Identifying Critical Infrastructure in a World with Network Cybersecurity Risk

20 Pages. Posted: 5 Aug 2021


Christos Makridis

Stanford University; Institute for the Future (IFF), Department of Digital Innovation, School of Business, University of Nicosia; Arizona State University (ASU); Department of Veterans Affairs (VA)

Deven R. Desai

Georgia Institute of Technology - Scheller College of Business

There are 2 versions of this paper

Date Written: August 2, 2021

Abstract

Covid-19 has highlighted the fragility of supply chains in a range of critical infrastructure: food, medicines, health care, information technology, communications, and more. This paper focuses on an under-appreciated supply chain risk, network cybersecurity, that was present before the pandemic and which the pandemic brings into sharper focus. Between 2004 and 2016, the digital economy grew nearly four times as fast as the rest of the economy, according to the Bureau of Economic Analysis. The proliferation of digital services has created significant value and employment opportunities; it has also created a wide array of new cybersecurity vulnerabilities. Vulnerabilities of DVRs, CCTVs, voting machines, and municipal systems, leading to denial-of-service attacks and ransomware holdups, are known, but these examples miss a problem. Although these examples give the impression that only certain hardware and specific entities are affected, taking networked cybersecurity into account yields different conclusions. For example, given that enterprise software, which is common for work-at-home situations, is rapidly becoming a cybersecurity vulnerability, anyone connected by this software necessarily becomes a target too. Malicious cyber incidents, like data breaches, can have ripple effects across a network of businesses and sectors. Yet current definitions and regulations of Critical Infrastructure (CI) miss this point.

We argue that the network dimension of cybersecurity risk is an important, under-studied aspect of the problem. Legal definitions of CI and the voluntary nature of cybersecurity governance leave gaps in the classification of CI and how to identify cybersecurity risk, particularly in the professional services sector. In addition, the voluntary nature of cybersecurity governance demands risk-based and objective measures to aid in identifying when to take steps on improving cybersecurity, but exactly what such metrics are is, at best, evolving.

We address both these problems. By drawing on a new dataset, we develop metrics that measure productivity effects and that capture cybersecurity risk. This approach allows us to show that a major sector, professional services, is missed by current definitions of critical infrastructure, but could be captured if CI definitions accounted for networked cybersecurity risk. In addition, the approach aids voluntary participation in mitigating cybersecurity risk, because it provides a way for any firm or sector to better identify and assess the nature of its networked cybersecurity risk.

In short, these networked cybersecurity vulnerabilities can adversely affect aggregate growth and national security objectives because of connectivity across firms and sectors. This work seeks to provide a path forward for understanding, defining, and protecting networked cybersecurity.

Suggested Citation

Makridis, Christos and Desai, Deven R., Identifying Critical Infrastructure in a World with Network Cybersecurity Risk (August 2, 2021). Georgia Tech Scheller College of Business Research Paper No. 3898193, TPRC49: The 49th Research Conference on Communication, Information and Internet Policy, Available at SSRN: https://ssrn.com/abstract=3898193 or http://dx.doi.org/10.2139/ssrn.3898193

Christos Makridis (Contact Author)

Stanford University

Stanford, CA 94305
United States

Institute for the Future (IFF), Department of Digital Innovation, School of Business, University of Nicosia

Nicosia, 2417
Cyprus

Arizona State University (ASU)

Farmer Building 440G PO Box 872011
Tempe, AZ 85287
United States

Department of Veterans Affairs (VA)

810 Vermont Avenue NW
Washington, DC 20420
United States

Deven R. Desai

Georgia Institute of Technology - Scheller College of Business

800 West Peachtree St.
Atlanta, GA 30308
United States

HOME PAGE: http://scheller.gatech.edu/directory/faculty/desai/index.html
