Welcome to the Cybersecurity 202! I asked yesterday for your best, funniest and most insightful cyber analogies and some great ones came in.


Below: Apple made an emergency patch for a bug exploited by Pegasus spyware, and CISA may get more than $650 million in Democrats' reconciliation bill.

Cyber insurance companies are often more reactive than proactive

Insurers are sometimes doing more harm than good as U.S. companies are pummeled with ransomware and other cyberattacks.

Yes, these firms provide policies that pay out in the event of a cyber attack. But often, there's insufficient focus on prevention.

For example:

  • Some insurers don't verify companies are doing what's necessary to prevent such attacks in the first place. That's similar to providing fire insurance without ensuring a company has functioning sprinklers and fire extinguishers.
  • In other cases, insurers agree to cover companies that represent good cyber risks, but they don't check whether those companies are keeping their protections up to date as cyber threats grow and evolve.

As of now, there's no industry standard for how well a company must be protected to get cyber insurance.

“People view cyber risk as they would the risk from a hurricane or wind damage. But it’s not like that,” Vishaal Hariprasad, CEO of the cyber insurance firm Resilience, told me. “It’s driven by humans, so you have to always be updating. You have to have a mind-set of continuous controls and continuous maturation.”

The upshot: Insurers are paying out for more and more cyberattacks. The cost of those attacks is driving up cyber insurance premiums, making it harder for small- and medium-sized organizations to afford coverage. And there's little incentive for companies that already have cyber insurance to do more than the bare minimum to protect themselves. 

Benchmarks

Hariprasad was one of four insurance executives who joined a White House cybersecurity summit with industry leaders last month.

During the summit, Hariprasad urged government officials to help the cyber insurance industry develop a common set of cybersecurity standards for their customers, he told me. 

Since the meeting, executives from the Commerce Department's National Institute of Standards and Technology have kept in touch with the insurance firms about how government data and standards can contribute to those benchmarks, he said. 

“Any one company increasing their cyber hygiene is great, but if everyone in aggregate meets a standard baseline that makes attacks much harder,” he said. 

All cyber insurers impose some requirements on their customers, but they vary widely in how rigorous those requirements are and how extensively the insurer verifies companies are actually meeting them. 

Until recently, insurers could impose less rigorous cyber standards and verification procedures and still not pay out too much in claims. That's generally changed with a surge of ransomware attacks in recent years. Those attacks, in which hackers encrypt a victim's computers and data and demand a payment for the key to unlock them, can be far more costly and damaging than standard data breaches.

Money, money, money

Ransom payments from companies increased 341 percent to a total of $412 million during 2020, according to blockchain research firm Chainalysis.

Even if victims don't pay a ransom, they frequently must pay large sums of money to rebuild or replace infected computers and other equipment, on top of the costs of lost business and lawsuits that result from the breach.

Between 2019 and 2020, cyber insurers charged companies more for premiums and still lost a greater percentage of those payments in insurance claims, according to an annual study by the insurance firm Aon. 

Premiums increased 21 percent during that time. Meanwhile, insurers paid back 67 percent of 2020 premiums in claims compared with 44 percent in 2019. 

Moving forward

Ideally, the insurer requirements would be based on general cybersecurity principles that government and industry broadly agree on, Hariprasad said. 

  • Those include patching known vulnerabilities quickly, requiring multifactor authentication before employees can access company networks, and limiting people to only the networks and data they need for their jobs (least privilege).
  • But those requirements should be tailored for companies of different sizes and in different industries, which face different sorts of digital vulnerabilities.

Insurers could also play a more active role, sharing information about new threats with their customers and ensuring they're protected, Hariprasad said. 

“People respond to financial triggers and that’s the value of insurance,” he said. “If we properly tailor products and offerings, we can provide the right data-driven incentives [for companies to protect themselves].”

The keys

Apple patched a bug used by NSO Group's Pegasus spyware to hack victims

Hackers have been able to secretly infect Apple iPhones, MacBooks and Apple Watches by exploiting the bug since February, Craig Timberg, Drew Harwell and Reed Albergotti report. The hack could renew pressure on NSO Group and the Israeli government, which approves export licenses for Pegasus.

“We wouldn’t have discovered this exploit if NSO’s tool wasn’t used against somebody they shouldn’t be targeting,” said John Scott-Railton, a researcher for Citizen Lab, which is based at the University of Toronto’s Munk School of Global Affairs and Public Policy and alerted Apple to the bug. 

NSO's customers use Pegasus in targeted attacks, including against dissidents and journalists, according to reporting by The Washington Post and media partners. Apple stressed in a statement that the bug was “not a threat to the overwhelming majority of our users” but said the company will “continue to work tirelessly to defend all our customers.” 

NSO Group declined to respond in detail to Citizen Lab's report, only saying that it “will continue to provide intelligence and law enforcement agencies around the world with lifesaving technologies to fight terror and crime.”

Today, House lawmakers debate giving CISA hundreds of millions of dollars

The House Homeland Security Committee will discuss a proposal to give the Cybersecurity and Infrastructure Security Agency between $655 million and $865 million as part of a $3.5 trillion reconciliation package of government funding priorities. 

The largest chunk of proposed funding would give the agency $400 million to implement President Biden's May cybersecurity executive order, which aimed to boost the federal government's cyber defenses. 

Other major components include:

  • $210 million for general operations, proposed by Chairman Bennie G. Thompson (D-Miss.)
  • $100 million for cybersecurity workforce development and education efforts
  • $50 million to expand and operate a program that flags potential security flaws for organizations
  • $50 million for cybersecurity information sharing and response resources for state, local, tribal and territorial governments
  • $25 million for a national campaign to promote multifactor authentication
  • $20 million to expand international cooperation on protecting critical infrastructure
  • $10 million to support the development of plans to maintain and secure the U.S. economy in response to a “significant event”

President Biden will nominate a surveillance critic to a post on the Federal Trade Commission

The nomination of law professor Alvaro Bedoya will boost expectations that the FTC will heavily scrutinize companies that sell facial recognition and other surveillance technologies, Drew Harwell reports. Bedoya, the founder of Georgetown Law’s Center on Privacy & Technology, has long worked to highlight the negative effects of emerging surveillance technologies on marginalized communities.

Bedoya would replace FTC Commissioner Rohit Chopra, whom Biden nominated to lead the Consumer Financial Protection Bureau. Chopra is waiting to be confirmed by the Senate.

Government scan

Kiersten Todt is joining CISA as chief of staff, the agency announced. The role will focus on long-range planning “to enable and empower CISA's workforce,” among other priorities, the agency said. 

Todt was executive director of former president Barack Obama's Commission on Enhancing National Cybersecurity in 2016. She also helped develop the National Institute of Standards and Technology's cybersecurity framework for industry in 2014. She previously worked as managing director of the Cyber Readiness Institute and president of the cybersecurity consulting firm Liberty Group Ventures.

Daybook

  • Gen. Paul Nakasone, who leads the NSA and U.S. Cyber Command; National Cyber Director Chris Inglis and others speak on the second day of the two-day Intelligence and National Security Summit today.
  • Chris Krebs, the former director at the Cybersecurity and Infrastructure Security Agency, keynotes the Insider Risk Summit today.
  • Rep. John Katko (R-N.Y.), the top Republican on the House Homeland Security Committee, and Google executive Jeanette Manfra, a former CISA official, discuss cybersecurity at a Washington Post Live event today at 12:30 p.m.
  • Stanford University’s Program on Democracy and the Internet hosts a webinar on E.U. technology and cybersecurity proposals on Thursday at noon.
  • Rep. Jim Langevin (D-R.I.), Southern Company CEO Tom Fanning and others discuss cyber threats to critical infrastructure at a Carnegie Endowment for International Peace event on Friday at 12:30 p.m.
  • Former Undersecretary of State Keith Krach and former U.S. Agency for International Development Deputy Administrator Bonnie Glick speak at a Center for Tech Diplomacy at Purdue event on semiconductors and supply chains on Sept. 21 at 9:10 a.m.

Secure log off

That's a cyber wrap. Thanks for reading. See you tomorrow.