Large global corporations are unwittingly caught in the middle of a Global Conflict, as nation states battle it out in the domains of information, cybersecurity, and finance. Cybercrime in 2018 generated over $1.5T in profits globally, and individual cyber attacks like the 2017 NotPetya attack can cause over $10B in losses alone. With the special counsel investigating Russian interference in the 2016 US presidential election indicting 12 Russian intelligence officers, organisations of all size must assume a conflict environment and accelerate the maturity of their security posture.
See the full white-paper.
Acts of war and leaked nation state attack tools
The night before the Ukrainian Constitution Day on July 27, 2017, a major global cyber attack was underway in Eastern Europe. Later dubbed NotPetya, the hack caused more than $10B in damages globally, according to a White House assessment. At least 80% of all infections were in Ukraine, and the US, UK, and Australian governments all publicly blamed Russia. Not only is it hypothesised that a nation state actor was behind the attack, but the variant of Petya used in this attack took advantage of leaked NSA tools, an increasingly common phenomenon as nations leverage the work of other nation states and cybercrime groups. Mondelez (the parent company of Nabisco and Oreo), suffered a loss totalling over $100M, which Zurich Insurance denied coverage based on an exclusion in the policy for hostile or warlike action by a sovereign power. In fact, as it stands today, many insurance policies exclude coverage for incidents caused by hostile or terrorist activity because insurers don’t feel confident or can’t calculate a premium commensurate to the risk.
On July 27, 2016, Trump said: “I will tell you this, Russia: If you’re listening, I hope you’re able to find the 30,000 emails that are missing, I think you will probably be rewarded mightily by our press.” On the same day, Russian hackers first tried to break into Mrs. Clinton’s personal servers. In 2018, the special counsel investigating Russian interference in the 2016 election indicted 12 Russian intelligence officers in the targeting and hacking of more than 300 Democratic National Committee members. From phishing attacks, to monitoring and data theft, to money laundering, to attempts to break into state elections boards, Russian operatives engaged in a wide-ranging and strategic attack informed by live election details.
In late 2016, a group called The Shadow Brokers announced that they were able to acquire hacking tools from the National Security Agency including several zero-day exploits. After a few rounds of auctions and incremental releases, in April 2017, they released the most damaging set of cyber weapons yet. Experts warned that "This puts a powerful nation state-level attack tool in the hands of anyone who wants to download it to start targeting servers." The freely available powerful attack tools, combined with anonymous ransom payments enabled by cryptocurrency, permitted less sophisticated actors to build powerful ransomware leading to the famous WannaCry outbreak.
This conflict environment has created an always-breached context
On the one side you have powerful leaked nation state attack tools lowering the bar for attacker motivation. On the other side you have the decomposition and disintegration of the perimeter with SaaS apps, Cloud, Mobile, and so on. Increases in spending on security don’t seem to be slowing losses, showing that we can't just tactically spend our way to more resilient security postures. According to Gartner, corporates spent $114B on cybersecurity in 2018, up 12% from 2017, and should spend $124B in 2019, up another 9%. At the same time, it’s estimated that cybercrime generated over $1.5 trillion in profits in 2018, primarily from illegal markets, IP theft, and data theft. In the first quarter of 2018, there were 210 million fraudulent attacks, up 62% from the first quarter of 2017.
With the tools like the aforementioned leaks having blurred the lines between the small scale cybercrime operation and the most powerful countries’ actors, the largest and most interesting targets like Google and Facebook are breached more or less continuously. Assuming that the attacker is already in is the right state of mind for a modern-day CISO. As the saying goes: there are two types of companies: those who have been hacked, and those who don’t know they’ve been hacked.
Cyber maturity through organisation design and empirical operations
Given where we are today, we need to take a more holistic approach to cyber security. The most important part of your security risk management strategy is your people. It’s important to have a competent CISO and the FFIEC states "The CISO should be an enterprise-wide risk manager rather than a production resource devoted to IT operations." For a small company, the CIO might also be the CISO or might outsource the CISO role to a consulting company.
Once you have great people, the next item of business is to run an empirical operation and make data-driven decisions. Measure security posture against some standard framework (CIS20, NIST) as a reasonable baseline, but be aware of its flaws. Implement a thorough company risk gathering process to uncover possible risks hidden in the lowest level of organizational structure. Discuss scenarios and business impact to support an Enterprise Risk Management process. Leverage the ERM process to influence important strategic decisions by identifying and proactively addressing risks and opportunities that protect and create value for stakeholders.
For cyber risks specifically, these decisions can range from investing money and time into security tech and services to maintaining the financial integrity of a company through capital reserving, insurance, financing, etc. Furthermore, ERM is pivotal in an environment of increased regulatory and private scrutiny of corporate risk management processes and where the concept of due care (used as a test of liability for negligence) is an important factor in third-party litigation involving personal data and other breaches.
Cyber risk measurement is a frontier-difficulty heterogeneous modelling problem
We can better assess how to manage cyber risk by investing in organisation design and operations only when we can model the risk to properly insure it. Cyber risk quantification is an incredibly complex and heterogeneous modelling problem mainly due to the lack of pre-incident historical security data, and the lack of loss information available post-incident. The insurance industry has faced a similar risk underwriting problem in the past: natural catastrophe risk -- hurricanes, earthquakes, floods, etc. However, this challenge was eventually resolved by a company called RMS, which developed a hybrid approach, combining statistical models, historical data, engineering, and physical science expertise.
Enter Tower Street. With the cyber security annual spend reaching $120B and $5B on cyber insurance premiums, Tower Street brings a new level of maturity to ongoing security assessment, cyber risk quantification, and financial solutions. To drive the data component of our model we have collected information on over 30,000 unique incidents gathered from 16 different sources and combined them with more than 1,000 historical financial and exposure attributes. However, there is little information on the historical security posture of these companies and losses accrued after these incidents. To deal with this issue, one must utilize hybrid models where one part of the model can be empirical, and the other is filled using expert estimations, simulations, etc. This resulted in a fully Bayesian model bootstrapped using state-of-the-art expert elicitation methodology for both losses and security posture. As more data will be gathered through the inside-out assessments, the model will naturally become empirical over time, and the historical evidence will gradually outweigh the expert-initialized variables.
How to Fill Historical Data Gaps with Security and Financial Risk Assessment
The only way to develop a more well-rounded view of security risk is to obtain mission-critical sensitive inside-out data about the business’ financials and security operations. Outside-in data is easy to obtain, but offers a shallow view. Companies like Censys periodically scan all public internet IP addresses for open services and permit data searches. Others (like SecurityScorecard, BitSight) do external vulnerability scans to uncover externally visible vulnerabilities. While this approach may work for small businesses, it is likely not representative of complex corporates using technologies across multiple parameters intended to be misinterpreted as vulnerabilities. Our preliminary experiments on security features obtained from Censys (e.g. ratio of http to https, number of invalid certificates, etc.) combined with our historical breach dataset has shown that outside-in data are weak predictors of future breaches. The inside-out approach gets at much more granular data within the company, but it takes more work to obtain. To streamline this effort, we leverage tools and data already in use (internal vulnerability scanners, etc.) and partnerships with other vendors to i) identify sensitive data and business impact of breaches on various company revenue streams, and ii) evaluate the protective measures via a standardized security framework (CIS, NIST, ISO). The inside-out approach also helps to extract attack artifacts for use in collaborative defense.
The accurate estimation of financial losses due to cyber incidents remains problematic for both data-based and expert-based approaches. Existing datasets managed by Advisen and Ponemon aren’t comprehensive; Advisen misses many breaches not disclosed on sources they track, and Ponemon only includes breaches of smaller sizes (ranging from approx. 2,600 to 100,000 compromised records), and therefore isn’t an advisable source for enterprise risks. On the opposite side of the spectrum lie the purely expert-driven approaches, such as the Factor Analysis of Information Risk (FAIR) framework, which rely almost solely on expert-driven estimates that lack industry specifics and sufficiently narrow loss forms to be accurate. We have created a ‘loss event graph’ that maps the chain of events leading to losses on a per-industry basis; that graph contains 50+ potential losses that can incur due to a cyber attack, and allows us to make maximum use of available information from the data-based and expert-based approaches.
Cyber apocalypse: correlated and accumulated risk
Insurers, in particular reinsurers, worry about how to model correlated risk -- both in terms of pricing individual policies, and in terms of modelling the accumulation of risk at the portfolio level. The uncertainty that the financial community has around what kinds of correlated risk events are reasonably conceivable from a technical perspective seems to create a fear of doomsday scenarios. Attacks like WannaCry and NotPetya only serve to reinforce those fears. WannaCry cost upwards of $4 billion globally. A few months later, NotPetya cost organisations $10 billion in revenue. In separate studies by Lloyd’s of London and Cambridge Centre for Risk Studies, estimated damages from a coordinated global cyberattack could be in the range of $100B or more.
Availability of sophisticated nation state quality attack tools changes the threat landscape by creating a wider range of attacker motivations and access to powerful tools that can inflict serious financial losses. Corporates are caught in the middle of a conflict environment, which looks a lot like how the Anti-Money Laundering landscape has evolved in banking, with corporates taking on a role as first-line screener for the intelligence community under a heavy regulatory mandate. Against this landscape, the only rational move for corporates is to accelerate evidence-based investment in maturing your security risk posture. Come get started with a single click at Tower Street.
I recommend the following sequence of actions:
Assess your security organisation and how to design it.
Conduct a rigorous assessment of your security risk (as measured by a data-drive gap analysis of your security controls) mapped to your business assets and cash flows. A security Governance Risk and Compliance (GRC) firm can help with this. You can also get started with a single click at Tower Street.
Set strategy for investment in security technology and services to bridge gaps in your controls.
Transfer residual risk to the insurance market once you reach a target level of maturity.
See the full white-paper.