Manage Systemic Cybersecurity Risks
Learning Objectives
After completing this unit, you’ll be able to:
- Define the cybersecurity-resilience deficit.
- Describe the factors changing the cybersecurity risk equation.
- Explain the challenges of digital interdependence.
- List the three levels of cybersecurity risk propagation.
- Identify the five emerging challenges to securing the digital ecosystem.
This module was produced in collaboration with the World Economic Forum (WEF). Learn more about partner content on Trailhead.
The Cybersecurity-Resilience Deficit
Picture this: You are an operations analyst working to detect, respond to, and remediate security incidents on your organization’s network. Your organization recently purchased a new artificial intelligence (AI) detection tool that uses machine learning to identify anomalies on the network without the need to rely on the signatures, or footprints of attackers for detection. This helps you better identify zero-day threats that have never been seen before. The tool even uses AI to take actions, such as removing access to resources when it appears a user’s account has been compromised. As a cyber defender, you’re super happy this emerging technology has made your life easier.
But it turns out that malicious actors can use AI to their advantage. One day you come to work to discover that an attacker has used AI and machine learning to automate attacks against your organization, as well as several other organizations in your industry. The attacker used AI and ML to create malware that hunts for vulnerabilities, and decides which payload to deploy to take advantage of them. The attack was very targeted, minimizing the type of suspicious activity that would usually alert your organization that you were under attack. You now have an incident on your hands, and are wondering what the long-term impact of AI technologies will be on your ability to defend your network.
Whenever you introduce emerging technology into the digital landscape, you bring with it an inherent amount of systemic risk. In this case, although you are able to use AI-based detection tools to better defend against zero-day threats, attackers are also able to use AI to perpetrate more sophisticated attacks. As technology continues to evolve, new cybersecurity risks will continue to emerge.
Some of the systemic risks inherent in emerging technologies include:
-
Determination of liability for incidents, due to insufficient explainability for algorithmic (for example, AI-based decisions).
-
Reduced visibility into the business and technology risk from an external party, due to the increasing complexity of the digital ecosystem.
-
Difficulty assessing your organization’s aggregate risk exposure, due to the growing interdependence of technologies and organizations.
The dynamics of cyberspace have led to an increase in interdependency and interconnectivity across the globe. As a result, the risk to the supply chain has increased significantly. For example, you may have multiple vendors who communicate to each other through email in your supply chain. Attackers may take advantage of this connectivity and world events, such as the COVID-19 pandemic, to exploit these relationships. One example is tricking vendors into wiring money using phishing emails related to the pandemic.
Let’s take a closer look at the factors that increase the cybersecurity risks you face when adopting emerging technologies.
Factors That Change the Cybersecurity Risk Equation
Increased and Evolving Threats
Data breaches are on the rise. Criminals attack companies, hoping to get information they can use to turn a profit. Data compromises are on the rise. Types of data stolen include government-issued identification numbers, payment cards, account numbers, logins, passwords, and intellectual property (IP). Factors such as attack automation, computational speed, and advanced communications technologies amplify the depth and breadth of cyberattacks.
A Widening Attack Surface
An attack surface is any exposed area of a computing environment where an actor can maliciously or accidentally gain entry to a protected area or extract data out of it. For example, a virtual assistant on your smart device, speaker, or touch screens allows you to check the weather, play music, and control smart devices in your home with voice commands. While this may be convenient, it also widens the attack surface of your home.
Structural Weaknesses
Automation minimizes human intervention for operating and maintaining systems, but may also result in reduced human oversight. For example, banks may use automated lending decisions based on the results of algorithms, but this could negatively impact the availability of loans to minority groups, if the organization doesn’t apply sufficient human oversight to ensure the algorithms aren’t biased. Managing cybersecurity risks from automation will still require human intelligence to solve our toughest problems.
A Growth in Harm
The application of technologies to areas that have cyber-human safety implications, such as smart medical devices in healthcare, means that an associated technological failure could have grave consequences. Algorithmic bias is also a concern, as your organization might unwittingly use a decision-making algorithm that would create an unfair outcome that privileges one group of users over others, as in the example above. In both cases, the implications of cybersecurity risks grow as technology takes a place in more and more sensitive parts of our life, including those that have implications for human life.
The Challenges of Digital Interdependence
The emerging dynamics of cyberspace are increasing organizational interdependence and reliance on the digital environment, creating multiple sources of systemic risk. Let’s take a closer look at three levels of cybersecurity risk propagation that categorize how cyberattacks can penetrate multiple organizations, systems, and even economies.
Levels of Cybersecurity Risk Propagation
Level 1: Risks Penetrate Multiple Organizations
At this level, a vulnerability in one emerging technology, could result in risks penetrating multiple organizations simultaneously. This could result in increased incidents within a short period of time and spanning multiple supply chains.
Level 2: Risks Spread Across Shared Technology Service Providers
At this level, if multiple organizations are using the same shared technology service providers, a vulnerability in that provider could have far reaching impacts for the supply chain. This means that the impacts of a cybersecurity failure in one organization have the potential to spread across its dependent organizations with systemic consequences.
Level 3: Risks Spread Across Whole Economies and Societies
At this level, with emerging technology underpinning much of a country’s economy, a critical vulnerability could negatively impact an entire market or society. Cyber risks have the potential to spread across a widening scope of critical functions across industries and critical national infrastructures (CNIs).
Multiple sectors could fail, which would leave no alternative providers while sectors recover their systems. An example of this type of risk propagation is the SolarWinds attack. Hackers took advantage of a routine software update to the SolarWinds Orion software program—which provides network monitoring for various customers—to slip malicious code into the software and use it as a vehicle for a massive cyberattack. The attackers successfully compromised about 100 companies and a dozen government agencies, which impacted the financial, energy, and technology sectors.
Different countries define critical national infrastructures (CNIs) differently. In the US, 16 CNI sectors exist whose assets, systems, and networks are so vital that their incapacitation would have a debilitating effect on security, the economy, public health or safety, or any combination thereof. Examples include commercial facilities (such as movie theaters), communications (such as wireless providers), and dams (including municipal and industrial water supplies), to name a few.
Five Emerging Challenges to Securing the Digital Ecosystem
As systemic risk grows, your organization can no longer simply consider its own individual cybersecurity-resilience capabilities. Let’s look at five challenges the cybersecurity community faces.
Challenge |
Description |
|---|---|
|
Cybersecurity Skills Gap
|
There is a global capacity shortage in cybersecurity talent. As new technologies emerge, the existing skills gap in delivering cybersecurity services is likely to grow. |
|
Fragmentation of Technical and Policy Approaches
|
While emerging technologies are driving an increasing interdependence, each country and sector may have its own approach to implementing and securing them, leading to fragmented public policies. |
|
Insufficient Existing Operational Security Capabilities
|
Existing operational capabilities are not technically sufficient to address risks from emerging technologies, requiring new approaches to mitigate threats. |
|
Underinvestment in Secure Emerging Technologies
|
Many organizations do not prioritize security in their operations, which puts them at risk. |
|
Ambiguous Accountability
|
The supply chain is only as strong as its weakest link. Direct connections between your vendors and suppliers into your organization’s networks, systems, or data—along with potential interconnections among vendors—broaden the supply chain ecosystem and risk. This also comes with ambiguity regarding who is accountable if a cyberattack occurs. |
To address the cybersecurity skills gap, Trailhead’s Cybersecurity Learning Hub provides a free place for individuals and organizations of all levels to learn in-demand cybersecurity skills. The site is produced in partnership with the World Economic Forum's Centre for Cybersecurity, Fortinet, and the Global Cyber Alliance.
Sum It Up
You now have a better understanding of the challenges involved with the cybersecurity-resilience deficit. In the next unit, you learn more about how to address one of these challenges: ubiquitous connectivity. Let’s go!
Resources
