Introduction
There is growing concern about “systemic cyber risk”—the possibility that a single failure
somewhere in cyberspace could cause widening ripples with catastrophic consequences.
Whereas most cyber events have a narrowly defined set of victims, a systemic cyber
incident could do damage on a national or even a global scale—threatening the digital
infrastructure that entire societies, economies, and governments rely on to function. In
the last few months alone, two very different events illustrated distinct versions of the
problem.

On November 24, 2021, Chinese cybersecurity researchers disclosed a severe vulnerability
in Log4j—a low-profile software utility embedded in millions, or perhaps billions, of
consumer devices and enterprise systems around the world. The security flaw could
permit hackers to take total control of vulnerable machines with relative ease. The job of
fixing Log4j fell to a team of volunteer programmers at Apache, who took two weeks to
release a security patch. By that point, the hacking had already begun. The first patch was
then followed by a second patch and a third patch, as more security gaps were uncovered.
Meanwhile, organizations struggled to apply these patches because Log4j is often hidden
underneath layers upon layers of other software packages. Experts predict it will take
years to fully resolve the issue. Until then, innumerable victims remain vulnerable to
state-sponsored hackers, ransomware gangs, and other bad actors.

Compare the Log4j incident—a slow-rolling crisis actively abused by malicious actors—
with another recent global event that was shorter, sharper, and completely accidental. On
October 4, 2021, billions of users worldwide lost access to all Facebook services, including
Instagram and WhatsApp. This happened because a small error during routine
maintenance had unexpected and cascading consequences. An errant command was
entered, and a bug in Facebook’s auditing systems mistakenly allowed the command to
run, disconnecting all data centers. Misjudging the situation, Facebook’s DNS servers
reacted by automatically halting public advertisements, blinding the internet to
Facebook’s online location. Meanwhile, widespread network failures blocked Facebook’s
IT staff from accessing the affected systems, even physically, to restore them. Although
the outage lasted only six hours, that was a lifetime for many small businesses, family
networks, and others reliant on Facebook for their daily needs.

These different incidents point to a common set of underlying problems. While
organizations and consumers have more tools than ever to protect their data from loss or
compromise, improvements in individual defense have been offset by a heightened risk of
systemwide events. Many sectors of the global economy now rely on the same set of
critical technology products and services, concentrating risk into an unknown number of
possible failure points. The potential for catastrophe increases as developing nations