What MITRE’s Funding Scare Can Teach Us About Systemic Risk

Last week, MITRE, the non-profit organization that maintains the Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) programs, warned of a possible loss of funding.

This created significant concern in the cybersecurity community.

In the days that followed, cybersecurity practitioners commented broadly on the implications of a loss of funding and the resulting shutdown of the CVE and CWE programs.

Fortunately, since the initial warning from MITRE, the US Cybersecurity and Infrastructure Security Agency (CISA) has “executed the option period on the contract to provide MITRE with the financial support necessary to ensure there will be no lapse in critical CVE services” [1].

So while the crisis has been averted for the next eleven months, I believe the funding scare gives us an opportunity to think seriously about systemic cyber risk, and about why it is worth looking at through an institutional lens just as much as a technical one.

Systemic Risk

In simplest terms, systemic risk is the risk that a problem in one part of a system can spread causing the whole system to fail.

Think of it like a chain with a weak link. If that link breaks, the entire chain falls apart.

You’ll see the term used commonly in financial services, where if a large institution fails, it can set off a domino effect that brings down other, usually smaller, firms.

It’s easy to find parallels anywhere systems are highly connected and dependent on each other – utilities, global supply chains, public health, etc.

a chain is no stronger than its weakest link

Systemic Cyber Risk

The concept of systemic risk is not new to cybersecurity professionals; it has been regularly discussed and written about over the last ten years [2][3][4][5].

We’ve been mindful for a while now that a cyber event on an individual digital system could trigger significant disruption or loss which impacts not only the original system but also cascades into related systems.

We’ve considered scenarios such as a cyber attack on critical infrastructure (e.g. the power grid) which creates a cascading failure affecting multiple companies and their IT systems.

We’ve spent considerable time thinking about how over reliance on a major cloud provider or software company could affect thousands of businesses at once in the event of a cyberattack.

The CrowdStrike, MOVEit, and SolarWinds incidents are recent examples of what is at stake when it comes to systemic cyber risk. Notably, the 2024 CrowdStrike outage was triggered by a faulty content update rather than an attack, a reminder that the trigger for a cascading failure need not be malicious.

However, while we seem to be mindful of the potential impact of a systemic cyber risk event, it seems to me that there is still a disproportionate level of focus on technical triggers rather than institutional ones.

The Lesson In The MITRE Funding Scare

I believe it is in our collective interest to think a bit more clearly about institutional issues such as the dangers of governance and funding failures and the MITRE funding scare gives us an ideal opportunity to do just that.

These institutional issues are commonly overlooked in traditional IT risk assessments, which are often heavily skewed towards technical risks around topics such as artificial intelligence, cloud security, ransomware, data protection, phishing, and insider threats.

This is particularly concerning because much of the infrastructure we rely on to run businesses and keep them secure is highly interconnected, interdependent and fragile. In essence, we could be ignoring systemic cyber risk factors.

Fortunately, the cyber community has started the necessary work by considering the security practices of vendors and how best to assess them, technical supply chain attacks and more general business continuity concerns.

We now need to expand this focus to ask hard questions about the non-technical failure of the digital systems that we depend on. From the reports of numerous cyber professionals we have an idea as to what a loss of funding for the CVE program could mean.

Institutional issues for consideration

Similarly, what would it mean for digital society if the unpaid, overworked or underappreciated maintainers of critical open source packages, many of them individuals, stopped their efforts?

This has happened as recently as January 2022, when the maintainer of colors.js broke thousands of applications by inserting an infinite loop, in protest at what he saw as large-scale corporate exploitation of open source [6].

In 2016, after a dispute with a company, a software engineer removed a tiny utility he had created (left-pad) from npm, breaking thousands of software projects, including those at companies such as PayPal, Netflix and Facebook [7].

We can also ask what the fallout would be if ICANN, the Internet Corporation for Assigned Names and Numbers, which coordinates the internet's naming and numbering systems (among other things the DNS root zone, top-level domains and the allocation of IP address blocks), were subject to a large-scale compromise.

Looking beyond possible technical triggers leads us to issues such as geopolitical pressure, stewardship failures and corruption. This is not a stretch of the imagination: in the lead-up to the October 2016 transition of IANA stewardship away from the US government, concerns were raised about ICANN's future accountability and international legitimacy [8][9].

There are other potential institutional weak points as well, all capable of leading to systemic cyber risk events: publicly available threat intelligence feeds facing funding challenges or changing access policies, loss of trust in a major certificate authority due to poor governance, and community efforts such as OWASP losing legitimacy, fragmenting or simply failing through volunteer burnout.

Next Steps After The MITRE Funding Scare

Where do we go from here?

A useful first step may be for organizations to rethink the IT risk assessment process and ensure training is provided to security and risk teams so they are better positioned to acknowledge and recognize non-technical dependencies and institutional risk factors.

In this regard, building cross functional partnerships with those outside of the technology team may be a useful way to broaden the scope beyond the technical.

Cyber professionals should consider using the strengths of finance teams and their innate understanding of what various financial indicators can mean in terms of a company’s sustainability. Similarly, legal teams may be well positioned to identify significant concerns around governance or contractual arrangements.

With this support in place, cyber and risk professionals should begin mapping critical institutional dependencies. It is entirely possible that for some, this mapping may already be happening as part of the business impact analysis process, if not, then this is an activity that should be expedited.

It’s important that we understand the second, third and possibly even fourth level dependencies that support critical IT and business processes. Using the MITRE situation as an example, it’s fair to argue that a well mapped workflow should have identified that vulnerability management, patch management and security incident management all share a common critical dependency: the CVE program.

Assuming you have similarly critical choke points or potential single points of failure, it’s prudent to not only create contingency plans but to also consider, where possible, developing your own alternative or redundant systems.
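As an added illustration of that mapping exercise (example code written for this edit, not part of the original post), the following Python builds a small dependency map and answers the two questions the text poses: which institutions do several critical processes transitively depend on, and what breaks if one of them fails. The map itself is constructed for illustration; node names such as "advisory database", "CVE sponsor funding" and "CVE operator" are placeholders, and a real exercise would populate the graph from a business impact analysis or asset inventory.

```python
from collections import defaultdict, deque

# Constructed, illustrative dependency map (not a real inventory).
# An edge A -> B means "A depends on B". Depth 1 is a direct dependency,
# depth 2 a dependency of a dependency, and so on. Node names are placeholders.
DEPENDENCIES = {
    "vulnerability management": ["vulnerability scanner", "advisory database"],
    "patch management": ["vendor advisories", "vulnerability scanner"],
    "security incident management": ["SIEM", "threat intel feed"],
    "vulnerability scanner": ["advisory database"],
    "advisory database": ["CVE program"],
    "vendor advisories": ["CVE program"],
    "threat intel feed": ["CVE program", "threat intel vendor"],
    "SIEM": ["SIEM vendor", "cloud provider"],
    "CVE program": ["CVE sponsor funding", "CVE operator"],
}

CRITICAL_PROCESSES = [
    "vulnerability management",
    "patch management",
    "security incident management",
]


def transitive_dependencies(graph, start):
    """Return {dependency: depth} for everything `start` transitively relies on.

    Breadth-first search, so the recorded depth is the shortest chain from
    `start` to that dependency."""
    depth = {}
    queue = deque([(start, 0)])
    while queue:
        node, d = queue.popleft()
        for dep in graph.get(node, ()):
            if dep not in depth:
                depth[dep] = d + 1
                queue.append((dep, d + 1))
    return depth


def shared_dependencies(graph, processes, min_shared=2):
    """Dependencies, at any depth, that `min_shared` or more processes rely on.

    Returns a list of (dependency, sorted dependent processes, max depth),
    ordered so the most widely shared and deepest (least visible)
    dependencies come first. These are the institutional choke points."""
    users = defaultdict(dict)
    for proc in processes:
        for dep, d in transitive_dependencies(graph, proc).items():
            users[dep][proc] = d
    result = []
    for dep, by_proc in users.items():
        if len(by_proc) >= min_shared:
            result.append((dep, sorted(by_proc), max(by_proc.values())))
    result.sort(key=lambda r: (-len(r[1]), -r[2], r[0]))
    return result


def impact_of_failure(graph, failed):
    """Everything that transitively depends on `failed` (reverse reachability).

    Used to answer "what stops working if this institution goes away?"."""
    reverse = defaultdict(list)
    for node, deps in graph.items():
        for dep in deps:
            reverse[dep].append(node)
    return set(transitive_dependencies(reverse, failed))


if __name__ == "__main__":
    print("Shared dependencies of critical processes (widest and deepest first):")
    for dep, procs, depth in shared_dependencies(DEPENDENCIES, CRITICAL_PROCESSES):
        print(f"  {dep!r}: used by {len(procs)} processes, max depth {depth}")
    for failed in ("CVE program", "threat intel vendor"):
        hit = impact_of_failure(DEPENDENCIES, failed)
        affected = sorted(p for p in CRITICAL_PROCESSES if p in hit)
        print(f"If {failed!r} fails, affected critical processes: {affected}")
```

The ordering matters in practice: a dependency that is three hops away from every critical process, like the CVE program's own funding in this constructed map, is exactly the kind that never appears in a first-level vendor review, yet it shows up at the top of the list here because every process reaches it.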

If the latter is not possible, you can consider supporting community efforts to build this redundancy or petition those in policy, governance or oversight roles (e.g. lawmakers, regulators or standard setting bodies) to use their influence to address systemic risk factors.

Finally, while systemic cyber risk is commonly seen as largely beyond the control of any one entity, the MITRE funding scare should force us to deepen our understanding of how we could be the origin of, or affected by, cascading or widespread failures, and not just those of a technical nature.

References

  1. https://www.csoonline.com/article/3963190/cve-program-faces-swift-end-after-dhs-fails-to-renew-contract-leaving-security-flaw-tracking-in-limbo.html
  2. Understanding Systemic Cyber Risk, https://www3.weforum.org/docs/White_Paper_GAC_Cyber_Resilience_VERSION_2.pdf
  3. Quantifying Systemic Cyber Risk, https://www.aon.com/unitedkingdom/insights/quantifying-systemic-cyber-risk.jsp
  4. Systemic cyber risk, https://www.esrb.europa.eu/pub/pdf/reports/esrb.report200219_systemiccyberrisk~101a09685e.en.pdf
  5. Mitigating systemic cyber risk, https://www.esrb.europa.eu/pub/pdf/reports/esrb.SystemiCyberRisk.220127~b6655fa027.en.pdf
  6. https://www.businessinsider.com/developer-sabotages-open-source-github-code-libraries-protest-corporations-2022-1
  7. https://www.businessinsider.com/npm-left-pad-controversy-explained-2016-3
  8. https://www.npr.org/sections/alltechconsidered/2016/09/26/495396014/republicans-say-obama-administration-is-giving-away-the-internet
  9. https://www.internetsociety.org/blog/2015/09/globalizing-iana-the-internet-society-submits-comments-to-the-icg/