We Should Have Known SolarWinds Would Be a Target

Deven R. Desai is an associate professor of law and ethics and associate director of machine learning at the Georgia Institute of Technology. @devendesai

Christos A. Makridis is an assistant research professor at Arizona State University, a non-resident fellow at Baylor University’s Institute for Religious Studies, Stanford University’s Human-Centered AI Institute, and MIT Sloan’s Initiative on the Digital Economy, and a senior adviser at Gallup. Follow him on Twitter and Instagram @camakridis.

The recent revelation of the SolarWinds hack provides an illustrative and timely example of how cybersecurity vulnerabilities can affect every organization, with the company’s enterprise software, a network monitoring system, installed at government agencies, including the Departments of Commerce, Defense, and Treasury, tech giants such as Cisco, Intel, Nvidia, and VMware, and hospitals and universities. Our research shows the SolarWinds breach should come as no surprise. The risk of these supply chain hacks is much higher than previously acknowledged, due to the high level of connectivity across different sectors in the economy.

The United States recognizes sixteen designated sectors as critical infrastructure, including transportation and financial services, “whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” Sixteen sectors sounds comprehensive, but what if structural changes in the economy, like the ongoing pandemic, elevate the importance of some sectors over others? Will such a list still be comprehensive? Moreover, what if the something like the pandemic raises the importance and vulnerability of systems that connect different sectors?

Enterprise software shows how vulnerabilities affect every sector. Even before the COVID-19 pandemic, many industries relied on Virtual Private Networks (VPN) and Remote Desktop Protocols (RDP) to enable work away from the office. In the first half of 2020, enterprise ransomware hit “all-time high[s]” often by exploiting VPNs and RDPs, with RDP exploits being “regarded as the single biggest attack vector for ransomware,” according to one cybersecurity firm. The infamous WannaCry malware incident in 2017 relied on Server Message Block (SMB) protocol vulnerability [PDF]. And yet, SMB vulnerability persists as a problem exacerbated by VPN and RDP software issues. In another ransomware attack , an auto part supplier suffered an attack that started with its RDP and then went on to exploit SMB and other vulnerabilities. 

Our research investigates whether the current approach to classifying sectors as critical infrastructure potentially misses an important aspect of cybersecurity—a phenomenon that we call “network cybersecurity,” which refers to how the inherent connectivity across sectors in the broader economic network propagates risk through the supply chain. This blind spot means that sectors with the greatest output and most cyber-vulnerabilities are not on the current list of critical infrastructures. In response, we offer a way to understand network cybersecurity risk and thereby identify what should be deemed critical infrastructure and when increased cybersecurity measures are needed.

We draw on proprietary data from Rapid7, which provides services to organizations and some data to the public for purposes of strengthening U.S. cybersecurity. We combine the data from Rapid7 with data from the Bureau of Economic Analysis, which allows us to measure how much (in dollars) each sector contributes to every other sector in the economy. We create two measures of the networked cybersecurity problem—one that captures productivity effects, and one that captures cybersecurity risk. We then calculate the contribution of risk that each sector gives to every other sector.

We find two main results. First, some sectors that typically would not be considered a cybersecurity risk rank fairly high, namely professional services. That shouldn’t come too much as a surprise: every sector, including those within the current interpretation of critical infrastructure, use professional services. Second, we found that the correlation between an industry’s own cybersecurity risk and its network cybersecurity risk is very small, whereas the correlation was much larger between a sector’s productivity and the productivity of its supply chain.

This is easiest to see in professional services. Even though professional services might not be traditionally defined as critical infrastructure, every sector uses these services, so any vulnerabilities inherent in it will necessarily propagate across the network. This illustrative example is important since it shows that a sector’s own cybersecurity risk is hardly a proxy for its overall risk—the actions of other sectors greatly influence others depending on their connectivity.

Our research led us to two policy recommendations. First, the National Institute of Standards and Technology (NIST) and the Bureau of Industry and Security should share more data with one another and coordinate over an assessment of cybersecurity risk. Given that we have shown the current classification of critical infrastructure is incomplete, NIST could issue guidance that is re-evaluated over time for firms that reside in each of the following risk categories: firms that display systemic risk because of their size and connectivity, sectors that display sufficiently large risk based on the sum total of the firms in the sector and their connectivity to the rest of the economy, and firms in sectors that are lower risk. Such a classification would significantly help in prioritizing precautionary actions, in addition to providing investors and the broader market information about vulnerabilities.

Second, the network approach to evaluating cybersecurity risk should guide the priorities in the Cybersecurity and Infrastructure Security Agency (CISA) in the Department of Homeland Security. Although their role has focused on aiding the traditionally-classified critical infrastructure sectors, our analysis shows that there could be more influential nodes in the network that matter for aggregate risk. This argument is reinforced by the recent SolarWinds breach, of which the full consequences are still being assessed. Given limited resources, CISA should focus their efforts where they matter most. Moreover, CISA and NIST should coordinate to create standards that are informed by actual cybersecurity risks.