When the Hacker Pulls the Plug (on Essential Services)
OPINION |

When the Hacker Pulls the Plug (on Essential Services)

THE IMPACT OF A CYBERATTACK CAN GO FAR BEYOND THE ECONOMIC AND INFRASTRUCTURAL DAMAGE SUFFERED BY VICTIMS, IF THEY ARE AGENTS THAT GENERATE SERVICES (AND VALUE) TO THE BENEFIT OF INDIVIDUALS, ORGANIZATIONS AND THE REST OF SOCIETY. THIS IS WHY A HOLISTIC AND MULTILEVEL APPROACH IS NEEDED TO BUILD DECISIONMAKING MODELS THAT REFLECT THE COMPLEXITY OF THE ECOSYSTEM

by Greta Nasi, Director of the MSc in Cyber Risk Strategy and Governance

A cyber-attack that affects the critical infrastructure and disrupts the essential services, such as electricity and telecommunication services, may significantly impact state security and citizens’ well-being beyond the specific value of direct losses suffered, since the disruption of an essential service may generate cascading effects on related activities (Zio, E. & Sansavini, G., 2011).  
 
To mitigate the effects of cyber-attacks on the disruption of essential services, the research community, policymakers, and operators have been focusing on the protection of the critical infrastructures underlying the services (Apt, J. et al. 2006). Several approaches, standards, and methodologies have been adopted to secure critical infrastructures' functioning, interdependencies, and reliability. However, what matters is the services those infrastructures provide and their value for the users who use these services. The current decision-making frameworks takes a narrow perspectivesand must be integrated into a broader paradigm emphasizing inter-organizational, network-based, and cross-sectoral relationship governance.
 
Moreover, much of the contemporary approaches to cybersecurity have been derived conceptually from prior "computer security" research conducted in related science and technology fields rather than framed across the multiple policy domains that the disruption of essential service provision may interfere with. This has generated a "fatal flaw" in cybersecurity theory, which has viewed critical infrastructure protection as a security business continuity challenge rather than an essential service disruption challenge. One of the main gaps in research and risk management framework is that the disruption of essential services is, by and large, something other than computer security and its interruption. On the contrary, the value of essential services is in the use that they enable. In turn, computer network continuity represents a necessary yet not a sufficient condition to generate value in the context of essential services. 
 
The Colonial Pipeline attack of May 2021 is an example of how the focus on the protection of critical infrastructure, however necessary, is not enough to ensure the safe and secure provision of essential services and greater individual and societal impact (Smith, S. 2022).
Colonial Pipeline is one of the largest oil pipeline companies in the United States. The company's decision to shut down its operations systems in response to a cyberattack on its information technology systems created ripple effects across the regional economy. It caused public panic, effects on other services (e.g., flight cancellations), and social distress, as consumers worried about continued access to gasoline. The Colonial Pipeline case shows how, due to the interconnectedness of essential services, hacks can disrupt not only the attacked organization, but also cause broader effects across other organizations, individuals, and society at large.
 
The safety and security of essential services cannot be understood and assessed only by identifying the vulnerabilities of the assets and infrastructures providing them, and modeling the risks from the associated hazards and threats. Lusch and Vargo (2014) argue that services have no intrinsic value—they are only a value promise. It is only when a service is used that stakeholders (e.g. customers, users, and other actors of the service provision) receive value (value-in-use). This usage occurs within service ecosystems, defined as relatively self-contained and self-adjusting systems of resource-integrating actors, processes and technologies, connected by shared institutional logics and mutual value creation through service exchange (Vargo & Lusch, 2014; Aarikka-Stenroos, L., & Ritala, P., 2017). The ecosystem perspective more accurately captures the reality of essential service delivery as it represents a foundational context of modeling decision-making for cybersecurity. The disruption of essential services due to a cyber-attack may impact the value across the entire ecosystem and, consequently, for all the dependent assets and services.
 
Therefore, we need to invest more in interdisciplinary research that accounts for multi-level analysis, and considers individual, organizational, ecosystemic and societal perspectives and their dynamic interplay to build decision-making models that capture the intricate dynamics and complexities of the ecosystem, providing a holistic understanding of the value at risk to support informed decision-making.

Latest Articles Opinion

Go to archive
  • The Flight of the Honest

    Migrants tend to be more honest than those who stay in their places of origin. As a result, those countries are deprived of social capital, with negative effects on productivity, growth and the quality of institutions

  • The Toxicity Threshold

    On the one hand, platforms and their algorithms appear to accommodate the presence of hateful content in users' feeds; on the other hand, online platforms have moderated toxic content from the beginning, even before steep fines were introduced. Perhaps a profitable strategy for them lies in the middle

  • How the National Living Wage Helps the UK's Poorest Households

    The UK's national living wage has just been raised by 10% and research shows it can be a successful policy tool to benefit poorer households

Browse the magazine in digital format.

View previous issues of Via Sarfatti 25

BROWSE THE MAGAZINE

Events

Mon Tue Wed Thu Fri Sat Sun
1 2 3 4 5 6 7
8 9 10 11 12 13 14
15 16 17 18 19 20 21
22 23 24 25 26 27 28
29 30