Wednesday, June 22, 2016

The Unexpected Strategic Benefits of Cyber Insurance

James McFarlin

Managing any organization's cybersecurity risk in today's environment of rampant cybercrime has become a critical management responsibility in organizations of all sizes.

Organizations that have recently experienced major losses from cybercrime include the IRS (700,000 tax returns), Anthem Healthcare (100 million+ health records), and even the NY Federal Reserve, which had $81,000,000 stolen from its customer's accounts in February.

According to the US Chamber of Commerce, businesses with fewer than 100 employees experience 71% of all cybercrime attacks. This is due to the relative ease of breaching organizations that often do not invest in cyber defenses and employee training.

Ransomware, the current cybercrime method of choice, is up ten-fold in the first quarter of 2016 over the 2015 period. Recent ransomware targets include hospitals such as Hollywood Presbyterian in Los Angeles, city governments and even police departments.

Protection comes with a cost. But the consequences from a breach or scam can be vastly greater and can place the viability of the business in jeopardy.

For perspective on this topic, I turned to cybersecurity insurance expert Roberta Anderson, partner and head of the cybersecurity practice in the Pittsburgh office of the global law firm K&L Gates.

"Recovery from data breaches is a time-intensive, distracting and resource-consuming process that impacts not only the operation of the organization but potentially its relationships with customers, suppliers and financial partners.

"Every organization has its crown information jewels, whether it be customer data, financial records, or proprietary business tools. These must be protected. Seeking to limit their losses following attacks, many organizations are investigating cyber insurance as a means to help them recover and to maintain financial viability.

"Cybersecurity is becoming increasingly recognized as more of a management and organizational cultural issue than a technology issue. The four words that cause cyber vulnerability more than anything else are 'Cybersecurity is IT's problem.'"

Clearly, cybersecurity events will happen. What is essential is to plan for them so they do not take you down if they occur.

Ms. Anderson added, "One of the true values of evaluating cyber insurance is that it causes the organization to look at cybersecurity practices, network protections, data backup and employee training - which in turn actually reduces their risks because of the increased awareness and planning. Management ends up with a roadmap for improved cyber security. This alone is worth the cost of the insurance."

Smaller firms, she emphasized, should sit down with their insurance agent, look beyond their general liability policies and evaluate cyber coverage: "The risks of not providing financial cushion from cyber intrusions are simply too high for most small organizations to deal with successfully."

The net-net of the conversation with Ms. Anderson: "Those with cyber insurance benefit from both a greater peace of mind and improved cybersecurity practices. These are gifts most do not expect but which many receive."

Tuesday, May 10, 2016

Cyberwarfare Goes Mainstream

James D McFarlin

After years of operating in the shadows, cyber weapons are making their presence known in conflicts across the globe.

An NSA-provided map of the United States depicts more than 600 cyberattacks from China over the past five years, making the nation look like a well-hit target from the shooting range.

On December 23, 2015, presumably Russian-led cyberattacks against Ukraine's electric grid took out power to 230,000 citizens in the dead of winter.

The U.S. Navy is concerned enough about China's aggressive moves in the South China Sea to resume training its sailors in navigation using the sextant after a 25-year absence, all in case Chinese-led cyberattacks disable shipboard digital navigation systems.

What is going on here?

Offensive cyberweapons have become increasingly recognized as a must-have capability for protecting and advancing national interests. The result, according to a recent report in The Wall Street Journal, is a "near-frantic and destabilizing global digital arms race" with more than two dozen countries actively building their cyber caches.

Iran's cyber strategies are of particular concern. Whether it be the destruction of some 30,000 Saudi Arabia national oil company computers, which came close to bringing the organization to collapse, the continuing attacks against U.S. banking online networks or, most recently, the breaching of the Bowman Avenue Dam in New York, Iran makes little secret of its cyber reach or ambitions.

As stated recently in the Financial Times, Iran's cyber capabilities have matured from just one more option in their toolkit to a strategic military capability for projecting power. Iran, the article states, is "poised to do something with cyber that will change the way the world looks at it."

How are these escalating global cybersecurity risks going to play out? We don't know. But we do know there is little sense of urgency and even less tangible U.S. strategy to deal with such imminent threats.

In recent U.S. Senate testimony, asked if he were concerned enough about potential cyber grid attacks to categorize them as acts of war, Lt. Gen. Vincent Stewart replied that if the military had a "much fuller definition of the range of threats in cyberspace it could then begin thinking (emphasis mine) about such consequences."

Homeland Security secretary Jeh Johnson stated his lack of concern when quoted in Ted Koppel's book "Lights Out" as saying that he just doesn't believe such (cyber) attacks will happen.

With this level of denial in full force, the next depiction of attacks against the United States may well be that of a tattered, empty shell, hollowed out from sea to shining sea.

Thursday, April 21, 2016

A New Paradigm in Cybersecurity

James McFarlin

The vast majority of networks and applications powering American businesses, government agencies and military services are aging legacy systems in which security was not a primary design criterion - perhaps not a criterion at all.

The massive worldwide growth of the Internet, and the security risks which accompany this global net, mean that we are now paying the price for this design omission.

Cybersecurity for these legacy systems is largely 'bolted on,' an arrangement which provides security ranging from marginally adequate to nonexistent - think the massive Office of Personnel Management (OPM) personnel information misappropriation and Sony Pictures Entertainment theft, system destruction and threats of extortion.

But technology is not the only force in cyber secure operations. Misdirected or absent executive oversight is a major factor. A recent study, The Accountability Gap: Cybersecurity and Building a Culture of Responsibility, found that while chief information security officers are spending more time in front of boards, information exchange is too often truncated by both the lack of cyber knowledge among board members and the communication ineffectiveness on the part of the technical officers.

The study found the "inability of technical officers to quantify and convey the actual impact of a breach," which limits its importance to the C-suite executives making decisions on cybersecurity budgets and staffing.

Accountancy and consulting firm Deloitte believes the issue to be even deeper. With cybersecurity now affecting virtually all aspects of the organization, "increased focus must be given to addressing a cultural change in the organization." In this new paradigm, "An integrated risk philosophy is mandatory, where cyber risk management and technology must be on an equal footing."

Some organizations, however, have begun to define cybersecurity as a risk management function, thus forcing cyber risks to be viewed in business terms. For many, this is a major transformation which will not come easily.

How long will such alterations take? Cultural change is difficult. But the reality of today's world means cyber breaches will deliver not only financial costs, but risks in customer retention, potential damage to reputation, brands, and in some cases, interruption of business operations.

Viewed this way, implementing a mindset which incorporates a paradigm shift in organization thinking has become essential and, increasingly, urgent.

A recent cybersecurity assessment from accountancy EY placed the issue in perspective, advising that, in cybersecurity, "High alert must be your constant state."

Monday, November 16, 2015

Paris Attacks Tighten US Cyber Options

James McFarlin

The drums of war are sounding closer.

The barbaric ISIS Paris attacks of November 13th, preceded by the bombings in Lebanon and the takedown of the Russian airliner over Egypt, on top of more than 770 reported ISIS terrorist attacks from 2013 to the present, are the latest acts aimed at destabilizing and ultimately destroying Western civilization.

More attacks are coming. A US security official remarked today that Paris was certainly "not the only action in the ISIS pipeline." In confirmation of that belief, a video released by Islamic State threatens attacks against Germany, London, Washington DC and other US cities.

America faces threats from 'lone wolf' Islamic extremists and - coming soon - threats from attackers arriving in the waves of Syrian refugees scheduled to hit the nation's shores.

But such threats are dwarfed by the potential damage and massive loss of life from cyberattacks against US power and other critical national infrastructure targets.

There is a growing consensus that ISIS cyber threats to the US are increasing and becoming more immediate. Admiral Michael Rogers, director of the National Security Agency and US Cyber Command, believes such attacks are "much more a matter of 'when' rather than 'if' during his time in command."

ISIS has been widely recognized for its social media prowess in recruiting, radicalization, training and fundraising. But those actions are just the beginning. John Cohen, a former counter-terrorism coordinator at the Department of Homeland Security, believes that "It is only a matter of time until we start seeing ISIS-type organizations using cyber warfare techniques in a more expanded way."

And with America's near-total dependence on computer networks, it has much more at risk than many other nations, and certainly more than extremist groups, which have little to lose.

What is the US to do to deter such actions? Based on the success of cyberattacks throughout the breadth of America's institutions, from banks and retailers to defense contractors and government agencies, it is evident that existing cyber defense capabilities are not adequately effective.

In a sign of recognition that defensive measures must be supplanted or supported by more aggressive tactics, the US has recently accelerated its move toward increasing its offensive cyber weapons capabilities.

But more than a battle of technologies, cyber defenses are evolving into a battle of wills. With the exception of its Stuxnet computer virus targeting Iran's nuclear program, the US has been reluctant to deploy offensive cyber weapons, citing the possibility of such actions triggering counterattacks.

During such indecision, the risks mount. And for America's future, they are huge. Let's hope it does not take a cyber-9/11 attack to trigger America's resolve to deploy offensive cyber weapons to prevent what can be a major calamity.

Wednesday, October 21, 2015

Smaller Businesses Under Increasing Cyberattack

The latest data breach investigations study by Verizon showed that 71% of breaches occurred in businesses with fewer than 100 employees.

Ensuring data security for smaller firms is increasingly a game of 'risk and consequences.' Cyber criminals want personal and financial data and will strike when they want and how they want to get it. The most common consequences for small firms are financial loss, customer disruption and extensive recovery efforts.

Cybercriminals will take customer or financial records, donor or client information and proprietary business information critical to the success of the business.

Their goal may be schemes such as data theft, extorting payment for returning a computing network to a working state or submitting fake invoices for payment.

The question for many businesses is what to do about these threats. Turning the problem over to IT does not solve the problem. Cybersecurity is a team sport involving technicians, management and employees.

The largest proportion of data breaches occurs because employees are either not following established data security procedures or lack such procedures to follow. Both of these vulnerabilities are addressable.

Steps as basic as providing employee training can limit cyber risks substantially. Excellent training courses are available via the Homeland Security website, where vendors such as SANS Institute offer their products.

Training will not be enough to tame cybersecurity exposure unless security becomes part of the culture of the organization, i.e., "This is how we do business."

Risk and consequences. Limit the former or expect the latter.

Saturday, July 18, 2015

Cyberattacks Have Consequences

James McFarlin

Whether it involves the Office of Personnel Management, the IRS or Department of the Navy, few days go by without news of new cyberattacks against the United States.

Perhaps because there are few examples, little is said about the consequences to the assailants from such attacks.

The Preface of "Aftershock, A Novel" previews a possible scenario of consequences which occur at the highest levels when cyberattack response spins out of control. In today's ever-present cyber-threat environment, this description is worth reading, particularly the foreshadowing presented in the final paragraph. An adaptation:

The early rays of the weak winter sun have yet to seep through the dense morning fog as the first attacks strike San Francisco.

     Power is the first to go, stilling electrical equipment and draping the city in a carpet of darkness. Electric Muni buses stall in the streets. Lacking control signals with which to operate, Southern Pacific trains sit motionless on their tracks. The Bank of America tower, Transamerica Pyramid and other skyscrapers hang over the city like shadowed spires, towering monuments from an age past.

     Attempts to use smart phones yield only the wailing cadence of circuits-busy signals. Land lines, cable and Internet transmissions have vanished as though they never existed, reducing television and computer screens to blank, darkened slates of glass. Only battery-powered devices cling on to their electronic lives, although without connection. It is a world where Internet connections no longer exist.

     Anxious residents cluster in small groups in the streets outside their homes, hands stuffed in jacket pockets for warmth. As to whether they had experienced an earthquake - they thought not. Nor were there claims of having heard explosions. Many clutch laptops, iPads and smart phones, anxiously searching for answers. But answers were not to come.

     The absence of sound envelops them like a cloak. Conversations turn from nervous banter to speculation, whispers of possibilities, but to no result except to feed a spreading dread of events imagined but not known, growing fears felt but not spoken.

     Residents toss personal belongings into their vehicles and rush to leave the city, only to find bridges and arteries out of San Francisco barricaded by armed squads of National Guardsmen. 

     Growing anxieties are fueled by the sounds of military helicopters and accompanying drones clawing their way over the city like massive birds of prey. Something big, something bad, is happening in the City by the Bay.

     As residents recoil from the shock of the morning's events, 3,000 miles away in the nation's capital an aftershock of infinitely greater magnitude threatens to trigger massive worldwide repercussions in the days to come.

Monday, July 6, 2015

Exploring America's Lack of Cyber Strategy

James McFarlin

The emperor's clothes are coming off. A series of high-profile cyberattacks against government agencies is blasting open the true seriousness of the internal weaknesses behind America's lack of cyber preparedness.

And the world is watching the undressing. Articles and commentary, from traditional print media to professional journals and blogs, are increasingly critical of not only America's cyber weaknesses but its lack of seriousness in addressing the issue.

The recent Wall Street Journal article "We're Losing the Cyber War" addresses years of Obama administration passivity in the face of repeated digital attacks. The Office of Personnel Management attack, in which 18 million or more federal employee employment records, including security clearances, were lost, is a case in point. While the data loss is calamitous in its own right, the lack of responsibility shown by the agency's management can only be viewed as arrogant.

OPM director Katherine Archuleta, in a Senate hearing investigating this loss, stated "I don't believe anyone is personally responsible. If there is anyone to blame it is the perpetrators." This display of self-defiance was offered with a straight face in spite of the fact that the OPM Inspector General's office had warned the agency for more than three years of its widespread cyber defense weakness, warnings that largely went unheeded.

Perhaps feeling pressured by this attack as well as network breaches in the Internal Revenue Service, Department of State, US Army, and others, the White House then issued a directive for agencies to plug their gaping holes in cybersecurity. A 30-day "cyber sprint" was initiated, where agencies were ordered to shore up their defenses. This in spite of the fact that they had largely failed to do so for years.

At least two thoughts come to mind here. The first is the absolute naivete of this exercise, which has been described as everything from a smokescreen to hype to a Hail Mary. The second: Where have these priorities been? House Oversight and Government Reform Committee Chairman Jason Chaffetz (R-Utah) stated "The cyber race started fifteen years ago," and that this action was "coming too late" to be effective.

We face a serious national security threat from the cyber realm. When will this be taken seriously? Lee Hamilton, co-author of the 9/11 Commission Report, perhaps stated our problem best. In an update to that report issued on September 11, 2014, he said: "One of the problems in 9/11 was the lack of imagination of the terrorist threat facing us. Let's not make that same mistake in the cyber realm."

Seems as though we did that undressing some time ago.