May 22, 2023
Several cybersecurity scoring companies provide a service that rates the cybersecurity posture of corporate entities. Their output, a cybersecurity score, is like a credit score and can be used to evaluate potential risks. A company’s score can be used by third parties to assess the security of the business, similar to how a credit score assesses an individual’s likelihood to pay a debt.
Multiple companies do this sort of assessment (e.g., ISS, BitSight, SecurityScorecard). Generally, these companies identify a range of IP addresses and/or domain names for a given company and then scan the public infrastructure in the target company’s range for known security flaws/vulnerabilities. The company then applies its algorithm, balancing several factors to determine the target company’s final cybersecurity score.
This approach can be deeply flawed for Internet Service Providers (ISPs) and other companies (e.g., Cloud Service Providers) whose business is the provision of IP address space to other firms. Most of these providers’ assigned IP ranges are customer-managed infrastructure, so scanning their entire range includes elements that are not the ISP or Cloud Provider’s infrastructure. In effect, these businesses get graded on their customers’ cybersecurity practices. These resulting scores often are inaccurate and do not reflect the ISP or Cloud provider’s security capabilities.
The flaws in this methodology have been a known issue since 2018 when the U.S. Chamber of Commerce (Chamber) and FICO Cyber Score (since acquired by ISS) created an initiative called the Assessment of Business Cybersecurity (ABC), which attempted to benchmark the cybersecurity risk of key industry sectors[1]. After releasing the initial findings, ISPs conveyed these shortcomings to FICO and the Chamber and were subsequently excluded with the following acknowledgment.
“While it is important to assess the risk of these firms individually, the inclusion in the ABC metrics of internet service providers (ISPs, infrastructure as a service providers (IaaS, telecoms, and cloud infrastructure providers with large IP address footprints controlled by IT and security teams outside their direct control could increase the likelihood of double-counting assets when such assets would be more appropriately attributed to the subscribing organizations. For these reasons, we have elected to exclude companies in this class and have adjusted the ABC and its various sub-indices.” [2]
Use of cybersecurity scoring services continues to grow, but these companies do not exclude ISPs and other like companies in their analysis. As such, ISPs spend considerable time answering customer questions and explaining why our published scores are inexplicably low. While our customers understand the flaws in the methodology, it would be optimal if we did not have to have this conversation, to begin with.
Proxy advisory services companies (ex. Glass Lewis and ISS) who score Environmental, Social, and Corporate Governance (ESG) for publicly traded companies are now using these same ill-conceived scoring services to grade a company’s cyber program and determine corporate ESG scores. While ISPs have been dealing with this issue over the past few years on a one-on-one basis with inquiring customers, it’s an entirely different situation when Wall Street is using these scores for market investment decisions. Further, recent SEC rulings have removed the obligation for these proxy advisory companies to notify the target company before publishing their findings and recommendations.
ISPs have engaged with all the major providers of these services, and there are substantive challenges to providing IP ranges associated with our “enterprise” as opposed to the broader IP range associated with use by our transport networks or customers. This challenge is compounded by the breadth of our networks, which would require accommodating issues such as dynamic DNS, IP assignment and Network Address Translation (NAT) protocols which the average enterprise does not use.
Due to the acknowledged limitations of cybersecurity scoring, we urge the companies that provide these services to exclude providers whose cybersecurity scores are based on unsound and erroneous methodologies. In the absence of such an exclusion, and because of the harm associated with misleading reporting, impacted industries are now compelled to share their concerns with government stakeholders in the U.S. and abroad.
[1] U.S. Chamber of Commerce. (October 11, 2018). FICO and U.S. Chamber Release First U.S. Cybersecurity Assessment | U.S. Chamber of Commerce. https://www.uschamber.com/security/cybersecurity/fico-and-us-chamber-release-first-us-cybersecurity-assessment
[2] FICO and U.S. Chamber of Commerce. (2019). Assessment of Business Cyber Risk Q1 2019.