In the last few decades, technology has come to occupy a greater role in our day-to-day lives than ever before. But as it continues to grow more essential to our daily activities, technology is also increasingly being used against us, primarily through cyber attacks.
Policymakers, security experts, and journalists frequently cite terrifying statistics about the rapidly growing number of cyber attacks. For example, according to a White House audit, the U.S. government was hit by more than 77,000 "cyber incidents" in 2015. The government of Japan said that 128 billion cyber attacks were made against the country’s critical infrastructure last year. Some of the reported incidents were very serious, such as the hacking of the Office of Budget Management’s personnel records, resulting in the theft of highly sensitive information about 22 million people, but most of those incidents did not actually involve significant data breaches or disruptions to organizational operations.
In the wake of a cyber attack, it can often be difficult to determine just how significant and consequential it was. It can be even more difficult for policymakers and organizational leaders to think strategically about how to invest their cybersecurity resources in ways that protect their most important IT systems. How can we assess the seriousness of different types of cyber attacks and risks in terms that policymakers, organizational leaders, and the public can understand?
Researchers at the Center for International and Security Studies at Maryland (CISSM), in the University of Maryland (UMD) School of Public Policy have invented the Cyber Disruption Index to facilitate risk assessment and improve communication among different types of stakeholders in government, the private sector, academia, and the media. The CISSM framework differentiates between exploitative and disruptive cyber attacks (e.g. those that steal information and those that disrupt operations). It also discerns among five kinds of disruptive cyber events, ranging from website defacement to destruction of equipment. Three dimensions of actual or potential cyber events are estimated to calculate a score on their Cyber Disruption Index: scope, magnitude, and duration. Those scores can then by plotted on a risk matrix to compare the consequences of different types of events and holistically assess the risk of damaging cyber attacks.
Charles Thomas Harry, vice president for cyber and analytic solutions at Orbis Operations and CISSM research scholar, and Nancy Gallagher, director of CISSM and a research professor at the School of Public Policy, were inspired to invent the framework after observing that lack of a shared vocabulary and method for comparing different types of cyber events caused many policy makers to misstate the seriousness of cyber threats and confuse serious threats with relatively minor occurrences.
"To better derive better policy, we need vocabulary, method, and risk assessments that help non-technical audiences understand the nuances in this complex field," said Harry.
Several cyber risk frameworks exist, but they only evaluate vulnerabilities of specific computers in an organizational network. Harry’s and Gallagher’s framework is the first to map the relationship between an organization’s IT infrastructure and its core mission, enabling organizational leaders and managers to understand how different types of attacks, as well as simultaneous campaigns that affect different parts of an organization’s network, would impact the organization’s ability to provide goods or services.
"By approaching the problem from the top down rather than the bottom up, we have developed a unique approach that allows decision makers to interact with their technical staff in a more meaningful way," said Harry. Gallagher added that, "using a common language and risk assessment methodology can also help government officials, private sector executives, and academics understand each other’s different concerns, evaluate tradeoffs, and cooperate to ensure that critical infrastructure is protected against high-consequence threats."
Harry and Gallagher plan to launch a new company that will lease the framework for analysis and training purposes in government and private organizations. They hope policy makers and organizational leaders will use the framework to collaboratively tackle issues of cybersecurity, and that organizations will incorporate the framework into their IT risk assessment workflows.
The researchers' hopes have already become a reality in Japan, where they recently held a series of workshops for the Japanese government in preparation for the 2020 Olympics with the help of Executive Director for the Maryland Global Initiative on Cybersecurity Dan Ennis, Director of the Center for Public Policy and Private Enterprise David Mussington, and Ph.D. student Naoko Aoki. By using Harry’s and Gallagher’s framework, the Japanese government has been able to start holistically evaluating cyber threats to critical infrastructure, thereby reducing the scale of the problem to a more manageable size.
The Cyber Disruption Index and Framework has been nominated for the 2016 Invention of the Year Award in the information sciences category. The winners will be honored at "Innovate Maryland," a special Celebration of Innovation and Partnerships on April 12, 2017 as part of the University of Maryland's "30 Days of EnTERPreneurship."
February 23, 2017
UMD Researchers Change the Game on Cyber Attack Evaluation
Did You Know
UMD's Neutral Buoyancy Research Facility, which simulates weightlessness, is one of only two such facilities in the U.S.