
BLUF – In supply-chain and operational resilience/business continuity discussions we focus on areas within our span of control, whilst ripple impacts are felt from further away. How we understand those effects, and how we engage those in our ecosystem with whom we have no formal bonds, helps shape how we plan for circumstances beyond our control.
Background
Perhaps you saw the ransomware disclosure from the Norwegian shipping management firm, DNV. Few details are available, though we know about seventy clients and over a thousand ships were impacted. Whilst we’ve not seen reports of impacts to the shipping companies yet, we can expect some delays. DNV was responsible for ships’ crewing and maintenance.
Indirect incidents affecting our operations force us to question further our supply chain risks, responsibilities, and our need for visibility across the ecosystem. If a compromise is not against your organisation or your vendors, you have limited investment and little control; but if the compromise is still within your supply-chain ecosystem the risk doesn’t abate, though the responsibilities to your downstream clients may.
Before we go further, let’s define terms for this discussion:
- Direct impact is to yourself or to an organisation where you have a locus of control (e.g. your organisation’s computer/server is hacked and this impacts your ability to work. You may recover data from in-house backups as the boxes are rebuilt).
- Indirect impact is still felt by you or your organisation, but you have no means of control (e.g. an app provider used by your organisation was hacked, affecting your ability to complete a function because the service is not working. You are impacted but won’t be resetting their devices).
Similarly, when looking at orders of effect:
- First order is the same as direct.
- Second order is separate from but connected to your organisation. Both upstream and downstream, these are in direct contact with you or your organisation.
- Third order is the second order’s other connections, from a vendor/client perspective. Incidents there may impact their operations, in turn potentially impeding yours. These vendors/clients are not directly tied to the first order organisation.
- Fourth order and beyond can be drawn out, though the further from first order we look, the harder it is to link cause to impact; other potential factors raise doubt and may or may not be considered.
- Ecosystem is an organisation’s upstream and downstream connections out to at least the third order.
The prior mapping discussions (1, 2, 3) show the utility of visually representing aggregate data within your organisation. There is value in mapping out an organisation’s ecosystem to the third order.
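As an added example (not part of the original post), the orders of effect above can be computed over a list of vendor/client relationships: hop distance from your own organisation is the order, and anything past the third order falls outside the ecosystem. The organisations and relationships below are constructed placeholders, with DNV positioned as a second-order vendor of a hypothetical shipping company.

```python
from collections import deque

# Constructed sample ecosystem: each pair is a vendor/client relationship,
# treated as undirected because both upstream and downstream contacts are
# second order. All names other than DNV are hypothetical placeholders.
ECOSYSTEM_EDGES = [
    ("ShipCo", "DNV"),          # DNV handles ShipCo's crewing and maintenance
    ("ShipCo", "PortAgent"),    # ShipCo's downstream client
    ("DNV", "OtherShipCo"),     # another DNV client, not tied to ShipCo
    ("DNV", "ITVendor"),        # DNV's own supplier
    ("ITVendor", "CloudHost"),  # fourth order from ShipCo's viewpoint
    ("PortAgent", "Customs"),
]


def build_graph(edges):
    """Adjacency sets for an undirected relationship graph."""
    graph = {}
    for a, b in edges:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def map_orders(graph, origin, max_order=3):
    """Breadth-first walk from origin; hop count + 1 is the order of effect.
    Order 1 is the organisation itself (direct impact), order 2 its immediate
    vendors/clients, order 3 their other connections. Nodes beyond max_order
    are left out: that is the boundary of the ecosystem as defined above."""
    orders = {origin: 1}
    queue = deque([origin])
    while queue:
        node = queue.popleft()
        if orders[node] >= max_order:
            continue
        for neighbour in graph.get(node, ()):
            if neighbour not in orders:
                orders[neighbour] = orders[node] + 1
                queue.append(neighbour)
    return orders


def incident_exposure(graph, origin, compromised, max_order=3):
    """Classify a compromise at `compromised` from `origin`'s viewpoint:
    ('direct', 1) for first order, ('indirect', n) for an in-ecosystem node,
    or None when it lies beyond max_order and cause is hard to link."""
    order = map_orders(graph, origin, max_order).get(compromised)
    if order is None:
        return None
    return ("direct", 1) if order == 1 else ("indirect", order)
```

Running `incident_exposure(build_graph(ECOSYSTEM_EDGES), "ShipCo", "DNV")` returns `('indirect', 2)`, while the same call for `"CloudHost"` returns `None`, marking it as outside the mapped ecosystem.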
Why an ecosystem, rather than the sector (or region)?
The answer lies in the value we find in our ecosystem and the potential resilience we can foster across the connections between first and third order. Whilst we have sector-related cyber security/intel meetings and can share similar troubles and best practices, there is little vested interest between near-peer competitors (unless we are talking about sectors as interwoven as financial services).
We want to create resilience within our ecosystem. The better we understand our second and third order interconnections, the better we can see where pebble risks start. With the right NDAs in place we uncover opportunities for mutual aid constructs.
Now, wait a minute…why would you want to engage and potentially share information with others in your ecosystem, especially ones with whom you’ve no contractual obligations?
Because the cyber landscape is becoming increasingly untenable.
Because insurance is realising their absorbed costs.
Because deterrence is absent, retribution remiss.
Because risks aren’t accepted but expected.
Because crisis is not a wave, but a tide.
Because we need resilient ecosystems.
In the case of DNV, they may still have been compromised, but with better visibility through the ecosystem the probability is lower, and the relative impact to their seventy clients would likewise be lower. When working through a compromise, few things are harder than trying to explain what you’re not sure of to others demanding answers. Properly framed, those clients would know very shortly after DNV did, and could move to their Plan B as well.
Framed within a context of business continuity, there is potential to extend resilience beyond organisation borders, in both directions. Shared threat indicators, visibility from different vantages, and coordinated communication raise the ecosystem’s baseline. We are not going to change the landscape and the threats it contains; resilience, however, does not depend on it. If minor adjustments improve our ecosystem resilience, we reduce loss that would otherwise be absorbed.
We may not make the internet a utopian space of only positives, but with ecosystem-wide harm reduction we can bring those negatives to zero.
-scl