COMMENTARY: A single point of failure wreaks havoc and devastation whether in the physical or the cyber worlds. Over recent weeks, we have seen lives lost because of single points of failure in our nation’s flood mitigation systems in North Carolina. At the same time, nation-state adversaries have poked and prodded at single points of failure to launch cyberattacks on our critical infrastructure, defense, and intelligence networks.
Earlier this month, it was reported that the Chinese government had infiltrated the networks of U.S. broadband providers, seeking access to the systems those carriers use to manage court-authorized wiretap requests. And earlier this year, a single faulty CrowdStrike software update simultaneously and without warning crippled millions of Windows computers worldwide, costing billions in economic damage.
In addition, the scope, scale, and precision of the (presumed) Israeli operations that ignited the pagers and walkie-talkies of Hezbollah terrorists en masse stunned many last month and should serve as a sobering reminder of how deadly the result can be when an adversary exploits a single point of failure.
Single points of failure cause systemic risk – the risk that an event at a company or government agency level could trigger severe instability or collapse in an entire industry or economy.
Today, systemic risk within our defense industrial base threatens our national security. Simply put, we do not adequately understand the single points of failure within our technological systems, and until we do, none of us are immune to attack by a determined adversary.
There is clear evidence that our adversaries could exploit our technological systemic risk to wage asymmetric war on us. The scale and devastation of the CrowdStrike outage (an accident, not an attack, but one that showed the reach a deliberate actor could achieve through one vendor's update) and of the presumed Israeli operation that detonated Hezbollah's pagers and walkie-talkies simultaneously and without warning were previously hard to imagine. These incidents demonstrate how weaponizing systemic risk can degrade an adversary's resilience all at once, and how integrating physical and cyber effects can scale that damage into death and destruction.
What's the solution? Government agencies and corporations are looking within their organizations, but not across them. The Defense Department has hardened its critical assets against direct attack. Still, its siloed and bureaucratic design handicaps its ability to look across its suppliers, and the suppliers of those suppliers, to identify the single points of failure our adversaries are looking to exploit.
We need to look at every entity's single points of failure, identify systemic risk across entities, and then act to shore up the resiliency of critical operations. For example, America identified that our inability to manufacture enough chips domestically is a systemic risk and passed the CHIPS and Science Act in response. Chips are critical, but unfortunately they are only the tip of the iceberg; lurking beneath the surface are other significant and invisible risks, such as software.
Interestingly, some best practices are emerging from the private sector. America's electric utilities have shown how an industry can band together to identify and mitigate systemic risk. Utilities have identified 10 publicly available software components that are installed on a disproportionate number of power management systems, and they are now working to make those systems more resilient to attack.
The time has come for the Defense Department to similarly adopt a more collaborative approach with its industrial base, cutting across its numerous program office silos to identify systemic risks in its supply chains. Such risk assessment must account for all hardware and software components and the interplay between them. The Deputy Secretary of Defense should own this responsibility across the Defense Department and should work with the lead acquisition officers in each service to create a process to collaboratively identify these risks as well as means to mitigate them.
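The cross-supplier analysis the utilities performed, and that the column asks the Defense Department to repeat, comes down to tallying which components recur across many fielded systems and many vendors. The following is an added illustration of that tally, not code from this column or from Fortress Information Security. It runs over a handful of constructed, simplified SBOM-like records (system name, vendor, component list); the record shape, the vendor and component names, and the 50 percent / two-vendor threshold are all assumptions chosen for the example.

```python
"""Cross-supplier component concentration analysis (added illustration).

Given simplified SBOMs, one per deployed system, count how many systems
and how many distinct vendors each component appears in, then flag the
components whose failure or compromise would touch a disproportionate
share of the fleet. Everything below is constructed example data.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data: minimal SBOM-like records, one per deployed system.
# Vendor names, system names and component versions are invented.
SBOMS = [
    {"system": "relay-ctl-A", "vendor": "VendorA",
     "components": ["libssl@3.0.2", "zlib@1.2.11", "rtos-kernel@4.1"]},
    {"system": "relay-ctl-B", "vendor": "VendorA",
     "components": ["libssl@3.0.2", "zlib@1.2.11", "rtos-kernel@4.2"]},
    {"system": "scada-hmi-1", "vendor": "VendorB",
     "components": ["libssl@3.0.2", "zlib@1.2.11", "webui@2.0"]},
    {"system": "scada-hmi-2", "vendor": "VendorB",
     "components": ["libssl@3.0.2", "zlib@1.2.11", "webui@2.1"]},
    {"system": "meter-gw", "vendor": "VendorC",
     "components": ["zlib@1.2.11", "mbedtls@2.28", "lwip@2.1"]},
    {"system": "sub-router", "vendor": "VendorD",
     "components": ["libssl@3.0.2", "frr@8.5"]},
]


@dataclass(frozen=True)
class Concentration:
    component: str
    systems: int   # number of deployed systems embedding the component
    vendors: int   # number of distinct vendors shipping it
    share: float   # fraction of all systems that embed it


def component_concentration(sboms, by_version=True):
    """Return per-component counts across systems and across vendors.

    by_version=False collapses "name@version" to "name", which is the
    right view when one advisory affects a range of versions. Counting
    vendors separately matters: a component shipped by one vendor is that
    vendor's problem; one shipped by most vendors is the industry's.
    """
    systems_by_comp = defaultdict(set)
    vendors_by_comp = defaultdict(set)
    for sbom in sboms:
        keys = {c if by_version else c.split("@", 1)[0]
                for c in sbom["components"]}   # de-duplicate within one SBOM
        for key in keys:
            systems_by_comp[key].add(sbom["system"])
            vendors_by_comp[key].add(sbom["vendor"])
    total = len(sboms)
    return sorted(
        (Concentration(c, len(s), len(vendors_by_comp[c]), len(s) / total)
         for c, s in systems_by_comp.items()),
        key=lambda r: (-r.share, -r.vendors, r.component),
    )


def single_points_of_failure(sboms, min_share=0.5, min_vendors=2, by_version=True):
    """Components present in at least min_share of systems AND sourced into
    the fleet by at least min_vendors distinct vendors: a single defect or
    compromise there hits the whole industry, not just one supplier.
    Thresholds are assumptions for this example."""
    return [r for r in component_concentration(sboms, by_version)
            if r.share >= min_share and r.vendors >= min_vendors]


if __name__ == "__main__":
    for r in single_points_of_failure(SBOMS):
        print(f"{r.component:14} systems={r.systems}/{len(SBOMS)} vendors={r.vendors}")
```

On the constructed data, libssl and zlib each sit in five of six systems from three different vendors, so both are flagged; the RTOS kernel appears twice but only from one vendor and stays that vendor's concern. Real SBOMs (CycloneDX or SPDX) carry transitive dependencies, so the same tally run over a full dependency graph is how "suppliers of suppliers" become visible.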
This task will not be easy, but we must do it quickly. We have learned to identify and manage systemic risk in our financial systems, so we can do it for our national defense. Humans habitually ignore systemic risk, perhaps because it takes courage to go against the grain. I'm reminded of a quote from The Big Short, the Academy Award-winning movie about the few who saw the great financial crisis coming:
“But there were some who saw it coming. While the whole world was having a big ol’ party, a few outsiders and weirdos saw what no one else could. These outsiders saw the giant lie at the heart of the economy. And they saw it by doing something the rest of the suckers never thought to do: they looked.”
Let’s Look!
Alex Santos, co-founder and CEO, Fortress Information Security
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.