Steve Ranger on ZDNet reports on a recent presentation by Microsoft President Brad Smith. Like other tech-saavy observers, Smith worries about a Cyber Arms race that is out of control, and is in favor of doing something about it. See his blog post: “The Need for a Digital Geneva Convention“.
One of the chief criticisms of an international treaty for the control of cyber weapons is that countries simply would not agree to it because there is a risk of lessening nation state power. After all, why would a nation-state agree to limit its own cyber weapons.
Since the Russian Federation is a powerful actor in the cyber realm, it may be useful to examine its national cyber security objectives and then extrapolate to estimate Russia’s positions in any proposed international negotiations.
Figure 1 – Inference of Russian Negotiating Positions in connection with cyber warfare and related information operations.
Much of Russia’s Information Security Doctrine (ДОКТРИНА информационной безопасности Российской Федерации) is defensive in nature. Consequently, the threat recognized by the Russian Federation is the same as in other countries, including those in the European Community and United States.
Financial Crimes and Privacy Cyber Crimes. All countries recognize that financial crimes or stealing of personal information on citizens by hackers are criminal acts. In the Russian Federation, these are recognized also as serious crimes. The practical result is that Russia will be open to negotiations on any international treaty that strengthens law enforcement of international cyber crimes involving theft of money or personal information.
Hacking and Attacks on Cyber Infrastructure. Like in other countries, hacking attacks that are aimed at harming cyber infrastructure are illegal in Russia. Recent reports indicate the Duma (the Russian Congress or Parliament) is considering strong prison sentences for anyone convicted of harming cyber infrastructure through hacking. Again, the practical result is that negotiations that aim to increase international cooperation to combat this type of hacking should be possible between Russia and other nations.
Extradition Treaties. There have been a number of cases in which Russian authorities have wanted a criminal hiding in the West to be handed over, and a number of cases in which criminals located in Russia have been targeted for arrest outside of Russia. For the time being, there is no automatic way to handle extradition. Some countries, such as Israel, simply refuse to extradite their own citizens. We can expect that Russia might be willing to engage in negotiations with a limited purpose of agreeing to extradition arrangements for cyber criminals that are located overseas and yet through their criminal actions inflict harm in Russia. In order to have reciprocity, Russia would need to agree to hand over Russian citizens when they are indicted abroad for cyber crimes.
The general problem with extradition is that each nation handing over its citizens must be confident that the type of justice the person will receive in the receiving country is comparable to the standards found in their own country. For the time being, many countries do not recognized the Russian legal system as having sufficient level of quality to provide credible guarantees. Nevertheless, it might be possible to engage in negotiations, providing there is discussion of a special type of legal protocol for cyber-crimes. This would be a potentially useful area for international legal scholarship and exchange of information. There are many problem, not the least of which is the rules for evidence required for conviction. Nevertheless, until there are such arrangements in place, any extraditions will be handled by nation states on a case-by-case basis.
Information Operations Targeting Russia. In the Russian way of thinking, there is a danger of information operations being conducted by foreign parties against Russia. These are divided into two classes: Class 1 are actions taken inside Russia by organizations that have some connection, usually funding, from non-Russian sources; Class 2 are information operations conducted outside of Russia, even aimed at citizens of other nations, that harm the image of Russia or otherwise sow discord.
Although the Universal Declaration of Human Rights (Всеобщая декларация прав человека) is generally used as a basis for arguing that it is the right of every individual to communicate (even criticize) freely, Russia can plausibly argue that Article 29 ¶2 places limits on communications that disturbs morality, the public order, or general welfare of a nation. The concept of public order (ordre publique) is very broad in nature. The consequence is that Russia has a legal argument. In addition, Article 30 prohibits information and communication that has the effect of destruction of rights and freedoms. As a consequence, Russia has an argument that their broad definition of information threats to Russian sovereignty and public order are legal.
To go even further, it would by extension and analogy be possible to reference the United Nations Charter Articles 41 & 42 which give each nation state an inherent right of self-defense. As such, any nation should be able to defend itself against information operations that are a threat to its sovereignty or public order. The counter-argument to this line of thinking is that when the UN Charter was written, these articles referred specifically to military (kinetic) threats. So since information operations are not kinetic threats, then these self-defense articles do not apply. The counter-counter-argument that can be made is that although these Articles definitely apply to kinetic military operations, the major powers involved in the Second World War (Вели́кая Оте́чественная война́) all were heavily involved in various types of information operations. Therefore, since information operations at the time of the signing of the UN Charter were considered to be an inherent aspect of warfare, we can infer that the United Nations Charter and its inherent right of self-defense for nation states as seen in Articles 41 & 42 are inclusive of information operations.
The implication is that although it might be possible to engage Russia in discussions regarding an international agreement regarding control of information operations, the likelihood of success would be minimal because there is a conflict between the danger of information operations, and the need for freedom of the press. In addition, Russian media channels such as RT and Sputnik might be criticized in Europe or the United States in the same way CNN or Voice of America (VOA) might be criticized in Russia. So the consequences are that Russia would be required to place limitations on the content of RT and Sputnik and all of its foreign media operations in exchange for other nations to do the same. These are unrealistic expectations for either Russia or any other nation to agree to, therefore, we can assess there is a very small chance we will see any successful negotiations on the international control of information operations conducted by nation states or major media channels. An additional complication is that the Internet already provides free access to most of the world’s television channels. (See Free Internet TV.)
Default to National Control. Since we can expect no international agreement to limit or control information operations, the only defensive solution is for nation states to take actions within their own territory to limit the supposedly corrosive influence of foreign information. This is the default position of the People’s Republic of China, and a number of other countries. Russia has not been as strict as China in this regard. The United States may be considering taking steps to limit the information operations of Islamic terrorist organizations such as ISIS (Daesh). This would represent a remarkable departure from a policy of almost 100% freedom of information.
Terrorist Propaganda. Terrorist propaganda has been around for a long time, but the current debate is over control of ISIS (Daesh) propaganda that is being transmitted through various social media channels over the Internet. This may cause asyngnotic networks to emerge and trigger terrorist attacks. (See “The Cyber Intelligence Challenge of Asyngnotic Networks“.) The current trend is for nation states to consider censoring this information. Again, this will be done at the nation-state (default) level of control.
An additional argument that Russia might make in justifying these types of actions is found in Article 41 of the United Nations Charter. Here, the article specifically mentions “means of communications” as something that can be interrupted in order to maintain international peace and security.
Religious Dimension to Information Operations. There are arguments made that there should be no control over religious communications across borders, and that to limit these flows of information is to repress religious rights. The counter-argument is that there is no protection provided in any society for information of any type, even religious information, if it promotes hatred or racism, or incites violence. Therefore, “religious” communications from ISIS (Daesh) can be banned in all countries for public safety reasons. There is no “right” to transmit information that may cause people to become violent and endanger peace and security. No international agreement is needed to allow this type of censorship, as these rights of nation states already are written into treaties and agreements.
International Control of Cyber Espionage. Every nation spies, and every nation knows it. Espionage is information collection and analysis conducted by a nation state as a part of its national defense. Russia has a tradition of cooperating in sharing intelligence information under extremely limited circumstances, and when doing so is mutual, and the entire sharing operation is mutually beneficial. These agreements are made on a bilateral basis, and are not published or registered, so are beyond the scope of this analysis. Since every nation has an inherent right of self-defense, there will never be an international agreement to limit or control espionage, even that conducted via the Internet (“cyber espionage”).
By a Presidential Decree of December 5, 2016, Russia adopted a revised information security doctrine (ДОКТРИНА информационной безопасности Российской Федерации). What can we learn from this document that would anticipate Russian policy positions in international negotiations aimed at getting more cyber security for the world?
(Below is the original Russian. Above is not a translation, but instead is a gloss that summarizes the implications of the Russian doctrine. The pertinent Russian phrases have been underlined.)
II.7. Recognizes that information technology has developed into an international phenomena that is cross-border in nature.
(7. Информационные технологии приобрели глобальный трансграничный характер и стали неотъемлемой частью всех сфер деятельности личности, общества и государства.)
II.8(d). Suggests that the government of Russia desires to work at building an international political-legal framework that will help to stop use of information technology that harm stability and sovereignty. This is expressed as the desire for international agreements that will stop foreigners from using cyber to injure Russia’s “information space”.
((д) содействие формированию системы международной информационной безопасности, направленной на противодействие угрозам использования информационных технологий в целях нарушения стратегической стабильности, на укрепление равноправного стратегического партнерства в области информационной безопасности, а также на защиту суверенитета Российской Федерации в информационном пространстве.)
III.10. The international flow of information into Russia may help terrorists, extremists or other illegal activities. For example, under this way of thinking, the introduction of ISIS (Daesh) propaganda into muslim communities inside Russia is a serious cyber threat.
(Возможности трансграничного оборота информации все чаще используются для достижения геополитических, противоречащих международному праву военно-политических, а также террористических, экстремистских, криминальных и иных противоправных целей в ущерб международной безопасности и стратегической стабильности.)
III.10. There is a threat of information technology being introduced into Russia without having undergone adequate security testing, and without being integrated with the over-all national efforts at cyber security. (The United States does not have any such program.)
(При этом практика внедрения информационных технологий без увязки с обеспечением информационной безопасности существенно повышает вероятность проявления информационных угроз.)
III.12. Covert action by government secret organizations uses cyber for psychological warfare. In Russia, there is a view that human rights organizations (and others) may be secretly funded by foreign governments to weaken Russia. By “weaken” Russian doctrine means “destabilization of the political and social situation”.
(12. Расширяются масштабы использования специальными службами отдельных государств средств оказания информационно-психологического воздействия, направленного на дестабилизацию внутриполитической и социальной ситуации в различных регионах мира и приводящего к подрыву суверенитета и нарушению территориальной целостности других государств. В эту деятельность вовлекаются религиозные, этнические, правозащитные и иные организации, а также отдельные группы граждан, при этом широко используются возможности информационных технологий.)
III.13. Terrorist organizations use cyber to both sabotage Russia’s technical infrastructure, but also to distribute propaganda.
(Различные террористические и экстремистские организации широко используют механизмы информационного воздействия на индивидуальное, групповое и общественное сознание в целях нагнетания межнациональной и социальной напряженности, разжигания этнической и религиозной ненависти либо вражды, пропаганды экстремистской идеологии, а также привлечения к террористической деятельности новых сторонников. Такими организациями в противоправных целях активно создаются средства деструктивного воздействия на объекты критической информационной инфраструктуры.)
III.14. Hacking and computer crime targeting financial assets and private information.
(14. Возрастают масштабы компьютерной преступности, прежде всего в кредитно-финансовой сфере, увеличивается число преступлений, связанных с нарушением конституционных прав и свобод человека и гражданина, в том числе в части, касающейся неприкосновенности частной жизни, личной и семейной тайны, при обработке персональных данных с использованием информационных технологий.)
III.16. Governments of various nations use cyber to (a) attack Russian infrastructure; (b) conduct cyber espionage; (c) influence political and social stability.
(16. Состояние информационной безопасности в области государственной и общественной безопасности характеризуется постоянным повышением сложности, увеличением масштабов и ростом скоординированности компьютерных атак на объекты критической информационной инфраструктуры, усилением разведывательной деятельности иностранных государств в отношении Российской Федерации, а также нарастанием угроз применения информационных технологий в целях нанесения ущерба суверенитету, территориальной целостности, политической и социальной стабильности Российской Федерации.)
III.19. Internet governance is not equitable between nations. This is a threat because it makes it problematical for Russia to work at creating a system of international information security.
( 19. Состояние информационной безопасности в области стратегической стабильности и равноправного стратегического партнерства характеризуется стремлением отдельных государств использовать технологическое превосходство для доминирования в
информационном пространстве. Существующее в настоящее время распределение между странами ресурсов, необходимых для обеспечения безопасного и устойчивого
функционирования сети “Интернет”, не позволяет реализовать совместное справедливое, основанное на принципах доверия управление ими. Отсутствие международно-правовых норм, регулирующих межгосударственные отношения в информационном пространстве, а также механизмов и процедур их применения, учитывающих специфику информационных технологий, затрудняет формирование системы международной информационной безопасности, направленной на достижение стратегической стабильности и равноправного стратегического партнерства.)
Cyber insurance has emerged as a dynamic and growing sector. In the United States alone, it is expected to earn more than $20 billion in premiums by 2020. Almost without exception, cyber insurance is written for individual organizations, usually corporations. There is a growing risk, however, that a giant cyber catastrophe might take place in which the failure of one information system will trigger a chain reaction between firms, leading to a massive systemic breakdown across entire sectors in the economy. If this happens, it will provoke a crisis across the insurance industry, not unlike the effects of the 1906 earthquake in San Francisco.
[These are a set of notes compiled from a recent Infragard meeting. This blog entry is copied from a pdf file, so there may be glitches in the formatting in a few places.]
By 2013, cybercrime had a global impact of more than $3 trillion dollars, making it larger and more profitable than the world’s drug trade.1 In the UK, 55% of businesses have been hacked, and worldwide, 36% report the same. In 2015 there were around 80,000 cyber security incidents and in 2,100 of those cases, significant amounts of data were either lost or compromised.2
The FBI reports 12,000 corporations have been victim to email money transfer scamming, and the costs to business of this fraud alone is $2 billion a year.3 The corporate controller of an established grain trading and storage company Scoular was tricked by fake emails into wiring $17.2 million into an offshore bank account. In January 2015, Xoom was tricked into transferring $30.8 million into an overseas account. Ubiquiti Networks was tricked into transferring out $46.7 million.4 Table 1 on the following page shows a few of the largest hacks.5
These numbers are suspect, because most corporations never report a cyber incident. Most companies have tremendous incentives not to report because of fear their reputation will be damaged. Since these giant dollar amounts are only for those cyber incidents that are reported, they probably represent less than 1 of the actual problem. Most believe the actual number 4 of serious cyber incidents is much larger, even 2-3 times larger.
Ransomware. There are so many different types of cyber attacks, it is difficult to list them all, and any list soon would be obsolete. One new trend is so-called “ransomeware”, which locks of all of your enterprise data, and then demands money to unlock it.6 Ransomeware is becoming more common, and companies thus far have failed to develop any effective way to defend against it. The recent trend is for the extortion payments to be made in Bitcoin,7 an untraceable virtual currency. It appears that 2,453 ransomeware incidents were reported to the FBI in 2015, and about about $24 million was paid out. This is for the United States alone, and this data only mentions what was reported.8 Ransomware is good business. A full set of stolen medical data on an individual can go for up to $50 dollars on the black market. Hollywood Presbyterian Hospital in Los Angeles paid a ransom of $17,000 in bitcoin to get its data back.9 To create a phishing page and mass spam email costs $150 dollars. Good crypto ransomware costs about $2,000 on the dark net. So only eight users need to be caught to make a profit. The Cryptowall ransomware earned more than $18 million in 2014, but again that is what was reported.10
PII. Loss of personally identifiable information (PII) can have serious consequences. In the Ashley Madison breach, the embarrassment caused two suicides. In the breach of the U.S. Office of Personnel Management by a foreign intelligence service, believed to be the People’s Republic of China, the highly detailed information on all persons with a security clearance in the U.S. government was revealed. The national security consequences are incalculable.11
Botnets. Botnets12 have shown the ability to compromise millions of computers in a single attack.13
Some organizations have funded serious research to assess cyber risk. For example, cyber is now part of the formal work of risk managers in the London Stock Exchange Group.14 And the same is echoed in other financial centers around the world.
There are many efforts underway to prepare for major data breaches. Companies recognize they are increasing in frequency, but most data breach preparadness programs often fail to deal with all aspects of a cyber incident.
There is little faith companies will be able to to deal the with consequences of a data breach. Plans on the book are not considered to be effective, and one reason is that they are not regularly reviewed. More training and awareness plans are needed, and top management needs to be more involved.
In many companies, a number of different managers are responsible for management of a data breach including a) the Chief Information Security Officer; b) the Compliance Officer; c) The Head of Business Continuity Management; d) the Chief Information Officer; e) the Chief Risk Officer; f) the Chief Security Officer; sometimes g) the Head of PR and communications; h) the General Counsel; i) the Chief Privacy Officer; or j) Human Resources. Around 1 of companies do not have a person designated to handle a major 4 data breach.15
The reality is that no information system is safe. There simply is not a perfect information system anywhere. For those organizations that wish to invest in penetration testing, the results more or less always are the same — every system is vulnerable. If there is a determined effort, then any system can be broken. And since there is no invulnerable information system, and this fact is combined with the regulatory and litigation costs, it is easy to see how it cyber insurance is a boom market. At least for now.
We can divide operational losses into four classes: a)Intangible;b)Tangible; c) Operational; and d) Litigation.
Intangible. Loss of intellectual property such as a) compromise of patents; b) illegal reproduction of copyrighted matter; or c) theft of trade secrets. These losses can have downstream effects such as competitive displacement (loss of position in the market). There also can be significant compromise of the organization’s reputation. This sometimes can have a disastrous effect on market valuation.16
Tangible. A cyber attack can result in the real loss of goods and services.17 For example, shipment of goods might be diverted, or money might be stolen. In a more serious light, cyber attacks can compromise the physical infrastructure of a building, or other installation, e.g., nuclear power plant, resulting in extraordinary damage.18 Hacking to steal cash is a major criminal activity in cyberspace.19
Operational. Any cyber incident is a traumatic event for IT personnel, and can be a career-ender. Systems must be restored back to working condition. There can be a number of costs for this both direct and indirect including: a) diagnosis and forensic investigation for fault- determination; b) restoration of most recent reliable backup; c) replacement of hardware that has been completely disabled; d) preservation of evidence in case of possible investigation by law enforcement; e) hiring of external consultants and others to help with clean up; and f) lost business during interruption. Post-incident actions can take weeks or even months to be finished completely.
litigation In a 15 month period during 2015 and the end of 2014, in the United States, 240 firms filed data privacy law suits and 70 firms filed data breach suits.[19] Organizations face substantial risk of litigation in several dimensions: a)Federal and State regulatory authorities who seek to impose penalties; and b) Consumers or others who file a class action suit in order to recover damages, or even potential damages; and c) Other third parties (not class of plaintiffs) who are damaged by the cyber incident. The Federal and State penalties vary greatly, but if the maximum allowable amount of penalty if reached, the results can be substantial, and even result in bankruptcy. The damages obtained in a class action suit can be devastating, and even if there is no finding of fault, simply the litigation costs in defending against these suits can be very large.
Table 3 on the next page summarizes a few of the calculations that might be made from a cyber incident for a corporation.20 Which costs are the largest will depend on the particular circumstances of the enterprise. For ex- ample, the loss of personal information such as credit card numbers, social security numbers, or addresses on customers easily can trigger a gigantic class action suit that eventually can results in very large damages.21
There are three dimensions of risk from a legal and regulatory perspective. First, there is a rising threat of class action suits that attack a cyber crime victim must endure; Second, there are a number of enforcement actions at the Federal level and these actions seek to impose substantial fines;22 and Third, similar regulatory issues are found at the state level. See Table 4 on the following page.
In the past ten years, around 543 million records have been lost from over 2,800 data hacks. Approximately $13.3 billion has been lost by consumers in 2010 alone.23
In the 15 month period from the third quarter of 2013 until the third quarter of 2014, 110 class action suits were filed against 25 unique defendants, which means that companies often face multiple class action suits at the same time. Around 80% of class action suits were aimed at retailers who accounted for only 14.5% of data breaches that were publicly reported. Up to 24 different legal theories were used to justify these suits including a) negligence; b) Unfair, Deceptive or Abusive Acts and Practices (UDAP; c) breach of contract; d) problems with data breach notification (required by Federal and State statutes); e) unfairness; f) invasion of privacy; g) unjust enrichment; and others.24
Any organization that sustains a cyber attack may find they must respond to all three risks at the same time. They can be facing a class action suit, a Federal investigation with the threat of fines, and also legal and regulatory action at the state level. Any one of these dimensions of risk can lead to debilitating costs, all three simultaneously can be a catastrophe.
It is interesting to note that Health Insurance Portability and Accountability Act (HIPAA), Fair Debt Collection Practices Act (FDCPA), Electronic Communications Privacy Act (ECPA), Video Privacy Protection Act of 1988 (VPPA), Computer Fraud And Abuse Act Reform (CFAA) and the CAN-SPAM Act of 2003 were the least used theories in these suits.
The term “standard of care” is a legal concept that is used in determining whether or not a party of negligent, and thus subject to tort action. In general, if the defendant can show that they have met a reasonable standard of care, then they are not negligent.25
In a number of FTC actions26 have resulted in settlements with corporations, and these settlements are summarized in a consent decree.27 A common element of these settlements is that the corporation recognizes a duty to establish, implement and maintain a “comprehensive privacy program” that is “reasonably designed” to address risk. This program typically includes a) designation of accountable employees; b) identification of fore- seeable risks; c) design and implementation of “reasonable privacy controls and procedures” to address reasonably foreseeable risks; and d) development and use of “reasonable steps” to retain security vendors.
A problem is that there is no clear path an organization may take to meet the necessary “standard of care”. There are a number of standards that may apply. For example, a) there may be specific laws in place that define clearly how information must be handled — examples are the HIPAA28, GLB29, and SOX30 laws in the United States; b) there may be a number of state laws that determine when a consumers or others must be notified of a cyber incident and how consumers and their information must be protected; c) there are numerous other regulations and guidelines; d) companies can use recognized industry standards; e) or they can adopt best practices that are determined by a community of their peers. In addition, there are recognized cyber security frameworks from organizations such as NIST31 and the ISO.32
Particularly when faced with the threat of a class action suit, many companies fold. Particularly after the legal fight that leads to a class action being “certified”,33 many companies simply give up the fight and settle. Sony settled for $15 million when its PS2 gaming platform network was compromised. St. Joseph Hospital settled for $28 million.34 Many indus- try observers argue settling is a bad idea because it simply invites further litigation.
Liability without negligence. A number of cases both decided and still sub judicae indicate a mixed message regarding potential risk going for- ward. One important trend is the more active role of the U.S. government in extracting penalties from organizations that are hit by cyber attacks. The company gets blamed. How the Federal Trade Commission (FTC) obtained its statutory authority to go after hacked companies is peculiar. In the Wyndham Worldwide case,35 it was ruled that the FTC has authority to regulate a corporation’s cyber security. This is based on the unfairness language in § 5 of the FTC act.36 At first glance it appears somewhat astounding that vague language such as “unfair” and “deceptive” can be used to open up a gigantic regulatory enforcement area in cyber litigation. In other words, a company engages in “unfair” practices when it is hacked. This appears to be blaming the victim.
There are even more surprises. The law in the United States is not settled. There is currently a disagreement between different circuits37 regarding whether or not identity theft is actionable if the plaintiffs are unable to show any harm. See Table 6. In one Federal Trade Commission (FTC) case, the Administrative Law Judge (ALJ) ruled against imposing penalties on a corporation that had been hacked because the FTC had “failed to demonstrate that consumers had suffered concrete injury from two data breaches”. Although it is a fundamental principle of jurisprudence that penalties should not be imposed if there is no demonstration of harm,38 it appears this case is being appealed, and according to experts, the ruling likely will be over-turned.39 If it is overturned, the result will be that companies will risk having large fines and penalties imposed by the FTC even if there is no showing of harm from the data breach they have suffered.
Cyber risk is challenging to understand because it has a trifecta of dimensions. First, it is based on complex technological systems that can be understood only by teams of highly-trained engineers; Second, there are a number of regulatory rules that bring about severe financial penalties for any organization that may suffer from a cyber incident; Third, the sweep-up operational costs that must be endured by a compromised organization can be vast, and have a very long tail. Losses caused by cyber incident can be substantial, but not necessarily easy to calculate. So given the regulatory and technological uncertainty, understanding the fully-loaded risks in this segment of the insurance market is difficult.
This suggest the following conclusions on the regulatory side:
The world’s insurance industry has a track record of reasonable management, stability and growth that occasionally is interrupted by surprise, chaos and near collapse. The explanations for this phenomena of always falling into a risk trap vary. But there are two inter-related phenomena that appear to have transformed the risk landscape for the insurance industry.
Urbanization. The gradual concentration of human activity into gigantic urban centers has compressed into relatively small geographic areas multiple institutions, infrastructures, and persons;
Complexity. This urbanization has been made possible only by stellar advances in technology. But these technologies create a vast web of inter-connections and dependencies between different social and infrastructure systems. And interdependencies can be a platform for a cascade or “chain reaction” of events.
Losses keep getting larger. In 1970 they were only a few billion, but in 2010 there were economic losses of more than $400 billion of which only around $125 billion were insured.40 Nevertheless, during 2015, the insurance industry “has proven to remain functioning and stable in the midst of an often challenging economic and financial environment”.41
The earthquake that destroyed San Francisco in 1906 was a near disaster for the world’s insurance industry. There were hundreds of buildings insured for earthquake coverage. Each owner had a separate policy. Everything was compartmentalized. Like today, residents of San Francisco were prepared for a small tremor once in a while, or even some minor damage. Once in a while owners could expect some damage, but nothing terribly serious. And the insurance policies had been written with this in mind.
But in 1906 the type of event that comes along rarely visited its wrath on that fair city. First, the earthquake was so severe as to collapse both small and medium-sized buildings. Then the earth started to make even larger displacements. San Francisco had invested in much infrastructure. One improvement was the provisioning of natural gas for lighting and heat. But the movement of our earth was too great. The gas mains broke, and it did not take long for fire to break out. Pictures of the time show the horrible scale of the disaster. See Figure 3 on the following page.
Although concrete, bricks, steel and morter were being used in larger structures, the vast majority of buildings were made from the wood found in the generous forests still populating the surrounding countryside. Wood burns. The buildings burned, and burned, and burned. For all practical purposes we can say that most of San Francisco simply burned to the ground. Everything was destroyed, hundreds of dwellings and all their contents. A disaster. One of the great disasters of the century or of all time.
The Call-Chronicle-Examiner newspaper on April 19th, 1906 said it all in its headlines: “Entire City of San Francisco Danger of Being Annihilated”; “Big Business Buildings Already Consumed”; “30,000 Smaller Structures Swept Out and Remainder are Doomed”; “Panic-Stricken People Flee”; “Heartbreaking Scenes at the Pavilion”; “Loss is $200,000,000”; “San Jose is Ruined”; “Earthquake and Fire, San Francisco in Ruins”; “No Hope Left for Safety of Any Buildings”; “Whole City is Ablaze”; “Church of Saint Ignatius is Destroyed”; “Buildings are All Ruined”; “Newspaper Row is Gutted”; “Theaters Ruined”; “Residences Burning”; “Dead in Street”.42
Insurance claims. As the insurance claims started to come in, it quickly became clear that the primary carriers were going to be far over their limit. That is when the reinsurance treaties were activated. The shockwave of liability started to reverberate all the way back along the treaty chain to Munich, and Zurich, and London. The amount of damage was greater than the entire state budget of California.
Something had to be done to limit the liability and reduce the payouts. One of the first responses from the insurance community was to attempt making a distinction between earthquake insurance and fire insurance. Policyholders were told that although their earthquake insurance claims were to be honored, “they were not related to fire insurance, and would not cover damages for fire”. It seems at first the law was on their side in particular Clayburgh v. Agricultural Insurance Company of Watertown, N.Y., and Pacific Heating & Ventilating Company v. Williamsburgh City.
As can be expected, once word got around that the insurance companies were attempting to squelch on their payouts, this caused a public uproar.
The California legislature got involved. Without going into details, we can sum up the situation as follows. It soon became clear that if the involved insurance companies wanted to continue to do business in the United States, then they would have to make the payouts.43
Even though premium rates are “firming”,44 the insurance sector is cautious about cyber. Michel Liès who recently retired from being the chief executive of Swiss Re stated that insurance companies were finding it difficult to understand future claims for cyber.45 Julian Enoizi of Pool Re agrees that a better model is needed to under the business of cyber insurance.The insurance broker Marsh, in the UK, has hired the former head of GCHQ46 (the British NSA) to draft a study of cyber resilience of London’s financial community.47 Nickel [33] created a high-level model of cyber risk: L = F × E × S where L is the total cyber risk losses for an insurance client; F is the frequency or number of attacks per unit of exposure; E is exposure, which interestingly is defined as the number of statt with unencrypted access to customer data; and S severity, which is defined as the average size of loss per attack. These values are surmised using a number of different attack types including a) viruses, worms trojans; b) malware; c) stolen & lost devices; d) botnets; e) web-based attacks; f) phishing & social engineering; g) malicious code; h) malicious insiders; or i) denial of service.
But this type of effort does not consider wider system effects. Major reinsurance companies are working on a Global Earthquake Model (GEM) that examines a number of inter-connected effects with “a unified framework for seismic hazard and risk modeling, data collection, and risk assessment at lo- cal to global scales”. There is no evidence of a Global Cyber-incident Model (GCM) being developed.48
Nevertheless, in spite of these cautions, protection from the cost of the effects of cyber attacks is a new form of insurance. By the end of 2014, there were at least 60 companies offering it.49 It is popular primarily in the United States and in 2016 has a gross premium income of between $2 and $3 billions dollars. This is expected to rise to more than $10 billion by 2020, and this growth in premiums represents a CAGR of more than 40% percent.50 Similar optimistic forecasts ($25 billion by 2025) have been stated by Willis Towers Watson insurance brokers.51 There are warnings, however, that many underwriters are writing premiums for cyber insurance that are “very thin”.52
Apart from caution on the part of providers, there are other barriers to cyber insurance. Many businesses state they “don’t need” coverage. Around a third think they are covered already under other policies. A tenth complain about premiums being too high. And the insurance response may not match needs. Only 18% of policies cover cyber extortion, such as through ransomware. More than half insurers and insurance agencies do not have dedicated cyber risk teams. More than ninety percent of companies offer cyber only as an endorsement on existing policies.53 See Table 7 based on Nickel [33].
Identify exposure. According to AIG,54 the first step in considering cyber insurance is identification of possible exposures. Factors to consider include:
Cyber event scenarios. The compromise of corporate information can arise from either internal or external forces. Internally, your own employees might become involved in theft of information. Card skimming is an example of this type of abuse. There may be instances of negligence, for example, when an employee loses their laptop, smartphone or tablet, which contains sensitive information. And as mentioned earlier, your vendors (considered “internal”), might be the source of a compromise.55 Here a question arises regarding whether or not there is a system of indemnification between your organization and a vendor being relied upon. To determine this, the vendor contracts must be examined. Do not be surprised if the vendor’s contract has excluded the possibility of indemnification.
Externally, the organization faces a number of adversaries including individual hackers, organized crime, and even cyber espionage agents of foreign governments. Much of this activity is concerned with theft of information. Stolen customer or health records can be sold on the black market. Hackers can also send in malware to disrupt system, or to act as hidden agents for later theft of information. In the UK, for example, one satellite TV vendor destroyed the market position of a competitor by breaking their encryption, making it possible for consumers to access the competitor’s signals without paying. But for the most part, viruses and malware do harm, but without any specific benefit to the writer. External hacking can also disrupt a business, and we mentioned elsewhere, ransomware can be used to extort vast sums of money. So considering both internal and external sources of disruption, there are a number of different scenarios that an organization must be prepared for.
Getting insurance for cyber-related business interruption (BI) currently is the strongest driver of increased demand for cyber insurance. Other important coverage drivers of demand include a) Regulatory defense expense; b) Computer fraud; c) Funds transfer fraud; d) Cyber-related contingent business interruption (CBI); e) Cyber extortion; and f) Internet media liability. Insurance carriers sell a) standalone policies; as well as b) endorsement56 policies. Most cyber endorsements are written for Errors & Omissions (E&O). Other endorsements are for a) Other professional; b) Directors and officers liability insurance (D&O); c) Business-owners Policy (BOP); d) Crime; e) General Liability (GL); f) Healthcare medical malpractice; g) Lawyers professional; h) Property; and i) “other”.57
There are two types of cyber insurance coverage available: Third party and first party.
Third party. Third party coverage focuses on covering payments that must be made to third parties in case of a cyber incident. Examples of third parties include government agencies, that may impose fines; individuals who may sue in tort for the downstream effects of a cyber incident or other businesses that might be harmed by a cyber incident the organization is responsible for. A good example is a privacy event in which confidential information leaks out. There is a duty of any organization to protect confidential information, whether it is in printed form or online. Failure in this duty can lead to violation of Federal or state statutes. For example, the loss of credit card information on customers would be a violation of the Payment Card Industry Data Security Standard (PCI DSS). And as discussed elsewhere, a single incident can trigger Federal, State and consumer tort actions all at the same time.
First party. First party coverage is aimed to help the organization that has become a victim of a cyber incident. Depending on what is involved, the potential liability of the aggrieved firm might change drastically. Some of the covered items in this line of insurance might include: a) Consultation costs. Experts might be brought in to examine what has happened. Legal experts may be consulted to understand further the potential liability of the firm, and take a leadership role in crisis management. Legal counsel may well be needed to assess liability and to minimize further potential exposure to risk. b) Forensic experts might be brought in to first determine how the cyber incident occurred, and then to advise on what steps need to be taken to recover and restore the system in a way so that further damage is avoided. c) State mandates may compel the organization to notify all parties of what has happened. Depending on the numbers involved, notification can be a giant exercise, and there are many details to manage, including the precise wording of what to say, so that even further liability is not incurred. d) It may be necessary to put in place ID- or Credit-monitoring. e) Recovery must be had for lost data as systems are restored. This sometimes may mean re- creation of lost data form physical records, if there are any that can be used.
Other possible payouts might be triggered by a) Network interruptions that result in loss of income because the transactions processing capabilities of the firm are temporarily suspended. For some firms in financial services, the transactions/second rate is so great than even a few minutes of pro- cessing. b) Cyber extortion is another area where large payouts might be required.
The insurance situation at this time is an exact parallel to what happened at the turn of the last century in San Francisco. Just as at that time each house and building had purchased a separate policy for earthquake insurance, so today each corporation has purchased a separate policy for its cyber insurance.
And so in the same way that the earthquake in 1906 broke the gas mains and caused a city-wide fire that burnt the city to the ground, a major cyber event will be capable of crossing over from one information system to another, and from one company to another and causing a mega-disaster of unprecedented proportions. Technology observers warn of a “cyber 9/11”.58 But they are not alone, key government leaders familiar with the financial services sector echo the same warning.59
There is little indication that chain-reaction type risks such as those encountered in the great earthquake of San Francisco in 1906 are being accounted for.60
So where does that leave us today? If these observers are correct, it suggests the following:
* Director of Scientific Intelligence, Barraclough NY LLC, 135 East 54th St 4B, New York, N.Y. 10022-4509 USA
1 Source is McCarthy [1] quoting a Europol document EU Serious and Organised Crime Threat Assessment [2].
2 Data is from Verizon, quoted by Ralph [3].
3 Reported by Stern [4] who is quoting a survey taken by PwC.
4 Reported by Scannell [5] which provides details on various clever impersonation techniques used.
5 Adapted from Balkhi [6].
6 Ransomware is a type of malware that restricts access to the infected computer system in some way, and demands that the user pay a ransom to the malware operators to remove the restriction. Some forms of ransomware systematically encrypt files on the system’s hard drive, which become difficult or impossible to decrypt without paying the ransom for the encryption key, while some may simply lock the system and display messages intended to coax the user into paying.
7 Bitcoin is a digital asset and a payment system. The system is peer-to-peer; users can transact directly without an intermediary. Transactions are verified by network nodes and recorded in a public distributed ledger called the block chain. The ledger uses bitcoin as its unit of account. The system works without a central repository or single administrator, which has led the U.S. Treasury to categorize bitcoin as a decentralized virtual currency. (Source: adapted from Wikipedia)
8 Reported by Secureworld [7]. There are also many useful statistics on malware, botnets, Spam, and other problems in a comprehensive OECD document [8].
9 Reported by Ralph [9].
10 Data from Scott and Spaniel [10] at p. 29. See also Kaminska [11] who compares ransomware to a passage in Augustine’s City of God “For what are robberies themselves, but little kingdoms?” (Book IV, Chapter 4.)
11 These government employees were left with no assistance for legal protection against foreign tort and criminal charges, as detailed by Roche [12].
12 A botnet is a number of Internet-connected computers communicating with other similar machines in which components located on networked computers communicate and coordinate their actions by command and control or by passing messages to one another. They have been used many times to send spam email or participate in distributed denial-of-service attacks. The word botnet is a combination of the words robot and network. (Source: Wikipedia)
13 See Messmer [13] who gives examples: a) Zeus, 3.6 million; b) Koobface, 2.9m; c) TidServ, 1.5m; d) Trojan.Fakeavalert, 1.4m;e) TR/Dldr.Agent.JKH, 1.2m;f) Monkif, 520,000; g) Hamweq, 480,000.
14 Reported by Stafford [14].
15 This information is paraphrased from a Ponemon Institue research report [15].
16 In the London financial market, reports of a cyber security problem with a bank had a large enough effect on reputation to lower its stock price enough to allow the bank to be taken over by another. In financial services, the price of shares for a company can be sensitive to cyber-security problems. After all, in banking, reputation for security and reliability is an important part of customer trust.
17 In the Lakisha Pettus case, it was alleged that cyber was used to divert “hundreds of thousands of dollars” of “shipments of luxury goods and jewelry to and from warehouses and stores”. See Vance [16].
18 Gugerli [17] (p. 190) writes that the insurance industry has had a difficult time in assessing the risks of nuclear power. “[I]t was almost impossible to assess their [nuclear power plants] potential risk, because there was (almost) no experience of accidents to fall back on.”
19 One hacking group stole more than $1 billion from 100 banks in a period of two years according to Viebeck [18] quoting Kaspersky Labs.
20 Based on Roche [20], but modified with information from Gerson [21].
21 See, for example, a discussion of the TJX, Inc. case in Bishop [22].
22 According to Batterman [23, p. 6] in the UK, data protection legislation can impose fines of up to £ 500,000. 23 Data is from Romanosky et al. [24]. The consumer loss data is quoting Bureau of Justice Statistics compiled by the U.S. Department of Justice [25].
24 This information is found in a report from Bryan Cave LLP http://www.bryancave.com report [26]. It is interesting to note that Health Insurance Portability and Accountability Act (HIPAA), Fair Debt Collection Practices Act (FDCPA), Electronic Communications Privacy Act (ECPA), Video Privacy Protection Act of 1988 (VPPA), Computer Fraud And Abuse Act Reform (CFAA) and the CAN-SPAM Act of 2003 were the least used theories in these suits.
25 In tort law, the standard of care is the only degree of prudence and caution required of an individual who is under a duty of care. The requirements of the standard are closely dependent on circumstances. In “Baltimore & Ohio R. Co. v. Goodman, 275 U.S. 66”. United States Reports (Supreme Court of the United States) 275: 66. October 31, 1927 it notes that “In an action for negligence, the question of due care is not left to the jury when resolved by a clear standard of conduct which should be laid down by the courts.”
26 There have been more than 70 consent decrees according to S. M. Gerson [21]. Most of the legal and regulatory discussion herein is based on Gerson’s presentation at an Infragard meeting March 21, 2016.
27 A consent decree is an agreement or settlement to resolve a dispute between two parties with- out admission of guilt (in a criminal case) or liability (in a civil case) and most often refers to such a type of settlement in the United States.
28 The Health Insurance Portability and Accountability Act of 1996 (HIPAA; Pub.L. 104–191, 110 Stat. 1936, enacted August 21, 1996) was enacted by the United States Congress and signed by President Bill Clinton in 1996.
29 The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to ex- plain their information-sharing practices to their customers and to safeguard sensitive data.
30 The Sarbanes–Oxley Act of 2002 (Pub.L. 107–204, 116 Stat. 745, enacted July 30, 2002), also known as the “Public Company Accounting Reform and Investor Protection Act” (in the Sen- ate) and “Corporate and Auditing Accountability and Responsibility Act” (in the House) and more commonly called Sarbanes–Oxley, Sarbox or SOX, is a United States federal law that set new or expanded requirements for all U.S. public company boards, management and public accounting firms. There are also a number of provisions of the Act that also apply to privately held companies, for example the willful destruction of evidence to impede a Federal investigation.
31 The National Institute of Standards and Technology (NIST) is an agency of the U.S. Department of Commerce. Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the President issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, in February 2013. The Or- der directed NIST to work with stakeholders to develop a voluntary framework – based on existing standards, guidelines, and practices – for reducing cyber risks to critical infrastructure. See http://www.nist.gov/cyberframework/
32 The International Organization for Standardization (ISO) is an independent, non-governmental international organization with a membership of 162 national standards bodies. Through its members, it brings together experts to share knowledge and develop voluntary, consensus- based, market relevant International Standards that support innovation and provide solutions to global challenges. The Central Secretariat is based in Geneva, Switzerland. See http://www. iso.org
33 Class actions are governed by Rule 23 of the Federal Rules of Civil Procedure. The prerequisites must be met for a class to be certified. “One or more members of a class may sue or be sued as representative parties on behalf of all members only if: (1) the class is so numerous that joinder of all members is impracticable; (2) there are questions of law or fact common to the class; (3) the claims or defenses of the representative parties are typical of the claims or defenses of the class; and (4) the representative parties will fairly and adequately protect the interests of the class.” http://www.law.cornell.edu/rules/frcp/rule_23
34 In re Sony Gaming Networks and Customer Data Security Breach Litigation, and St. Joseph Hospital System of California. Cited by Gerson [21].
35 FTC v. Wyndham Worldwide Corp. Third Circuit.
36 Section 5 of the Federal Trade Commission Act (FTC Act), Ch. 311, §5, 38 Stat. 719, codified at 15 U.S.C. §45(a) prohibits entities from engaging in unfair or deceptive acts or practices in interstate commerce. “(1) Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful. (2) The Commission is hereby empowered and directed to prevent persons, partnerships, or corporations, [except certain specified financial and industrial sectors] from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce.” According to the IT Law Wiki “In the data security context, the Commission has challenged the failure to implement reasonable safeguards to protect the privacy of consumer information, where the failure causes substantial injury without offsetting benefits, as an unfair practice.” See http://itlaw.wikia.com/wiki/Section_5_of_the_FTC_Act.
37 The term “circuit court” refers to different appellate courts in the United States. There are 11 circuits and each circuit covers a number of states in a region. If there is disagreement between rulings in different circuits, then eventually the issue will be decided by the Supreme Court.
38 See comments of Patricia M. Wagner of Epstein Becker & Green, PC [23, p. 11] “In terms of damages related to the plantiffs in the litigation, there should be actual demonstrated harm. Theoretical or potential for harm is not sufficient.”
39 The case is In re LabMD, Inc. Observations are from Gerson [21].
40 See Figure 2 in the Global Reinsurance Forum report [27]. 41 Comments from the International Association of Insurance Supervisors [28] who also note that a) there is increased competition; b) premiums have come under pressure for non-life insurers and reinsurers in the commercial lines, property and catastrophe markets; c) investment yields for (re)insurers have declined slightly; d) there has been a “surge of mergers and acquisitions (M&As); “more than 10 percent of the global reinsurance industry is currently involved in major mergers activity”.
42 The newspaper is digitized by the National Endowment for the Humanities; http:// chroniclingamerica.loc.gov/lccn/sn82015732/issues/.
43 See extensive discussion by James [29].
44 According to Swiss Re [30, p. 14].
45 Quoted by Atkins [31] who noted that reinsurance accounts for 85% of Swiss Re’s revenues. Swiss Re has found that “the premium income was not significant” from cyber and recommended being “massively selective” in choosing which policies to write or treaties to accept.
46 Government Communications Headquarters (UK) http://www.gchq.gov.uk/.
47 Reported by Ralph [32]. One motivator for the move was that in January 2016 HSBC’s personal banking and mobile applications were brought down by a cyber attack, raising questions about the entire sector.
48 See details on the GEM initiative in the report of the Global Reinsurance Forum [27, p. 28]. Perhaps a few cyber earthquakes need to occur before the reinsurance industry begins to study the issue in the same level of depth as they do earthquakes.
49 Higgins [34].
50 Similar data is quoted by Ralph [3]. This also is the source of the information on Pool Re mentioned above.
51 Quoted by Ralph [35].
52 Freeman [36, p. 4], “Insurers wrote layers of major retailers at minimum premiums that now look thin to say the least.” Her analysis contains a detailed look at the Target incident. “The company reported $61 million pretax expenses related to the breach, but expected $44 million in cyber insurance payments against this figure. . . . [it is] estimated that the total exposure to Target could be $450–$500”.
53 Data is from Stubel [37] citing a study from Hanover Research [38].
54 See presentation of Saeed [39].
55 Swiss Re writes “A large insurer typically needs to deal with hundreds of third-party partners across dozens of countries, and the IT systems of these partners can be vulnerable to security breaches.” [30, p. 24].
56 An endorsement is a written document attached to an insurance policy that modifies the policy by changing the coverage afforded under the policy. Insurance endorsements are important additions to an insurance policy.
57 This data comes from a survey done by PartnerRe [40].
58 Naughton [41] who writes “There is another, deeper, fear – that the mysterious botnets that have been assembled by the merchants of malware may one day be used in some co-ordinated way to engineer a massive global event — cyberspace’s equivalent of 9/11, if you will.”
59 See comments of Ben Lawsky, head of the New York Department of Financial Services, quoted by Viebeck [18].
60 See David Gugerli’s discussion [17] of the effects on the insurance industry of the 1906 earthquake.
[1] Thomas McCarthy. Briefing on cyber security. Private briefing for Infragard, March 21 2016. McCarthy is the Principal Security Consultant for Nuix.com nuix.com.
[2] European Policy Office. The eu serious and organised crime threat assessment (socta). Technical report, Europol, The Hague, Netherlands, 2013.
[3] Oliver Ralph. Pool Re should ‘evolve’ to cover cyber attacks and pandemics. Financial Times, February 22 2016.
[4] Stefan Stern. Ceo email scam is wake-up call for boards. Financial Times, March 16 2016.
[5] Kara Scannell. Cyber crime: How companies are hit by email scams. Financial Times, February 24 2016.
[6] Syed Balkhi. 25 biggest cyber attacks in history. List 25 Blog, May 6 2013.
[7] SecureWorld Post. Fbi warns of increasing ransomware attacks. Databreach Today Reports, March 13 2016. https://www. secureworldexpo.com/fbi- warns- increasing- ransomware- attacks.
[8] OECD Working Party on Information Security and Privacy (WPISP). Computer viruses and other malicious software – a threat to the internet economy. Technical report, Organisation for Economic Co- operation and Development, Paris, 2009.
[9] Oliver Ralph. Malicious attacks account for bulk of data loss. Financial Times, March 8 2016.
[10] James Scott and Drew Spaniel. The ICIT ransomware report – 2016 will be the year ransomware holds America hostage. Technical report, Institute for Critical Infrastructure Technology, Washington, D.C., 2016. http://www.icitech.org.
[11] Izabella Kaminska. On the economic power of ransom. Financial Times, March 9 2016. FTAlphaville Blog.
[12] Edward M. Roche. When the intelligence community is exposed – the U.S. must protect its employees from foreign lawsuits. The Washington Times, August 31 2015.
[13] Ellen Messmer. America’s 10 most wanted botnets. Network World, July 22 2009.
[14] Philip Stafford. BoE set to review market risk managers. Financial Times, March 6 2016.
[15] Ponemon Institute LLC. Is your company ready for a big data breach? Second Annual Study on Data Breach Preparedness, September 2014. http://www.experian.com/assets/data-breach/brochures/ 2014- ponemon- 2nd- annual- preparedness.pdf.
[16] Cyrus R. Vance Jr. Lakisha Pettus indicted for intercepting deliveries of designer clothes and products. Press Release from the New York County District Attorney, January 7 2016.
[17] David Gugerli. The Value of Risk: Swiss Re and the History of Reinsurance, chapter Reinsurance Comes into Its Own 1860-1960, pages 147–236. Oxford University Press, Oxford, United Kingdom, first edition, 2013. See pps. 168-171 for details on the San Francisco earthquake of 1906.
[18] Elise Viebeck. Wall street regulator warns of ‘cyber 9/11’. The Hill, February 26 2015.
[19] Scott Flaherty. Cyber litigation: The next big thing? The American Lawyer, January 1 2016.
[20] Edward M. Roche. Internet and computer related crime: Economic and other harms to organizational entities. Mississippi Law Journal, 76:639– 665, 2006-2007.
[21] Stuart M. Gerson. Legal aspects of cyber insurance. Private briefing for Infragard, March 21 2016. The author is at the law firm Epstein Becker & Green, P.C. in Washington, D.C. and New York City.
[22] Derek A. Bishop. No harm no foul: Limits on damages awards for individuals subject to a data breach. Shidler Journal of Law Communications and Technology, 2008.
[23] Herbert Smith Freehill. Data protection and cyber security litigation. Corporate Disputes, October-December 2015.
[24] Sasha Romanosky, David Hoffman, and Alessandro Acquisti. Empirical analysis of data breach litigation. Journal of Empirical Legal Studies, 11(1):74–104, March 2014.
[25] Bureau of Justice Statistics. Identity theft reported by households, 2005– 2010. Technical report, U.S. Department of Justice, Washington, D.C., 2011.
[26] Josh Zeetoony, David; James. 2015 data breach litigation report. Technical report, Bryan Cave LLP, n.d. references 19
[27] Global Reinsurance Forum. Global reinsurance: strengthening disaster risk resilience. Technical report, The Geneva Association, Basel, September 2014. http://www.grf.info.
[28] Macroprudential Policy and Surveillance Working Group (MPSWG). 2015 global insurance market report (gimar). Technical report, International Association of Insurance Supervisors, Basel, January 6 2016.
[29] Robert A. James. Six bits or bust: Insurance litigation over the 1906 San Francisco earthquake and fire. Western Legal History, 24(2):1– 39, Summer/Fall 2011. Available at https://www.pillsburylaw.com/ siteFiles/Publications/SixBitsorBustInsuranceLitigation.pdf.
[30] Kurt Karl, Thomas Holzheu, Clarence Wong, and Paul Ronke. Global insurance review 2015 and outlook 2016/17. Technical report, Swiss Re, Zurich, 2015.
[31] Ralph Atkins. Swiss Re chief cautions on cyber security risks. Financial Times, February 23 2016.
[32] Oliver Ralph. Former spymaster to help fight City cyber crime. Financial Times, February 11 2016.
[33] Loren Nickel. Cyber risk analytics. In Miscellaneous Papers. Southern California Casualty Actuarial Club, May 15 2014.
[34] Kelly Jackson Higgins. Cyberinsurance resurges in the wake of mega-breaches. Information Week Dark Reading, October 2 2014.
[35] Oliver Ralph. Safe drivers offered pizza and films by insurers. Financial Times, February 22 2016.
[36] Emily Freeman. State of the cyber insurance market – ten lessons learned from major retailer breaches. Technical report, Lockton Companies, San Francisco, August 2014.
[37] Shiela Strubel. Here’s why you arn’t selling more cyber insurance. Weekly Industry News blog, November 12 2014. http://www.piawest.com/ blogpost/1199781/202434/.
[38] Market Insight Center. Cyber insurance survey prepared for iso. Technical report, Hanover Research, November 2014. http://www.verisk. com/downloads/emerging- issues/cyber- survey.pdf.
[39] Shiraz Saeed. Briefing on cyber insurance. Private briefing for Infragard, March 21 2016. The presenter is a product specialist for cyber liability at AIG Property Casualty.
[40] Advisen Ltd. Cyber liability insurance market trends: survey. White Paper, October 2015. partnerre.com.
[41] John Naughton. The cyberplague that threatens an internet armageddon. The Guardian, April 30 2011.
Robbing banks. Cyber crime. It was reported today that hackers broke into the United States Federal Reserve computer system and took $100 million dollars of money out of the account for Bangladesh. Part of the money was moved through gambling casinos in the Philippines.
Around the world, government are building cyber weapons. Many are tested, others lay in wait until they are needed. We already have seen that in times of conflict, cyber weapons are an integral part of warfare.
Two Islamic terrorists came into the United States. Syed Rizwan Farook moved to San Bernardino California, made friends with people at his place of employment, and served the numerous elderly patients there. When the time came, he murdered a number of people, shortly after those same people had thrown for him a birthday party. “Animal”, “Scum” are two appropriate words for Farook.
In the course of the investigation it was determined that the terrorists used an iPhone. The FBI wants to read its contents. The problem is that Apple’s iPhone security prevents access. If someone more than ten times uses the wrong pass code to access an iPhone, it will erase itself.
At the core of the problem is the reality that Apple’s technology for the iPhone is actually secure. No one, not Apple, no one, has access to the encrypted personal information held on your iPhone. That is why ApplePay is so successful. When it is used, the merchant never knows your identity or even your credit card number.
The FBI through a court order is asking Apple to develop software that would disable this protection mechanism. It would allow a brute force cryptologic attack against the iPhone. The term “brute force attack” refers to the submission of different codes over and over until the right code is found, then the phone will be unlocked.(*)
So far, Apple is resisting the court order. The argument on Apple’s side is that (1) Apple is not being asked to provide information, but instead is being asked to write software for the FBI; (2) If the US government forces Apple to do this, then any government (read China, Russia) would start to demand the same thing; (3) if this happened, then the iPhone no longer would be secure because eventually the secrets of how to dismantle its protection would leak out to hackers; (4) Apple would be put at a disadvantage because it would be unlikely that a foreign phone maker such as Samsung could be forced to comply. And there are other reasons also.
One hacker has argued that it is easy for Apple to break the iPhone security:
“On a technical level, Apple could carry out the order by creating a RAM disk signed by the company’s production certificate for the specific ECID of the suspect’s iPhone. This solution would allow Apple to use existing technologies in the firmware file format to grant access to the phone ensuring that there is no possible way the same solution would work on another device.” (comments of Will Strafach, “Legendary iPhone hacker weighs in on Apple’s war with the FBI“)
There also are broader issues involving the balance of national security and privacy. Where should the balance be, and who is to make that determination? This is going to be a difficult problem to solve.
What should be the power of governments to protect their people? And what rights or privileges should be sacrificed in order for the government to accomplish this objective?
There are powerful arguments on either side. But the way this is heading is fairly clear: Secure systems might eventually be made illegal.
Note (*) The Order Compelling Apple, Inc. To Assist Agents in Search, No. ED 15-0451M, In the Matter of the Search of An Apple iPhone Seized During the Execution of a Search Warrant on a Black Lexus IS300, California License Plate 35KGD203 relies upon the All Writs Act, adopted in 1789 and listed as 28 U.S.C. § 1651. It says that:
The Director of National Intelligence, James Clapper, has warned that Russia and China have been working hard at developing capabilities to shoot down U.S. satellites. This purpose of building this capability is to has the capability to disable U.S. military communications.
In the United Nations Charter, signed on 26 June 1945 in San Francisco, it always has been recognized that the cut off of communications is an important sanction that can be imposed against a nation states. For example, Article 41 states:
“The Security Council may decide what measures not involving the use of armed force are to be employed to give effect to its decisions, and it may call upon the Members of the United Nations to apply such measures. These may include complete or partial interruption of economic relations and of rail, sea, air, postal, telegraphic, radio, and other means of communication, and the severance of diplomatic relations.”
China is developing so-called “Satellite Killers“. In addition, there is a fear of electromagnetic pulse (EMP) effects from high-altitude nuclear bombs. EMP has the potential to wipe out large parts of the entire telecommunications and computing infrastructure of the United States.
All of these developments show that in the future, if there is war, then attacks against the cyber infrastructure will be as important as those against any other target.
It is difficult to see how these developments could be controlled with a cyber arms control treaty.
Written by our Guest Author: Herbert O’Yardley
For reasons that will forever remain unknown, Roche has invited me to make another entry on his soon to be “must read”, viral blog (which if I had a computer and Internet access I might even visit from time to time). So I’ll just say right now that if I were you, I would not read this – and I don’t even know what it’s going to say yet! I just know that it is probably right, and that that is almost certainly a BAD thing. But…..What do I know? I’ve been wrong about everything lately; except the Fed. And you don’t want to get me started on that – although my thoughts from 5-6 years ago may still be on my own blog if you can find it.
For Christmas this year, I bought my Old Man a Chess Set – which was not that easy to find for obvious reasons, like anyone under 35 (or maybe even much older) would rather play some video game or be part of a multiplayer, online gaming platform. Now before we go any further, stop and think about that for a minute. Chess is a very complex game; perhaps the most complex ever created. In fact, I can remember a time – not so long ago – when an IBM computer beating a Grand Master was an international media event heralding the coming of the new “Information Age”. Strategy in Chess has been studied by some of the brightest minds in History, and forms the basis for much Military, Political and Business Strategy, although you might never guess that from the results of so-called “strategies” in those fields. But however complex the strategies in Chess may be, and however sophisticated the tools of analysis, the strategies required in instantaneous, multiplayer “Cybergames” are orders of magnitude more complex. This means that using standard tools like Game Theory to develop and evaluate a possible Cyber Treaty (or Cyber War for that matter) is like using a magnifying glass to study Particle Physics (which I’m sure most of us have tried at some point).
Last Summer, I finally threw away a dozen or so Math books that I had held onto since College. Of course now I know it was a big mistake, but at the time it seemed like the thing to do. Among these were several books on Linear Algebra. Linear Algebra is particularly germane to a discussion of Strategy, War and Treaties because it allows the theoretician to create a set of rules and then study their consequences on a group of predetermined parameters. As such, it forms the basis for Game Theory. Game Theory had limited practical value even in its heyday due to the deterministic nature of the structure and rules of a game on its ultimate outcome. But in a world were even the best players have no idea what they are really doing or the true costs of their actions, where there are no “rules” – only winning and losing, and were the non-rules change at random or the at whim of the strongest players, there is not much room for Theory or Strategy, only the survival of the fittest – or the least fit if you prefer.
Of course, Roche and I have already tried to apply Game Theory to other contexts – this time to Business Strategy – and proposed the ill-fated concept of “Super-Games” – which I think I once said was our ticket to a Nobel Price (Wrong Again.). The Mathematics of Supergames have been explored to a limited extent; but while they are extremely sophisticated, they do little more than expand the structure and length of a game, allowing more complex strategies to be executed. Our approach added several more levels of complexity by allowing the rules to change without notice and players to enter and exit at random. It also added the notion of asymmetry – which allowed certain players to act outside the existing structure of the game, as well as allowing the formation and dissolution of coalitions and other partnerships, and the sharing of information and the use of deception. All of this is of course prevalent in the Business World. We made no claims about being able to formalize the Mathematics behind such a system, but we were able to create a simple set of rules which defined this Supergame, and reach some very tentative conclusions about the role of Strategy under these conditions. The fact that the paper was rejected by at least 24 journals reflects the imagination and insight of the Business World. But I don’t need to tell you that. All you have to do is watch CNBC for a few minutes or read the front page of the Fox Street Journal. Unfortunately, this “MBA Mentality” – as I like to call it – has infected every part of Society and Government, including the Civil Servants (if there still are such things) who would draft and negotiate a Cyber Treaty – or start a Cyber War – which is increasingly probably one and the same thing.
Traditional Theories and Strategies don’t offer much guidance in a World based on Cyber- and Super-Games. This is because the individuals involved in both treaty negotiation and potentially sanctionable behavior are likely to be far more capable of circumventing standard safeguards than previous generations. For actors raised on rapidly changing environments, both the contents and the enforcement mechanisms of any treaty must be based on a new set of principles that is far more complex and flexible than traditional methods to have any chance of success. Particularly in Technology-based environments, capabilities and actions move so quickly that it is literally possible for a treaty to be obsolete before it has even been negotiated. Thus, sanctionable behavior must be defined in a broader, non-specific way, which works against the basic nature of treaty negotiation. Similarly, new mechanisms must be devised to tie parties to sanctions and unwanted outcomes in an immediate and costly way.
At some point Roche and I looked into identifying the “necessary and sufficient” conditions for successful International Treaties based on historical analysis and a review of the literature. To my surprise, this was not a subject of great interest, although a few conditions received some attention, and are probably worth noting. I will mention three which should be useful in the present context: 1) The treaty should include all relevant parties in the negotiations, 2) Violations must be clearly defined and sanctions specified in advance, and 3) All violations and sanctions must be handled in a non-discriminatory way. Although these principles are still “necessary” and useful guidelines, they are clearly not “sufficient” to guarantee a successful Cyber Treaty due the rapid, unpredictable changes endemic in the basic structure and nature of the activities involved. Thus, devising a successful Cyber Treaty will be extremely difficult and require great knowledge and creativity. In other words, just forget about it.
But there is still one Law of Game Theory that’s hard to argue. Make the Rules, and you may have a better chance of winning. But that’s only if you’re smart enough to see clearly several moves in advance. And that’s still not easy, even for the experts. Of course, if all else fails you can always just kill your adversary, or better yet, beat him to death with a hammer or cut off a few of his fingers. Just watch “Casino” again and see what I mean. In any case, it’s probably best not to bet against the House.
Ever once in a while I come up with a good idea, and in the context of a Cyber Treaty here it is. If the use of new Internet and Social Media Technology really is changing the way individuals think and act – and there is no doubt that it has had profound effects – particularly with regard to the rapidly changing, interactive, strategic situations you might find in Cybergames, then it makes sense to let this “new breed” play a key role in structuring a Cyber Treaty – even if they are only 13 years old kids, failing most subjects in school, who couldn’t carry on an intelligent conversation with their favorite Action Hero. (Just remember, these are the Bankers, Doctors, and Lawyers of tomorrow.) So instead of Governments or International Institutions drafting and negotiating a treaty to limit Cyber Weapons and Warfare, why not let the individuals most familiar with the (un-) realities of Cyberspace create the treaty through an open, interactive platform designed for this purpose. The site could be set up as either a Cybergame or a Wikepedia-like knowledge platform where ideas and actions could be vetted and tested by the community. For example, a game could be developed which closely resembles the actual structure of the global Political Economy, with Nations, National and International Institutions, various types of Infrastructure, and other Economic, Social and Political factors. Players would seek ways to disrupt and destroy other nations, and through their strategies and actions, safeguards could be developed to minimize the results of those activities. Over time it should be possible to identify a set of rules or procedures which would ultimately eliminate the treat of Cyber War, and these principles could form the basis of a future Cyber Treaty. Of course this has probably already been going on for a long time in a basement somewhere in Virginia……and Moscow, and Beijing, or at a University or Tech company in a town or city near you.
Anyone who has ever read anything I’ve written in recent years knows that I am extremely pessimistic about any sort of remedial action to improve the Sorry State of Man and the World. For me, these activities typically fail to either address the core problems, or provide a lasting solution to even the most superficial aspects of the mess we have created. They may be done in good faith and have the best intentions, but in the end nothing ever changes, and things just seem to get worse. Until we all understand that we are in this (sinking) ship together, no Treaty, Threat or Action is going to stop War, Hate and Stupidity. It will only give one group of idiots a temporary advantage over their rivals, and in the process breed more hate and resentment, causing another round of stupidity which wastes (limited) global resources, human energy and time. We have to do better, as individuals, nations and members of whatever communities we populate. I still believe it’s possible. But it’s getting increasingly difficult to Keep the Faith.
Herbert O. Yardley
By Herbert O. Yardley, guest editor.
A friend of mine likes to joke that if the Grid ever goes down, everyone under the age of 35 will be dead within 3 days from starvation, media withdrawal and having to think for themselves. This fits well with the claim that “We are just 7 meals away from anarchy” thanks to the introduction of Just-In-Time inventory control to the nation’s (and world’s) food delivery system. So perhaps there is something to this Cyber Treaty thing after all.
But, as one who has never owned a cell phone, does not have Internet access, has never banked, traded stocks or made a purchase online I see things from a different perspective. Sure a Cyber Attack could throw the global financial system into chaos; but can it really do more harm than the World’s Central Banks or the large cadre of Harvard MBAs trading trillions of dollars, marks and yen unsupervised on a 24/7 global basis have already done? I doubt it. And even if some high level global Strategist tries to meltdown a few “enemy” nuclear reactors, or shutdown Facebook or Amazon for a few weeks; is that any more dangerous than Curtis Lemay (the Head of SAC) purportedly violating Soviet airspace at the height of the Cuban Missile Crisis in hopes of provoking an incident that would justify a US first strike? Estimated “fallout”, 150-250 million dead, but the near total destruction of the USSR’s military capability. So let’s put things into perspective here.
The real question – which no one is even asking, let alone trying to solve – is this: “How can we improve basic Human Nature so that War of any kind, Hate, and the so-called “Strategic” calculus that has contributed so much to the present sorry state of the World are no longer acceptable to even the most Neanderthal Governments and persons?”. I may be crazy, but I believe this problem can be solved, and in less than 3 generations if the “best and brightest” from all nations and fields resist the temptation to work for and enable the worst elements which seem to dominate Government and Business.
For reasons that remain obscure, I read the Bible last Summer for the first time, and among other things the story of the Tower of Babel stands out in my mind, particularly in the current context. For me there are two key lessons: First, the God of the Bible is a jealous, hateful, petty god, who feared the potential power of a united Mankind, particularly one that could build a tower to Heaven (This, like everything else, was explored in a classic South Park which provides further insight into the matter). As a result He destroyed the Tower, and replaced a universal language with a multiplicity of tongues so that men could not communicate with each other. The rest as they say is History. But perhaps even more disturbing is the idea that Man was made in this God’s image. While that would seem to explain everything, it almost certainly guarantees a future Cyber War since new technologies provide a vehicle for seamless global communication which poses a serious threat to current national and international institutions and the established global power structure. Roche and I have addressed this issue elsewhere using a new concept we call Asygnosis. Unfortunately, the idea was universally panned by the academic community and remains unknown, although we still discuss it occasionally.
The problem, of course, is that to those desperately seeking to maintain their fragile grip on global Wealth, Power and Control, Cyber Weapons and Cyber Warfare seem like a cheap, expedient option. And since the old “Military-Industrial Complex” has been replaced by a Military-Technology alliance, “What’s good for Google is good for the global strategic position of the US” as Charlie Wilson might have said – although we can rest assured that he’s rolling over in his grave at the very thought of such a thing. The same goes for tech companies in other countries. In a world defined by two-dimensional computer and cell phone screens, whoever controls the flow of data, financial and economic transactions, and communications thinks they control everything. But as a former Painter I can assure you that no matter how closely a two-dimensional surface appears to represent Reality, it is at best no more than an Illusion. And in the case of many new technologies, they promote a very convincing “illusion” which has a plethora of dangerous implications; the threat of Cyber Warfare being just one of them.
The main problem with much new Telecommunication and Internet Technology (and I have been talking about this for at least a decade) is the “de-humanizing” – for lack of a better word – effect it has on users. This is clearly evident in the general loss of “intimacy” among people, and the inability of almost everyone to deal effectively with simple social interactions and situations. For me, the epiphany came a few years ago during a family Christmas gathering when my nieces and nephew – who were sitting on a couch next to each other – texted among themselves rather than turning their heads and speaking face to face, which would of course have included anyone present in their conversation. It is important to stress that it is exactly this type of technology-driven social interaction that makes the likelihood of a Cyber War so high. As “reality” becomes condensed to a computer or cell phone screen, the real “human” costs and consequences of any action become irrelevant. Instead, the calculus becomes: “How many hits would a major Cyber Attack get on YouTube or other Social Media platforms, and how can that response be controlled and monetized to the fullest?” And don’t think some of the “smartest” minds haven’t already figured this out. In fact a recent study of the top ten topics on Social Media in 2015 included no less than 6 major disasters, including the 2 Paris Bombings and the Earthquake in Nepal. So don’t discount a Cyber War as part of a major Corporate or Political advertising campaign.
The other major problem with many new technologies is the false sense of knowledge and reliability they offer users. Once again Roche and I explored this subject in a widely rejected study of an Intelligence-based software product. The only difference we could find in the results of this product versus conventional methods was that its users were far more confident in their mediocre results. Once again this bodes ill for the coming Cyber War, since Strategist are likely to downplay or neglect altogether the true costs of attack and at the same time feel extremely confident about their (mis-) calculations. Wikepedia is a poor substitute for Knowledge. Of course, the irony here is that the most developed nations have the most to lose in an all-out Cyber War, since the third or more of global population that still struggles for food and clean water on a daily basis would remain largely unaffected by a major Cyber Attack.
There is, however, one thing for sure. The day after the Great Cyber War the Sun will still rise, birds will still sing, and the Earth’s vegetation will continue to convert sunlight, water and carbon dioxide into energy for growth and oxygen. (Note that this may not have been the case after the Great Nuclear – Nuckuler for you Republicans – War that so many dreamed of for so long.) There is unfortunately another (near) certainty. And that is that the remnants of Human Civilization will soon reassemble, led by the most malevolent, egomaniacal elements to quickly rebuild barriers to fellowship and free expression. It will not take long before the lessons of the last Cyber War lead to the development of even more powerful methods to address perceived threats and control the “masses”. So, Cyber War or Cyber Treaty? The answer lies in whichever suites the whims and perceived interests of the most powerful at the moment, especially if the projected results might hurt their competitors even more than themselves. Flip a coin. Either way we all lose.
I like to say that we have the ability to turn this World into a true Paradise – eliminate Hunger, Disease, Fear and Want; and that’s all before breakfast. The only barrier is Human Nature. Improving that is a problem worthy of our full attention and dedication. But what do I know? I’ve been wrong about everything lately.
December, the supposed holiday time for most of the world, was filled with substantial coverage of the world’s raging cyber war. Newsweek Magazine carried a special edition on The Art of (Cyber) War. It noted that a federal government database had been hacked so that the highly personal information for 21 million government employees information was published. It also notes that “by 2018” we can expect that the U.S. Department of Defense will deploy a new cyber defense program that will include a “task force” to protect America. Here is some more information. The Identity Theft Resource Center reported 641 data breaches in 2015. It also reported that “more than 175 million [U.S. citizens] people had their information exposed in data breaches in 2015”.
Companies such as Sift Science were reporting rapid growth: “Every day, businesses worldwide rely on Sift Science to eliminate fraud, slash costs, and grow revenue. Our cloud-based machine learning is powered by 5,000+ unique fraud signals and a network of 1,500+ websites (and growing).” Sift uses “large scale machine learning technology” to analyze data and connect “thousands of seemingly unconnected clues left behind by fraudsters.” Artificial intelligence (AI) is being used to catch Internet fraud. Machine intelligence (The Helix(TM) Security Engine) also is being used by Lookout, a security firm that focuses on the mobile phone market.
Not only the United States is concerned. Salìh Biçakcī from Kadir Has University in Turkey reports that cyber attacks against Turkey are increasing, and that “the state is not prepared for approaching cyber wars”. Turkey has been under a Distributed Denial of Service (DDoS) attack for most of December. Biçakcī argues that Turkey’s government is not set up for the type of coordination needed to withstand a determined cyber attack. Many other governments must be having the same thoughts. Biçakcī has authored such documents as The Rebirth of NATO between New War and Cyber Security and The role of information technology in responding to Terrorism. Because of ties between Turkey and ISIS, Anonymous attacked Turkey’s banking sector, according to TechWorm. Anonymous warned “Dear government of Turkey, if you don’t stop supporting ISIS, we will continue attacking your Internet, your root DNS, your banks and take your government sites down“. Anonymous “took 400,000 [Turkish] sites offline for 7 days“.
Anonymous has published a chronology of events in its war against ISIS. It calls the action “OpISIS”.
In India, Tarun Vijay a member of the Bharatiya Janata Party (BJP) has been demanding that India set up a separate ministry for cyber security. As reported in the Indian Express, “[I]n the last five months 50,000 cyber attacks have been reported and nearly half of India’s internet population was being hit by cyber attackers”.
The above summarizes only a few events in December. As stated earlier, cyber war and cyber weapons are multiplying. They are one of the most important tools of today’s warfare. A set of Cyber Arms limitation talks are surely needed.
cyberarmscontrolblog 