The “Big Boys” Market – Ransomware Insurance

 

The Underwriter's New Suit

In the 3 June FT, Ian Smith had an article Cyber Premiums Jump in Face of Acute Threats.

Two quotes from the article and my reactions.

Surge in attacks prompts vigilant insurers to question clients closely about culture, attitude to security and training.

And 

Nor are insurers simply jacking up prices. They are also becoming more vigilant about controls at the companies to which they sell cover.

A big “shout out” for the use of “vigilant”.

The clear implication is that many, perhaps most, have been asleep at the switch.

If you’ve been following my “Big Boy” series of posts, you know I like to puncture the unwarranted myth of the imaginary “sophisticated” investor.

In that vein let’s reflect on Ian’s article using my own personal experience.

When I went to take out an insurance policy on Chez Arqala, my insurance company asked a raft of questions.

• About smoke detectors, their locations, and presence of fire extinguishers and other such equipment.

• I was also asked if we have a home security system, whether in addition to intrusion detection it also had a fire detection capability. Was it set to ring up the authorities? Who were the providers of the home security system?

• Did it have a back-up battery in case of power disruption?

• How far we were from the nearest fire station?

• Whether we stored any flammable or dangerous materials in the house.

• Other than the little people who live with Madame Arqala and me we were clean on that score.

No questions about culture, though. 

I guess he could tell just by looking at me. Or perhaps at Madame Arqala.

The decision to “write” the policy and the premium depended on our answers to those questions as well as our post code.

It boggles the mind that insurance companies writing cover multiples of that provided our house wouldn’t be asking similar questions for cyber cover.

And come to think of it, quite a lot more.

Apparently, they were not doing this.

Now to be fair, the general “take” on insurance underwriting standards is that only life insurance consistently makes a profit.

With other “lines” irrational exuberance and shoddy standards lead to highly cyclical swings in profits.

So much for the “big boys” of insurance. 

At least they are not an outlier among the "big boys"

Colonial Pipeline: Why Do Cyber Attacks Keep Succeeding? Answer in Picture Below

 

The news media is full of reports on the Colonial Pipeline ransomware attack. 

This isn't the first case of cybersecurity failure by a business. 

Sadly it's not likely to be the last until something is done.

Why do events like this happen?

The simple answer is that companies fail to take the necessary steps to protect critical infrastructure despite warnings.

Here’s a February 2020 alert from the US’s Cybersecurity and Infrastructure Security Agency to pipeline operators.

That warning describes:

1. the nature of the attack, tools used -- apparently an “off the rack” hacking program

2. the results of the attack

3. 19 mitigation steps -- many of which are "common sense" 

The unnamed company in this case, did not think that its BCP need include cybersecurity.

If you look at the attack results, you’ll see that the vulnerability was Microsoft software.

As my elder and wiser brother has remarked more times than I care to hear:

There is no need to worry about “microchips” in medicines. Microsoft has never developed a product that works flawlessly.

If you look at the CISA alert for Colonial Pipeline, guess what you will find?

Significant repetition from the alert above given some 15 months earlier.

And as above a lot of these recommended steps seem fairly easy to implement.

So what causes the failure to prepare?

Management and organization incompetence is no doubt responsible in some cases.

But on its website, Colonial Pipeline states that it is “Committed to Excellence”.

It is a private company reportedly owned by Shell, Koch Industries, KKR with a Korean pension fund, and several other pension funds and financial firms.

You would expect that it has first class management.

And the financial, technical, and human resources to take appropriate measures. 

It was quite a profitable enterprise based on its 1Q2019 financials.

It has demonstrated security “awareness” in other areas.

CP’s website has a “captcha gate" to keep out undesirables. I was, however, allowed entrance after performing a few Turing tests.

I don’t know whether this is a new feature installed after the ransomware attack (closing the proverbial barn door) or has been there for a long time.

Even stricter is the security for access to investor information.

You have to submit a request to CP’s Investor Relations Department with personal details and a justification of your need to know.

And they note they just might refuse your request!

Talk about cybersecurity! 

At least with respect to financial and corporate information.

Because the ransomware attack was successful, one might infer that similar security measures were not in place to protect pipeline operations.

Improving cybersecurity requires expenditure.

Sometimes management are unwilling to spend the money.

So what is to be done?

Repeated failures in cybersecurity suggest that faith in companies properly managing their affairs is more often than not misplaced.

As well, the invisible hand of the market appears to not only be invisible but also consistently absent in these cases. 

If Hometown Deli in New Jersey is shut down by a cyber attack, it’s one thing.

If a major pipeline is shut down, it’s another.

In one case it causes inconvenience. 

In the other it harms national security.

In the latter case -- a failure of the market -- the prudent approach is strict regulation along with substantial fines and other penalties.

If a critical infrastructure company cannot figure out on its own that cybersecurity is critical,  a statute will make it a requirement and penalize a company financially and otherwise, e.g, revoke its license to operate critical infrastructure, if it fails to develop and implement one.

Related post here.

A Timely Reinforcement of Points from My Post on SolarWinds

Funny I always thought it was ἀνάμνησις. 
At least that's what I remember.

 

A while back I wrote about the underlying factors that make hacking “events” like SolarWinds possible and weaken information security. If you missed that “gem”, you’ll find it here.

Part of that post dealt with the risks posed by companies with offices in “risky” foreign countries that 

1. might expose them to local government pressure to disclose information;
2. allow local employees—whether pressured or not and one would expect the pressure a local government could exert on its citizens would probably extend to more than a concern for profit—to engage in activities that breached security of information; or
3. provide a local access point for those foreign governments or other malign actors in those countries to penetrate the companies’ security systems and access information without inside co-operation.

In last Wednesday’s FT, Tom Mitchell wrote about the US Department of Justice’s complaint against a PRC national resident in the PRC and formerly employed by Zoom.

Before going further, it’s important to note that at this point the DoJ has only made allegations against the individual as stated in its press release.

The charges in the complaint are allegations, and the defendant is presumed innocent unless and until proven guilty. If convicted of both charged conspiracies, Jin faces a maximum sentence of ten years in prison.

Two other points to note:

1. Companies are subject to the laws of the jurisdictions in which they operate, particularly, where they have offices.
2. The complaint does not allege hacking or surveillance of other than residents of the PRC.

You can read the DoJ press release here.

Here is the accompanying statement by an FBI Special Agent as part of the request for an arrest warrant. The “bits” about the “rectification plan” and involvement of the former employee and other officers of the company are quite “interesting”.

And to round out the picture, Zoom’s perspective on the DoJ complaint.

I think the lessons here are clear. 

On a corporate level, if you are concerned—as well you should—about the security of your corporate information and communications, or if you are worried about the security of your own internal systems: 

1. it’s a wise idea to avoid dealing with companies that have offices in jurisdictions of “risk”
2. in that regard you cannot rely only on the registration or domicile of the company but have to look deeper into shareholding, management as well as location of its network of offices. Not every company in the USA is pure as the driven snow. Nor every company in Switzerland.

On a personal level, if you are using the services of a company with exposure in a jurisdiction of risk, and are concerned about human rights, including your own, it may be equally a wise idea not to use that provider. 

Equally, you might be well advised to inquire whether the provider of a free service/app routinely sells the personal information, contacts, location history, or other aspects of its customers’ life to others. 

There are no truly “free” services, just like there is no free lunch.

It is probably not a good idea to rely on the kindness or conscience of strangers, particularly those focused on their own profitability.

SolarWinds - What's Behind Events Like This?

Not Every Server Needs to Be Connected to the Internet

See additional comments here.

There's a lot in the press about the SolarWinds breach.

What's largely missing from the discussion is a hard look at why events like this happen.

It is more than the fact that there are "hackers" out there. Some very sophisticated. 

What I want to explore are two factors—that are in the control of those being hacked—and that I believe facilitate hacking.

Note I am not saying that curing these will stop all hacking. Any more than locking your door or installing an alarm system will stop all burglars.

But I think it will reduce the damage done.

Largely these factors are a matter of mindset: 

1. responsibility "shifting" associated with outsourcing
2. the private sector's focus on profit maximization.

To the first point, responsibility "shifting" or perhaps more accurately "abandonment"

When services are outsourced, often the responsibility for managing the risks associated with the outsourced "bits" appears to be outsourced as well.

No doubt some checks are performed on the service provider's procedures and controls leading to the granting of access to the outsourcer's systems. Probably the same sort of box-ticking that goes on with AML efforts.

Or in some other way an entity is allowed to use the company's systems based on some determination that the provider is a "trusted" counterparty.

Here I'm thinking of the self-described "secure" portals for the distribution of "safe" apps for smartphones. Or other similar "portals" for PCs.

In the first case, the outsourcer doesn't seem to place redundant controls on its systems to monitor and supervise the service provider's access. Or control the volume of information that is allowed to exit its systems.

Nor apparently does the "portal" check each app it distributes for malware. Admittedly with the number of apps on these platforms that would be quite a task.

What I think underpins a great deal of this reliance on third parties to do there job is the unwarranted belief that the operation of the "free" market results in companies delivering the best products at the most competitive costs. 

Third party suppliers or creators of apps will make sure their security is ironclad—as much as that is possible—because if they fail, a competitor who is more secure and cheaper will displace them.

I also suspect that most governmental customers believe the even greater myth that the private sector is inherently more capable, innovative, and flexible than they are.

Not only will private sector "George" do it, but he will do it perfectly.

Side Comment: There's a lot of focus these days on this or that conspiracy theory or other material misinformation. Of which there seem to be quite a lot floating around.

You don't hear anything about the economic theory on which the assumptions regarding the "free" market and superiority of the private sector are based. A theory whose main proof is a tautological set of assumptions and assertions not related to what has gone on in the past, goes on now, and will no doubt go on in the future in the real world.

Yet, when compared to some of this other rubbish, it is very likely, a more damaging piece of material mis-information than the more discussed others.

Some examples of pathologies.

Example #1 No Due Diligence, Please, They're American 

AA's older and wiser brother relayed to me a recent conversation he had about computer system security.

He noted that the USA firm that his interlocutor used for a key service had a world wide network of staff and offices, including in the Russian Federation and Pakistan.

My brother opined that it was highly likely that employees in those offices had access to the computer network in the USA of the company, and its products and programs. And likely to the confidential information of the interlocutor's entity that was stored with that company.

He noted common perceptions about criminal activity and other security/intelligence risks in those countries.

He also opined that the activities of the interlocutor's entity and the identity of its customers might be of keen interest

He then asked how the interlocutor's company managed these risks.

His clear impression was that none of these risks had been identified much less considered based on the response he received. 

"As a USA company, the service provider is a "trusted counterparty" and is presumed (note that word) to be managing that risk."

As to other due diligence, it seemed to be limited to determining the USA company had the lowest price.  No inquiry into ownership.

Example #2” Sometimes George Doesn’t Do It Even for Himself 

According to recent press reports, Microsoft admitted that the SolarWinds “hackers” had gained access to Microsoft’s source code.

That code is the heart of Microsoft’s products and profitability. 

It would seem that this would be one of the most carefully guarded secrets of all those entrusted to Microsoft’s care.

Probably even more closely guarded than any information they were “safeguarding” for third parties.

Bonus Lesson: So much for the private sector’s presumed superiority over governments. 

Examples #3 Not Every Castle is “ حصن الأبلق “ 

3A ToTok

For some time, both the Apple and Android stores allowed the ToTok chat app to be distribued through their portals because its creators were a "trusted" party.

Some 12 or 13 months ago, the NY Times reported that this app – strangely the only chat app allowed in the UAE—was likely being used by the UAEG to spy on UAE residents, including non citizens.

3B Zoom

Another "trusted" app distributed through self-identified "secure" sites, used at one point by corporations and some governments to conduct confidential meetings due to Covid restrictions on in person meetings. Including HM's PM.

Turns out that at least some of the conversations were routed through servers in the Peoples' Republic of China.

A flaw now "corrected" according to press reports.

To the second point, profit maximization.

Adding to the problem is the private sector's well known focus on profit maximization.

One possible example is the SS7 legacy vulnerability in phone systems that allows "hackers" to track cell phone locations and intercept messages.

Not only to the benefit intelligence services but also of use to common criminals. You can read about it here. 

The SS7 system was implemented some 50 years ago.

The vulnerability has been publicly known since at least 2008.

If AA's arithmetic is correct, that's 12 years. 

During that period, members of the US Congress have raised their august voices in concern. 

The ITU has held meetings. 

The press has reported on repeated use of this vulnerability by foreign governments. Most recently here. 

It has not been fixed.

Why? 

Can you think of a better explanation other than a stubborn reluctance to spend money?