Systemic Cybersecurity Risk and Role of the Global Community: Managing the Unmanageable

November 2022

Contents

Preface/Foreword/Introduction
1 The cybersecurity landscape
2 Understanding systemic cybersecurity risk
3 Classifying systemic cybersecurity risk
4 Responding to systemic cybersecurity risk
Acknowledgements

Systemic cyber risk

Cyberattacks are frequently becoming ‘cyber events’ with systemic impact. How can governments and businesses respond?

In February 2022, a cyberattack on commercial satellite services in Ukraine knocked thousands of electricity-generating wind turbines across Central Europe off their remote monitoring and control links. In July 2021, supermarkets in Sweden were forced to close their doors after a cyberattack on an IT services provider based in Florida, USA. In both cases, the rolling flow of disruption was neither predicted nor predictable. These incidents show how the technologies that support businesses, infrastructure and societies are increasingly interdependent, and vulnerable.

Different technologies across a multitude of organizations now have the same common dependencies or weaknesses. This means the impact of cybersecurity incidents can cascade from organization to organization and across borders. The risks this creates are systemic, contagious and often beyond the understanding or control of any single entity. Systemic risks can be difficult to predict and quantify, and even more difficult to manage.

Traditional cybersecurity approaches are limited in their ability to understand and deal with systemic risks because they necessarily focus on single entities, systems and supply chains. As cybersecurity threats multiply, escalate and coalesce, it is imperative for the global community to treat cybersecurity risk as a systemic challenge that requires collective decision-making and coordinated action across governments, the private sector and civil society.

This briefing paper outlines how the technology and cybersecurity landscape is changing, why these changes make cybersecurity risk management a systemic issue, and how governments, international organizations, the private sector and civil society must collaborate to make society resilient to systemic cyber events.

1 The cybersecurity landscape

The World Economic Forum previously examined the issue of systemic cybersecurity risk in the 2016 Understanding Systemic Cyber Risk white paper. As predicted, societal reliance on technology has steadily increased since then as connected devices and cloud-enabled services have become more ingrained in daily life.

What has also changed is the capability and ambition of cybersecurity threat actors, as well as the availability of attack opportunities. Cybersecurity experts have long feared that large-scale global cybersecurity attacks would materialize. In the years since, this fear has shown itself to be well-founded:

– In 2017, the update mechanism of a popular piece of Ukrainian accounting software (M.E.Doc) was abused to deliver the NotPetya malware to Ukrainian systems. The attack spread beyond Ukraine, crippling international shipping among several other sectors, and resulted in an estimated $10 billion in total damages.

– In 2020, the build process of SolarWinds’s Orion IT management and monitoring platform was compromised, and the trojanized update gave attackers the potential to access tens of thousands of organizations.

– In 2021, a remote code execution flaw (Log4Shell, CVE-2021-44228) in Log4j, an open-source logging library used by apps and services across the internet, was exploited to potentially compromise hundreds of millions of systems.

– In April 2022, an attack by the ransomware gang known as Conti showed it could cripple Costa Rica’s ability to collect taxes, issue payments, buy and sell goods, and even provide electricity.

While each event’s technical details are different, they also share key characteristics. Isolated cybersecurity attacks can become major cybersecurity events, which are characterized by cascading effects across communities, economies and governments. These sometimes have catastrophic consequences, as the NotPetya attack did, and could threaten global critical infrastructure.

Although emerging technologies are creating new opportunities for economic prosperity, they are also giving rise to new and highly complex risks. These challenges are too big and too complex for any one organization to tackle.

2 Understanding systemic cybersecurity risk

Systemic risk refers to the possibility that a single event or development may trigger widespread failures and negative impacts spanning multiple organizations, sectors, or nations. Systemic risk is described in the Forum’s 2021 report Beneath the Surface: Technology Driven Systemic Risks and the Continued Need for Innovation as a network of seemingly isolated risks that grow and spread across heavily interconnected and deeply ingrained products, services and systems.

In cybersecurity, technological and comparative advantages can incentivize different organizations, often from different sectors, to rely on the same third-party hardware, software, or service provider. For example, many firms might rely on poorly maintained open-source projects, or on the same cloud company or Domain Name System (DNS) provider. This concentrates risk when a shared service or commonly used technology is disrupted by cyberattackers.

This means that disruptions to organizations that do not appear to have a systemically important role in the digital ecosystem can have unexpected consequences.

Preparation for systemic cyber events requires collaboration across the private sector, government agencies and civil society. For this to be effective, there needs to be a common understanding of the risks that organizations are trying to identify and manage.

3 Classifying systemic cybersecurity risk

Systemic cybersecurity risks can be broadly categorized by the source from which they originate and the way they manifest or present themselves within a broader system. While risks can manifest in a multitude of ways, they are likely to originate from one of the following source categories:

– Common cause risks include those risks that originate when multiple organizations utilize the same hardware, software, or communication tools, which creates the possibility that multiple failures may arise from a single underlying defect.

– Shared service risks refer to the risks generated when organizations leverage the same cloud providers or social media platform, for example to accelerate business operations, yet leave themselves vulnerable to cybersecurity incidents that the host provider could not anticipate.

– Operational dependency risks occur when the disruption of one organization’s operations, such as a shutdown of an electricity grid, disrupts many other organizations’ operations, creating a cascading effect across multiple entities.

– Shared trust and confidence risks stem from over-reliance on, and the subsequent loss of, the trust that data and processes are accurate and reliable.

The way a systemic cybersecurity risk manifests provides a second angle through which it can be understood:

– Flow risks include the risks that flow from one organization to another through a multitude of connections and interlinkages. This includes risks that transfer along physical or operational connections between organizations (sometimes described separately as chain risks).

– Simultaneous emergence risks are those risks that appear simultaneously across many different organizations.

– Behaviour risks are the risks propagated by many people or organizations changing their behaviour in a short period of time, such as when the COVID-19 pandemic caused many people to work from home.

4 Responding to systemic cybersecurity risk

Historically, the rate of technological innovation has outpaced regulation and policy actions, and cybersecurity threat actors have continued to rapidly learn and evolve. Effectively managing systemic cybersecurity risk at the speed and scale required cannot be left solely to individual governments or organizations, which are only part of the chain through which the impacts of a systemic cyber event are felt. Instead, a whole-of-society approach at global scale is required.

Stakeholders across governments, international organizations, the private sector and nonprofits should identify the actions within their control and coordinate across different organizations to collectively address these problems.

Government policymakers

National governments can use their legal, regulatory and financial capabilities to incentivize country-wide efforts to study, respond to and manage systemic cybersecurity risks. Even though systemic cybersecurity risks often cross national borders, countries can still take steps to understand the risks and lessen their vulnerability. Governments can:

– Continue to coordinate attribution and legal efforts to name, shame, sanction and arrest threat actors in order to deter future large-scale cybersecurity attacks

– Commission country-wide systemic cybersecurity risk research to quantify and track country-level cybersecurity risk and high-impact sectors

– Shift from event-based, responsive cybersecurity policies to proactive measures that address cybersecurity risks as part of a larger, interconnected system

– Continue to encourage and fund development security and operations (DevSecOps) transitions across government agencies

– Establish explicit cybersecurity requirements for the standardization of development of hardware, software and services that are provided to government agencies

– Provide financial backstops for cybersecurity insurance markets to incentivize cybersecurity insurance coverage and allow for coverage of certain systemic cyber events that are too big for the private insurance industry to bear alone

– Coordinate to identify, prosecute and deter large-scale criminal activity that targets critical infrastructure

– Facilitate information sharing within the national economy and engage with others on an international level

International organizations

International organizations can use their existing platforms and decision-making processes to develop new standards, propose international agreements and facilitate inter-governmental dialogue and collective action. By centralizing and coordinating global action, they can better address systemic cybersecurity risks that cut across multiple regions and types of governments. International organizations can:

– Establish global norms that prohibit state or state-sponsored cybersecurity attacks against core open-source projects, common digital and other critical infrastructure

– Create confidence-building measures to reduce concerns over governments targeting key foundational elements of the internet

– Develop cybersecurity capacity funds to help build cybersecurity capabilities. This will support lower-capacity countries to strengthen their cybersecurity postures and recover from large-scale cybersecurity attacks

– Charter an international working group to study and measure systemic cybersecurity risks and identify common vulnerabilities and bottlenecks

Private sector leaders

The private sector is a powerful resource for cybersecurity talent, quick decision-making and innovation. Private sector organizations can take steps to secure their operations, protect their customers against systemic cybersecurity risks, and share best practices and lessons learned. The private sector can:

– Use a cybersecurity risk taxonomy to identify an organization’s unique risk posture and vulnerabilities beyond an organization’s direct control

– Set clear risk appetite standards and take measures to reduce exposure to cybersecurity risks and limit exposing customers or other organizations to these risks

– Support efforts to secure and maintain core open-source infrastructure projects

– Create and maintain software bills of materials, which list the items that make up the components for software products and services

– Incentivize talent and knowledge exchange efforts with governments, international organizations and nonprofits to diffuse innovative solutions across the global cybersecurity community

Cybersecurity nonprofit leaders

Cybersecurity nonprofits play an important and often overlooked role in the global cybersecurity ecosystem. Nonprofits are often seen as neutral experts, which allows these organizations to bring together diverse voices, perspectives and resources. These organizations can use their expertise to create, aggregate and disseminate tools to educate and secure organizations and individuals against systemic cybersecurity risks. Nonprofits can:

– Integrate and amplify diverse voices and perspectives from across the global cybersecurity community

– Educate organizations and individuals on the characteristics and dangers of systemic cybersecurity risk

– Create, aggregate and sustain tools, frameworks and resources to help organizations of all sizes proactively address and respond to systemic cybersecurity risks

Acknowledgements

This briefing paper is based on conclusions from meetings of the World Economic Forum’s Global Future Council on Cybersecurity in its 2021-2022 session.

Lead authors

Michael Daniel, President and Chief Executive Officer, Cyber Threat Alliance
Colin Soutar, Managing Director, Cyber Risk, Deloitte

Global Future Council on Cybersecurity Members

Louise Axon, Research Associate in Cybersecurity, University of Oxford
Christophe Blassiau, Senior Vice-President, Cybersecurity and Global Chief Information Security Officer, Schneider Electric
Maya Bundt, Director, Bâloise-Holding; Chair, Cyber Resilience Chapter, Swiss Risk Association
Gabi Dreo Rodosek, Professor; Founding Director, Research Institute CODE, Universität der Bundeswehr München
Cathy Foley, Chief Scientist, Government of Australia
David Koh, Commissioner of Cyber Security and Chief Executive, Cyber Security Agency of Singapore
Renju Varghese, Fellow and Chief Architect, HCL Technologies

Global Future Council on Cybersecurity Manager

Seán Doyle, Lead, Centre for Cybersecurity, World Economic Forum

With support from:

Anthony Fratta, Specialist Leader, Cyber & Strategic Risk, Deloitte
Christopher W. Smith, Manager, Cyber & Strategic Risk, Deloitte
Mackenzie Mandile, Senior Consultant, Cyber & Strategic Risk, Deloitte
Drew Herrick, Senior Consultant, Cyber & Strategic Risk, Deloitte

