After more than seven months, the Commission on Enhancing National Cybersecurity has finalized its report under the Cybersecurity National Action Plan (CNAP) and is submitting it to President Obama. The Commission, which consists of “top strategic, business and technical thinkers from outside of Government,” according to a recent Politico article, was established as part of Obama’s effort to enhance the nation’s cybersecurity posture. The report is expected to be available to the public soon.
Members of the Commission explained that the report focuses largely on short-term recommendations, favoring “market-based solutions rather than government regulations,” such as incentives and voluntary standards. The objective of CNAP is to enhance the nation’s long-term cybersecurity structure in both the public and private spheres. However, Kiersten Todt, executive director of the Commission, explained that “the urgency of these issues is now. So what we hope is that many of these recommendations will be able to be executed.”
It is unclear how President-elect Donald Trump will handle the executive order and the Commission’s recommendations in the report, but the Commission has stated that a nonpartisan approach has been a key focus. Experts on the matter said that the nonpartisan nature of the executive order could give Trump a “rare opportunity to build on the work of President Obama.” Stanford University cyber researcher and Commission member Herb Lin also explained that “the political environment is very different now than it was before the election,” and that the Commission was “very scrupulous about not compromising the nonpartisan nature of the report.” The Commission consists of both Republican and Democratic representatives.
Trump has emphasized the need for the incoming administration to take a strong stance on hackers while simultaneously building out offensive cyber capabilities. The President-elect has vowed to create a “cyber review team” and change the nation’s stance on cybersecurity in his first 100 days in office, meaning he may choose to start fresh with his own agenda instead of building on Obama’s.
Inside the beltway and around the nation this week there has been no escape from prognostications on what a Trump administration means for every issue imaginable. So we’ll pile on: what about cyber? We at The Council expect cybersecurity to be a significant issue. That may seem obvious, but the Republican platform actually includes a section advocating for “a free market for cyber insurance and makes clear that users have a self-defense right to deal with hackers as they see fit.” While the latter part has many nervous, we could see cybersecurity (and insurance) garner more oxygen than expected in the first 100 days, especially given the highly publicized hacks ahead of the election. On the surface, the President-elect’s cybersecurity stance doesn’t seem to vary much from President Obama’s policies. However, his national-security and law-enforcement-first approach to cybersecurity is different, and Trump will have to strike a delicate balance between business interests and national security.
As we look to our parochial areas of interest, we are well positioned to represent Council members effectively as things heat up on the Hill in 2017. Sen. John Thune is a major cyber player as chairman of the Senate Commerce Committee, and we look forward to continuing to work with him on issues stemming from critical infrastructure cybersecurity. The Council supports a single standard for breach notification, and we believe good legislative opportunities will develop there. Lots to unfold, so stay tuned. We will skip next week because of the holiday but will be back after. On behalf of The Council, we wish everyone a wonderful Thanksgiving.
For years the insurance industry has invested in incentive programs to help reduce risk and prevent claims. For example, health insurers may lower premiums to encourage good lifestyle choices, just as carriers may offer discounts when homeowners install smoke detectors and security systems. A recent Information-Management article explains that these incentives are a win-win for policyholders, who can invest the money they save in a safer home or a healthier lifestyle, and for the insurance company, which sees fewer claims. If discount incentives are proven to reduce risk, an organization with the latest cybersecurity technologies and proper cybersecurity policies should, in theory, be less likely to suffer a cyber-attack or data breach and file a claim.
Although the cyber insurance market is beginning to gain traction, the industry is still young and many organizations are not taking cyber-threats seriously, despite brokers’ encouragement to purchase cyber insurance as a stand-alone policy. While a cybersecurity incentive policy would theoretically reduce cyber-risk, there are several reasons why carriers have been slow to adopt such policies. For one, cyber insurance is not regulated the same way auto and home insurance is – policies vary drastically and prices are not standardized. Additionally, an organization with the best cybersecurity is still susceptible to a breach caused by employee negligence, and there is no easy way for a carrier to verify that an organization is keeping up with best practices over the life of the policy. Nonetheless, as the market matures, discount incentives could serve as a motivation to purchase a cyber policy as well as a way to improve an organization’s cybersecurity posture on the front end.
Data from Privacy Rights Clearinghouse (PRC) shows that state and federal government agencies disclosed 203 data breaches over the past five years. What’s more, those 203 breaches resulted in nearly 47 million stolen, compromised, or exposed records, a figure that excludes breaches where the agency did not disclose the number of compromised records. The number of breaches and exposed records is nonetheless lower than for private companies: PRC data suggest that financial and insurance companies, retailers, and other businesses disclosed 950 breaches accounting for 245 million records. Government breaches often attract more attention, however, because of the significance of the information involved, such as personally identifiable information (PII) and financial information.
While recent data breaches and hacking attempts on government entities have spotlighted growing cybersecurity concerns about Russia, it turns out that Russia has a cybersecurity problem of its own. Kaspersky Lab, an international cybersecurity and anti-virus provider headquartered in Moscow, reports that it blocked more than 73 million attempts to open malicious email attachments in Q3 2016. Among the organizations targeted by phishing, banks led the way, accounting for 27 percent of the attempts. According to the report, the overall number of attempts increased 37 percent compared to the previous quarter. What’s more, the share of spam in global email traffic has also increased dramatically, with roughly six in ten emails being spam. While spam is often just “unwanted advertising … the majority of malicious spam emails during the past quarter contained ransomware, which is yet more proof of the rising epidemic of this type of malware,” said Daria Gudkova, Head of Content Analysis and Research at Kaspersky Lab.
Adm. Michael Rogers, head of the National Security Agency (NSA), recently explained to the Wall Street Journal CEO Council that “uneven” cooperation between the private sector and the government has led to a “literal onslaught” of malicious cyber-attacks from both state-sponsored hackers and cybercriminals across the globe. What’s more, the population of attackers is “so large and so diverse” that cybercriminals are nearly impossible to identify before a hacking attempt is made. Nearly two-thirds of attackers are after personal and financial information for monetary gain, while the rest are said to be state-supported. To assist the government in the fight against cybercrime, Rogers explained that company executives must personally engage in cybersecurity, which cannot be the sole responsibility of IT departments in this day and age. “You need to shape the discussion,” he said. “I don’t pretend that this needs to totally dominate your life, but there is a significant role for you to play.”
In a poll at the CEO conference, just 9 percent of respondents said they would never trust the government with their information during a cyber-attack, 34 percent said they would cooperate only if it was their own company being attacked, and 57 percent would “readily cooperate.” While the government has made recent efforts to increase cyber threat information sharing, particularly through the Cybersecurity Information Sharing Act (CISA) and DHS’ free Automated Indicator Sharing (AIS) capability, private entities have so far been slow to participate. Nonetheless, Rogers told the group of CEOs, “If you want me to defend something, I can’t do it from the outside. I can’t defend something if I don’t have access to the network structure – it’s like fighting with one hand tied behind your back.”
An 18-year-old named Meetkumar Hiteshbhai Desai created malicious code designed to flood public safety answering points (PSAPs), the 911 call centers, with bogus calls, a telephony denial of service. The code was hosted on a web page; iPhones that opened the link repeatedly dialed 911 without the user intending to. As a result, 911 call centers were unable to tell which calls were generated by the code and which were genuine calls for help. The Department of Homeland Security revealed that call centers in up to 12 states were affected before the page was taken down. Desai had shared the link on social media, where it drew nearly 150,000 views prior to the page being shut down. He was arrested on three counts of computer tampering. In a world where social media is the largest platform for communication, Desai’s code highlights the growing ability of malicious code to reach a multitude of hosts in a very short amount of time.
The Lansing Board of Water and Light (BWL) was forced to pay a $25,000 ransom after a cyber-attack held the utility’s main controls hostage. The attack began when an employee unknowingly opened an email that contained the ransomware. While the Michigan-based utility estimated a total of $2.4 million in damage to internal operations and in upgrades to prevent future breaches, all but $500,000 of that sum was covered by insurance. In response, the BWL Board of Commissioners’ Committee agreed unanimously to implement a new information technology communication policy, which hadn’t been updated since 2007.
In what preliminary reports indicate could be one of the biggest breaches of 2016, Friend Finder Networks (FFN) and the six properties operating under its domain, including Adult FriendFinder, have been breached. The breach is attributed to a local file inclusion (LFI) vulnerability and exposed over 412 million user accounts. Most passwords were stored as SHA-1 hashes; SHA-1 is a fast, general-purpose hash function, not encryption and not a purpose-built password hash, so it offers little resistance to modern cracking hardware. Experts are saying that this breach could be worse than the one disclosed at MySpace earlier this year. Consequently, the FFN breach is likely to cause a domino effect of smaller breaches resulting from password reuse and spear-phishing. The breach at FFN underscores the need for organizations to update and modernize their security as the cyber landscape continues to grow and evolve.
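As an added illustration of why the choice of password hash matters (example code written for this page, not code from the original article or from FFN), the following Python runs the same small wordlist attack against a constructed table of plain SHA-1 password hashes and against the same passwords stored with a per-user random salt and PBKDF2-HMAC-SHA256. The user names, passwords, wordlist and iteration count are assumptions made up for the example.

```python
import hashlib
import hmac
import os

# Constructed sample data for this illustration only; not real breached records.
WORDLIST = ["123456", "password", "qwerty", "letmein", "hunter2"]


def sha1_hex(password: str) -> str:
    """The weak scheme: one fast, unsalted SHA-1 over the raw password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted(stored: dict, wordlist: list) -> dict:
    """Hash the wordlist once, then match every stored hash against that table.

    With no salt, the attack costs one hash per word regardless of how many
    users are in the dump, and identical passwords produce identical hashes,
    so one hit recovers every user who chose that password.
    """
    table = {sha1_hex(word): word for word in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


# Hardened scheme: a per-user random salt and a deliberately slow KDF.
# 100_000 iterations is an assumed demo value; tune it to your hardware budget.
ITERATIONS = 100_000


def pbkdf2_hash(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def crack_salted(stored: dict, wordlist: list) -> dict:
    """Same wordlist attack against the hardened records.

    The per-user salt means no lookup table can be shared between users, so
    every user costs up to len(wordlist) guesses, and each guess costs
    ITERATIONS hash computations instead of one.
    """
    found = {}
    for user, record in stored.items():
        for word in wordlist:
            if pbkdf2_verify(word, record):
                found[user] = word
                break
    return found


def hash_calls_needed(n_users: int, n_words: int, salted: bool) -> int:
    """Underlying hash computations a full wordlist attack costs.

    Unsalted fast hash: the wordlist is hashed once for the whole dump.
    Salted slow KDF:    every user, every word, ITERATIONS times each.
    """
    return n_users * n_words * ITERATIONS if salted else n_words


# Two users (alice, dave) chose the same password in both tables.
WEAK_DB = {
    "alice": sha1_hex("password"),
    "bob": sha1_hex("hunter2"),
    "carol": sha1_hex("correct horse battery staple"),
    "dave": sha1_hex("password"),
}
STRONG_DB = {
    "alice": pbkdf2_hash("password"),
    "bob": pbkdf2_hash("hunter2"),
    "carol": pbkdf2_hash("correct horse battery staple"),
    "dave": pbkdf2_hash("password"),
}


if __name__ == "__main__":
    print("unsalted SHA-1 cracked:", crack_unsalted(WEAK_DB, WORDLIST))
    print("salted PBKDF2 cracked: ", crack_salted(STRONG_DB, WORDLIST))
    print("same password, same SHA-1 record?  ", WEAK_DB["alice"] == WEAK_DB["dave"])
    print("same password, same PBKDF2 record? ", STRONG_DB["alice"] == STRONG_DB["dave"])
    print("hash calls for 4 users x 5 words: unsalted =", hash_calls_needed(4, 5, False),
          "salted =", hash_calls_needed(4, 5, True))
```

Both tables fall to the same five-word list because the sample passwords are deliberately weak, but the cost profiles differ: the SHA-1 table is cracked with five hash computations in total, and it reveals that alice and dave share a password before any cracking starts, whereas the PBKDF2 records hide that fact and charge the attacker ITERATIONS computations per guess per user. A slow, salted KDF does not rescue weak passwords; it raises the price of every account in the dump, which is what the “too weak” judgment above is about.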
Over the past several weeks, we have seen a spike in Distributed Denial of Service (DDoS) attacks across the globe. Kaspersky Lab, an international cybersecurity provider based in Moscow, has confirmed that five of Russia’s largest banks, including Sberbank, have been experiencing persistent DDoS attacks over the past several days. At their peak, the attacks reached more than 660,000 requests per second, according to Kaspersky Lab. Experts believe that the attackers carried out these attacks using a botnet of compromised Internet of Things (IoT) devices, similar to the recent DDoS attack on Dynamic Network Services Inc. (Dyn) in the United States. While the origins of the attacks are unknown, some speculate that they were motivated by anger over Russian involvement in the U.S. elections. Against this backdrop, the Online Trust Alliance (OTA) has produced a framework for a kite mark standard for securing IoT devices. While this DDoS attack on Russian banks was just one of 68 this year, experts say it is one of the largest they have ever seen.