Oxford University Press is a department of the University of Oxford. It furthers the University’s objective of excellence in research, scholarship, and education by publishing worldwide. Oxford is a registered trade mark of Oxford University Press in the UK and certain other countries.
Published in the United States of America by Oxford University Press 198 Madison Avenue, New York, NY 10016, United States of America.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, without the prior permission in writing of Oxford University Press, or as expressly permitted by law, by license, or under terms agreed with the appropriate reproduction rights organization. Inquiries concerning reproduction outside the scope of the above should be sent to the Rights Department, Oxford University Press, at the address above.
You must not circulate this work in any other form and you must impose this same condition on any acquirer.
Library of Congress Cataloging-in-Publication Data
Names: Falco, Gregory, author. | Rosenbach, Eric, author.
Title: Confronting cyber risk : an embedded endurance strategy for cybersecurity / by Gregory Falco and Eric Rosenbach.
Description: New York, NY : Oxford University Press, [2022]
Identifiers: LCCN 2021037378 (print) | LCCN 2021037379 (ebook) | ISBN 9780197526545 (paperback) | ISBN 9780197526569 (epub) | ISBN 9780197526576
LC record available at https://lccn.loc.gov/2021037378
LC ebook record available at https://lccn.loc.gov/2021037379
DOI: 10.1093/oso/9780197526545.001.0001
Printed by LSC Communications, United States of America
For Frida, Milo, and Xyla, my Embedded Endurance strategy. —G.F.
For Alexa, Phia, and Max, because you keep me happy, human, and humble! —E.R.
Preface
Our digitally dependent world has a problem. Many leaders relegate cyber risk management to technical experts. By making cybersecurity a technical issue, leaders exacerbate the challenge of an already complex problem and increase their organization’s risk of being attacked. This book seeks to change that paradigm by providing both a strategy and recommended actions for leaders seeking to address cyber issues in their organizations. In short, this book is a cyber risk leadership guide for all types of non-cyber-experts: the senior executive worried about the scourge of ransomware hitting midsize companies around the world, the general counsel hoping to limit the potential litigation risk of a data breach, even the new network administrator hoping to understand the non-technical aspects of cybersecurity.
The book is centered around a series of core questions addressed in each chapter. While the book can be read cover to cover, it is also digestible in a modular fashion—allowing readers to choose the questions (chapters) that most interest them without requiring knowledge from previous chapters.
The questions are largely strategic in nature, and the subsequent material in each chapter offers both the 10,000-foot view as well as a deeper dive on each topic. They include:
• Why is cyber risk an issue?
• Who is attacking us?
• How do I assess our cyber risk?
• What do I need to know about cyber frameworks, standards, and laws?
• Who is responsible for cybersecurity?
• What risk prevention measures can I use?
• What risk resilience measures can I use?
• How do I embed cyber risk management in all aspects of the organization?
Each chapter contains six sections, which are designed to be independently readable. These are:
• Case Study—a real-world illustration of the topic at hand
• Why It Matters—the motivation for learning the chapter’s content
• Key Concepts—the ideas foundational to answering the chapter’s question
• Going Deeper—what the experts know
• Taking Action—how you can act on what you’ve just learned
• Main Takeaway—the Big Idea you carry to the next board meeting, strategy session, or water-cooler chat
The cases are not intended to serve as comprehensive summaries of incidents. Rather, each case represents the essence of the chapter’s challenge. Some cases describe incidents that occurred several years ago, while others are more recent. The older cases are as important as those that have captured recent headlines, since they have stood the test of time by exemplifying what not to do or how things can go wrong.
We have selected these cases and structured this book based on decades of combined practical experience developing and running cyber-resilient organizations in both the private and public sectors. We are confident the book’s content and design will empower you to get the answers you need, and thus better enable your organization to navigate a treacherous cyber threat and risk landscape.
This book is derived from work that we jointly completed for the HarvardX online course Cybersecurity: Managing Risk in the Information Age. We appreciate all the contributions from students, colleagues, and industry experts as we honed the Embedded Endurance strategy. We also would like to thank the tutors and GetSmarter team that help make the course a success.
We would also like to acknowledge that this material was licensed for publication courtesy of the President and Fellows of Harvard College.
We could not have completed this book without the tireless efforts of Cameron Hickert. Hickert was instrumental in shaping and writing the case studies, cryptograms, and overall context of the book. Hickert is among the top 1 percent of talent at Harvard University and is one of the most motivated and strategic critical thinkers that we have had the opportunity to work with in our respective roles across government, industry, and academia. As Hickert redefines the technology landscape through his AI research and development while engaging in political strategy formulation relating to China and other U.S. competitors across the digital landscape, we are certain he will emerge as a future leader in both industry and government.
Why Is Cyber Risk an Issue?
The importance of understanding and managing cyber risk for the organization
Case Study
On a Friday in May 2017, a North Korean cyberattack dubbed “WannaCry” gripped the globe.1 In the first few hours, 70,000 machines worldwide were infected.2 Only two days later, that number had ballooned to 200,000.3 The figure would have risen even higher, but a British cybersecurity researcher chanced upon a “kill switch” that crippled the attack.4
How It Happened
WannaCry was a form of ransomware. Upon infection, it encrypted a computer’s files, holding them hostage in the hopes of extracting a ransom from the user. Fortunately, before the attack, engineers had already released a software update inoculating computers against WannaCry. However, many organizations failed to apply the patch.5
The Impact
The worm’s final toll was immense: over 230,000 machines infected across more than 150 countries, tallying over $4 billion in losses.
Organizations as diverse as FedEx,6 Taiwan Semiconductor Manufacturing Co.,7 the University of Montreal,8 and Honda experienced significant operational outages.9
Particularly hard hit was the United Kingdom’s National Health Service (NHS). In all, the WannaCry attack cost the NHS more than $100 million.10 More than one in three trusts (the fundamental organizational units of the NHS) faced disruption due to the attack, nearly 20,000 appointments or operations were canceled, and multiple emergency departments were forced to divert patients elsewhere.11
Behind the Scenes
WannaCry did not specifically target the NHS, so what led to this dramatic impact? Two failures stand out.
The NHS’s first misstep was its cyber risk assessment process—more specifically, its response to previous assessments. Reaching as far back as three years before WannaCry, the United Kingdom’s Department of Health and Social Care had warned NHS trusts to migrate from old software. In the weeks just preceding the attack, NHS Digital (which runs information technology for the healthcare system) again warned trusts to apply the patch that would have prevented WannaCry from infiltrating their machines.12 But a report from the country’s national auditor found that the department “had no formal mechanism for assessing whether NHS organizations had complied with its advice and guidance.”13
Consequently, these updates fell by the wayside. In fact, only two-thirds of the trusts had patched their systems before WannaCry.14 Moreover, when NHS Digital evaluated cybersecurity at eighty-eight trusts—a pool representing one-third of all trusts—prior to the attack, not a single one passed the assessment.15
The NHS’s second failure was its lack of an effective cyber crisis plan. A Parliament report concluded that the system “had not shared and tested plans for responding to a cyber attack.”16
Such a strategy should include technical details, but the WannaCry chaos also exposed defects in the NHS’s people management. No formal backup communication system replaced the disabled email systems at various trusts. Instead, local NHS organizations resorted to an amalgam of mobile phones, WhatsApp, and pen and paper to transmit and record information.17,18 And, unsure of where to turn during the crisis, local NHS trusts contacted a hodgepodge of national and local bodies—even local police forces—to report the attack.19
These errors are manifestations of a deeper issue: the NHS failed to understand cyber risk as a systemic risk, both within individual trusts and across the national network. Still, as the Parliament report put it, “the NHS was lucky.” Beyond the fortuitous kill-switch discovery, the attack’s timing—on a summer Friday afternoon—helped the organization dodge an even greater disaster.
Learning to Do Better
The case study of WannaCry and the NHS’s response hints at an answer to the question “Why is cyber risk an issue?” This chapter will explore this topic and introduce the key components of today’s cyber landscape, in addition to explaining the necessity of adopting a systemic view of cyber risk. It will sketch the outlines of a successful cyber risk management approach that all readers can apply to the cybersecurity needs of their organization.
Why It Matters
In 1951, the Lyons Electronic Office I (LEO I) was introduced as the world’s first commercial computer. Initially used for administrative duties such as payroll and inventory record-keeping, it signified a groundbreaking step in the integration of computer systems with business processes. Seven decades later, it is difficult to conceive of any sphere of everyday life that isn’t affected by the influence of computing technology. Moreover, computers are no longer the freestanding systems they were only twenty years ago. Whether embedded in a smartphone, a laptop, an office printer, or a car, almost every computer is part of an interconnected web of devices.
Interconnectivity comes at a cost. Rapid growth in the digital environment has created gaps in organizations’ cybersecurity awareness, making it easy for threat actors, such as nation-states and cybercriminals, to exploit widely known vulnerabilities. Consequently, cyber risk management, which is the process of preventing cyberattacks and maximizing organizational resilience to them, has developed into an essential requirement for senior executives and key leaders responsible for operations.20
The interconnectivity of the numerous parties relying on the internet to achieve various purposes has created a diverse cyber threat landscape. All entities, whether individuals, privately owned companies, or governmental organizations, must deal with the constant threat of cyberattacks. While many organizations believe that implementing robust cybersecurity measures is enough to protect their information systems from hackers, it is inevitable that all beneficiaries of the internet will have to confront cyberattacks at some point.21
Cyber risk management is broken. Today we live in a world of cyber “haves” and “have-nots.” The “haves” spend millions of dollars on the latest technical defenses to improve the perception of their organization’s security. Most of these defenses are Band-Aids. Those organizations in the “have-not” category wait for a disaster and then try to pick up the pieces. Neither approach is sustainable. You need a strategy and you need to take action.
Key Concepts
1. Cyber risk defined
2. Cyber risk management
3. Embedded Endurance: a cyber risk strategy
Cyber Risk Defined
Although it is impossible to fully predict where and when an attack might occur, any cyber risk strategy must start with a clear-eyed assessment of areas that require improved resource allocation.22 In this context, risk is defined as the product of threats, vulnerabilities, and impact, divided by mitigations.
Each of these components is defined here.
1. Threats: Your organization needs to consider any sources of intentional threats that could have a potentially negative impact on its assets. These intentional threats include insiders, cybercriminals, and nation-states.23
2. Vulnerabilities: Threats rely on vulnerabilities to undermine an organization’s cybersecurity, so it is crucial that the most significant vulnerabilities are identified and considered. Vulnerabilities could take the form of poor business processes, poorly educated employees, or outdated software.24
3. Impact: Your organization must take the potential impact of a cyberattack into account. Assessing the potential impact of a cyberattack involves understanding the effects that various threat scenarios could lead to. For example, an organization could assess the potential impact that a distributed denial-of-service attack (an attack that restricts available bandwidth by flooding networks with unmanageable amounts of data) could have on its system, and how a critical failure of that system would affect critical business operations.25
4. Mitigations: As your organization takes steps to reduce threats, vulnerabilities, and their impact, it is important to account for these as part of your risk posture. Some mitigation activities are focused on addressing just one aspect of risk, whereas other mitigations are systemic and address each risk consideration across an organization.
Note that this definition of risk has one prerequisite: first you must identify all the assets that constitute your organization. This includes all physical or digital components such as computers, data, and intellectual property.26
There are three principal risk categories that an organization could face in the event of a cybersecurity incident:27
1. Business operational risk: The potential for direct or indirect loss that results from the failure of key business systems, processes, procedures, or people.
2. Reputational risk: The potential for loss or damage that results from harm caused to an organization’s reputation or public image.
3. Legal and compliance risk: The potential for loss or damage that results from legal action being taken against an organization for breaching the law or regulatory requirements.
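The definition above (risk as the product of threats, vulnerabilities, and impact, divided by mitigations), the asset-inventory prerequisite, and the three risk categories can be turned into a small risk register. The following is an added worked example, not code from the authors or the book; the asset names, the 1–5 scoring scale, every score, and the treatment of each mitigation as a divisor of at least 1 (multiplied together when controls are layered) are constructed assumptions used to show how the formula ranks assets and how applying an available patch, the step the NHS trusts missed, moves an asset down the list.

```python
# Worked cyber-risk register for the chapter's definition
#   risk = (threats x vulnerabilities x impact) / mitigations
# Added illustration, not the authors' code. Asset names, the 1-5 scoring
# scale and every score below are constructed sample data.
from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class Asset:
    """One entry in the asset inventory that the definition presupposes."""
    name: str
    category: str        # principal risk category: operational, reputational, legal
    threat: int          # intentional threat sources aimed at this asset (1 = low, 5 = high)
    vulnerability: int   # severity of known weaknesses, e.g. unpatched software (1-5)
    impact: int          # consequence of a successful attack (1-5)
    # (control name, strength) pairs; strength >= 1.0, where 1.0 means no reduction
    mitigations: tuple = field(default_factory=tuple)


def mitigation_factor(asset: Asset) -> float:
    """Mitigations divide risk; layered controls compound multiplicatively.
    An asset with no controls has a divisor of 1, so its raw score stands."""
    factor = 1.0
    for _name, strength in asset.mitigations:
        factor *= max(strength, 1.0)  # a control never increases risk in this model
    return factor


def risk_score(asset: Asset) -> float:
    """threats x vulnerabilities x impact, divided by mitigations."""
    return asset.threat * asset.vulnerability * asset.impact / mitigation_factor(asset)


def ranked_register(assets) -> list:
    """Highest-risk assets first: where scarce resources should go."""
    return sorted(assets, key=risk_score, reverse=True)


def apply_patch(asset: Asset, patched_vulnerability: int = 1) -> Asset:
    """Applying an available update removes the known weakness itself, so it
    lowers the vulnerability term rather than adding a mitigation. Returns a
    new Asset; the original inventory entry is left unchanged."""
    return replace(asset, vulnerability=patched_vulnerability)


# Constructed inventory loosely modelled on the hospital setting of the case study.
SAMPLE_ASSETS = (
    Asset("patient-records database", "legal", threat=5, vulnerability=2, impact=5,
          mitigations=(("offline backups", 2.0), ("role-based access control", 1.5))),
    Asset("imaging workstation", "operational", threat=4, vulnerability=5, impact=4),
    Asset("public website", "reputational", threat=3, vulnerability=3, impact=2,
          mitigations=(("web application firewall", 1.5),)),
)


def register_report(assets) -> list:
    """(name, category, score) rows in risk order, as a leadership briefing would list them."""
    return [(a.name, a.category, round(risk_score(a), 2)) for a in ranked_register(assets)]


if __name__ == "__main__":
    for row in register_report(SAMPLE_ASSETS):
        print("%-28s %-13s %6.2f" % row)
    print("--- after applying the available patch to the imaging workstation ---")
    patched = apply_patch(SAMPLE_ASSETS[1])
    for row in register_report((SAMPLE_ASSETS[0], patched, SAMPLE_ASSETS[2])):
        print("%-28s %-13s %6.2f" % row)
```

With the constructed scores, the unpatched workstation tops the register (80) despite the patient-records database carrying the highest threat and impact terms, because that database already has layered controls dividing its score (50 / 3 ≈ 16.67). Once the patch is applied, the workstation drops to 16 and the database becomes the top priority, which is the kind of shift a leadership team should expect to see after acting on an assessment.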
Cyber Risk Management
The traditional approach to cybersecurity generally focuses on designing a defensive perimeter and network that attempt to prevent valuable assets from being hacked. This approach is based on an informed understanding of potential cyber threats to the organization. Although preventative approaches are crucial for securing assets from conventional methods of attack, stopping there results in an organization that has not truly prepared for the impact of a successful attack.
Rather than pursuing a simplistic security-focused strategy, modern organizations take a risk management approach to cyber. Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level.28 Cyber risk management strategies foster cyber strength by considering critical business processes and allocating more resources to risk resilience, while also emphasizing the implementation of preventative technical cybersecurity mechanisms to protect assets from cyber threats.29
As can be seen in the WannaCry case study, individual organizations’ cyber susceptibility can cause impacts well beyond their own organization. During the WannaCry attack, information technology failures within individual NHS trusts contributed to communication failures within those trusts, and ultimately to communication failures between trusts. Beyond the NHS trusts directly impacted by the ransomware, their cyber issues resulted in stress to their organization’s ecosystem of nearby civic systems and people, such as the police, who were inundated with calls for support during WannaCry. Globally, WannaCry spread from organization to organization; just as one person’s illness can spread from organ to organ or to other people, one organization’s cyber risk can increase the operational risk for other organizational components or for other organizations within the same ecosystem. For example, major ransomware attacks like WannaCry have disrupted many organizations’ global supply chains, which has resulted in the organizations’ inability to deliver goods and services. By adopting an Embedded Endurance strategy, digital assets and the organization overall will be buffered from some of the interdependent impacts of cyber risk, enabling sustained mission resilience.
Embedded Endurance: A Cyber Risk Strategy
Addressing cyber risk is a highly interdisciplinary challenge that requires the cooperation of stakeholders with diverse backgrounds.30 This is reflected in industry, government, and even academia. It is not always clear where one realm of expertise ends and another begins, which necessitates strong leadership that can play the role of traffic controller across the various parts of an organization that address cyber risk. For example, who gets to make the call that the ransom being demanded by attackers should be negotiated and paid? A range of senior-ranking executives and officials will help to make these decisions, but often there are ego issues and multiple stakeholders to consider, so at the end of the day this engagement will not be successful without a strong leadership strategy.
Based on our decades of experience in the real-world trenches of cybersecurity and on research at Harvard, we developed a new strategy called Embedded Endurance. Embedded Endurance is a risk management strategy that applies preventative and resilience measures across the organization both holistically and at the component level to enable sustained mission success in light of persistent threats. The notion of embeddedness speaks to the component-level and interdependent nature of each digital asset and its cyber risk, where organizations are a “system of systems”—not unlike how the human body is an organism composed of many organs that work in concert. Endurance describes the need for sustainable operations of the system as a whole even in the face of inevitable threats over the long term. Embedded Endurance emphasizes the need to address attack prevention and the resilience of each digital asset while also accounting for the impact on the system’s overall operations.
An Embedded Endurance strategy embraces the reality of interdependent digital assets and provides an approach that addresses cyber risk management at both the micro level (people, networks, systems, and data) and the macro level (the organization). As part of an Embedded Endurance strategy, organizations address cyber risk as a systemic concern across interdependent ecosystems of organizations. Utilizing Embedded Endurance helps to reduce the shock waves across the overall system when one digital asset is impacted.
The Embedded Endurance cyber risk management strategy focuses on developing mitigation measures that minimize cyber vulnerabilities and maximize an organization’s ability to respond to cyberattacks. There are two types of mitigation measures: prevention and resilience.
• Prevention measures engage directly with the vulnerabilities that cause risk to actively ensure that harm does not occur. This engagement often takes the form of threat intelligence, information sharing, and tools that can be employed to limit the interaction of threats with your organization.
• Resilience measures focus on bolstering the organization so that regardless of the impact of cyber incidents, the organization can continue operations and achieve its mission.
Cybersecurity is a multidimensional issue that requires organizations to take several variables into account to ensure that their information systems remain resilient to potential cyberattacks. An Embedded Endurance approach to cyber risk management should thus consider technical, human, and physical factors when securing systems, networks, and data.31
Technical Considerations
Technical considerations include all the tools and processes that protect the devices that could act as a potential entry point for unauthorized access to information systems.32 For example, due to rapid advancements in the Internet of Things (IoT), organizations must now consider the security of all conventional work-related devices connected throughout their networks, such as mobile devices and printers, as well as seemingly innocuous devices such as thermostats and electronic door locks.
Human Considerations
Human considerations include issues of governance, as described previously, as well as providing employee awareness training and fostering a culture of cybersecurity. Over the past decade, the scope of cyberattacks has expanded to reach far outside of the cyber dimension of information security. Although tools (in the form of software) exist to protect the devices that constitute an organization’s digital assets, many cyberattacks infiltrate systems through the users who have access to those assets.
It is therefore important that organizations equip their employees to recognize the types of social engineering attacks (such as phishing emails) that take advantage of human error and negligence. This can be achieved through awareness programs and the fostering of a company-wide culture that emphasizes the value of cybersecurity.
Physical Considerations
In cybersecurity, physical considerations should complement technical and human considerations. Attackers often take advantage of physical access to information systems to execute their hacking activities. To do so, they may leverage poor physical access controls to facilities that house important digital components, or rely on social engineering techniques that trick users into granting hackers physical access to information systems.
Going Deeper
Investment Growth in Information Technology and Operational Technology
To remain competitive, both private and public organizations have invested in information technology (IT), financial technology (fintech), and operational technology (OT) to improve the speed and efficiency of their operations. An organization’s IT environment consists of hardware, software, and network resources, which may be housed within the organization’s facilities or based on a cloud service hosted by an external entity. Operational technology refers to digital systems that have both cyber and physical implications, such as smart meters, autonomous vehicles, and a variety of control systems that are digitally controlled but have physical impacts on their environment. Financial technology often has elements of both IT and OT systems. Interest in fintech has exploded in recent years given the growth of e-commerce platforms and the need for various financial mechanisms to enable these transactions, such as mobile payments. As the world continues the rapid transition to cashless, digital forms of payment, the risk to both individual organizations and the global economic ecosystem will increase.
Investing in these technologies benefits organizations in the following ways:
• Increased profitability: Profitability relies heavily on the efficiency of an organization’s processes. IT infrastructure provides managers with the tools and devices necessary to optimize critical business processes, allowing for improved profits over time and greater accessibility to information. OT can facilitate automation of business functions, which also can drastically increase the efficiency of an organization.
• Improved customer service: With IT infrastructure, businesses have easier access to customers’ information, allowing them to tailor their offerings to their customers’ needs. Furthermore, improved access to inventory management data can reduce response time and resolve lingering back-order issues. OT helps to provide seamless experiences for customers by enabling consistent control over certain functions.
• Efficient internal controls and communication: By centralizing information storage and controls, organizations can improve their oversight and actuation of the controls responsible for preventing and detecting operational issues. This allows for expedient feedback, which reduces the chances of harm to business operations or assets in the event of an unanticipated situation.
The Link Between Digital Infrastructure and Cyber Risk
While investing in information and operational technology is often an efficient response to the need for optimizing business processes and responding to customer demand, the WannaCry case study illustrates how this also exposes organizations to accompanying cyber threats with the potential to cause large-scale damage. This exposure has the added effect of increasing the variety of targets—what is commonly referred to in cybersecurity terms as the “surface area”—for threat actors, who have a variety of motivations and employ ever more complex methods of attack.33
Given the multitude of threats in the current cyber threat landscape, it is important to keep in mind that cyberattacks have one thing in common: they are asymmetric in nature. This means hackers face relatively low risk and could gain disproportionately large rewards, whereas the defender often faces high risk and an impossibly large surface area to protect. Today, businesses cannot fully protect themselves from cyberattacks. This is why cyber risk management’s resilience tools are so essential.
Cyberattacks Connecting the Cyber and Physical Dimensions
Although the effects of cyberattacks are generally considered to be limited to information assets, the use of cyber-physical systems (physical systems that are integrated with online systems) has allowed the impact of cyberattacks to cross over from the digital to the physical sphere.34 The Internet of Things (IoT) refers to physical devices that are augmented with sensory technologies (such as smart thermostats), communications (such as Alexa and other smart speakers), and information-storing technologies (such as Favorite locations on your car’s GPS). These smart devices are designed to provide opportunities for integrating the physical world with the cyber world, thereby creating efficient services and processes that require minimal human influence.35
The drive to create smart devices has illuminated the fact that any vulnerabilities in devices connected to the Internet of Things could potentially be breached and exploited, leaving targeted devices open to criminal activity, and possible physical manipulation.36 There are various security concerns with IoT devices ranging from weak password authentication to generally bug-ridden and vulnerable software.
Taking Action
Given the complex and ever-changing nature of the cyber landscape, it is difficult to pinpoint a single risk management lever that can appropriately address all the vulnerabilities of a business’s digital systems. Embedded Endurance provides a steadfast cyber strategy for each business process. The most concrete action you can take to improve your organization’s cyber risk management starts with distributing and assigning responsibility for cyber risk.
Distributing and Assigning Leadership Responsibility for Cyber Risk
Organizations need to ensure that each stakeholder is aware of his or her role in maintaining cybersecurity processes and policies.37
• Every member of the organization: For a cyber risk strategy to be successful, every member of an organization must have a clearly defined role to play in protecting its critical systems, networks, and data. Outside of the reporting structure, cybersecurity should be considered a cultural value shared throughout an organization, rather than a technical process headed by a handful of actors.38 Most attacks take the form of malware and phishing, which are methods of intrusion that thrive on the negligence and mistakes of those they target.39
• Executive members: Executives need not become experts in the technicalities of cybersecurity, but it is important to distribute the responsibility for cybersecurity beyond the chief information officer (CIO) or the chief information security officer (CISO). In particular, the chief executive officer (CEO) needs to be ultimately accountable for cybersecurity, and the board of directors must ensure that he or she is executing on this portfolio.
• Risk committee: An emergent practice is for organizations to establish a risk committee comprising board members,