Across the world, there are four specific industry sectors at the highest risk of being devastated by cyberattacks. They also hold a big chunk of the world's debt -- to the tune of $11.7 trillion.
That's the sobering conclusion from a new report this morning from Moody’s Investors Service, a division of the credit ratings agency.
It found a major cyberattack could potentially bring banks, investment firms, securities exchanges and hospitals to financial ruin and prevent an organization from making good on some of what it owes. It's encouraging lenders to consider an organization's cybersecurity vulnerabilities before making loans in those sectors, the report says.
Organizations in those sectors are especially vulnerable because they’re highly reliant on computers and other connected technology and couldn’t simply do their work if a cyberattack took them offline, the report states.
That means the time during which an attack prevents an organization from doing business is likely to be longer than in other sectors — and that time offline can do more financial damage long-term than the information hackers steal or expose, Moody’s said.
An attack in one of those sectors would also have broad ripple effects, the report said, resulting in “far-reaching impact on other sectors.” A single successful attack on a large bank, for example, could “pose a systemwide risk” that affects the entire financial sector, the report notes.
The report considered both the direct damage from an attack and the effect on a company’s reputation, including how easy it would be for customers to go elsewhere.
Another 20 industry sectors — which hold an additional $12 trillion in debt — were rated “medium-high risk” or “medium risk,” Moody’s said. That includes critical sectors such as electric utilities, telecommunications, health insurance, pharmaceuticals and airports.
In many cases those sectors are at just as high -- or even higher -- risk for cyberattacks, but there are other factors that mitigate the damage an attack would cause to their creditworthiness, the report’s author Derek Vadala told me. For example, customers often have limited choices about phone and Internet suppliers, so it’s tougher to change providers — even in the wake of a major data breach.
As one example of how an attack could damage an organization's creditworthiness, the report highlighted the data breach of credit reporting agency Equifax. It was a cyber strike that was not only “unprecedented in terms of the number of consumers affected” — it compromised the personal information of more than 140 million people in the United States — but also had profound follow-on consequences, including hundreds of lawsuits and investigations by federal and state regulators. However, as the report notes, Moody’s did not ultimately downgrade Equifax’s creditworthiness.
The report focuses on “inherent cyber risk exposure,” which means it doesn’t take into account cyber protections that companies in each sector have put in place or other things they’ve done to mitigate their risk. The financial services sector, for example, is widely viewed as a leader in cyber defense — largely because it’s among the major targets for criminal and nation-state hackers.
Moody’s plans to dig into different sectors’ maturity in cyber defenses in a series of reports over the next several quarters, Vadala told me. Ultimately, the agency expects to integrate the danger posed by cyberattacks into its broader advice about how creditworthy various companies and industry sectors are, Vadala told me. However, there’s no time frame yet for when that will happen, he said.
The report also highlights how often key facts about a company’ cyber protections and vulnerabilities are unknown to creditors — especially in less regulated industries where companies aren’t required to disclose some breaches or to share significant details about the breaches they do report. In other cases, companies may have been breached but not even know it.
“One thing that has confounded this type of analysis, not only for us but for others, is there’s not a good strong public record of cyber events,” Robard Williams, a Moody's senior vice president, told me.
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: Michael Cohen, President Trump's former personal lawyer, told Congress that Trump knew in advance that WikiLeaks was planning to release hacked emails from the Democratic National Committee to damage Hillary Clinton's campaign in July 2016. “A lot of people have asked me about whether Mr. Trump knew about the release of the hacked documents of Democratic National Committee emails ahead of time. And the answer is yes,” Cohen told the House Oversight Committee. Cohen said that he was present during a phone call that Trump had with his longtime adviser Roger Stone about the email dump. Cohen claimed that Stone said WikiLeaks founder Julian Assange told him that the group was planning to release the emails.
Barry Pollack, a lawyer for Assange, denied that the call happened, The Washington Post reported. “It is ironic that while Stone and Cohen have both been charged with lying, and the public tries to untangle those lies, Mr. Assange apparently faces criminal charges in the Eastern District of Virginia for his role in publishing truthful information," Pollack said.
PATCHED: California counties must modernize their voting systems before the state holds it presidential primary election next year, Secretary of State Alex Padilla said in a news release. Several counties in California use voting systems that no longer meet the state's most recent certification and testing standards. “Some counties use machines that are so old that vendors no longer make replacement parts,” Padilla said. “Some counties utilize operating systems that are so old that they are no longer supported and security upgrades are not available. While county officials have worked diligently to keep equipment up and running, our democracy faces increasingly sophisticated threats from nefarious actors, both foreign and domestic.”
Outdated voting systems in the state will no longer be certified or receive conditional approval starting on Aug. 27, Padilla's office announced. Counties that may not be able to update their outdated systems by the time California holds its presidential primary on March 3, 2020, can request more time under certain conditions. “The state has demonstrated its commitment to the modernization of our election infrastructure,” Padilla said. “I’m urging all local elections officials to now follow suit.”
PWNED: Security researcher Bob Diachenko discovered that Dow Jones's Watchlist database of high-risk individuals was exposed online, TechCrunch's Zack Whittaker reported. The database, which contained more than 2.4 million records, was left on a server with no password by a company that had access to it — it's unclear which company is responsible for exposing the watch list. The database is a tool for companies to screen people with whom it could be potentially risky to do business. “That includes current and former politicians, individuals or companies under sanctions or convicted of high-profile financial crimes such as fraud, or anyone with links to terrorism,” according to TechCrunch.
While the information that is gathered to assemble the database originates from public sources and records, the fact that somebodyis included on the list is considered proprietary information. “The records we saw vary wildly, but can include names, addresses, cities and their location, whether they are deceased or not and, in some cases, photographs,” Whittaker wrote. “Diachenko also found dates of birth and genders. Each profile had extensive notes collected from Factiva and other sources.”
— Congress should provide states with “regular” federal funding to help them secure their election systems, a former senior Defense Department official told lawmakers at a congressional hearing. “The $380 million approved by Congress last year was an extremely important step forward; however, the states need a dependable source of funding to support the cybersecurity and upkeep of electronic voting systems,” Eric Rosenbach, who served as chief of staff to then-Defense Secretary Ashton B. Carter in the Obama administration, said in prepared remarks to a House Appropriations subcommittee hearing.
Rosenbach, now co-director of the Belfer Center for Science and International Affairs at Harvard University, also urged lawmakers to pass privacy legislation to protect citizens from misuse of their data by major tech companies. He also called on Congress to pass a law to help fight foreign information operations on social media platforms. “These firms have taken initial steps towards identifying and removing content pushed by foreign intelligence services to manipulate and divide Americans,” Rosenbach said in his written statement. “That said, Facebook’s disregard for [Americans'] privacy represents a significant national security vulnerability to our democracy.”
— More cybersecurity news from the public sector:
— Emotet represented “the most prominent malware threat” during the second half of last year, according to a report from the security company Gigamon released today. Researchers found a spike in Emotet malware campaigns in early November 2018 through late December 2018. Emotet carries out multiple kinds of malicious activities including stealing information and passwords, spreading spam and distributing other types of malware. The authors of the report wrote that “despite being well known by the security community, Emotet continues to infiltrate enterprises and [elude] security prevention tools and security professionals.”
— A researcher for an Australia-based security company built a hacking tool in part by studying CIA documents that WikiLeaks released in 2017, CyberScoop's Jeff Stone reported. The researcher, Wayne Ronaldson, said he doesn't plan to publicly release the code of his Overwatch Offensive hacking tool. However, he is scheduled to present his work at the RSA Conference next week in San Francisco. The tool allows hackers to collect screenshots and keystrokes from a compromised computer as well as covertly turn on the computer's micropone and perform more than a dozen other tasks, according to CyberScoop. “The tool sweeps up targeted information and sends it back to the command-and-control host at least once every 24 hours through an encrypted connection," CyberScoop reported.
— More cybersecurity news from the private sector:
- The Center for Strategic and International Studies holds an event on “China's pursuit of semiconductor independence.”
- The Center for Strategic and International Studies holds an event on “digital governance and the pursuit of technological leadership” on March 4.
Cohen's contentious clashes with GOP lawmakers:
Heavy rain brings flooding to Napa County, Calif.:
Tornado touches down during snow showers in New Mexico: