Last week, Congressman Ed Perlmutter (D-CO) introduced the first bill in Congress pertaining to cyber insurance, The Data Breach Insurance Act (H.R. 6032). This legislation would give organizations that purchase cyber insurance coverage and adopt the NIST Cybersecurity Framework a tax credit equal to 15 percent of their cyber insurance premiums. This “two-prong approach” will ideally strengthen companies’ cybersecurity defenses on the front end, as well as help them recover from a cyber incident.
Additionally, the tax credit will help offset some of the costs associated with adopting the NIST Cybersecurity Framework: risk assessments, hardware/software upgrades, employee education and vendor testing, according to a recent press release. “With the adoption of a cybersecurity framework preventing breaches on the front end and insurance to protect businesses on the back end, this legislation provides a two-pronged approach helping businesses take the necessary steps to address this growing threat,” explained Perlmutter. The full text of H.R. 6032 can be found here.
In other news, the House passed a bill on Wednesday that would allow Small-Business Development Centers (SMBCs) to assist small businesses on cybersecurity matters. The Improving Small Business Cyber Security Act (H.R. 5064) will help close the cyber “expertise gap” that small businesses face and will address the assertion that cybersecurity laws pertain to, and unfairly assist, larger businesses.
The bill was sponsored by Richard Hanna (NY-22) of the House Small Business Committee; under the bill, SMBCs would take on the role of increasing the number of cybersecurity programs they offer. While Govtrack gives this bill a 36 percent chance of being enacted, President Barack Obama’s recent pressure to push focus on cybersecurity might help this bill become a reality. It is also important to note that the Department of Homeland Security (DHS) found that 31 percent of all cyber-attacks target small businesses. Nonetheless, 59 percent of SMEs still do not have a data breach response plan – a problem H.R. 5064 hopes to tackle.
The Federal Bureau of Investigation (FBI) recently issued a PSA asking ransomware victims to support the fight against ransomware through “reporting ransomware incidents regardless of outcome.” Ideally, this will allow law enforcement to better understand the growing number of ransomware threats, initiate ransomware investigations and contribute insight to ongoing ransomware cases. With more information regarding ransomware victims, the PSA explains, the FBI can work with law enforcement to determine who cybercriminals tend to target and who is behind the attacks.
In the first few months of 2016, the number of ransomware cases increased exponentially – one version of ransomware supposedly compromised an estimated 100,000 computers a day. However, it has been a challenge for the FBI to fully understand the scope of the problem, as many cases go unreported. The document also provides defensive strategies for individuals and businesses to follow and makes it clear that the FBI recommends never paying a ransom, for a variety of reasons: there is no guarantee the victim will ultimately regain their data, and paying would provide an incentive to launch more attacks. To report an incident, the FBI asks victims to contact their local FBI office or file a complaint with the Internet Crime Complaint Center at www.IC3.gov. The FBI explains that the following information can be useful when investigating ransomware cases:
- Date of Infection
- Ransomware Variant
- Victim Company Information
- How the Infection Occurred
- Requested Ransom Amount
- Actor’s Bitcoin Wallet Address
- Ransom Amount Paid
- Overall Losses Associated with a Ransomware Infection
- Victim Impact Statement
Tom Ridge, former secretary of the Department of Homeland Security (DHS), was a recent cybersecurity panelist at the Concordia Summit in New York. While first mentioning the recent incidents in New York and New Jersey, he also explained that “Notwithstanding the pain and horror associated with a physical attack, the potential for physical, human and psychic impact with a cyber-attack, I think, is far more serious.” And it is not only hacker groups with financial motives: now we see countries hacking one another as an “element of national power,” said retired U.S. Army General Keith Alexander, “not only to collect information but to hit other countries. It’s continued and will continue to grow.”
In order to combat cybercrime, the panel agreed that better information sharing is pivotal, particularly between government departments, as well as between the government and the private sector. Reginald Brothers, Homeland Security’s undersecretary for science and technology, particularly stressed the urgency of better information-sharing. Taking points from all three panelists: cyber-attacks are worsening, they are coming from all over the world and from all types of actors, and if we want to successfully combat cybercrime, the private sector must join forces with the government.
On Tuesday, Center-Forward, a non-partisan organization seeking to advance centrist positions in D.C., hosted a panel titled Cybersecurity: A Critical Conversation to address the cyber landscape in Washington, D.C. The panelists included Andy Ozment, Assistant Secretary for Cybersecurity and Communications at DHS; Christopher Krebs, Director of Cybersecurity Policy at Microsoft; and Andy York, Executive Director of Federal Affairs at GM.
Ozment of DHS explained that while they often “help people fight fires,” they have been placing much emphasis on prevention as well and strive to assist three “customers”: the private sector, state/local/tribal governments and federal civilian government branches, through risk assessment, better information-sharing and incident response assistance. As for the effectiveness of CISA – the Cyber Information Sharing Act – it is still too soon to tell. DHS just issued its final guidelines, something private organizations have been waiting on before participating in the program.
Krebs of Microsoft discussed the shortage of talent in cyberspace. He explained that we must train the younger generation in computer science and cybersecurity starting at a very early age. He also expressed the need for the public and private spheres to get along. While they are currently at odds regarding key issues such as encryption and information-sharing, progress will not be made if we cannot work together. Krebs also predicts that as we enter a new election cycle, we will see encryption resurface as a top issue. This issue, he explained, is not security versus privacy; it is security versus security, with different views on what constitutes best cybersecurity practice.
Lastly, GM’s York discussed the ongoing legislative debate regarding interconnected and autonomous vehicles, explaining that legislative action should not hinder our technological advances. One thing they could all agree on is that the next administration should not “re-litigate” cybersecurity issues that have been advanced in the Obama administration. While each administration has its own way of doing things, we should continue to address the current challenges and keep in mind the progress of the last 18 months.
The leaked NSA hacking tools are reportedly now being used against Cisco customers, according to a recently published advisory. The NSA has relied on software flaws to penetrate the computers of foreign targets. While security experts have recommended that the agency disclose these bugs to the affected companies, several of the hacking tools were accessed by cybercriminals and put on the internet for all to see. Unfortunately, Cisco found that some of its vulnerabilities were being exploited against its customers. In the advisory, the company announced, “Cisco Product Security Incident Response Team (PSIRT) is aware of exploitation of the vulnerability for some Cisco customers who are running the affected platforms.”
“It’s not if but when your data will be breached,” claims Rick Hindmand, a healthcare attorney and IT expert. With more than 100 million healthcare records compromised in 2015 and 11 million patient records stolen in June 2016 alone, Hindmand’s statement has become more relevant than ever, and should cause big and small healthcare providers alike to take heed of cyber-security insurance.
The advantages of cyber insurance extend beyond the mere cost coverage. “The insurance company will typically have a panel of attorneys, and you can usually choose from several,” Hindmand explained. “They also have forensic experts that they work with who have experience working with just these kinds of issues.” As an added incentive for organizations to be vigilant of protocols and security, the insurance firm is only likely to pay a claim if due diligence can be demonstrated.
The reality is that cyberterrorism and ransomware against the health industry are increasing and cyber insurance can significantly reduce the financial, emotional and time burden caused by data breaches.
On Thursday, Yahoo Inc. disclosed a security breach that occurred in late 2014, affecting at least 500 million of its one billion users. It is postulated that the cybercrime was carried out by a “state-sponsored actor.” Stolen account information includes names, dates of birth, email addresses, telephone numbers and encrypted and unencrypted security questions and answers. While further investigation by law enforcement is still being carried out, Yahoo states that the current prognosis does not indicate that there has been theft of payment data, bank account information or unprotected passwords.
This news occurs at an exceptionally sensitive time for Yahoo, as the $4.8 billion acquisition by Verizon Communications Inc. is projected to close by early 2017. Verizon provided a statement claiming that they were notified of the security breach within the last two days but still have “limited information and understanding of the impact.” As of now, Verizon “will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities.”
Riley & Co. analyst Sameet Sinha believes that the incident is unlikely to affect the Yahoo-Verizon deal, since “data breaches have become part of doing business” nowadays. He goes on to cite Microsoft Corp’s $26.2 billion buyout of LinkedIn in June, following LinkedIn’s May breach disclosure, as an example. In terms of the stock market, Yahoo shares rose by 0.8 percent to $44.49 in afternoon trading, while shares of Verizon increased 0.9 percent to $52.35.
A recent report from the U.S. Government Accountability Office (GAO), presented to the President’s Commission on Enhancing National Cybersecurity, revealed that the number of “cyber incidents reported by federal agencies jumped more than 1,300 percent, from 5,503 to 77,183, over the 10 years through fiscal 2015,” according to a recent Washington Post article. The GAO first put the security of federal information on its “high-risk” list in 1997, but the problem has grown exponentially since then. “Over the last several years, we have made about 2,500 recommendations to agencies aimed at improving their implementation of information security controls,” explained Gregory Wilshusen, GAO’s director of information security issues. “These recommendations identify actions for agencies to take in protecting their information and systems.”
While the public sector lags far behind in cybersecurity, especially compared to the financial industry, in the last 18 months President Obama and his administration have ramped up their focus on cybersecurity by establishing the Cybersecurity National Action Plan (CNAP) as well as the President’s Commission on Enhancing National Cybersecurity. Industry experts have reiterated that regardless of who wins the presidential election, the next administration should focus on continuing these efforts, not re-litigating them.
Digital security firm Gemalto found that data breaches have increased 15 percent in the first half of 2016, compared to the previous six months, according to its latest Breach Level Index study. The U.S. leads the world in the highest number of breaches with 728 occurring every second. The UK was cited as having the second highest volume, with an average of only 61. Additionally, the global healthcare sector was the most sought after, accounting for 27 percent of all breaches. While the healthcare sector was only responsible for five percent of total compromised records, governments lost the majority – 57 percent – of all compromised records.
Contrary to the prevalent eye-catching headlines naming foreign cyberterrorism as one of today’s biggest security concerns, the reality is that companies are most vulnerable from the inside. IBM found, in its 2016 Cyber Security Intelligence Index, that 60 percent of all attacks were carried out by insiders, with three-quarters of those attacks involving malicious intent and one-quarter involving inadvertent circumstances.
While industries may vary in the value and volume of their assets, and in the technological security systems used to defend those assets, the common factor across all sectors is people: the trusted employees with access to company intelligence. With people involved, human error by unwitting insiders will always be a major factor in breaches; a prime example is an IT admin whose full access to company infrastructure can turn a small mistake into a costly fiasco. On the other hand, there are trusted employees with malicious intent, who will steal intelligence to sell to competitors or to settle a personal vendetta against the company. Lastly, there is the espionage factor: the ability of expert cybercriminals to hijack an employee’s identity and system through malware or phishing attacks.
Even with the advancement of artificial intelligence, managers need to be more vigilant and focus their security efforts where they obtain the greatest return on protection. A simple but tactical solution is to place the strongest defenses and the most frequent monitoring on the business’ most valuable data and assets. Such basic security tactics must not be taken for granted. The human factor can also be used as an advantage. Since people are creatures of habit, applying deep analytics and AI can determine each employee’s respective patterns and flag the security system when deviations in behavior arise. In particular, greater vigilance should be placed on key insiders with access to critical assets, such as IT admins, executives and at-risk employees.
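The behavioral-baseline idea above (learn each employee's habits, then flag deviations) can be demonstrated without any machine-learning library. The following Python block is an added example, not code from the article or from IBM; it assumes a hypothetical log format of one event per line (`timestamp user=... action=... [count=...]`) and uses constructed sample data. It builds a per-user baseline of usual login hours and daily file-read volume from a history window, then scores a new day's events against it. The one edge case worth handling is a user whose history is nearly constant: a zero standard deviation would make any tiny change an alert, so a minimum spread is enforced.

```python
import math
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical log line format assumed for this example (not from the article).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)(?: count=(?P<count>\d+))?$"
)

# Constructed baseline history: two users over four working days.
BASELINE_LOGS = """
2016-09-12T09:02:11 user=alice action=login
2016-09-12T09:30:00 user=alice action=file_read count=40
2016-09-13T08:58:40 user=alice action=login
2016-09-13T10:00:00 user=alice action=file_read count=45
2016-09-14T09:05:02 user=alice action=login
2016-09-14T11:00:00 user=alice action=file_read count=38
2016-09-15T09:01:19 user=alice action=login
2016-09-15T12:00:00 user=alice action=file_read count=42
2016-09-12T07:45:00 user=dana action=login
2016-09-12T08:00:00 user=dana action=file_read count=120
2016-09-13T07:50:00 user=dana action=login
2016-09-13T08:00:00 user=dana action=file_read count=130
2016-09-14T08:10:00 user=dana action=login
2016-09-14T09:00:00 user=dana action=file_read count=110
2016-09-15T07:55:00 user=dana action=login
2016-09-15T09:00:00 user=dana action=file_read count=125
"""

# Constructed events for the day under review: an admin account active at
# 02:00 pulling far more files than usual, plus a user with no history at all.
NEW_DAY_LOGS = """
2016-09-20T09:03:00 user=alice action=login
2016-09-20T10:00:00 user=alice action=file_read count=44
2016-09-20T02:14:00 user=dana action=login
2016-09-20T02:20:00 user=dana action=file_read count=900
2016-09-20T03:00:00 user=eve action=login
"""


def parse_events(text):
    """Parse log lines into (timestamp, user, action, count) tuples; skip malformed lines."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
        count = int(m.group("count")) if m.group("count") else 0
        events.append((ts, m.group("user"), m.group("action"), count))
    return events


def build_baselines(events):
    """Per user: the set of login hours seen, plus mean/std of daily file_read totals."""
    hours = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for ts, user, action, count in events:
        if action == "login":
            hours[user].add(ts.hour)
        elif action == "file_read":
            daily[user][ts.date()] += count
    baselines = {}
    for user in set(hours) | set(daily):
        totals = list(daily[user].values())
        mean = sum(totals) / len(totals) if totals else 0.0
        var = sum((t - mean) ** 2 for t in totals) / len(totals) if totals else 0.0
        baselines[user] = {"hours": hours[user], "mean": mean, "std": math.sqrt(var)}
    return baselines


def detect_anomalies(baselines, events, sigma=3.0, min_spread=5.0):
    """Return (user, reason) alerts: unknown users, off-hours logins, volume spikes."""
    alerts = []
    daily = defaultdict(lambda: defaultdict(int))
    for ts, user, action, count in events:
        base = baselines.get(user)
        if base is None:
            alerts.append((user, "no baseline for user"))
            continue
        if action == "login" and ts.hour not in base["hours"]:
            alerts.append((user, f"login at unusual hour {ts.hour:02d}"))
        elif action == "file_read":
            daily[user][ts.date()] += count
    for user, days in daily.items():
        base = baselines[user]
        # Floor the spread so a near-constant history does not alert on trivial changes.
        threshold = base["mean"] + sigma * max(base["std"], min_spread)
        for day, total in days.items():
            if total > threshold:
                alerts.append((user, f"file_read volume {total} on {day} exceeds {threshold:.0f}"))
    return alerts


def run_example():
    baselines = build_baselines(parse_events(BASELINE_LOGS))
    return detect_anomalies(baselines, parse_events(NEW_DAY_LOGS))


if __name__ == "__main__":
    for user, reason in run_example():
        print(f"ALERT {user}: {reason}")
```

Run as a script, the block reports three alerts (dana's off-hours login, the unknown user eve, and dana's file-read spike) and nothing for alice, whose day matched her history. The same structure scales to real sources by swapping `parse_events` for the organization's log format and widening the baseline features, which is exactly where the "key insiders" emphasis belongs: tighter thresholds for admin and executive accounts.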