UNDERSTANDING SYSTEMIC RISK AND ASSESSING SYSTEMIC RESILIENCE: CYBER AND BEYOND

The two preceding calendar years both ended with the exposure of software vulnerabilities that produced massive fallout. In December 2020, we learned of the Sunburst attack on SolarWinds’ Orion network management platform, which raised fresh concerns about an adversarial nation-state’s ability to conduct extraordinary intelligence gathering and military planning through cyber intrusion. In late 2021, a critical remote code execution vulnerability in Log4j, a Java logging library maintained by the Apache Software Foundation, was disclosed and patched. Within a week of its disclosure, malicious actors had attempted to exploit the Log4j vulnerability against roughly half of all corporate networks globally. The scale on which these components are used, and their apparent insecurity, led the information security community to wonder at both moments whether the long-feared ‘cyber Pearl Harbor’ had finally arrived.

The Log4j and Sunburst incidents are often cited in narrow, disparate discussions about the need for stronger application security requirements, or in equally narrow debates about software supply chain security and third-party risk management. These events instead expose a larger constellation of challenges and portend more serious risks to our digital infrastructure than organisations may be ready to confront. Log4j’s ubiquity in open source and proprietary software reveals a dependence that was not matched by any willingness among its users to verify and fund its security. In the case of Sunburst, the remarkable degree of digital trust that tens of thousands of organisations placed in a single company, SolarWinds, made it the perfect poison pill for a foreign adversary. These two incidents, among a slew of others in recent years, should focus attention on systemic cyber risk: the possibility that a node in widely relied-upon digital infrastructure is so critical that its failure could produce cascading financial, operational and societal disruption.

Jul-Sep 2022 Issue

Good Harbor Security Risk Management