Redefining Cyber Risk for Modern Information Security Programs


By Lester Godsey, Chief Information Security Officer, Maricopa County

The following is the definition of cyber risk, per ChatGPT: “. . . the potential harm or damage that can arise from the use of technology and information systems, particularly in the context of cybersecurity. It encompasses the likelihood of a cyber threat exploiting vulnerabilities in an organization’s systems, networks, or digital assets, leading to adverse consequences.” While this characterization of cyber risk certainly holds true today, there are some factors in play that should make organizations rethink how they define cyber risk in the context of information security programs.

First, and perhaps foremost, is the expanded use of technology in society overall. The fundamental issue at hand is that technology is so pervasive in all aspects of our lives, professional and personal, that the potential for cyber risk is both much greater and of a much wider variety. Take, for example, Apple AirTags. Released in April of 2021, this technology has since been adopted for questionable and, in some instances, nefarious and illegal purposes. On a completely different note, consider the increased use of technology in building automation systems. HVAC, lighting, life safety, mechanical, and other building systems are more and more dependent upon technology, some of which is known for its lax cybersecurity controls. The scope and scale of technology finding its way into our lives should force us to reconsider how we define cyber risk.

What about the actual risk at hand? ChatGPT’s definition focuses on exploiting vulnerabilities in systems, networks, or digital assets. Given the reach that modern technology has today, is this the limit of the risk faced? What many organizations, especially governments, are seeing today is a blurring of lines between cyber risk and physical, or kinetic, risk. A big reason for that is social media. This technology platform, while created as a digital means to share and connect with others, is being used, both unintentionally and intentionally, to spread mis-, dis- and malinformation. While problematic, how does this correlate to physical, let alone cyber, risk? Social media has been shown to be both a threat vector and a source of intelligence for both cyber and physical attacks. For example, social media posts have been weaponized by state-sponsored actors against organizations, and especially against government agencies. These posts are often used in conjunction with more traditional cyberattacks (e.g., DDoS, ransomware, intrusion attempts). Additionally, groups like hacktivists often use social media as a logistical tool or as a means of information sharing. Examples of such activities include using social media to coordinate caravans designed to follow government employees, or to create and share dossiers on elected officials. Fundamentally, social media services are communications services. What often starts on these digital platforms ultimately becomes kinetic or physical action and, in some instances, physical consequences.

So, if one accepts this new source of cyber, and by extension physical, risk, what do we do with this realization? These neoteric variables need to be part of the risk calculus that our respective organizations go through. While this makes logical sense, it is easier said than done. Keeping in mind that the cyber industry has frameworks in place, like NIST, to help measure risk, what are the industry standards for mis-, dis- and malinformation? There are guides and incident response plans out there, but how is this relatively new threat vector being accounted for in the context of enterprise cyber risk?

More pragmatically, how does one monitor not only for mis-, dis- and malinformation, but also for social media serving as a litmus test for potential kinetic or physical risk? Most organizations don’t have the resources or expertise to monitor these platforms proactively. While there are tools and services on the market that provide cyber intelligence, they tend to focus on the dark/deep web. The threats we’re talking about are on public display, often reaching hundreds of millions of people on these commercially accessible platforms. It is impossible to manually search and inspect all public social media posts at this scale, and most social media platforms do not allow access to their data via API. All of this makes it incredibly difficult for organizations to find threat intelligence or indicators of enhanced cyber and kinetic threats efficiently and effectively.

For organizations, being aware that their definition of cyber risk may no longer adequately represent the true breadth of potential risk out there is the first step. Regardless of the organization’s ability to measure and quantify the risk, at least it becomes a known issue, one that can be discussed with executive management, who ultimately accept any and all organizational risk. One option organizations may have is to explore a shared responsibility model in which functions like communications, which are most likely already using social media and other technology to deliver their messaging, act as the ‘canary in the coal mine.’ They are more than likely already seeing the posts that are negative, spreading misinformation or the like; establish a protocol, based on defined thresholds, for when they should share those posts with your information security team or function. Additionally, more and more organizations, even in government, are starting to formally accept that this is a new need for their programs and are addressing it to the best of their abilities.

This expanding definition of cyber risk is not going away, as long as technology continues to give us new solutions like generative AI and the like. The trick is that we should be cognizant of this and ensure we are constantly checking what is coming down the pike.