Cross-Sectoral Cybersecurity Risk
Abstract
Supply chains are fragile. The Covid-19 pandemic has highlighted the fragility of supply chains in a range of critical infrastructure: food, medicines, health care, information technology, communications, and more. This paper focuses on an under-appreciated supply chain risk—cybersecurity—that has been missed under the current legal approach to critical infrastructure and exacerbated by the pandemic.
Although the proliferation of digital services creates significant value and employment opportunities, it also inadvertently leads to a wide array of new cybersecurity vulnerabilities. Vulnerabilities of DVRs, CCTVs, voting machines, and municipal systems, leading to denial-of-service attacks and ransomware hold-ups, are known. But these examples miss a problem. They give the impression that only certain hardware and specific entities are affected, yet all the connected services can be at risk too. For example, given that enterprise software, which is common in work-at-home situations, is rapidly becoming a cybersecurity vulnerability, anyone connected by this software necessarily becomes a target too. Malicious cyber incidents, like the data breaches and ransoms exemplified by the SolarWinds and Colonial Pipeline incidents of 2021, can have ripple effects across a network of businesses and sectors. Yet current definitions and regulations of Critical Infrastructure (CI), and their focus on vertical sectors, overlook this point.
We argue that cybersecurity supply chain risk is an important, under-studied aspect of the problem. Legal definitions of CI and the voluntary nature of cybersecurity governance leave gaps in the classification of CI and in how to identify cybersecurity risk, particularly in the professional services sector. In addition, the voluntary nature of cybersecurity governance demands risk-based and objective measures to aid in identifying when to take steps on improving cybersecurity, but exactly what such metrics are is, at best, evolving.
We address both these problems. By drawing on a new dataset, we develop metrics that measure productivity effects and that capture cybersecurity risk across sectors. This approach allows us to show that a major sector, professional services, is missed by current definitions of critical infrastructure, but could be captured if CI definitions accounted for cross-sectoral cybersecurity risk. In addition, the approach aids voluntary participation in mitigating cybersecurity risk because it provides a way for any firm or sector to identify and assess the nature of its cross-
1 Deven R. Desai, Georgia Institute of Technology, Scheller College, Area Coordinator Law & Ethics, Assoc. Director of Law, Policy, and Ethics ML@GATECH; affiliated fellow Yale Information Society Project; former Academic Research Counsel, Google, Inc., deven.desai@scheller.gatech.edu. Christos Makridis, Arizona State University and Stanford University, cmakridi@stanford.edu. The Authors thank the participants in the Cybersecurity Law & Policy Scholars Conference 2020 hosted by the Nebraska College of Law and University of Minnesota Law School for their feedback. The ideas and statements in the paper reflect our views only and not those of any affiliated institutions.
This preprint research paper has not been peer reviewed. Electronic copy available at: https://ssrn.com/abstract=3693544
Draft
I. Introduction
Hollywood has enjoyed using cybersecurity vulnerabilities to enhance and drive movie plots for decades. The Italian Job involved hacking traffic lights during a heist.2 In War Games a young hacker accesses the Department of Defense’s AI-driven computer that controls the U.S. nuclear arsenal.3 In Sneakers, someone has a device that defeats encryption.4 When testing the device, hackers gain access to several vital infrastructures—The Federal Reserve: “Anyone want to shut down The Federal Reserve?”; the national power grid: “Anyone want to blackout New England?”; the Air Traffic Control system: “Anybody want to crash a couple of passenger jets?”.5 In Skyfall, even James Bond must deal with a master hacker who leaks secret data and blows up buildings.6
Cybersecurity vulnerability is unfortunately not just a movie plot. Transportation systems, financial services, government facilities, and many other sectors are critical infrastructure (CI) sectors. The United States recognizes sixteen designated sectors “whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”7 Defining sixteen sectors seems comprehensive and allows for differences in cybersecurity threats for each sector. But what if the list misses an important way to identify cyber-risk, so much so that an entire vital sector is not even on the list? Further, what if the approach does not account for the way a vulnerability in one sector
2 This tactic was used in both the original and the remake. See The Italian Job (1969); The Italian Job (2003).
3 War Games (1983).
4 Sneakers (1992).
5 Id.
6 Skyfall (2012).
7 CRITICAL INFRASTRUCTURE SECTORS, Cybersecurity and Infrastructure Security Agency, March 24, 2020 at https://www.cisa.gov/critical-infrastructure-sectors.
This paper investigates whether the current approach potentially misses an important aspect of cybersecurity—cross-sectoral risk. This blind spot means that perhaps the largest productivity and cyber-vulnerable sector is not on the current list of critical infrastructure, and it misses the way a breach in one CI might lead to problems in one or more other CIs. In short, we offer a practical and transparent way to understand and quantify cross-sectoral cybersecurity risk as a way to improve identifying what should be deemed critical infrastructure and when increased cybersecurity measures are needed.
We begin with a background on cybersecurity risk and its relation to supply chain risks. We show that supply chain risks affect almost any sector. Then, we turn to legal definitions of critical infrastructure to show what is covered, and we identify gaps stemming from those definitions. Next, we look at the current approach to governance of critical infrastructure and cybersecurity. We document four results. First, whether a sector is deemed CI matters for governance. Second, the approach demands a risk-based approach with “consistent, objective criteria.”8 Third, even if a sector is not CI, the approach asks such a sector to take action consistent with the National Institute
Cybersecurity9 (the “Framework”).10 Fourth, precision and “consistent, objective criteria”11 on what
We subsequently take our observations to practice and offer a new way to assess cross-sectoral cybersecurity risk. We draw on data from the Bureau of Economic Analysis (BEA), which allows us to measure how much (in dollars) each sector contributes to every other sector in the form of intermediate and final goods and services, and data from Rapid7, which allows us to measure cybersecurity vulnerabilities for the Fortune 500 firms. We combine these data to compute a measure of inter-sectoral productivity linkages (i.e., the direct productivity effects) and cybersecurity linkages (i.e., the indirect supply chain effects). Although our approach is inherently limited by the data to which we have access, we show how the current definition of critical infrastructure falls short of reflecting the full breadth of cybersecurity risk, especially in the professional services sector. We use our coarse data as an illustrative example to highlight the importance of enriching the definition of critical infrastructure—moving away from a purely sectoral approach to more of a cross-sectoral
8 Exec. Order No. 13636, 78 Fed. Reg. 11739 (Feb. 19, 2013).
9 Matthew P. Barrett, FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY, Version 1.1, April 16,
We conclude by making two policy recommendations. First, the evaluation of cybersecurity risk should be part of legal definitions of CI and should guide federal priorities, especially those of the Cybersecurity and Infrastructure Security Agency (CISA) in the Department of Homeland Security. CISA should look beyond traditionally classified CI sectors to influential nodes in the network that matter for aggregate risk, so that federal agencies can focus their limited resources where they matter most. Second, improved cybersecurity risk assessment needs tools. As such, we offer a plan where NIST and the Bureau of Industry and Security (BIS)—both centered within the Department
plan, we argue that NIST should provide annual or biannual re-evaluated guidance, and we offer three cybersecurity risk categories to guide that work. While some of these capabilities might already exist on paper, the reality is that many of these federal agencies do not interact with one another. That is, agencies that hold data for understanding supply chain linkages must build meaningful partnerships to enable the mapping of cross-sectoral networks and related cybersecurity vulnerabilities, otherwise
Consider healthcare technology,12 a city’s closed-circuit TV system, a car,13 a DVR,14 a voting machine, a fish tank,15 a home thermostat, or city government systems such as Atlanta’s payment and data storage systems;16 none of these things seem that similar. But they are the same in one important way: they pose cybersecurity risk.17 As an odd but vivid example, in 2018 an unnamed U.S. casino was hacked and lost 10 gigabytes of data via a fish tank that was networked to allow for automated water temperature adjustment, salinity monitoring, and feeding.18 That is, all sorts of devices can be hacked, and a range of bad outcomes—from data theft to cyber holdups to shutdowns of systems to unauthorized surveillance to falsified voting and more—are possible.
12 See e.g., Ken Hoyme, “Developing a ‘Software Bill of Materials’ for the Future of Cybersecurity” at https://aamiblog.org/2018/10/02/ken-hoyme-developing-a-software-bill-of-materials-for-the-future-of-cybersecurity/ (noting WannaCry affected hospitals).
13 See David Z. Morris, Tesla Stealing Hack Is About Much More than Tesla, FORTUNE (Nov. 26, 2016), [https://perma.cc/GQ2N-Y3XC]; Andrea Peterson, Researchers Remotely Hack Tesla S, WASH. POST (Sept. 20, 2016), [https://perma.cc/X3EL-CFZM].
14 See “Hacked Cameras, DVRs Powered Today’s Massive Internet Outage” at
persisted for years. See Catalin Cimpanu, “Over nine million cameras and DVRs open to APTs, botnet herders, and voyeurs,” ZDNET, Oct. 9, 2018, at https://www.zdnet.com/article/over-nine-million-cameras-and-dvrs-open-to-apts-botnet-herders-and-voyeurs/; Doug Olenick, “Zero-day Being Used to Turn LILIN DVRs into Botnets,” March 24, 2020 at https://www.scmagazine.com/home/security-news/vulnerabilities/zero-day-being-used-to-turn-lilin-dvrs-into-botnets/
15 See Lee Mathews, Criminals Hacked a Fish Tank to Steal Data from a Casino, July 27, 2017, FORBES, at https://www.forbes.com/sites/leemathews/2017/07/27/criminals-hacked-a-fish-tank-to-steal-data-from-a-casino/?sh=3c05b80832b9
16 Stephen Deere, “CONFIDENTIAL REPORT: Atlanta’s cyber attack could cost taxpayers $17 million,” August 2, 2018, at https://www.ajc.com/news/confidential-report-atlanta-cyber-attack-could-hit-million/GAljmndAF3EQdVWlMcXS0K/ (noting loss of police patrol car video footage, and that the costs made it one
things (iot) into internet of vulnerabilities (iov): Iot botnets. ARXIV PREPRINT arXiv:1702.03681 (2017) at https://arxiv.org/pdf/1702.03681.pdf. As the study summarizes, the “common mode of IOT botnets” involves malware scanning for vulnerable IoT devices, usually for open Telnet ports or other services reachable over the Internet.” Id.
18 See Lee Mathews, Criminals Hacked a Fish Tank to Steal Data from a Casino, July 27, 2017, FORBES, at https://www.forbes.com/sites/leemathews/2017/07/27/criminals-hacked-a-fish-tank-to-steal-data-from-a-casino/?sh=3c05b80832b9
Before everything was networked, a given piece of electronic hardware was relatively safe. Someone would have to have physical access to the device to be able to upload malware, alter the software, or steal data.19 With networked devices, cybersecurity becomes a bigger risk.
The recent revelation about the hack of SolarWinds software illustrates the problem. SolarWinds sells enterprise software that is supposed to help firms monitor their IT infrastructure.20 Russian hackers managed to get to the software while in development and before the software went to customers. Once the software was deployed by SolarWinds, the hackers used the natural part of such software, networked updating, to attack more than 18,000 SolarWinds customers, which include The Pentagon, intelligence agencies, nuclear labs, and Fortune 500 companies.21 The attack is called a supply chain attack because the attack goes after outside products to get into a firm’s network.22 As CISA explained, in such an attack the attacker uses “an ability to exploit software
incorrect. CISA’s alert about SolarWinds captures the larger problem: “The SolarWinds Orion supply chain compromise is not the only initial infection vector this APT actor leveraged.”24 That is, other software can be the way into a firm’s systems.25 In short, increasing supply chain risk for software combined with networked computing means someone can more easily find a way into a
19 See e.g., David Kushner, The Real Story of Stuxnet, IEEE Spectrum, Feb. 23, 2013, at https://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet
20 David E. Sanger, Nicole Perlroth, and Eric Schmitt, Scope of Russian Hack Becomes Clear: Multiple U.S. Agencies Were Hit,
22 David E. Sanger, Russian Hackers Broke Into Federal Agencies, U.S. Officials Suspect, NY TIMES, December 16, 2020, at
24 Id. (“This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks. It is likely that the adversary has additional initial access vectors and tactics, techniques, and procedures (TTPs) that have not yet been discovered.”).
Recent data shows that cybersecurity risks include not only data breaches, which increased from 2005 to 2018 according to the Council of Economic Advisers,27 but also distributed denial of service (DDoS) attacks and ransomware attacks. In addition to the SolarWinds attack, in late August 2020 the New Zealand Stock Exchange, YesBank India, MoneyGram, PayPal, Braintree, and Venmo were all hit by a DDoS attack.28 The attack shut down the stock exchange for at least three days in a row.29 Following the rise of singular data breaches, there has also been an increase in cyberattacks on supply chains. Data from the Atlantic Council on software supply chain attacks—that is, attacks that emerge based on vulnerabilities in a company’s software—indicates that
them can have serious consequences. For example, NotPetya is a ransomware attack that encrypts hard drives and thus sets up a demand for payment to release the data.31 The software started as an attack on Ukraine but quickly spread across the world and infected “hospitals in Pennsylvania to a chocolate factory in Tasmania.”32 The attack hit “multinational companies including Maersk, pharmaceutical giant Merck, FedEx’s European subsidiary TNT Express, [and] French construction company Saint-Gobain.”33 NotPetya also reached major players in the fast-moving consumer goods sector such as Mondelez and Reckitt Benckiser.34 In short, NotPetya was indiscriminate as it infected industry after industry. The attack was so strong and unpredictable that “NotPetya spread back to Russia, striking the state oil company Rosneft”—a result not “expected” by its inventors.35 It is thought to lurk within systems for some time after the initial attack.36
25 David E. Sanger and Nicole Perlroth, More Hacking Attacks Found as Officials Warn of ‘Grave Risk’ to U.S. Government, NY TIMES, December 18, 2020 (“That suggests other software, also used by the government, has been infected and used for access by foreign spies.”) at https://www.nytimes.com/2020/12/17/us/politics/russia-cyber-hack-trump.html.
26 Hannah Murphy, How Home Tech Can Be Companies’ Weakest Link, FINANCIAL TIMES, FT.COM, September 27, 2020 at https://www.ft.com/content/5cf95b77-12a4-4e34-a5c0-30904d981c58
27 Council of Economic Advisers, “Economic Report of the President.” (2019) at https://www.whitehouse.gov/wp-content/uploads/2019/03/ERP-2019.pdf
28 Catalin Cimpanu, DDoS Extortionists Target NZX, Moneygram, Braintree, and Other Financial Services, August 27, 2020, at https://www.zdnet.com/article/ddos-extortionists-target-nzx-moneygram-braintree-and-other-financial-services/.
29 Id.
30 Formally, supply chain attacks are defined as an “attack [that] occurs when an attacker accesses and edits software in the complex software development supply chain to compromise a target farther up on the chain by inserting their own malicious code.” https://www.atlanticcouncil.org/programs/scowcroft-center-for-strategy-and-security/cyber-statecraft-initiative/breaking-trust/
31 See e.g., Aparna Banerjea, NotPetya: How a Russian Malware Created the World’s Worst Cyberattack Ever, BUSINESS
Enterprise software shows yet another reason cybersecurity risk needs to be reassessed. The now infamous Colonial Pipeline ransomware attack appears to have exploited Virtual Private Network (VPN) and Remote Desktop Protocol (RDP) vulnerabilities, forced a shutdown of access to fuel across a large swath of the U.S., and cost the company millions to regain access to its data.37 Even before the Colonial Pipeline attack, in the first half of 2020, enterprise ransomware hit “all-time high[s],” often by exploiting VPN and RDP, with RDP exploits being “regarded as the single biggest attack vector for ransomware,” according to one cyber-security firm.38 Server Message Block (SMB) protocol vulnerability in Microsoft’s Windows operating system is an older enterprise software risk, in that the infamous WannaCry malware incident in 2017 relied on an SMB protocol vulnerability.39 And yet, SMB vulnerability persists as a problem exacerbated by VPN and RDP software issues. For example, the Cybersecurity and Infrastructure Security Agency issued an alert in 2019 documenting a VPN attack that then allowed the attacker to use SMB to “Create a reverse SMB SOCKS proxy that allowed connection between an cyber threat actor-controlled VPS and the victim organization’s file server.”40 In October of 2020, an auto part supplier suffered an attack that started with its RDP and then went on to exploit SMB and other vulnerabilities.41 Exactly how the infamous Colonial Pipeline attack worked is unclear. But in general, the Darkside ransomware behind the attack is thought to exploit VPN and RDP and then use SMB “to exfiltrate hundreds of gigabytes of data” and “create ransom notes,” among other ways that the ransomware gets into a company’s systems.42
Given the ways hackers find ways into systems, two questions arise. First, as an internal matter: How does a security breach affect an entity? Second, as an external matter: Might that breach spill over into another entity with whom the breached entity does business?
32 Id.
33 Id.
34 Id.
35 Id.
36 Id.
37 See David E. Sanger and Nicole Perlroth, Pipeline Attack Yields Urgent Lessons About U.S. Cybersecurity, N.Y. TIMES, May
https://www.zdnet.com/article/top-exploits-used-by-ransomware-gangs-are-vpn-bugs-but-rdp-still-reigns-supreme/.
39 Computer Emergency Response Team-EU, WannaCry Ransomware Campaign Exploiting SMB Vulnerability, (May 22, 2017) at https://cert.europa.eu/static/SecurityAdvisories/2017/CERT-EU-SA2017-012.pdf
Let’s consider an entity, Corp. A, that is an energy CI. Corp. A has a contract with vendor V, and V is breached. When Corp. A installs V’s software, Corp. A now has a bomb waiting to go off in its system. Thus, ex ante Corp. A must make sure that operational parts of its system are protected from other parts. In theory, companies isolate operations from other parts of the business so that breaches in one area do not affect the entire business.43 That appears to be what Colonial Pipeline did not do with its ransomware event, and so there was a need to shut down its entire operations.44 But a breached Corp. A may have to shut down not only to protect its entire system, but also to make sure the malware does not affect other entities. As one author put it, regarding Colonial, “[It had] to make sure the malware [didn’t] escape and infect other pipelines in the United States, customer systems, or operational systems within Colonial Pipeline. If the malware is still there and in any way can impact the operational systems, something worse could happen.”45 That is,
We can expand the example by thinking of Corp. A using outside vendors for 1) VPNs, 2) RDPs, 3) a payroll system from PS Corp., and 4) a consumer relations system from CRS Corp. If PS Corp. is infected at its home system, how far does that reach into Corp. A? SolarWinds shows that the problem can reach Corp. A, and Colonial Pipeline suggests that, depending on how well Corp. A isolates its systems, the problem can reach deep into Corp. A. In addition, Colonial Pipeline’s need to shut down to protect connected systems and customers suggests that the threat of spreading from Corp. A to CRS Corp. is real and strong.
40 Cybersecurity and Infrastructure Security Agency, Federal Agency Compromised by Malicious Cyber Actor, Analysis Report (AR20-268A) (September 24, 2020) at https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a
41 Peter Fretty, Nobody Gets Hacked? That’s Only True in a Fantasy World, INDUSTRY WEEK, (October 21, 2020) at https://www.industryweek.com/technology-and-iiot/article/21144041/nobody-gets-hacked-thats-only-true-in-a-fantasy-world
42 See Jordan Nuce, et al., Shining a Light on Darkside Ransomware Operations, FIREEYE, May 22, 2021 at https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
43 See David E. Sanger and Nicole Perlroth, Pipeline Attack Yields Urgent Lessons About U.S. Cybersecurity, N.Y. TIMES, May
ransomware gang believed to be operating out of Russia, turned out to be false.”); Teri Radichel, Colonial Pipeline Hack, Medium, May 15, 2021 at https://medium.com/cloud-security/colonial-pipeline-hack-4486d16f2957 (“in a perfect world, there are no connections between the administrative and operational systems”).
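The Corp. A scenario above, and the BEA-plus-Rapid7 approach sketched in the introduction, can be made concrete with a small propagation model over sector-to-sector input flows. This is an added illustration, not the paper's code or data: the sector list, dollar flows, vulnerability scores and the exposure formula are all constructed assumptions chosen to show how an undesignated supplier sector can dominate the cyber exposure of designated CI sectors.

```python
"""Cross-sectoral cyber-risk exposure along supply-chain linkages.

Added illustration, not code or data from the paper. The paper pairs BEA
inter-sector dollar flows with Rapid7 vulnerability observations; every
figure below is constructed, and the exposure formula is an assumption.
"""
from typing import Dict, List, Tuple

Flows = Dict[str, Dict[str, float]]  # FLOWS[supplier][buyer] = $ of inputs sold

# Constructed stand-in for a BEA use table ($bn of intermediate inputs).
FLOWS: Flows = {
    "energy":                {"financial": 10, "government": 20, "professional_services": 5,  "it": 15},
    "financial":             {"energy": 15, "government": 10, "professional_services": 20, "it": 10},
    "government":            {"energy": 5,  "financial": 5,  "professional_services": 5,  "it": 5},
    "professional_services": {"energy": 30, "financial": 40, "government": 35, "it": 30},
    "it":                    {"energy": 20, "financial": 30, "government": 20, "professional_services": 15},
}

# Constructed stand-in for a Rapid7-style measure: fraction of a sector's
# internet-facing assets carrying a known exploitable weakness.
VULN: Dict[str, float] = {
    "energy": 0.10, "financial": 0.08, "government": 0.20,
    "professional_services": 0.35, "it": 0.15,
}

# Four of the five constructed sectors correspond to designated CI sectors;
# professional services does not.
DESIGNATED_CI = {"energy", "financial", "government", "it"}


def input_shares(flows: Flows) -> Dict[str, Dict[str, float]]:
    """shares[buyer][supplier] = fraction of buyer's purchased inputs from supplier."""
    totals: Dict[str, float] = {}
    for supplier, sales in flows.items():
        for buyer, amount in sales.items():
            totals[buyer] = totals.get(buyer, 0.0) + amount
    shares: Dict[str, Dict[str, float]] = {b: {} for b in totals}
    for supplier, sales in flows.items():
        for buyer, amount in sales.items():
            shares[buyer][supplier] = amount / totals[buyer]
    return shares


def direct_exposure(shares: Dict[str, Dict[str, float]], vuln: Dict[str, float]) -> Dict[str, float]:
    """One-hop exposure: input-weighted vulnerability of a buyer's suppliers."""
    return {
        buyer: sum(share * vuln[supplier] for supplier, share in sup.items())
        for buyer, sup in shares.items()
    }


def propagated_exposure(shares: Dict[str, Dict[str, float]], vuln: Dict[str, float],
                        hops: int = 3, damping: float = 0.5) -> Dict[str, float]:
    """Multi-hop exposure: each hop adds a damped share of the suppliers' own exposure.

    e_0 = vuln; e_{k+1}[b] = vuln[b] + damping * sum_s shares[b][s] * e_k[s].
    With hops=0 this is just the sector's own vulnerability.
    """
    exposure = dict(vuln)
    for _ in range(hops):
        exposure = {
            b: vuln[b] + damping * sum(sh * exposure[s] for s, sh in sup.items())
            for b, sup in shares.items()
        }
    return exposure


def top_contributor(shares: Dict[str, Dict[str, float]], vuln: Dict[str, float],
                    buyer: str) -> Tuple[str, float]:
    """Supplier contributing the most to a buyer's direct exposure."""
    contributions = {s: sh * vuln[s] for s, sh in shares[buyer].items()}
    s = max(contributions, key=contributions.get)
    return s, contributions[s]


def supplier_importance(flows: Flows) -> List[Tuple[str, float]]:
    """Sectors ranked by total intermediate sales: the influential network nodes."""
    totals = [(s, sum(sales.values())) for s, sales in flows.items()]
    return sorted(totals, key=lambda t: t[1], reverse=True)


def undesignated_high_impact(flows: Flows, designated: set, top_n: int = 2) -> List[str]:
    """Top-n suppliers by importance that the designated-sector list leaves out."""
    return [s for s, _ in supplier_importance(flows)[:top_n] if s not in designated]


if __name__ == "__main__":
    shares = input_shares(FLOWS)
    for sector, e in sorted(direct_exposure(shares, VULN).items(), key=lambda t: -t[1]):
        src, amt = top_contributor(shares, VULN, sector)
        print(f"{sector:22s} direct={e:.3f} largest source={src} ({amt:.3f})")
    print("undesignated but influential:", undesignated_high_impact(FLOWS, DESIGNATED_CI))
```

On the constructed data the undesignated professional services sector is both the largest supplier and the dominant source of every designated sector's first-hop exposure, which is the pattern the paper's argument turns on.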
In sum, knowing that software vendors have vulnerabilities does not stop the holes; more steps are needed. The persistence of cybersecurity holes raises at least three questions. When is a sector critical infrastructure? If it is CI, what, if anything, does that mean for its approach to cross-
44 See David E. Sanger and Nicole Perlroth, Pipeline Attack Yields Urgent Lessons About U.S. Cybersecurity, N.Y. TIMES, May 14, 2021, updated May 18, 2021 at https://www.nytimes.com/2021/05/14/us/politics/pipeline-hack.html (“Cybersecurity experts also note that Colonial Pipeline would never have had to shut down its pipeline if it had more confidence in the separation between its business network and pipeline operations.”).
45 Teri Radichel, Colonial Pipeline Hack, Medium, May 15, 2021 at https://medium.com/cloud-security/colonial-pipeline-hack-4486d16f2957
infrastructure,46 but in ways that under-appreciate whether an industry should be deemed critical and thus come under federal agency supervision. This section sets out the current approach to CI and why it needs updating.
Today three criteria—national defense, economic security, and public health and safety—are considered when designating critical infrastructure.47 The definition of critical infrastructure sectors is broad and yet exclusive. The formal definition under Presidential Policy Directive 21 indicates any sector might be deemed critical if one makes the case that loss of function would “have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”48
manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials, and waste; transportation systems; and water and waste systems—may or may not cover the example problems set out above.49 The City of Atlanta fits into the government sector. A stock exchange fits into financial services. But where do professional services such as ADT for payment services and human resources, or PeopleSoft for consumer relations software—or, simpler, accounting or legal services—fit in? What about subcontractors that are technically outside a designated CI sector?
46 See e.g., Eldar Haber and Tal Zarsky, Cybersecurity for Infrastructure: A Critical Analysis, 44 FLORIDA STATE UNIV. L. REV. 515, 518-519 (2017).
47 See 42 U.S.C. § 5195(c); accord, Haber and Zarsky, supra note 36 id. at 519.
48 Presidential Policy Directive 21: Critical Infrastructure Security and Resilience (PPD-21), released on February 12, 2013; accord CRITICAL INFRASTRUCTURE SECTORS, supra note 7; accord Tara Seals, Feds Hit with Successful Cyberattack, Data Stolen, THREATPOST, (September 24, 2020) at https://threatpost.com/feds-cyberattack-data-stolen/159541/.
49 See supra notes 12 to 18 and accompanying text.
software—is used by a range of sectors regardless of whether they are a designated CI sector, and so enterprise software poses a large threat. Before the Covid-19 pandemic, many industries relied on VPN and RDP to enable work away from the office. During the pandemic, working away from the office has become the norm. In addition, many industries are rethinking whether full-time office work is needed going forward.50 Possibilities include flexible days at the office, so that a worker may be in the office only two or three days yet still put in the rest of the full work week from home.51 Although there are high-quality VPNs, whether a given VPN is configured to the latest standards, and whether the entity implementing the VPN has addressed matters such as not using VPN defaults, can lead to vulnerabilities.52 Even federal agencies and financial institutions, which should be able to choose good VPN services, have found that a chosen VPN, such as Pulse Secure, can have security flaws that “allows untrusted users to remotely execute malicious code on Pulse Secure hardware, and from there, to gain control of other parts of the network where it's installed.”53
In short, as more companies, and thus less-sophisticated ones, use VPNs and RDPs for workers’ computers, cybersecurity risk will likely increase in importance. This practice will occur for almost all sixteen sectors, and perhaps more so for sectors not explicitly designated as CI, such as professional services. These sectoral interdependencies and the pervasiveness of the networked economy, where there is such a reliance on data and professional services, can lead to network nightmares. In short, cross-sectoral cybersecurity vulnerabilities matter.
50 Kim Lyons, Google Pushes Return to Office to September and Will Test Flexible Work Week, THE VERGE, December 14, 2020 at https://www.theverge.com/2020/12/14/22175150/google-return-office-september-flexible-work-week-coronavirus-pandemic-sundar-pichai.
51 Id.
52 NSA, Securing IPsec Virtual Private Networks, U/OO/148259-20 | PP-20-0504 | October 2020 ver. 1.2.
53 Dan Goodin, More US agencies potentially hacked, this time with Pulse Secure exploits, ArsTechnica, April 30, 2021, at https://arstechnica.com/gadgets/2021/04/more-us-agencies-potentially-hacked-this-time-with-pulse-secure-exploits/; accord CISA, Mitigate Pulse Connect Secure Product Vulnerabilities, EMERGENCY DIRECTIVE 21-03, APRIL 20, 2021 at https://cyber.dhs.gov/ed/21-03/.
B. Questions Left Open Under the Current System for Cybersecurity and CI Governance
It is not that cybersecurity is ignored in CI governance. Rather, the overlap between CI and cybersecurity presents questions about the role cybersecurity plays in CI governance. Cybersecurity is an explicit part of maintaining and improving CI. In addition, even if a company is not in a designated CI sector, it is expected to assess its cybersecurity risk voluntarily. Under the current approach, however, any company wishing to address cybersecurity faces open questions about exactly how to identify and then achieve CI cybersecurity. This part explains the current approach and its conundrums, as that understanding is needed before turning to how our approach seeks to fill these implementation questions.
Homeland Security Risk-Based Performance Standards identifies three factors that indicate a security risk: (1) likelihood of a successful attack (vulnerability); (2) existence of an adversary with the necessary intent and capabilities to attack the facility (threat); and (3) consequences of a
54 See RISK STEERING COMM., DEP’T. OF HOMELAND SEC., DHS RISK LEXICON 17, 30 (2008), [https://perma.cc/9XML-8Y6X].
55 Exec. Order 13636, supra note 8.
technology services”; thus naming a given product such as a VPN or service such as Google as CI is not allowed. Instead, Section 9 takes a broad approach and requires using
reasonably result in catastrophic regional or national effects on public health or safety,
Although it may seem that a designated CI must follow exact rules, as Haber and Tarsky explain, the
U.S. approach relies on voluntary action to protect critical infrastructure except for chemical and
r
energy both of which follow “mandatory government-set standards.”57 Rather than provide specific
rules, the DHS sets out standards to follow.58 Explicit designation of sectors matters because that
er
designation controls what agency oversees and establishes protocols for a sector. But lack of
designation does not imply a sector or company does not have actions it could or should take.
pe
Given that there was not a centralized agency or rule for addressing cybersecurity risk and
the approach is essentially voluntary, and yet EO 13636 calls for “a risk-based approach” to identify
ot
and address cybersecurity vulnerabilities in CIs, something was needed to guide even voluntary
actions so that “consistent, objective criteria” were in place.59 That is where the NIST Framework
tn
for Improving Critical Infrastructure Cybersecurity60 (the “Framework”) comes in as a key part of
addressing CI cybersecurity risk. The Framework is designed to “strengthen the resilience of” CI by
rin
creating cybersecurity risk frameworks.61 The approach is “technology neutral” and is “not a one-
size-fits-all approach,”62 as it is intended to accommodate the variance in risks across sectors and
ep
56 Id.
57 See e.g., Haber and Zarsky, supra note 46, at 534.
58 Id. at 534-535.
59 Exec. Order 13636, supra note 8.
60 Matthew P. Barrett, FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY, Version 1.1, April
organizations.63 Although the Framework is explicitly tied to CI as defined under U.S. law, the vision
is that the Framework “can be used by organizations in any sector of the economy or society” both
within and outside the U.S.64 Even if not designated as a CI, a company or sector is, on a voluntary
basis, encouraged to use the framework to assess and manage cybersecurity risk. In addition, NIST
cybersecurity. NIST offers that “Cybersecurity risk inputs to ERM programs should be documented
and tracked in written cybersecurity risk registers that comply with the ERM program guidance.”66
The lack of “consistent, repeatable ways” to document and share cybersecurity risk is, however, a
problem. For example, even NIST has commented that they would like to see quantified, aggregated
cybersecurity risk assessments that are not “ad hoc” and that have rigor.67 The connection between
NIST Cybersecurity ERM and the NIST Framework gives any entity goals for addressing
cybersecurity risk: diagnose the state of its cybersecurity risk, set goals for future cybersecurity risk,
be specific about where to improve and how to do so in an on-going manner, and state
The Framework sets out specific “five concurrent and continuous Functions—Identify,
Protect, Detect, Respond, Recover” to guide entities on how to achieve the goals.69 Of the five
functions, Identify is “foundational for effective use of the Framework.”70 Specifically, an entity has
63 Id.
64 Id. at 3.
65 Kevin Stine, Stephen Quinn, Gregory Witte, Karen Scarfone, and Robert Gardner. Integrating Cybersecurity and Enterprise
Risk Management (ERM). NO. NIST INTERNAL OR INTERAGENCY REPORT (NISTIR) 8286 (Draft). NATIONAL
Describe their current cybersecurity posture; 2) Describe their target state for cybersecurity; 3) Identify and prioritize
opportunities for improvement within the context of a continuous and repeatable process; 4) Assess progress toward the
Pr
target state; 5) Communicate among internal and external stakeholders about cybersecurity risk.”).
69 Id. at 3.
70 Id. at 7.
to start by “Understanding the business context, the resources that support critical functions, and
the related cybersecurity risks” so that it can assess what and how to address issues in ways that fit
its “risk management strategy and business need.”71 Thus, any enterprise that must or wishes to
address cybersecurity risk needs tools to achieve these goals and perform these functions. And even
though addressing cybersecurity is voluntary and based on public-private partnerships, the overall
This leaves entities to use the framework, but still demands qualitative and quantitative ways
to assess cybersecurity vulnerabilities. Furthermore, entities may argue that the DHS Risk-Based
Performance Standards can be fuzzy, debated, and seen as not requiring action, because assessing
vulnerability, threat, and consequences has been difficult. Until now.
New data and measurements regarding information security and risk provide insights into
just how vulnerable sectors are. Based on that analysis, assessing threats and consequences becomes
easier. Put differently, given that our approach offers that cybersecurity and cross-sectoral risk
should be a part of a specific way to assess whether a given sector is CI, we now present a way to
We draw on newly available proprietary data from Rapid7, a leader in the information
security sector that provides services to organizations and some data to the public for purposes of
strengthening the collective cybersecurity of the nation. Motivated by the emergence of internet
71 Id.
72 As Haber and Zarsky put it, “While the private sector was not subject to mandatory requirements, these instruments
clearly signal the government’s expectations of the private sector.” Haber and Zarsky, supra note 46, at 532.
scanning as an approach to identify vulnerabilities,73 Rapid7 has developed a proprietary method for
scanning networks, called Project Sonar.74 The approach involves sending one or more “probe
packets” to a target IP address, tracing out the response (or lack of response) from the targeted host.
Gathering these externally collected data on exposed ports has also been shown to dramatically
improve the quality of predictions of data breaches and other malicious activity on networks.75
While Project Sonar allows Rapid7 to scan all exposures on the open internet, whether a
company is private or public, the challenge involves mapping IP addresses to specific organizations.
Since this requires manually searching for the IP-ranges for each firm, Rapid7 focuses on the
Fortune 500 firms as a starting point simply to obtain a sensible and well-defined list of firms. In this
sense, the primary limitation of the data is that it does not cover firms outside of the Fortune 500,
meaning that certain sectors that have few companies in the Fortune 500 will get selective coverage,
if at all. For example, the government is excluded from the sample altogether.
Because there is no single measure of cyber vulnerability, we focus on a couple. For example,
Rapid7 presents data on the number of organizational assets exposing server message block (SMB)
and Telnet,76 both of which are identified as significant ways cyberattacks are successful.77 SMB is
one of the most dangerous services that can be exposed in an organization since it is an “all-in-one
73 Nadia Heninger, Zakir Durumeric, Eric Wustrow, and J. Alex Halderman, Mining Your Ps and Qs: Detection of Widespread
Weak Keys in Network Devices, PROCEEDINGS OF THE 21ST USENIX CONFERENCE ON SECURITY SYMPOSIUM, Berkeley,
CA (2012); Antonio Nappa, Zhaoyan Xu, Juan Caballero, and Guofei Gu, Cyberprobe: Towards Internet-scale Active Detection
of Malicious Servers, PROCEEDINGS OF NDSS 2014, San Diego, CA (2014).
74 Project Sonar began in September of 2013 “with the goal of improving security through the active analysis of public
networks. While the first few months focused almost entirely on SSL, DNS, and HTTP enumeration, the discoveries
and insights derived from these datasets, especially around the identification of systems unknown to IT teams, led to the
expansion of Project Sonar to include the scanning of UDP services. Today, Project Sonar conducts internet-wide
surveys across more than 70 different services and protocols to gain insights into global exposure to common
vulnerabilities.” https://www.rapid7.com/research/project-sonar/
75 Yang Liu, Armin Sarabi, Jing Zhang, and Parinaz Naghizadeh, Manish Karir, Michael Bailey, and Mingyan Liu. Cloudy
with a Chance of Breach: Forecasting Cyber Security Incidents, PROCEEDINGS OF THE 24TH USENIX SECURITY SYMPOSIUM,
Washington DC (2015); Jing Zhang, Zakir Durumeric, Michael Bailey, Mingyan Liu, and Manish Karir, On the
file-sharing and remote administration protocol” that allows malicious attackers to gain control over
an organization. Although Microsoft has endeavored to reduce SMB exposure, many organizations
still continue to expose it, perhaps because they use an old version of Windows. Similarly, Telnet is a cleartext
protocol that allows a user to directly log in to a server and network equipment and to run scripts at
the operating system level. This means that a malicious attacker could gain access to usernames,
passwords, or even data that is being transmitted. Moreover, there is no technical justification for
running Telnet services, particularly as it has been replaced with the Secure Shell (SSH) Transport
Layer Protocol, “which provides encryption-in-transport and encourages the use of digital
certificates when authenticating connections.”78
We now develop a measure of the “productivity supply-chain effect” of each industry in the
economy, which incorporates information about a sector’s productivity and its connectivity with
others in the economy.79 Denoting $y_{i(j)}$ as the contribution of real output in sector $i$ to sector $j$ and
$y_j$ as real output in sector $j$, we define the “productivity supply-chain” effect as follows:
where we now weight the indirect effect from sector $i$ to sector $j$ based on the output in the
connected sector $j$. The term $y_{i(j)}$ is important because it captures the relative contribution of one
sector to another, proxied using the 2018 Bureau of Economic Analysis (BEA) input-output tables.
These tables are produced largely from businesses’ income statements and balance sheets,80
which allows the BEA to convert information about income into production after accounting for
the cost of goods sold, inventories, and more. While the Economic Census, conducted by the
78 T. Ylonen and C. Lonvick, The Secure Shell (SSH) Transport Layer Protocol, THE INTERNET SOCIETY (Jan. 2006) at
https://tools.ietf.org/html/rfc4253.
79 We use the North American Industry Classification Standard (NAICS) codes to define sectors.
80 See https://www.bea.gov/resources/methodologies/concepts-methods-io-accounts
Census Bureau, is the primary source for the input-output tables every five years, data from other
annual surveys, including Bureau of Industry and Security (BIS),81 fills in the gaps over remaining
years. Specifically, we use the “industry-by-industry” total requirements table, which shows “the
production required, both directly and indirectly, from the industry per dollar of delivery to final use
of the industry.”82 Importantly, we exclude industry $i$’s contribution to itself from these estimates. In
this sense, we see the dollar-value of intermediate and final goods and services each sector sells to
every other sector, which we scale by the total economic activity in that sector. These data are
available at a six-digit North American Industry Classification System (NAICS) level, but we use the
two-digit major sectoral classification because we are constrained by the availability of Rapid7 data
for only the Fortune 500, meaning that aggregations of the Fortune 500 within narrow sector
classifications will produce a fairly sparse and unrepresentative dataset.
We can also define the “network cybersecurity risk effect” similarly as follows:
We now compare the direct effect with the effect across sectors. For example, Figure 1 plots
the two together for logged real GDP (“productivity”). We see that there is a correlation of 0.38:
sectors with larger real GDP also have larger cross-sector effects. Table 1 also enumerates these by
sector, ranked from lowest to greatest. While educational services has the lowest productivity effect,
professional services has the greatest. Figure 2 plots an analogous relationship for cybersecurity
81 While the BIS focuses heavily on conducting surveys over firms that are concentrated in the defense sector, more
generally, they assist in helping federal agencies understand the important material suppliers and the competitiveness
ANALYSIS (2006).
vulnerabilities based on the number of exposed ports at a sectoral level. Interestingly, the correlation
between an industry’s own exposure and its network cybersecurity risk effect is only 0.10.
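As an added example (our illustration, not code from the paper or from Rapid7), the following Python computes the quantities the preceding pages describe in words: the per-sector count of organizational assets exposing SMB (port 445) or Telnet (port 23), taken from constructed external scan records; the productivity supply-chain effect and the network cybersecurity risk effect, each the sum over every other sector $j$ of $y_{i(j)}$ times that sector's real output or exposure count, with a sector's contribution to itself excluded as the text specifies; a lowest-to-greatest ranking of the kind shown in Table 1; and the employment-weighted correlation between a sector's own (logged) value and its (logged) network effect, as in Figures 1 and 2. The sector labels, contribution shares, outputs, employment weights and scan rows are all constructed, and dropping sectors with a zero value before taking logs is our assumption, since the paper does not say how it treats them.

```python
"""Cross-sectoral effect computation (added example; constructed inputs, not Rapid7 or BEA data)."""
from collections import defaultdict
from math import log, sqrt

# Services the paper singles out as not recommended for internet exposure.
FLAGGED_PORTS = {23: "telnet", 445: "smb"}

# Constructed scan records (hypothetical): one row per (organization, sector, open port)
# observed from the outside, in the spirit of a Project Sonar export.
SCAN_RECORDS = [
    ("AcmeBank", "finance", 443),
    ("AcmeBank", "finance", 445),
    ("AcmeBank", "finance", 23),
    ("OmniManuf", "manufacturing", 445),
    ("OmniManuf", "manufacturing", 22),
    ("BigConsult", "professional", 445),
    ("BigConsult", "professional", 23),
    ("BigConsult", "professional", 80),
    ("FarmCo", "agriculture", 22),
    ("FarmCo", "agriculture", 23),
]

SECTORS = ["finance", "manufacturing", "professional", "agriculture"]

# Constructed contribution shares y_{i(j)}: the share of sector i's output delivered to
# sector j. Self-contributions are deliberately absent, as the paper excludes them.
CONTRIB = {
    "finance":       {"manufacturing": 0.20, "professional": 0.30, "agriculture": 0.05},
    "manufacturing": {"finance": 0.10, "professional": 0.15, "agriculture": 0.25},
    "professional":  {"finance": 0.40, "manufacturing": 0.35, "agriculture": 0.10},
    "agriculture":   {"finance": 0.02, "manufacturing": 0.30, "professional": 0.05},
}
# Constructed real output y_j (billions of dollars) and employment weights (millions).
OUTPUT = {"finance": 3000.0, "manufacturing": 2500.0, "professional": 2000.0, "agriculture": 200.0}
EMPLOYMENT = {"finance": 6.0, "manufacturing": 12.0, "professional": 20.0, "agriculture": 2.0}


def count_exposures(records):
    """Number of distinct (organization, port) assets per sector exposing a flagged service."""
    seen = set()
    counts = defaultdict(int)
    for org, sector, port in records:
        if port in FLAGGED_PORTS and (org, port) not in seen:
            seen.add((org, port))
            counts[sector] += 1
    return dict(counts)


def network_effect(contrib, attribute):
    """effect_i = sum over j != i of y_{i(j)} * attribute_j.

    With attribute = real output this is the productivity supply-chain effect; with
    attribute = exposure counts it is the network cybersecurity risk effect."""
    return {
        i: sum(share * attribute.get(j, 0.0) for j, share in links.items() if j != i)
        for i, links in contrib.items()
    }


def rank_lowest_to_greatest(effects):
    """Sector names ordered as Table 1 orders them: smallest effect first."""
    return sorted(effects, key=effects.get)


def weighted_corr(xs, ys, ws):
    """Weighted Pearson correlation; the paper weights its figures by employment."""
    total = sum(ws)
    mx = sum(w * x for x, w in zip(xs, ws)) / total
    my = sum(w * y for y, w in zip(ys, ws)) / total
    cov = sum(w * (x - mx) * (y - my) for x, y, w in zip(xs, ys, ws)) / total
    vx = sum(w * (x - mx) ** 2 for x, w in zip(xs, ws)) / total
    vy = sum(w * (y - my) ** 2 for y, w in zip(ys, ws)) / total
    if vx == 0 or vy == 0:
        raise ValueError("correlation is undefined for a constant series")
    return cov / sqrt(vx * vy)


def direct_vs_network(direct, effect, weights, sectors):
    """Weighted correlation of a sector's logged own value with its logged network effect.
    Assumption: sectors with a non-positive value are dropped because log is undefined there."""
    keep = [s for s in sectors if direct.get(s, 0) > 0 and effect.get(s, 0) > 0]
    return weighted_corr([log(direct[s]) for s in keep],
                         [log(effect[s]) for s in keep],
                         [weights[s] for s in keep])


if __name__ == "__main__":
    exposure = count_exposures(SCAN_RECORDS)
    prod = network_effect(CONTRIB, OUTPUT)
    cyber = network_effect(CONTRIB, exposure)
    for s in rank_lowest_to_greatest(prod):
        print(f"{s:14s} own exposure {exposure.get(s, 0):2d}  "
              f"productivity effect {prod[s]:7.1f}  cyber effect {cyber[s]:5.2f}")
    print("weighted corr(own exposure, network cyber effect):",
          round(direct_vs_network(exposure, cyber, EMPLOYMENT, SECTORS), 3))
```

The two effects share one function because they differ only in the per-sector attribute multiplied by $y_{i(j)}$; a sector absent from the exposure dictionary (no flagged assets observed) contributes zero to every other sector's cyber effect, which mirrors the selective coverage the paper notes for sectors thin in the Fortune 500.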
Figure 1: Comparison of 2018 Real GDP and Productivity Supply Chain Effect, by Sector
Notes.—Sources: Bureau of Economic Analysis, 2018. The figure plots the logged real GDP in 2012 prices and billions
of dollars with the logged “productivity supply chain effect,” which is measured by taking the sum across the product of
the contribution of sector $i$ to sector $j$ and real GDP in sector $j$. The observations are weighted by 2018 employment.
Figure 2: Comparison of 2018 Cyber Exposure and the Cyber Network Effect, by Sector
Notes.—Sources: Rapid7, 2018. The figure plots the logged number of exposed ports that are not recommended as per
the Rapid7 Project Sonar scan on the Fortune 500 companies with the logged “cyber network effect,” which is measured
by taking the sum across the product of the contribution of sector $i$ to sector $j$ and the number of cyber vulnerabilities
in sector $j$. The observations are weighted by 2018 employment.
Industry                                                            Productivity Effect   Cybersecurity Effect
Educational services, health care, and social assistance                      55.1                   27.9
Retail trade                                                                 227.6                   90.5
Other services, except government                                            406.8                  291.4
Construction                                                                 453.0                  218.4
Utilities                                                                    455.5                  315.9
Arts, entertainment, recreation, accommodation, and food services            560.2                  424.1
Government                                                                   651.8                  484.7
Agriculture, forestry, fishing, and hunting                                  791.5                  324.6
Mining                                                                      1146.3                  438.4
Information                                                                 1146.4                  534.9
Transportation and warehousing                                              1343.2                  827.5
Wholesale trade                                                             1653.5                  749.1
Finance, insurance, real estate, rental, and leasing                        3530.8                 2710.7
Manufacturing                                                               3976.2                 2567.7
Professional and business services                                          4733.4                 4314.8
Notes.—Sources: Bureau of Economic Analysis and Rapid7, 2018. The table reports the productivity supply chain and
cybersecurity network effects, ranked by industry according to the productivity effect.
Before continuing, we note that our approach is flexible, but constrained to the availability
of quality data. In particular, although it might appear concerning that information services ranks
fairly low in its cybersecurity effect—that is, even below transportation and warehousing—that is a
function of the way sectors are classified by the BEA. Whereas the four-digit NAICS sub-sector
5182 is “Data Processing, Hosting, and Related Services,” many of the other sub-sectors in the
information services major category include newspaper publishers, motion picture and video
industries, recording studios, and radio, television, and cable broadcasting. If our Rapid7 data
included more than the Fortune 500 companies, we could further disaggregate and quantify the
cybersecurity effect for NAICS 5182 (among others), but we focus only on major sectors.
V. Implications of and Recommendations for Taking Supply Chain and Cross-Sectoral
Cybersecurity into Account
The traditional approach to measuring cybersecurity risk has involved classifying certain
sectors as critical infrastructure. This classification strategy, however, faces limitations due to the
have grown fast in the networked economy. Our approach directly addresses these shortcomings by
accounting for intersectoral linkages, such as the contribution of professional services to traditional
CI sectors. To the extent that every sector relies, at least partially, on information and professional
services, risks in these sectors become the “weakest link” for all other sectors.
Our approach also allows for the possibility of differences within sectors. For example,
attacks against the Federal Reserve might be more threatening than attacks against community banks
from the perspective of aggregate system risk. So too for attacks on the professional services sector
as compared to agriculture. This comparison does not mean that agriculture should not be deemed
CI. It suggests that agriculture may have less cross-sectoral cybersecurity risk than the other sectors,
for now. As agriculture embraces networked farm devices from automated farming to managing
supply chains for feed, production, and distribution, testing their cross-sectoral cybersecurity
becomes ever more important. Indeed, under our approach, should agriculture pose greater cross-
sectoral risk over time, such risk would be detected and hopefully fixed before a catastrophic
Our measurement is admittedly coarse since we work at a major sectoral level. We do not
disaggregate to the firm, or even to a more detailed industry classification level, because of our data
limitations. Nonetheless, to the extent that data on firm linkages exist, then our empirical approach
In general, the approach offers a way to allow any sector or firm to work within the NIST
Framework and promises pathways for more work in the area. That is, as more granular,
disaggregated data becomes available, we illustrate a broader methodology that we hope will be of
use for researchers and practitioners down the road. For example, given that the Department of
Commerce has detailed firm-level data on input-output linkages, a collaboration with a cybersecurity
firm could lead to a much more granular measurement of network cybersecurity risk.
Based on these results, we offer three policy recommendations. First, this new evaluation of
cybersecurity risk should guide the priorities in CISA and other federal authorities. Although their
role has focused on aiding the traditionally classified CI sectors, our analysis shows that there might
be more influential nodes in the network that matter for aggregate risk. Put simply, given limited
resources, agencies should focus their efforts where they matter most.
Second, to enable CISA to improve how it assesses cybersecurity risk, NIST and the Bureau
of Industry and Security (BIS)—both centered within the Department of Commerce—should
coordinate assessment of cross-sectoral cybersecurity risk. In addition, NIST should provide annual
or biannual re-evaluated guidance assessing three cybersecurity risk categories—1) firms that display
systemic risk because of their size and connectivity, 2) sectors that display sufficiently large risk
based on the firms in the sector and their connectivity to the rest of the economy, and 3) firms
and/or sectors that pose lower cross-sectoral cybersecurity risk because of size and connectivity.
Third, federal agencies that currently do not interact with one another, but hold important
data for understanding supply chain linkages, should begin sharing data and mapping out nodes in
the digital network. For example, the Bureau of Economic Analysis and Census Bureau could share
data on economic activity at an establishment level and map out the inputs that go into aggregate
In addition, our work has implications for cybersecurity and national security beyond these
recommendations. No matter how one defines CI within the U.S., one can consider the mapping
and closing of cybersecurity holes in CI as a defensive action. Yet, understanding supply chain risk
also has implications for offensive cybersecurity, which reflects a broader shift in policy and practice
away from cyber diplomacy.83 This shift has been happening in practice at the NSA and Cyber
Command,84 including even an attack on ISIS.85 As one paper argues, to bolster deterrence of
foreign adversaries and augment offensive capabilities, there must be substance behind threats and
demonstrated capacity.86 An assessment of such an approach is beyond the scope of this paper. For
example, an assessment might ask whether such an approach would create a race for cyberattacks or
what international law implications arise under such an approach. Nonetheless, we note this shift as
our approach’s focus on better understanding the key nodes in the broader economic network that
are vulnerable is important for not only defensive capabilities, but also for offensive efforts against
adversaries should the government wish to pursue such a course. There are, however, some extra
In general, once authorities understand and effectively map out internal U.S. vulnerabilities,
that approach can be applied to other countries using estimates of their industrial composition and
offensive approach will require better data and inter-agency cooperation. First, understanding
cybersecurity vulnerability in the U.S. as a defensive matter likely provides insights into similar
vulnerabilities outside the U.S. Thus, agencies such as NIST building the internal vulnerability map,
83 See e.g., Emily Goldman, From Reaction to Action: Adopting a Competitive Posture in Cyber Diplomacy, 3 TEX. NAT’L.
SECURITY REV. 84 (2020) at http://dx.doi.org/10.26153/tsw/10950.
84 See e.g., Garrett M. Graff, The Man Who Speaks Softly—and Command A Big Cyber Army, WIRED, Oct. 13, 2020 at
https://www.wired.com/story/general-paul-nakasone-cyber-command-nsa/.
85 See Dina Temple-Raston, How the U.S. Hacked ISIS, NPR, Sept. 26, 2019 at
https://www.npr.org/2019/09/26/763545811/how-the-u-s-hacked-isis
86 See Mark Montgomery and Erica Borghard, Cyber Threats and Vulnerabilities to Conventional Strategic Deterrence, 102 JOINT
may need to share insights with agencies such as Cyber Command. The offensive context will also
have particular needs for international mapping. For example, Space Force could likely play a role by
leveraging satellite imagery resources to map out the linkages in other countries’ economic networks.
The internal and international maps may then need to be combined to prevent an attack from
having a boomerang effect. Recall that Stuxnet and NotPetya showed that a cybersecurity
vulnerability in a particular region and technology status quo could spread beyond intended targets
and even boomerang back to where the attack originated.87 If an internal map shows that U.S.
systems are relatively secure—because of precautions and/or fewer systems have a certain
vulnerability—as compared to other regions, one might develop attacks less likely to have a
information gained by understanding cross-sectoral and supply chain vulnerabilities. The core point
is that by understanding where such vulnerabilities exist, the government, CI sectors, and particular
companies should all be better set up to take positive steps to address cross-sectoral and supply
chain risk.
VI. Conclusion
Our research highlights the linkages across sectors and the implications for measuring
cybersecurity risk in the broader network. At the immediate level, our research offers three concrete
policy actions. As a matter of cross-sectoral cybersecurity risk, our work calls out the need to
understand such risk and offers a method to measure such risk. Although much more research
remains to be done, especially with better data that allows for greater disaggregation, our coarse
might be overly simplistic. In addition, we create a replicable methodology that can be of even
greater use with the right data. Our results highlight the transmission of shocks throughout sectors,
while also showing that more empirical work is needed to quantify the actual effect sizes of data
breaches and other malicious cyber incidents on the full range of firms in a network. Future work
along these lines should provide guidance on the social welfare effects of cyber-attacks and could
lead to the formation of a credible cyber insurance sector.