Black Hat USA 2025 | Digital Dominoes: Scanning the Internet to Expose Systemic Cyber Risk

Black Hat | Mar 8, 2026

Why It Matters

Accurate, internet‑scale modeling of systemic cyber risk enables insurers and regulators to anticipate cascading failures, close the protection gap, and protect the broader economy from digital domino effects.

Key Takeaways

  • Internet‑scale scans reveal hidden aggregation points in the digital supply chain
  • Recent cyber incidents exposed cascading risks across the healthcare, auto, and airline sectors
  • Traditional cyber‑cat models are misaligned: they ignore the dynamic, adversarial nature of cyber threats
  • A new graph‑based approach maps vendor dependencies for granular risk quantification
  • Policy is shifting toward continuous monitoring, sub‑limits, and risk transfer mechanisms

Summary

The Black Hat USA 2025 talk introduced a novel method for measuring systemic cyber risk, framing it as a "digital domino" problem in which the failure of a single vendor can topple entire industry chains. Morgan Hervé-Mignucci, head of cyber catastrophe modeling at Coalition, demonstrated how internet‑scale network measurements can map the hidden dependencies that bind healthcare, automotive, and airline ecosystems, exposing aggregation points before they cause wide‑scale outages.

He highlighted three recent cascades—Change Healthcare’s collapse of U.S. health‑care infrastructure, CDK Global’s disruption of 15,000 auto dealers, and CrowdStrike‑related airline traffic failures—to illustrate that traditional cyber‑cat models, borrowed from natural‑catastrophe frameworks, are ill‑suited for the dynamic, adversarial nature of cyber threats. These models focus only on insured firms, ignore broader economic fallout, and suffer from a lack of real‑world validation, leading to over‑inflated risk estimates and a persistent protection gap.

The presentation underscored concrete policy responses, from SEC 8‑K reporting and NIST guidelines to executive orders and the creation of CISA’s critical‑infrastructure directives. By building a continuously updated, graph‑based map of vendor‑to‑organization dependencies—leveraging data from millions of internet‑scale scans—Coalition can deliver granular, data‑driven risk scores that differentiate a regional outage from a global service collapse.
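The graph‑based dependency map and cascade scoring described above, as an added illustration (this is not Coalition's code or data): constructed scan observations are turned into a vendor‑to‑organization graph, a vendor failure is propagated transitively through it, and the organizations hit are profiled by sector and region so a single‑sector outage can be told apart from a cross‑sector collapse of a shared upstream. All organization, vendor and region names are hypothetical placeholders.

```python
from collections import defaultdict
# Constructed sample of scan-derived observations: (organization, sector, region, vendor).
# All names are hypothetical placeholders; nothing here refers to a real vendor or customer.
OBSERVATIONS = [
    ("hospital-a", "healthcare", "us-east", "claims-clearing"),
    ("hospital-b", "healthcare", "us-west", "claims-clearing"),
    ("clinic-c", "healthcare", "us-east", "claims-clearing"),
    ("dealer-d", "auto", "us-east", "dealer-dms"),
    ("dealer-e", "auto", "us-west", "dealer-dms"),
    ("airline-f", "airline", "eu", "edr-y"),
    ("airline-g", "airline", "us-east", "edr-y"),
    ("bank-h", "finance", "eu", "core-banking"),
]
# Constructed vendor-to-vendor edges: (vendor, upstream provider it runs on).
VENDOR_DEPS = [("claims-clearing", "cloud-x"), ("dealer-dms", "cloud-x"), ("core-banking", "cloud-x")]

def build_graph(observations, vendor_deps):
    """Map each node to the set of nodes that fail when it fails (reverse dependency edges)."""
    dependents = defaultdict(set)
    for org, _sector, _region, vendor in observations:
        dependents[vendor].add(org)
    for vendor, upstream in vendor_deps:
        dependents[upstream].add(vendor)
    return dependents

def cascade(dependents, failed):
    """Transitive closure of a failure: every domino that falls after `failed` goes down."""
    seen, stack = set(), [failed]
    while stack:
        for dep in dependents.get(stack.pop(), ()):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen

def impact_profile(observations, dependents, failed):
    """Count affected organizations by sector and region; a high share across many sectors is the global-collapse case."""
    orgs = {org: (sector, region) for org, sector, region, _ in observations}
    hit = [n for n in cascade(dependents, failed) if n in orgs]  # vendors in the closure are not orgs
    by_sector, by_region = defaultdict(int), defaultdict(int)
    for n in hit:
        by_sector[orgs[n][0]] += 1
        by_region[orgs[n][1]] += 1
    return {"orgs": len(hit), "share": len(hit) / len(orgs),
            "sectors": dict(by_sector), "regions": dict(by_region)}

def aggregation_points(observations, dependents):
    """Rank every vendor node by how many organizations its failure would take down."""
    ranked = [(v, impact_profile(observations, dependents, v)["orgs"]) for v in dependents]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))
```

In this constructed sample the shared upstream `cloud-x` is the top aggregation point even though no organization depends on it directly, which is the kind of hidden concentration the talk argues only a transitive dependency graph exposes.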

For insurers, regulators, and corporate risk officers, this approach promises more accurate pricing, targeted underwriting controls, and a clearer path to proactive mitigation. It also offers a framework for public‑policy makers to prioritize interventions that close the systemic protection gap, ultimately strengthening the resilience of the digital economy.

Original Description

Policymakers and risk owners face significant challenges in managing systemic cyber risk, largely because few tools use empirical data to accurately identify and quantify it. But that data is essential to (1) identify vendors and technologies that require targeted measures, (2) track how systemic cyber threats evolve compared to non-cyber risk, and (3) assess the effectiveness of targeted interventions. Traditional approaches rely on backward-looking models or hypothetical scenarios—methods that can't keep pace with today's fast-moving, complex digital infrastructure. What's needed are real-time, data-driven insights that empower decision-makers to take meaningful action.
We address this gap by leveraging internet-scale scanning to build a dynamic, empirical map of concentration risk—showing how systemic vulnerabilities spread across networks, technologies, and vendors. In a first-of-its-kind live demonstration, we will unveil a new risk visualization platform that highlights how risk concentrates within and across sectors, including those supporting critical national functions.
Our findings challenge conventional wisdom. Many assumed sources of systemic risk have limited real-world impact, while some overlooked technologies (e.g., large industry-specific white label SaaS vendors) carry significant potential for cascading failures across society. Drawing from real-world examples in sectors such as financial services and manufacturing, we demonstrate how this platform—and the dynamic models behind it—can support more informed, data-driven policy interventions. Participants will leave with a clearer understanding of the systemic risk landscape, as well as actionable insights for developing smarter, more resilient national cyber strategies.
Participants will be able to:
- Define the Unseen: Understand systemic cyber risk in the real world—down to specific technologies, vendors, and interdependencies in the digital supply chain.
- Track, Quantify, Predict: Monitor how cyber threats evolve, compare risk levels across sectors, and assess impact alongside traditional risk categories.
- Test What Works: Evaluate potential policy interventions using dynamic, empirical models grounded in real infrastructure data—not theoretical scenarios.
By:
Morgan Hervé-Mignucci | Head of ERM Analytics, Coalition, Inc.
Presentation Materials Available at:
