Identifying Critical Infrastructure in a World with Network Cybersecurity Risk

Abstract

Covid-19 has highlighted the fragility of supply chains in a range of critical infrastructure— food, medicines, health care, information technology, communications, and more. This paper focuses on an under-appreciated supply chain risk, network cybersecurity, that was present before the pandemic and which the pandemic brings into sharper focus. Between 2004 and 2016 the digital economy has grown nearly four times as fast as the rest of the economy according to the Bureau of Economic Analysis. The proliferation of digital services has created significant value and employment opportunities; it has also created a wide array of new cybersecurity vulnerabilities. Vulnerabilities of DVRs, CCTVs, voting machines, and municipal systems, leading to denial of service attacks and ransomware hold ups are known, but these examples miss a problem. Although these examples give the impression that only certain hardware and specific entities are affected, taking networked cybersecurity into account changes yields different conclusions. For example, given that enterprise software, which is common for work at home situations, is rapidly becoming a cybersecurity vulnerability, anyone connected by this software necessarily becomes a target too. Malicious cyber incidents, like data breaches, can have ripple effects across a network of businesses and sectors. Yet current definitions and regulations of Critical Infrastructure (CI) miss this point. We argue that the network dimension of cybersecurity risk is an important, under-studied aspect of the problem. Legal definitions of CI and the voluntary nature of cybersecurity governance leave gaps in the classification of CI and how to identify cybersecurity risk, particularly in the professional services sector. In addition, the voluntary nature of cybersecurity governance demands risk-based and objective measures to aid in identifying when to take steps on improving cybersecurity, but exactly what such metrics are is, at best, evolving. We address both these problems. By drawing on a new dataset, we develop metrics that measure productivity effects and that captures cybersecurity risk. This approach allows us to show that a major sector, professional services, is missed by current definitions of critical infrastructure, but could be captured if CI definitions accounted for networked cybersecurity risk. In addition, the approach aids voluntary participation in mitigating cybersecurity risk, because it provides a way for any firm or sector to identify and assess better the nature of its networked cybersecurity risk. In short, these networked cybersecurity vulnerabilities can adversely affect aggregate growth and national security objectives because of connectivity across firms and sectors. This work seeks to provide a path forward for understanding, defining, and protecting networked cybersecurity.