Emerging Systemic Risk Issues: Discussion from the Second Cybersecurity and Technology Futures Event

March 1, 2019

Author:

Connor Herriford

This event was the second in a series of events. The first focused on privacy. The next one will focus on Artificial Intelligence (AI). It will be on March 6 at 3pm in the Peterson Room in the Allen Library on the UW campus. The full schedule can be found here.

The increasing interconnectedness of society as a result of technological advancement presents global challenges, especially in the form of systemic risk. Systemic risk has been traditionally considered in relation to financial systems, with the 2008 global financial crisis being one of the best examples of the dangers of systemic risk. In relation to cybersecurity and technology, systemic risk usually describes an event or attack that impacts an element of critical infrastructure that is so central to overall technological infrastructures that it creates a cumulative effect across the entire system, potentially even threatening public safety.

Speakers from the public and private sector spent the afternoon of February 6 addressing the issue of systemic risk, calling attention to future challenges and potential threats. The speakers were Mary Gardner, Chief Information Security Officer, F5 Networks; Annie Searle, Lecturer, UW Information School and principal of ASA Risk Consultants; and Michele Turner, Senior Manager in Business Resiliency-Corporate Business Continuity and Risk, Amazon. Jackson School of International Studies’ Lecturer Jessica Beyer was the moderator of the panel. Speakers discussed the issue of systemic risk from the perspective of their deep expertise, rather than commenting as a representative of their places of employment.

Ms. Gardner has a background in security, compliance, and risk management in a variety of industries – including healthcare, finance, and transportation logistics – and offered a unique perspective on systemic risk. To set the stage, Ms. Gardner discussed WannaCry, a ransomware attack that infected thousands of computer networks in 2017. The targets were widespread, but Ms. Gardner specifically called attention to the attacks on European and US hospitals. Because the operational systems of the hospitals and their third-party vendors are interconnected, the attacks caused cascading damage that extended beyond the hospitals' own infrastructure. To further elaborate on healthcare risks, Ms. Gardner presented an additional example of an attack on oil and gas concerns that bled over to the medical industry, where the damage sustained was comparable to that of other large-scale ransomware attacks. In this case, the ransomware infection extended to third-party medical vendors – damaging records for the months prior to the attack. With no transcriptions of the patient visits, hospitals had to piece together patient records. Not only does this demonstrate the cascading systemic threat present in cyberattacks, but it also emphasizes the necessity for cyber-resilience in every area of a variety of industries. Ms. Gardner finished by noting that cybersecurity is an important component in controls and legislation.

Ms. Turner spoke from her 25+ years of experience as a subject matter expert in business continuity, addressing areas such as governance, risk, and compliance. She focused on the maturity of persistent cyber threats as well as the marriage between business processes and technology. Ms. Turner began by stating that threat actors have matured and evolved their hacking processes. She cited WannaCry and SamSam, ransomware attacks that have had devastating consequences, as examples of hackers' ever-evolving threat adaptations. No longer are hackers resorting to email and clickbait phishing, but rather they are infiltrating networks by guessing passwords – typically by means of default credentials. She argued that to address this, companies, industries, and governments need to update and upgrade their existing policies. Moreover, Ms. Turner emphasized the need for companies to analyze operations from a business continuity perspective, asking questions such as: What are we doing? What are the potential risks involved? And what would be the impact if these risks were to arise? By assessing operations from a comprehensive view, businesses can adopt a proactive approach to limit the impact of systemic risk threats. For this to occur, Ms. Turner stated, there needs to be a marriage between business processes and technology that establishes operation protocols and regulations.

Annie Searle further elaborated on the points presented by Ms. Gardner and Ms. Turner while also providing insight on how systemic risk impacts various industries. Ms. Searle began by asserting that systemic risk extends beyond the financial system. Similar to Ms. Gardner, Ms. Searle referenced WannaCry and the devastating consequences it had on the healthcare system, often via third parties involved. Ms. Searle then cited Stuxnet, an attack on an Iranian nuclear plant’s uranium centrifuges, as an example of the rapid advancement of systemic manipulation of technology, illustrating the point that such manipulation can cause physical results. Ms. Searle then noted that ransomware most often targets the financial and healthcare sectors, as these often deliver the most lucrative returns for hackers. To address this, she argued that there needs to be continuous monitoring of infrastructure and networks as well as frequent patching of exploitable vulnerabilities. To achieve this, there needs to be an increase in industry communication and collaboration. Additionally, contingency plans must be developed to take a proactive rather than reactive stance in the event of an attack. Ms. Searle closed by mentioning the necessity of incident response teams to address the aforementioned concerns.

The talk was the second in a series of talks on Cybersecurity and Technology Futures. The first talk focused on privacy. The next talk is on March 6, 2019 at 3pm in the University of Washington’s Allen Library’s Peterson Room. The speakers include: Delight Roberts, Senior Compliance and Policy Manager, Microsoft; Sujatha Sagiraju, Senior Program Manager, Microsoft; and Hannaneh Hajishirzi, Assistant Professor, UW Computer Science and Engineering. Annie Searle, Lecturer, UW Information School will moderate.

The speaker series is sponsored by the University of Washington’s Jackson School of International Studies, Information School, and Women’s Center with support from the Carnegie Corporation of New York.

This publication was made possible in part by a grant from Carnegie Corporation of New York. The statements made and views expressed are solely the responsibility of the author.