Cyberterrorism: Infinite Risk, Infinite Exposure
It’s no longer a secret. For a number of years, the Chinese military have been initiating cyber attacks against US companies. Mandiant Corp., an Alexandria, VA computer security firm, recently confirmed that they traced thousands of cyber attacks against 141 US companies to a specific 12-story office building in the financial district of Shanghai, which houses a Chinese military unit.
The report says this particular military unit stole “technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreement and emails and contact lists” from more than 20 US industries. While there wasn’t specific evidence linking the attacks to destruction of American infrastructure per se, the report concluded that the unit stole potentially sensitive data from electric utilities and chemical companies that would allow the Chinese to manipulate critical American infrastructure such as power grids and other utilities. According to Mandiant Security Director Richard Bejtlich, “by virtue of the access that they have, they could cause some damage. They wouldn’t even have to do it on purpose.”
Cyber attacks against government agencies and businesses worldwide are on the rise. While China and Russia are singled out as the biggest state-sponsored actors, Iran’s cyber capabilities have also increased in depth and complexity. Iran’s military recently claimed that it brought down an American drone by hacking into the drone’s guidance systems.
America’s infrastructure is the most vulnerable to these attacks. In 2012, the energy sector accounted for 41% of the 198 cyber incidents tracked by the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). One incident, a “spear-phishing” campaign against 23 gas pipeline companies, managed to compromise the systems of two companies and collected data that would allow the attacker to gain remote control over the systems. Other incidents included water and public utilities.
The second major target is financial institutions. Non-state actors such as hacker groups like Anonymous and LulzSec have been carrying out consistent campaigns of denial of service (DoS) and website defacements, including intrusions into NASDAQ and the International Monetary Fund.
In September and October 2012, an Islamic terrorist group (Izz ad-Din al-Qassam Cyber Fighters associated with Hamas) launched widespread denial of service attacks against a group of banks including the websites of J.P. Morgan Chase, Bank of America, U.S. Bancorp, PNC Financial Services and SunTrust Banks. Their stated motive at the time was to protest distribution of an anti-Islamic video, but the attacks have continued. The group launched more attacks in December 2012, and has continued their attacks well into 2013.
What’s in a word? Hacktivism, Cyber Attacks, Cyber Threats or … Cyber Terrorism?
Even the US government doesn’t agree on a single definition for cyber terrorism. Barry Collin, a senior research fellow at the Institute for Security and Intelligence in California, created the term “cyber terrorism” in 1997, defining it as the convergence of cybernetics and terrorism. In the same year Mark Pollitt, a special agent for the FBI, offered his working definition: “Cyber terrorism is the premeditated, politically-motivated attack against information, computer systems, computer programs, and data which result in violence against noncombatant targets by sub-national groups or clandestine agents.”
Should state-sponsored attacks such as those attributed to the Chinese military or Iran’s military attack on an American drone be considered cyber attacks or cyber terrorism? What about the Islamist Cyber Fighters attacks on the American financial system? Are those attacks cyber extortion, hacktivism, cyber attacks or cyber terrorism? And, more importantly, who decides when an act of cyber terrorism has occurred? And, even further, if an event is declared an act of cyber terrorism, what are the political and/or economic repercussions of such an action either by a government authority or other “trusted source”?
Over the past decade, tough regulations about disclosing exposure to security risks and incidents of data breaches have been put in place and are now on the books in nearly all 50 US states. For the first time, the US Securities and Exchange Commission issued guidance on public companies’ disclosure of their cyber security risks. The SEC guidance states that corporate executives must apply the same diligence and disclosure to cyber security risks that they apply when giving the investment community a heads-up on any other operational risk facing their company.
According to intelligence community officials, cyber threats will one day surpass the danger of terrorism to the US. James Clapper, director of national intelligence, says that cyber security is already at the forefront of national security concerns, along with terrorism, proliferation of weapons and espionage. “In the last year, we observed increased breadth and sophistication of computer network operations by both state and non-state actors,” he said in prepared testimony before Congress. Clapper also said that the greatest challenge is providing timely and actionable warning of attacks. “Attribution remains a difficult technical challenge, but the government is increasingly sharing threat information and the range of cyber security technologies that agencies are implementing to thwart attacks.”
Leon Panetta, former US Defense Secretary, told the Pentagon and American intelligence agencies in October 2012 that the “increase in cyber threats could become as devastating as the September 11, 2001 attacks if they aren’t stopped.” In addition, he noted that “attackers are targeting the computer control systems that operate chemical, electricity and water plants, and those that guide transportation throughout the country.”
Panetta said at that time that the Pentagon is “finalizing the most comprehensive change to our rules of engagement in cyberspace.” These rules of engagement will clarify that “the Pentagon has a responsibility … to defend the DoD’s (Department of Defense) networks … and is prepared to defend the nation and our national interests. Nevertheless, securing cyberspace is not the responsibility of the US military, or even the sole responsibility of the US government. The private sector, government, military and our allies all share the same global infrastructure – and we all share the responsibility to protect it.”
The Pentagon has made progress in sharing information with private companies, expanding a program to share unclassified cyber security information with defense contractors to 64 companies. The Department of Homeland Security is also working on a project to share highly sensitive cyber security information with commercial Internet service providers. However, Panetta has said, “Information sharing alone is not sufficient. Working with the business community, we need to develop baseline standards for our most critical private-sector infrastructure including power plants, water treatment facilities and gas pipelines.”
Congress attempted to pass a cyber-security bill in 2012, but failed after business and privacy groups opposed it. Business groups said the proposed legislation was government overreach; privacy groups feared it might lead to Internet eavesdropping. The measure would have increased information-sharing between private companies and US intelligence agencies. It also established voluntary standards for businesses that control power grids or water treatment plants.
A legal review on the use of America’s growing arsenal of cyber weapons concluded that the President of the United States has the broad power to order a pre-emptive strike if the US detects credible evidence of a major digital attack from abroad, according to officials involved in the review.
That decision prompted the Obama Administration to issue an executive order addressing the cyber risks to industries seen as critical to US infrastructure. The order calls for an inter-agency process to facilitate coordination and guidance of policies designed to “increase the volume, timeliness and quality of cyber threat information shared with US private sector entities in order to help these entities better protect and defend themselves against cyber threats.”
Specifically, the order says that “within 120 days, the attorney general, the secretary of Homeland Security, and the director of National Intelligence must each issue instructions to produce unclassified reports of cyber threats to the US homeland that identify a specific targeted entity.” It also calls for voluntary information sharing between the government and eligible critical infrastructure companies or commercial service providers that offer security services to critical infrastructure. However, participation in the program is voluntary and the entity must be identified as an eligible candidate to participate. The order significantly broadens the scope of entities that can be classified as being “critical infrastructure”.
Following the release of the Mandiant research and the stepped up rhetoric about the threat of cyber attacks on critical US infrastructure, the interest in cyber liability insurance has increased dramatically.
Insurance can play a key role as companies search for better ways to manage and reduce their potential financial losses from cyber attacks. It’s important to know that most traditional insurance products such as property and general liability do not cover claims stemming from cyber events (attacks or terrorism). As a result, the insurance business created a new product - cyber liability insurance - which is designed to respond to cyber perils.
Cyber liability insurance focuses on two types of risk: first-party and third-party risks. First-party coverage includes loss of business income resulting from a data breach, the cost of repairing and restoring computer systems if there is a virus that destroys business software and data, and costs associated with forensic analysis and crisis management to respond to a data breach incident.
Third-party risks such as data breach incidents result from unauthorized access to information or personally identifiable, non-public information like bank account number, credit card numbers or Social Security numbers.
“Cyber liability coverage has greatly evolved since the first products were introduced to the market in the late 90’s,” states John Coletti, XL’s Technology & Cyberliability Underwriting Manager. He added, “The initial products responded to a company’s liability exposure when they moved their retail operations from a brick-and-mortar model to an Internet-based model.” With the passage of breach notification laws, businesses realized they had an uninsured exposure sitting on their balance sheet resulting from the costs required to respond to a breach. This created a meaningful expansion of coverage. Today carriers are asked to reimburse insureds for data breaches and to provide the expertise necessary to handle a breach on an insured’s behalf. Coletti adds, “One thing for certain is that the cyber liability exposures underwriters are looking at today will be substantially different in the future. Regulations and advances in technology such as cloud computing guarantee it.”
Most states have a data breach notification law and there are a number of federal regulations as well as state and federal statutes on this issue. When there is a data breach incident, businesses are required to comply with these laws and regulations – i.e., specifically notifying potential victims of the breach. Third-party insurance covers the financial damages an identity-theft victim might incur from the breach. First-party coverage reimburses the insured for the costs of notifying the individuals whose information was or may have been breached. Some of these policies will even cover the cost of setting up theft monitoring services for the potential victims. Most cyber liability policies will pay the defense costs an insured incurs resulting from an investigation by a regulatory agency. Some may reimburse the insured for fines. Additionally, insurers may provide pre-breach services including network assessment solutions that are customized to meet the insured’s budget.
Emerging products are becoming available to fill many of the gaps in coverage. Some products combine first and third-party coverage for many cyber exposures including those involving privacy, hackers, viruses, network disruptions and online advertising and publications. These specialized coverages go by many different names: cyber liability, network security liability, data breach liability, security and privacy liability, and privacy breach coverage. In addition, specialized suites of policies marketed as cyber security policies offer a variety of protections and services such as business interruption insurance that covers direct losses from being hacked and post-breach responses including hiring forensic experts and the use of credit-monitoring services. But, it should be noted that many of these policies indirectly or specifically exclude cyber terrorism.
One of the latest innovations from insurers is a broadened business interruption trigger that may provide coverage for loss of income if an insured’s system suffers an outage due to a failure of technology or failure of computer security. And, coverage for risks associated with cloud computing is now available for losses suffered from the failure of an insured’s cloud provider.
There is plenty of capacity in the global insurance market, with over 40 insurers offering multinationals protection through network security and risk insurance coverage. Contracts are generally written to provide a year of coverage and limits of up to $400 million an occurrence can be secured through a combination of primary and excess carriers. Premium costs vary greatly and are dependent upon numerous factors: insured’s size, type of business operations, its security and the amount of customer information it keeps on file, and the use of third party vendors to store its data or carry out computer operations. Costs range from $10,000 per million dollars of coverage to $50,000 per million dollars of coverage. Large corporations typically take large retentions in the million dollar range, while a small company would take a retention or deductible. Captives offer another risk transfer option. Today, there are about 25 captives offering network risk insurance, up from approximately 2 to 3 only 3 years ago.
But, what if there were a cyber terrorism event such as an attack on a power grid or an ISP provider? Would the ensuing loss of electricity and/or Internet service be covered under a cyber liability insurance policy? How would the industry or the government aggregate such an event? Who or what agency is responsible for declaring that a cyber attack may be a cyber terrorism event threatening the nation’s infrastructure? How should a business look at cyber terrorism? If your business involves critical US infrastructure, what do you need to do to protect your company, the citizens and the country against a cyber threat?
The insurance industry, like everyone else involved in this critical issue, is still evolving. Insurance companies are continuing to accumulate more actuarial data, based on the loss history of various industries, each corporate customer’s use of technology and the corporation’s own level of security. My advice is to talk to your insurance broker and your insurance carrier about your company’s specific vulnerabilities. If the coverage you need isn’t readily available in today’s market, many insurance companies will tailor the coverage specifically to your needs or the needs of your business and/or customer.
By Thomas Dunbar, Chief Information Risk Officer, XL Group Ltd. Mr. Dunbar is responsible for XL Group’s overall Information Risk Management program, including the company’s information risk and security strategies, tactics, planning, governance, architecture and operations. He is a member of the IT Leadership team, the Operations Risk Committee, and the Data Privacy Committee. He joined XL in 2002 as their first Global CISO.
XL Group is the global brand used by XL Group Ltd’s insurance subsidiaries. In the US, the insurance companies of XL Group Ltd are: Greenwich Insurance Company, Indian Harbor Insurance Company, XL Insurance America, Inc., XL Insurance Company of New York, Inc., XL Select Insurance Company, and XL Specialty Insurance Company. Not all of the insurers do business in all jurisdictions nor is coverage available in all jurisdictions.