Identifying Critical Infrastructure in a World with Network Cybersecurity Risk

Georgia Tech Scheller College of Business Research Paper No. 3693544

27 Pages Posted: 5 Oct 2020 Last revised: 3 Sep 2021

See all articles by Deven R. Desai

Deven R. Desai

Georgia Institute of Technology - Scheller College of Business

Christos Makridis

Stanford University; Columbia University - Columbia Business School

Multiple version iconThere are 2 versions of this paper

Date Written: September 16, 2020

Abstract

Covid-19 has highlighted the fragility of supply chains in a range of critical infrastructure: food, medicines, health care, information technology, communications, and more. This paper focuses on an under-appreciated supply chain risk—network cybersecurity—that was present before the pandemic and which the pandemic brings into sharper focus.

While the proliferation of digital services has created significant value and employment opportunities, it has also created a wide array of new cybersecurity vulnerabilities.

Vulnerabilities of DVRs, CCTVs, voting machines, and municipal systems, leading to denial of service attacks and ransomware hold ups are known. But, these examples miss a problem. Although these examples give the impression that only certain hardware and specific entities are affected, taking networked cybersecurity into account changes yields different conclusions. For example, given that enterprise software, which is common for work at home situations, is rapidly becoming a cybersecurity vulnerability, anyone connected by this software necessarily becomes a target too. Malicious cyber incidents, like data breaches, can have ripple effects across a network of businesses and sectors. Current definitions and regulations of Critical Infrastructure (CI) overlook this point.

We argue that the network dimension of cybersecurity supply chain risk is an important, under-studied aspect of the problem. Legal definitions of CI and the voluntary nature of cybersecurity governance leave gaps in the classification of CI and how to identify cybersecurity risk, particularly in the professional services sector. In addition, the voluntary nature of cybersecurity governance demands risk-based and objective measures to aid in identifying when to take steps on improving cybersecurity, but exactly what such metrics are is, at best, evolving.

We address both these problems. By drawing on a new dataset, we develop metrics that measure productivity effects and that captures network cybersecurity risk. This approach allows us to show that a major sector, professional services, is missed by current definitions of critical infrastructure, but could be captured if CI definitions accounted for networked cybersecurity risk. In addition, the approach aids voluntary participation in mitigating cybersecurity risk because it provides a way for any firm or sector to identify and assess the nature of its networked cybersecurity risk.

In short, networked cybersecurity vulnerabilities can adversely affect aggregate growth and national security objectives because of connectivity across firms and sectors. This work seeks to provide a path forward for understanding, defining, and protecting networked cybersecurity.

Keywords: Cybersecurity, data breach, input-output linkages, supply chain

JEL Classification: K23, K20, K29

Suggested Citation

Desai, Deven R. and Makridis, Christos, Identifying Critical Infrastructure in a World with Network Cybersecurity Risk (September 16, 2020). Georgia Tech Scheller College of Business Research Paper No. 3693544, Available at SSRN: https://ssrn.com/abstract=3693544 or http://dx.doi.org/10.2139/ssrn.3693544

Deven R. Desai

Georgia Institute of Technology - Scheller College of Business ( email )

800 West Peachtree St.
Atlanta, GA 30308
United States

HOME PAGE: http://scheller.gatech.edu/directory/faculty/desai/index.html

Christos Makridis (Contact Author)

Stanford University ( email )

Stanford, CA 94305
United States

Columbia University - Columbia Business School ( email )

3022 Broadway
New York, NY 10027
United States

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Downloads
120
Abstract Views
1,357
Rank
212,673
PlumX Metrics