently do not interact with one another, but hold important data for understanding supply chain linkages, should begin sharing data and mapping out nodes in the digital network. For example, the Bureau of Economic Analysis and the Census Bureau could share data on economic activity at an establishment level, map out the inputs that go into aggregate economic activity, and isolate the areas of greatest risk.

In addition, our work has implications for cybersecurity and national security beyond these recommendations. No matter how one defines CI within the U.S., one can consider the mapping and closing of cybersecurity holes in CI as a defensive action. Yet understanding supply chain risk also has implications for offensive cybersecurity, which reflects a broader shift in policy and practice away from cyber diplomacy.83 This shift has been happening in practice at the NSA and Cyber Command,84 including even an attack on ISIS.85 As one paper argues, to bolster deterrence of foreign adversaries and augment offensive capabilities, there must be substance behind threats and demonstrated capacity.86 An assessment of such an approach is beyond the scope of this paper. For example, an assessment might ask whether such an approach would create a race for cyberattacks, or what international law implications arise under such an approach. Nonetheless, we note this shift because our approach’s focus on better understanding the key nodes in the broader economic network that are vulnerable is important not only for defensive capabilities but also for offensive efforts against adversaries, should the government wish to pursue such a course. There are, however, some extra implications of our approach should one wish to pursue offensive cybersecurity.


In general, once authorities understand and effectively map out internal U.S. vulnerabilities, that approach can be applied to other countries using estimates of their industrial composition and comparability to the U.S. economy. As with a defensive approach to cybersecurity, pursuing an offensive approach will require better data and inter-agency cooperation. First, understanding cybersecurity vulnerability in the U.S. as a defensive matter likely provides insights into similar vulnerabilities outside the U.S. Thus, agencies such as NIST building the internal vulnerability map may need to share insights with agencies such as Cyber Command. The offensive context will also have particular needs for international mapping. For example, Space Force could likely play a role by leveraging satellite imagery resources to map out the linkages in other countries’ economic networks. The internal and international maps may then need to be combined to prevent an attack from having a boomerang effect. Recall that Stuxnet and NotPetya showed that a cybersecurity vulnerability in a particular region and technology status quo could spread beyond intended targets and even boomerang back to where the attack originated.87 If an internal map shows that U.S. systems are relatively secure—because of precautions and/or because fewer systems have a certain vulnerability—as compared to other regions, one might develop attacks less likely to have a boomerang effect on the U.S.

In simplest terms, our approach is agnostic regarding defensive or offensive uses of the information gained by understanding cross-sectoral and supply chain vulnerabilities. The core point is that by understanding where such vulnerabilities exist, the government, CI sectors, and particular companies should all be better set up to take positive steps to address cross-sectoral and supply chain risk.

83 See e.g., Emily Goldman, From Reaction to Action: Adopting a Competitive Posture in Cyber Diplomacy, 3 TEX. NAT’L. SECURITY REV. 84 (2020) at http://dx.doi.org/10.26153/tsw/10950.
84 See e.g., Garrett M. Graff, The Man Who Speaks Softly—and Commands a Big Cyber Army, WIRED, Oct. 13, 2020 at https://www.wired.com/story/general-paul-nakasone-cyber-command-nsa/.
85 See Dina Temple-Raston, How the U.S. Hacked ISIS, NPR, Sept. 26, 2019 at https://www.npr.org/2019/09/26/763545811/how-the-u-s-hacked-isis.
86 See Mark Montgomery and Erica Borghard, Cyber Threats and Vulnerabilities to Conventional Strategic Deterrence, 102 JOINT FORCE QUARTERLY 79 (2021).

VI. Conclusion

Our research highlights the linkages across sectors and the implications for measuring cybersecurity risk in the broader network. At the immediate level, our research offers three concrete policy actions. As a matter of cross-sectoral cybersecurity risk, our work calls out the need to understand such risk and offers a method to measure it. Although much more research remains to be done, especially with better data that allow for greater disaggregation, our coarse measurement provides an illustrative example of how traditional critical infrastructure definitions might be overly simplistic. In addition, we create a replicable methodology that can be of even greater use with the right data. Our results highlight the transmission of shocks throughout sectors, while also showing that more empirical work is needed to quantify the actual effect sizes of data breaches and other malicious cyber incidents on the full range of firms in a network. Future work along these lines should provide guidance on the social welfare effects of cyber-attacks and could lead to the formation of a credible cyber insurance sector.

87 See supra notes 19, 31-36 and accompanying text.