Friends,

As you know, Cyber Risk Report has not been published the last few weeks, and I’ve been off the radio since Mother’s Day. As I announced in May, I accepted an appointment working for an organization as their Strategic Advisor for the Pacific, where cyber policy will be a big part of my portfolio.

I anticipate Cyber Risk Report will be back very soon—there’s a few employer details that need to be finalized before I can continue. Your subscriptions will be extended.

Quick question!

I wanted ask for your opinion. Would you prefer Cyber Risk Report be published as:

1. A paid-access email newsletter, as it is today

2. A free email newsletter with advertising instead of subscription fees

3. A website / RSS feed instead of an email

If you wouldn’t mind, shoot me a quick reply with the option you prefer, or a note about whatever else you’d prefer that’s not listed. I’ll let y’all know the results afterwards, with a bit more background on why I’m asking.

Thanks! We’ll be back soon!

Dan

Dan Trimble
Publisher, Cyber Risk Report
dt@dantrimble.com
+1 415-400-3869

Good morning!

Welcome to this week’s issue of the Cyber Risk Report! We’re changing up the format a bit this week; thanks to everyone who provided feedback.

Cyber Risk Report is on the radio! Yes, we still listen to the radio in 2019, right? I recently started a series of cyber risk discussions on 860 AM, “Reimagine America” with Joyce Cordi. Our next session is Sunday, 12 May at 9am Pacific. Join us! If you’re not in the area, you can always catch the archive/podcast link by following @dtrimble.

And since we haven’t invented a transporter yet, if you are in California’s Central Valley, San Francisco, LA, NYC, or DC in the next 3 weeks and want to discuss cyber risk, I’d love to come by and chat with your team for an hour. Send me an email and let’s get something set up.

More paid subscriber content coming soon! I’ll be putting out a few deeper dives on specific cyber risk issues. Coming soon: how climate change is impacting cybersecurity; cyber risk in agriculture; and a public/private model for cyber risk assessment and network certification. Only paid subscribers will have access. What other cyber risks do you need to understand? Send an email or Tweet @dtrimble with your ideas.

What You Need to Know This Week

1. We’re losing the global cyber war. Aircraft carriers don’t help.

2. An “unhackable”, self-encrypting CPU.

3. Insurers denying coverage from cyber attacks as acts of war.

4. Congress finally gets serious about a national cybersecurity strategy — Cyber Solarium Commission

5. Port of Los Angeles breaking vital new ground with its Cyber Resilience Center

We’re losing the global cyber war. Aircraft carriers don’t help.

Background: The White House likes to pretend cybersecurity is a top priority because it issued a couple (uninspired and insignificantly updated) executive orders directing federal agencies to bolster cyber operations & workforces. But leadership, implementation, and especially funding don't match the rhetoric. On top of its never-ending cyber leadership paralysis, the White House is now seeking dramatic cuts to the DHS CISA and S&T budgets while also blindsiding the Navy and Pentagon this week. Without consulting SECNAV or SECDEF, the White House reversed its prior approval of $20 billion over 20 years for the Navy to spend largely on cyber and advanced technologies—in order to build another aircraft carrier.

Why It Matters: Kinetic wars are not going away, though many including myself argue they will be increasingly smaller in scale while non-kinetic conflict will be increasingly broader—and deeper—in scale. Nor is there no longer a need for strategic power projection, especially in the Pacific. But these are not our biggest threats today. Building a carrier the Navy didn’t want this money for is called planning for some theoretical future conflict. Meanwhile, we are--right here, right now--fighting a global cyber war we are LOSING. All the kinetic weapons and carriers in the world won't make a difference if we can't even secure and defend the defense networks and infrastructure it takes to man, equip, and power such forces.

An “unhackable”, self-encrypting CPU.

Background: Recognizing the limits of security technologies, DARPA in 2017 began funneling millions into R&D of theoretically hack-resistant processors. The University of Michigan spent their $3.4M prototyping Morpheus, a processor with security rather than scalability at the core of its design; built on open-source RISC-V architecture. Morpheus internally encrypts its own code and data, and shuffles it every 20 seconds—thousands of times faster than the fastest known electronic hacking techniques.

Geekery Sidebar: the randomized data Morpheus focuses on is known as “undefined semantics”—arcane parts of the processor’s architecture for storing things like code location and format. It is not needed by programmers, but is susceptible to reverse engineering by hackers. So Morpheus encrypts and randomizes to make it ostensibly “unhackable” (UM’s word choice—not mine!)

Why It Matters: Even among the few organizations who are forward-leaning and deeply security conscious, the most cutting-edge network security software and hardware won’t always keep up—perhaps especially so after we start seeing large-scale artificial intelligence malware. The largest SOC workforces will never have enough people chasing log files and the intrusion set of the moment. Cyber, as we know it, is a deeply reactive paradigm. That has to change. At a processor performance cost of only 1%, the demoed prototype successfully defended against every known type of control-flow attack. If we want to make a meaningful difference in mitigating cyber risk, we have to find solutions that block attacks from ever happening in the first place. We will need more in policy and governance—hacking has to be made unprofitable, vendors need better security baked into their products, companies have to be held accountable for leaving their networks vulnerable, and publicly-sensitive private networks ought to be externally certified. But if processor-level security can also meet the heavy operational requirements of all other modern CPUs without compromising performance, it might well be a significant stepping stone in the right direction. It’s certainly a better approach than the “patch-and-pray” cybersecurity strategy, let alone the more common “hoping to hell you’re not the first one” strategy.

Reference: the fun-sounding “Morpheus: A Vulnerability-Tolerant Secure Architecture Based on Ensembles of Moving Target Defenses with Churn”, study, University of Michigan ($15.00 paywall)

Insurers denying coverage from cyber attacks as acts of war.

Background: Some insurance companies are denying coverage against claims made in the aftermath of high-consequence cyber attacks, using their contracts terms that prohibit coverage due to “acts of war”. In the most recent example, Zurich Insurance has denied claims for the $100M loss suffered by Mondelez International outside Chicago. The owner of Oreo cookies and Ritz crackers, like many other less delicious companies, got hit hard by NotPetya in 2017. Merck, the pharmaceutical giant, also claimed a $700M loss from NotPetya; its more than 20 insurers also denied coverage—2 of them claiming war exemptions.

What You Need to Know This Week

1. North Dakota seizes control of cybersecurity operations from ALL public agencies in the state

2. State and local spending on cyber is less than 3% of its IT budget—and half have no cyber budgets

3. White House OMB does not track state or local cybersecurity spending

4. Cyber may not be prioritized under new DHS Secretary

North Dakota seizes control of cybersecurity operations from ALL public agencies in the state

Background: North Dakota’s governor, Doug Burgum (R), a former entrepreneur who sold his last company to Microsoft before entering politics, has signed into law ND2110, which hands control over all cybersecurity operations across all public agencies (municipalities, counties, schools, special districts, courts, etc.) to the state’s own Information Technology Department. It is the first state in the nation to centralize cybersecurity authorities over all public sector entities.

Why It Matters: This raises considerable questions about the qualification, training, and experience of the IT civil service staff in North Dakota, and risks over political pressures and other factors. But this law deepens North Dakota’s already surprisingly forward-leaning thinking in trying to solve cyber risk. I would argue there’s a slightly-better-than-zero chance small to medium sized local, county, school, and special district governments in a lot of states will be able to recruit and retain extremely expensive cybersecurity talent and master how to solve cyber risk on their own. There is no reason to believe small governments are less likely to be attacked. Yet traditional IT networks are hard enough to do this with. But it is even harder with the far more complex and operationally sensitive OT/Industrial Control networks, commonly used in cities and special districts. It is a steep hill to climb by rural, geographically distributed governments that don’t have the financial horsepower of larger states like California or New York. But even in such wealthy states, there are thousands of cities and special districts who are too small to afford dedicated cybersecurity operations and staff. And with a noticeable lack of MSSPs specializing in public sector security, this type of solution is an intriguing if untested idea. The scope of the bill starts with cyber defense, procurement, reviews/approvals for new equipment to be installed, responsibility for a unified cybersecurity strategy, and other areas. The scope expands in 2023.

Reference: North Dakota Senate Bill #ND2110, “Cybersecurity”

State and local spending on cyber is less than 3% of its IT budget—and half have no cyber budgets

Background: Section 630 of the 2017 Consolidated Appropriations Act requires the White House to provide an analysis of federal spending on cybersecurity, with the latest update showing an aggregate total of $17.4 billion—a 5% increase over the prior year. The White House’s latest report also includes analysis on non-federal spending — state and local governments, in particular. The data for their analysis is sourced from an outdated 2016 Deloitte-NASCIO study, despite a more recent and exhaustive 2018 study in which, for the first time, all 50 state CISOs participated. Nevertheless, little has changed. In fact, Deloitte-NASCIO declare cyber’s top challenges still persist largely unchanged—since 2010! The study documents nearly half of all US states have no cybersecurity budget; slower budget growth compared to 2016 among those that do; and that most states still spend less than 3 percent of their total IT budget on cyber.

Why It Matters: While most private and public sector entities still budget and execute cybersecurity within IT departments, such an approach ignores the holistic, organization-wide impact of cyber risk. The role of a CISO is not just to oversee cybersecurity operations, it is to be an integral risk manager to every function and department in an organization. The siloing of cyber spending and operations under IT diminishes its influence with an organization’s top decision-maker, and relegates its focus only to technological risk management, not more holistic organizational risk and strategic planning. But wherever they want to concentrate funding: cyber risk is growing exponentially as the attack surface broadens with every new device, and cyber crime is showing absolutely no signs of abating. The minuscule percentage of funding on cybersecurity by state and local governments may indicate a dramatic misunderstanding of cyber risk across the public sector. Or, it may indicate a calculus that falsely concludes accepting such risk is a more politically or financially viable strategy than mitigating through improved cybersecurity the losses that would be incurred from an actual attack. States and local governments have jurisdiction over far more than just their own networks—critical infrastructure providers, though often privately owned and operated, are frequently regulated or guided by public entities.

Reference: Consolidated Appropriations Act 2017, Public Law No. 115-31, amended 31 U.S.C. § 1105 (a)(35).

Reference: White House Budget Proposal FY2020, pgs. 305-310

Reference: Deloitte-NASCIO 2018 cybersecurity spending study: States at Risk

White House OMB does not track state or local cybersecurity spending

Background: Referencing the same OMB budget document and analysis from above, another key take-away is literally just a footnote in the White House’s analysis on cybersecurity spending. Footnote #4 on pg. 306 notes OMB does not collect any data on cybersecurity spending from non-federal entities, including states, local and county governments, and private entities.

Why It Matters: That such data is not tracked is not in and of itself surprising, but is indicative of a much broader problem—a collective government apparatus endlessly spinning its wheels on cybersecurity. Cyber has been a “priority” in Washington since at least 2010, but we still have no comprehensive vision and strategy for defending the collective, united states. There is much more to secure than just Defense networks. Election systems and critical infrastructure. State and local government networks. (Particularly among the states that share infrastructure across state lines or provide integrations to federal systems, thus making it more of a federal issue. Not to mentio states who cannot afford expensive cybersecurity operations or talent in the first place. If you are not even tracking the expenses and priorities of the states, it’s hard to argue you have an effective vision for a risk that affects the entire nation. If California’s agricultural farmlands or supply chains are attacked, it will impact nearly all the states and countless other countries. This makes cyber risk not just a California concern, but a national one. DHS has dedicated elements for each critical infrastructure sector and extensive coordinating entities, but state and local programs are piecemeal where they even exist at all. Partly, that is the understandable democratic process taking time to achieve consensus. But even the Trump Administration’s cyber executive order made few substantive changes from the Obama Administration’s, which itself was uninspired. And through mixed signals, eliminated positions, constant leadership turmoil, and strategic ambiguity, the current administration has de-emphasized cyber risk and policy outside of defense and intelligence operations. (Which have, to be fair, been greatly bolstered.) The administration eliminated the National Security Council’s senior-level cyber coordinator in 2018. It has provided little leadership to Congress in clarifying expectations, authorities, or roles for the State Department’s new cyber office—after first downgrading from Ambassador-status and then later disbanding the original office entirely. In an era where there are few international cyber norms and risks to all the states and the federal government are increasing exponentially, the lack of a coherent, unified plan is hindering any meaningful progress—both at a federal level, and in terms of guiding national-level priorities across the states.

Reference: White House Budget Proposal FY2020, p. 306

Cyber may not be prioritized under new DHS Secretary

Background: DHS Secretary Kirstjen Nielsen resigned in the past week, and is set to be replaced (acting until confirmed) by Kevin McAleenan, previously commissioner of Customs and Border Protection. There are still key cyber experts in federal service—particularly in the DoD—but at a policymaking, cabinet, diplomatic, and international affairs level, it’s an ever-shortening list.

Why It Matters: DHS has an almost unfathomably broad set of missions, each by itself deserving of prioritized national attention. Nielsen brought to DHS significant cyber experience, from private sector consulting and serving as an advisor to President George W. Bush. From election systems to forming the new/consolidated Cybersecurity and Infrastructure Security Agency (CISA) and the National Risk Management Center, she made cybersecurity an essential priority across DHS components. The loss of Nielsen is another in a long list of cyber experts who have either resigned, been fired, or forced out of the Trump Administration—Kirstjen Nielsen, Tom Bossert, Rob Joyce, among others. It seems unlikely McAleenan will either drive for such a priority or be able to offer a cyber perspective rooted in experience. He has extensive credentials in immigration and border security, and the administration has clearly made that the number one priority for DHS. Yet we are also in a cyber war against many adversaries, in an operating environment where cybersecurity is largely still unregulated, unlegislated, and uncoordinated within the U.S. and internationally.

Cyber Risk Report is published by global intelligence and cyber risk advisor Dan Trimble. Opinions are his own and do not necessarily reflect those of any organizations he works with.

What You Need to Know This Week

1. Russia is advancing and testing efforts to cut itself off from the global Internet

2. European Union recommends national risk assessments on 5G networks to mitigate security concerns

3. Insurance consortium introduces first-of-its-kind cybersecurity vendor review service

Russia is advancing and testing efforts to cut itself off from the global Internet.

Background: Russia has long promoted what it calls “Internet sovereignty”, in which it argues all countries should have total control over their own domestic cyberspace; the means of defending it against external attacks; and that other countries should not control the global DNS system. For the past few months, the Kremlin and Russian lawmakers have been advancing draft legislation and technical plans that aim to achieve that objective. It requires Russian ISPs to use only exchange points within country and approved by the Roskomnadzor (Russia’s telecom and censorship regulator), and replacing connectivity to the global DNS with its own internal DNS systems so traffic cannot be rerouted to exchange points outside the country. Russia was expected to conduct a test of this technologically difficult proposition on or about 01 Apr 2019.

Why It Matters: Russia has long argued this is necessary for its independence and security, while opponents (including large numbers of its own citizens) have argued it is a continuation of Russia’s long history of propaganda, political control, and censorship. Either way, attribution, already one of the toughest challenges in cybersecurity, becomes much harder when DNS is privately controlled; investigators would likely only be able to point to Russia in general rather than specific Russian actors. The lack of standardized behavioral norms in cyberspace has also been a protracted challenge to the global community, enabling countries to test limits and conduct operations with little legal or political recourse. Considerable efforts have been underway to develop standards, and this risks undermining and complicating efforts to do so. Also, while the Kremlin may see disconnecting from the global Internet as a defensive measure, it could also strengthen the efficacy of any Russian offensive cyber operations by insulating its private Internet from the consequences of any offensive attacks Russia were to launch against Internet infrastructure shared by the rest of the world.

Reference: Bill #608767-7 sponsored by senators Andrei Klishas, Lyudmila Bokovaya, and Andrei Lugovoi.

European Union recommends national risk assessments on 5G networks to mitigate security concerns

Background: 5G is a game-changer for communications—and cybersecurity. 5G should deliver massive increases in bandwidth and decreases in latency while using higher and more directional radio frequencies for improved efficiency. (Directionality improves efficiency because 4G towers send data in all directions, costing power and energy that deteriorates performance.) The 5G standard is transformative, with some experts considering it the next industrial revolution. 5G will probably increase the ubiquity of IoT devices exponentially, and the scale of use cases in countless vertical markets. Supply chain warehouses can replace wired and unreliable Wi-Fi and Bluetooth connections for a better-coordinated, lower interference standard with far greater coverage. Healthcare organizations can transfer huge image files and conduct remote treatments or monitoring. AI, virtualization, and cloud services will spread as speed and stability rises. However, with exponential growth in connected devices and data throughput comes exponential growth in an attack surface already hard to define and contain. The 5G standard magnifies known 4G vulnerabilities and introduces new ones. (Detailed technical analysis available from ETH Zurich, and a good overview from IBM).

Why It Matters: The EU’s recommendation to member states is more than just an acknowledgement of the security concerns in the 5G standard. The expected growth in ubiquity and performance from 5G is so significant it is expected to drive a fully mission-critical reliance on 5G networks in countless industries—far deeper so than with all earlier wireless standards. The EU’s recommendations acknowledge a 5G cyber attack against one member state will likely have economic repercussions that affect the EU as a whole, and has allowed for member states to ban specific companies they deem a national threat—but not required they do so. This incremental approach punts risk management to individual member states rather than developing a union-wide standard, and adds undue risk in that the EU’s piecemeal approach and slow timeline is undermined by the brisk pace with which 5G is being rolled out. EU member states and other countries are debating concerns over potential foreign exploitation enabled or exacerbated by 5G. In March, the European Parliament formally codified a resolution detailing concerns over Chinese technology in the EU, including allegations Chinese companies are delivering 5G hardware that may have backdoors enabling access into EU networks.

Reference: Commission Recommendation of 26 March 2019 on Cybersecurity of 5G networks. C(2019) 2335 final

Insurance consortium introduces first-of-its-kind cybersecurity vendor review service

Background: This week has seen several reports about third and fourth party cyber risk assessment (in particular, see the new BitSight and CeFPro report). Assessing cyber risk of internal security tech solutions and those of vendors up and down supply chains has been a perpetual problem; routinely overlooked in cyber strategic planning. There is also little legal or financial liability for companies whose incompetence or inaction allow cyber attacks to take place. Without that external driver, there is often not enough pressure on vendors to close vulnerabilities and build more secure products. Cyber vendors are also exercises in understanding shiny object syndrome: many products on the market do substantively the same thing, offering little defensive or preventative security value. Cybersecurity impacts everyone, including companies not blessed with the IT expertise and budgets needed to understand vendor offerings in-depth. This complicates their efforts to assess risk and implement mitigative solutions. This week, a consortium of insurance companies led by Marsh and advised by Microsoft launched “Cyber Catalyst” as a vendor review service to address these gaps. The program evaluates and designates solutions insurers deem to have sufficient efficacy in mitigating cyber risk.

Why It Matters: Though I have doubts over the technology and security expertise of insurance providers, this is a compelling first step towards what I have long considered a necessity: independently verifiable certification of compliance to reasonable security standards, financially incentivized. And that should happen not only within a company’s IT and security operations, but across all the underlying hardware, software, and communications vendors an organization is either directly or indirectly dependent upon. But as the reports discusses, there are several vital challenges in vendor cyber risk assessment, from data accuracy to a lack of continuous monitoring. This insurance offering helps independently mitigate risks — supposedly neither Marsh nor Microsoft have any input in the final adjudication of which vendors are effective enough to be designated “Cyber Catalyst”. Just as important, moving part of the risk burden to insurance and capital markets is potentially a critically-needed carrot — an incentive for profit-driven, cyber attack publicity-wary companies to achieve reasonable security standards and on-going compliance in exchange for reduced premiums.

Cyber Risk Report is published by global intelligence and cyber risk advisor Dan Trimble. Opinions are his own and do not necessarily reflect those of any organizations he works with.

Bloomberg reported this week that SCOTUS has allowed a customer lawsuit against Amazon’s Zappos to continue over a 2012 cyberattack that compromised 24 million customers.

This leaves the door open on liability for data breaches -- and sends an unmistakable signal to Congress and regulatory agencies to get their act together.

Why It Matters

I have argued time and again we won't move the needle on cyber risk until companies are held liable for attacks and privacy compromises. In cyber, liability should not simply be a calculation of how much damages a victim incurs from actual fraudulent transactions made using stolen data on that victim. A company's inaction or incompetence allows or enables that data to be stolen. That can be a vendor who leaves known vulnerabilities open in their software. Or a company like Zappos/Amazon who failed to prevent the exploit of that data on their networks.

Today, a data breach takes place, nothing happens. The attacked company takes a short-term stock hit. Maybe a token executive gets fired. They hire an incident response company to clean up and strengthen their network security -- or so we hope, without any independent scrutiny. They typically buy you a few months of credit monitoring. And that's it. The government holds nobody accountable. And shareholders don't hold boards accountable, because the companies they oversee are not held criminally or financially liable for their inaction or incompetence. And customers -- very often without even having a say in their relationship or data with the attacked company (e.g., Equifax) -- are left compromised ten ways till Sunday.

This SCOTUS ruling is a clear signal companies might be liable even if no actual damages materialize. This is not a terribly unreasonable scope of liability. Stolen data can take years before turning into fraudulent charges or identities, and it can be extremely difficult to definitively correlate such incidents without access to the stolen data compromised in the first place.