Diving deeper into federal cybersecurity attacks
New strategies for cyber risk management
Beneath the surface of a cyberattack is intended to shed light on a broad set of mission impacts that are overlooked in most conversations about cyber risk. By viewing cyber risk through a wider lens, agencies can ultimately improve their ability to survive and thrive in the face of increasingly likely cyberattacks.
- Assumptions can be misleading
- Fifteen cyberattack impact factors
- Understand impacts
- Scenario takeaways
- Going forward
A fundamental shift is occurring in the management of cyber risk. The idea that cyberattacks are increasingly likely—and perhaps inevitable—is beginning to take hold among secretaries and agency leaders. Agency leaders are realizing that our world is interconnected, mostly by using technologies designed for sharing information, not protecting it. They recognize that they have to trust people—their own employees and the third parties with whom they interact—to handle sensitive information and operate critical infrastructure. And more and more, they see that the intimate connection between their strategic agenda and the creation of cyber risk makes it infeasible for them to lock everything down and always put security first.
Beneath the surface, cyberattacks can have a much more significant impact on agencies. But the tolls they take are not universally understood and are much more difficult to quantify.
Agencies can understand the effects of these less obvious impacts, though, by employing a multidisciplinary approach that integrates deep knowledge of cyber incidents with mission context, valuation techniques, and financial quantification. This understanding should help federal government leaders rethink how to prepare for these type of events.
The impact valuation approaches used in this paper are designed to help the federal government to:
- Prioritize funding for federal cybersecurity defense in alignment with potential impacts
- Establish pre-existing agreements with external parties to swiftly respond and help reduce damage
- And/or create sufficient loss reserves to address the financial impact of incidents
There are many ways a cyberattack can affect an agency, and as a direct result citizens and the private sector and the impacts will vary depending on the nature and severity of the attack. In general, there are 15 “impact factors” that agency leaders should consider when preparing for federal cybersecurity incidents. Some are well-known, direct costs commonly associated with federal cybersecurity breaches; others are more far-reaching, intangible costs that are more difficult to quantify and often hidden from public view.
These impact factors play out across a cyber incident response lifecycle that can be broken down into three phases, which usually overlap one another and can extend differently over time, depending on the type of attack. Some of the impact factors are typically associated with one of the three phases and may represent one-time costs, such as the technical investigation. Other impact factors, such as legal costs or damages from intellectual property loss, recur or are present throughout the recovery process.
Federal cybersecurity scenario takeaways
“Above the surface” costs commonly associated with data breaches may only be the tip of the iceberg and are relatively small compared with the overall impacts.
Scenario A shows that even in an attack involving typical data theft, the classic “above the surface” costs associated with data breach response may not be the most significant over the course of the incident.
Federal cybersecurity incidents can spillover into the private sector with substantial impacts.
Federal agencies may be held responsible when their cyber incidents cause damage to private or other external organizations. As shown in Scenario B, these organizations may seek to recover these costs in addition to the damage the agency incurred. Federal agencies, and supporting contractors, may need to reevaluate how they approach self-insurance by either creating appropriate set-aside funding (loss reserves) or exploring private insurance.
The impact of a cyberattack plays out over years following an incident.
The immediate triage phase is costly, but the long-term efforts may take a far greater toll. Long after intruders are removed and public scrutiny has faded, the impacts from a cyberattack can reverberate over a multiyear timeline. Legal costs can cascade as stolen data is leveraged in various ways over time; it can take years to recover pre-incident growth and profitability levels, and brand impact can play out in multiple ways.
Recovering from an attack is not just a technical effort.
Although cyberattacks are conducted through technology-based means and can cause very significant damage to infrastructure, equipment, and applications, the major damage will usually be to mission and business value, not to IT assets. Cyber incident response is not primarily a technical effort. As the scenarios demonstrate, the technical work to investigate, analyze, clean, and repair computer systems is soon overshadowed by efforts to manage citizen, customer and third-party relationships, legal matters, investment decisions, and changes in strategic course, which are significant leadership activities.
For many agencies, becoming truly resilient to cyberattacks calls for a shift in mindset that changes how they perceive cyber risk management and potential impacts. It requires organizational transformation that broadens the scope of involvement at the top of the agency and instills focus on risk, not just technology controls. It involves the ability to reprioritize and refocus investments on mitigating likely outcomes, based on a broad understanding of attackers' motives and the ability to anticipate high-impact scenarios.
Many will find the following to be useful first steps:
- Convene the right team
- Identify top risk areas and assets
- “Right-size” spend to reduce incident impact
- Modernize what “readiness” means
- “Do more than prepare”