Potential Categories of a Cyber Attack Space Topography

The concept of topography, specifically related to cyber attack spaces, has been rattling in my head for the past few months. What are the shapes of current cyber attack spaces? What are the shapes of future cyber attack spaces? What might a person include as categories (and elements of the categories) of cyber attack spaces that a cyber topography would include?

If cyber loss modelers, or CISOs or other corporate professionals responsible for risk management (including development and management of a corporation cyber risk management system), or insurance actuaries charged with pricing cyber insurance don’t know the shape of current and future cyber attack spaces, how can each (respectively and in some supporting combination):

• model cyber losses and the reach of cascading systemic cyber loss events throughout the categories that describe the shape of possible cyber attack spaces and associated cyber attacks?
• create cyber resilient and cyber secure corporations?
• set terms and premiums (and reserves and surpluses) for the cyber insurance they offer?

Defining (cyber attack space) topography

Here are two definitions of “topography” from the Merriam-Webster dictionary:

• The configuration of a surface including its relief and the position of its natural and man-made features;
• The physical or natural features of an object or entity and their structural relationships.

It’s possible (more than possible?) that I am taking liberties with the term ” cyber topography”. I think of “cyber topography” as an ever-continuing dynamically changing shape of never-ceasing, ever-expanding interconnected and interdependent set of digital artifacts, physical artifacts with digital contents and (non air-gapped) physical artifacts. I am equating “cyber topography” with “cyber attack space topography”.

I unapologetically take liberty in thinking about what “cyber topography” is because I don’t see any end in sight of the continually unfolding and refolding topography of cyber attack spaces.

Nor do I see any end in sight of the nature and number of cyber attacks emerging and wrecking havoc on any company (including its employees, clients, prospective clients, suppliers, partners and other members of the various ecosystems the company participates) that has any activity of any process enabled by a connection to the web.

The predators will always be many steps ahead of the prey in the Cyber Age, regardless of whatever cyber security regulations governments mandate that corporations adhere to or face consequences of non-compliance.

Four Bold Claims

With a notion of topography or cyber attack space topography in hand, I want to turn to four bold claims and then consider potential categories and associated elements of a cyber attack space topography:

Bold Claim #1: I don’t believe any person knows the shape of the cyber topography of the current cyber attack space(s) that have generated cyber attacks.

Bold Claim #2: I don’t believe any person knows the shape of the cyber topography of future cyber attack spaces yet-to-unfold.

Bold Claim #3: I don’t believe that a growing volume of collected data will accurately resolve either Bold Claim #1 or Bold Claim #2. (Corollary: I don’t believe that there is a “right set” of data to be collected to use in cyber loss models to resolve #1 or #2 above.)

Bold Claim #4: I don’t believe that the growing crescendo of hubris from cyber loss modeling firms will accurately resolve either Bold Claim #1 or Bold Claim #2.

Potential elements of a cyber attack space topography

Why consider cyber topographies?

Why think about cyber topographies? Because as increasingly more digital artifacts and physical artifacts with digital content are connected to the web, most (all?) of these newly added entities are interconnected and/or interdependent to one or more of the already existing entities connected to the web in some spatial or interspatial fashion.

Each entity, existing or newly added, serves as a vector for cyber attacks that impact more than merely the attacked entity: every cyber attack is essentially a systemic cyber attack. For me, the debate about systemic cyber attacks is the degree or extent that insurance professionals should care regarding whether to sell cyber insurance, and if yes then the terms of the policy, coverage limits, premiums, claim reserves and surpluses, and whether and how much to cede to reinsurers. Of course, insurers may decide to sponsor an ILS cyber Cat bond, front a cyber captive, or refer the applicant to an E&S insurer.

Cyber topography categories

Any topography of cyber attack spaces could be created by connecting – and considering the current and future interconnections and interdependencies of – the elements of each category shown below alone and also in combination with one or more elements from one or more categories.

Further, the creation of a topography must take into consideration that new elements will be added to each category and that new categories and elements will also emerge.

Obviously, the element of Time should be incorporated.

As my initial list, I’ve developed the following potential 27 categories and selected elements within some of the categories to create a topography of a cyber attack space:

1. Company:
   • Brand / Reputation
   • Member of one or more ecosystems of companies providing market, sales, distribution, customer service, consulting, legal services, public relations, marketing communication, and other enablement or support to one of more aspects of commerce of a “central / hub company”
   • Industry Associations the company belongs to or could
   • Industry Regulators of the markets the company conducts commerce
2. People:
   • Employees of a company that have been or could be cyber-attacked
   • Suppliers of a company in an ecosystem of companies that have been or could be cyber-attacked
   • Clients (retail or commercial clients) of a company in an ecosystem of companies that have been or could be cyber-attacked
   • Prospects of a company in an ecosystem of companies that have been or could be cyber-attacked
   • Sales and/or distributors of a company in an ecosystem of companies that have been or could be cyber-attacked
   • Employees of any company participating in one or more ecosystems of companies providing market, sales, distribution, customer service, consulting, legal services, public relations, marketing communication, and other enablement or support services to one of more aspects of commerce of a “central / hub company
3. Biometric Matrices of:
   • people working for any company in an ecosystem of companies that have been or could be cyber-attacked
   • people conducting commerce with any company in an ecosystem of companies that have been or could be cyber-attacked
   • people providing third-party services or products to any company in an ecosystem of companies that have been or could be cyber-attacked
   • people who used to work for any company in an ecosystem of companies that have been or could be cyber-attacked
4. Biometric Capture Devices for any “people” above in #2
   • Retina Scan Devices
   • Fingerprint Capture Devices
   • Voiceprint Capture Devices
5. Data flowing into and out of the company and/or stored in the company:
   • Structured data
   • Unstructured data
   • Semi-structured data
   • From Data Brokers
   • From Low-Earth Orbit Satellites
6. Software:
   • Business Systems: Systems of Record, Systems of Engagement, Systems of Finance, Systems of Collaboration and Communication, Systems of Insight / Analytics, …
   • E-mail addresses
   • Instant Messaging (IM)
   • Project Management Software
   • Office Productivity Software
   • Packaged Software including CRM, BMS (broker management systems)
   • Unpatched software
   • Out-of-date software (developed, maintained, and deployed in-house; developed, maintained, and deployed by a 3rd party technology firm; developed and deployed by a 3rd party technology firm but maintained in-house)
   • Logistics software
   • Billing software
   • General Ledger and Accounting software
   • APIs
   • IT assets recycled / reused / repurposed
   • Video solutions used in various commerce initiatives (onboarding new employees; onboarding clients; onboarding suppliers; product development / service initiative collaboration)
7. Computers & Computer Peripherals
   • Mainframes
   • Hubs
   • Routers
   • Ports
   • Printers
8. Business Office Equipment (connected to the web)
   • Fax Machines
   • Telephones / Communication Consoles
   • Contact Center Devices & Solutions
   • Printers
9. Physical Artifacts (whatever you can touch and that have been shown to be, or could be, cyber attacked through air-gaps)
10. IP-enabled Physical Artifacts / Animals with Digital Content
    • IoT devices (there are about 15+ billion IoT devices in 2023, inclusive of AVs, Hospital Devices, Drones, Fish Tanks, Robots used in warehouses, Commercial Fleet Vehicles)
    • Farm animals with IP-enabled sensors on them or in them
11. Immersion Solutions
    • Augmented Reality
    • Virtual Reality
    • Avatars
    • Metaverse
    • Holograms
12. Mobile Devices
    • SIM cards / eSIM software
    • Smart Phones
    • Laptops
    • Smart Tablets
    • Chatbots / Virtual Assistants
13. The Internet / Web
    • DNS
    • IPv4 wireless connection
    • IPv6 wireless connection
    • Routing Protocols
    • Ethernet Cables
    • Fiber Optics
    • Subnet Configuration
    • TCP and UDP Protocols
    • HTTP Protocols
    • SMTP Protocols
    • FTP Protocols
14. IT and/or Mobile Device Assets
    • recycled
    • reused
    • repurposed
15. Cloud Service Providers
    • Microsoft
    • Amazon
    • Google
    • Other technology firms providing their own cloud services (e.g. Salesforce, Oracle, …)
16. Hidden and un-triggered malware residing in:
    • company IT and Telco systems
    • cloud deployments
    • mobile devices
    • IoT devices
17. Auto Repair Shops & Their web-enabled communication capabilities
18. Banks & Their web-enabled communication capabilities
19. Investment Firms & Their web-enabled communication capabilities
20. Social Media Apps (used by employees of a company, or any companies participating in an ecosystem, or used by clients or prospects of a company)
21. Commerce & Healthcare Apps
    • General Delivery apps
    • Specific store apps
    • hospital medical records /appointments apps
22. Web Video Conferencing Solutions
    • Zoom
    • WebEx
    • Teams
    • Google Meet
    • Other (?)
23. Search Engines
    • Google
    • Bing
    • Duck Duck Go
    • Other (?)
24. Navigation Systems
    • Google
    • Apple
    • Garmin
    • Tom-Tom
    • HERE
    • GPS
    • Earth-Orbit Satellites
25. Social Media
26. Web Apps
    • Ride-Sharing Apps
    • Delivery Apps
    • Grocery Shopping / Delivery Apps
    • Restaurant Reservation Apps
    • Entertainment Apps
    • Media Apps
    • Self-Discovery Apps (e.g. 23&Me, Ancestry)
27. Gaming Consoles & Software
28. Additions to my list and/or Still to emerge

Hurdles to creating a topography of cyber attack spaces

There are some key hurdles to creating, or even using, a topography of cyber attack spaces, including:

• Almost all humans think linearly rather than in multiple dimensions;
• Almost all humans have no concept of the decades of time to come and the impact of living and working in a world shaped by mobile, digital, web-enabled, cloud-accessible capabilities;
• Too many of us have been surrounded primarily by physical artifacts most of our lives;
• Too many insurance professionals believe that cyber risks are just another risk in the very long history of risks the industry has lived with and successfully managed;
• Too many insurance professionals believe all we need is to collect more data for cyber loss models so corporations and their insurers can “get a handle” on current and emerging cyber attacks;
• Too many people believe that governments should issue cyber regulations and that will help slow down (or possibly stop) cyber attacks from happening.

I’m definitely guilty of thinking linearly.

However, although at my age I’ve been surrounded by physical artifacts most of my life, I fully realize that society is moving very quickly to becoming a digital artifact-based economy (or “intangible assets” if you prefer).

My vision of the “Big Picture” of cyber topography

When I think of the “big picture” of cyber topography or the topography of cyber attack spaces, I visualize a never-ending spreading malignant virus, deep red in color, that is continually sweeping around our planet unabated and unstoppable.

The topography is changing minute-by-minute, if not more quickly, as increasingly more digital artifacts and more physical artifacts with digital content are added to the cyber space. The topography continues to unfold and fold inward and refold and unfold again within itself as more interconnections and interdependencies are created feeding a larger, more malignant virus.

The virus is negatively impacting any and all activities of life, commerce, entertainment, media, healthcare, education, travel, law & order, political processes, court processes, and hiring and firing processes at a minimum.

I found this multi-dimensional illustration (Bing.com) but its complexity doesn’t even begin to capture the complexities of the always-changing cyber attack space topography.

I have too little mental acuity to see or understand how government cyber regulations are ever going to stop – or even come close to slowing down – this never-ending unfolding of a dynamically changing topography of cyber attack spaces. For me, it would be like attempting to stop the emergence and expansion of a Black Hole in Space.

Fining corporations – and/or doing worse to specific members of the management team – because the corporation has been cyber-attacked (once or more times) only generates life-time income to the Plaintiff’s Bar and adds them and governments to the list of expenses that corporations must plan to pay out. Neither fining nor shaming will stop corporations from being cyber attacked once or multiple times.

This virus of cyber attack spaces (and cyber attacks) will be with society for … well, for an unknowable large number of decades to come. My four Bold Claims will remain true. Government cyber regulations won’t help organizations which have been or are repeatably cyber-attacked.