What You Need to Know This Week
Russia is advancing and testing efforts to cut itself off from the global Internet
European Union recommends national risk assessments on 5G networks to mitigate security concerns
Insurance consortium introduces first-of-its-kind cybersecurity vendor review service
Russia is advancing and testing efforts to cut itself off from the global Internet.
Background: Russia has long promoted what it calls “Internet sovereignty”, under which it argues that every country should have total control over its own domestic cyberspace and the means of defending it against external attacks, and that no other country should control the global DNS system. For the past few months, the Kremlin and Russian lawmakers have been advancing draft legislation and technical plans aimed at that objective. The plan requires Russian ISPs to use only exchange points located within the country and approved by Roskomnadzor (Russia’s telecom and censorship regulator), and to replace connectivity to the global DNS with Russia’s own internal DNS systems so that traffic cannot be rerouted to exchange points outside the country. Russia was expected to conduct a test of this technologically difficult proposition on or about 01 Apr 2019.
Why It Matters: Russia has long argued this is necessary for its independence and security, while opponents (including large numbers of its own citizens) have argued it is a continuation of Russia’s long history of propaganda, political control, and censorship. Either way, attribution, already one of the toughest challenges in cybersecurity, becomes much harder when DNS is privately controlled; investigators would likely only be able to point to Russia in general rather than to specific Russian actors. The lack of standardized behavioral norms in cyberspace has also been a protracted challenge for the global community, enabling countries to test limits and conduct operations with little legal or political recourse. Considerable efforts have been underway to develop such norms, and a national Internet cut off from global governance risks undermining and complicating those efforts. Finally, while the Kremlin may see disconnecting from the global Internet as a defensive measure, it could also strengthen the efficacy of Russian offensive cyber operations by insulating Russia’s private Internet from the consequences of any attacks it were to launch against Internet infrastructure shared by the rest of the world.
Reference: Bill #608767-7 sponsored by senators Andrei Klishas, Lyudmila Bokovaya, and Andrei Lugovoi.
European Union recommends national risk assessments on 5G networks to mitigate security concerns
Background: 5G is a game-changer for communications—and cybersecurity. 5G should deliver massive increases in bandwidth and decreases in latency while using higher and more directional radio frequencies for improved efficiency. (Directionality improves efficiency because 4G towers send data in all directions, spending power on transmissions nobody receives, which degrades performance.) The 5G standard is transformative, with some experts considering it the next industrial revolution. 5G will probably increase the ubiquity of IoT devices exponentially, along with the range of use cases in countless vertical markets. Supply chain warehouses can replace wired connections and unreliable Wi-Fi and Bluetooth links with a better-coordinated, lower-interference standard offering far greater coverage. Healthcare organizations can transfer huge image files and conduct remote treatment or monitoring. AI, virtualization, and cloud services will spread as speed and stability rise. However, with exponential growth in connected devices and data throughput comes exponential growth in an attack surface that is already hard to define and contain. The 5G standard magnifies known 4G vulnerabilities and introduces new ones. (A detailed technical analysis is available from ETH Zurich, and a good overview from IBM.)
Why It Matters: The EU’s recommendation to member states is more than just an acknowledgement of the security concerns in the 5G standard. The expected growth in ubiquity and performance from 5G is so significant that it is expected to drive fully mission-critical reliance on 5G networks in countless industries—far deeper than with any earlier wireless standard. The EU’s recommendations acknowledge that a 5G cyber attack against one member state will likely have economic repercussions for the EU as a whole, and they allow member states to ban specific companies they deem a national threat—but do not require them to do so. This incremental approach punts risk management to individual member states rather than developing a union-wide standard, and it adds undue risk in that the EU’s piecemeal approach and slow timeline are outpaced by the brisk rollout of 5G. EU member states and other countries are debating concerns over potential foreign exploitation enabled or exacerbated by 5G. In March, the European Parliament formally adopted a resolution detailing concerns over Chinese technology in the EU, including allegations that Chinese companies are delivering 5G hardware that may contain backdoors enabling access into EU networks.
Reference: Commission Recommendation of 26 March 2019 on Cybersecurity of 5G networks. C(2019) 2335 final
Insurance consortium introduces first-of-its-kind cybersecurity vendor review service
Background: This week has seen several reports about third- and fourth-party cyber risk assessment (in particular, see the new BitSight and CeFPro report). Assessing the cyber risk of internal security tech solutions, and of vendors up and down the supply chain, has been a perpetual problem, routinely overlooked in cyber strategic planning. There is also little legal or financial liability for companies whose incompetence or inaction allows cyber attacks to take place. Without that external driver, there is often not enough pressure on vendors to close vulnerabilities and build more secure products. The cyber vendor market is also an exercise in shiny object syndrome: many products on the market do substantively the same thing, offering little defensive or preventative security value. Cybersecurity impacts everyone, including companies not blessed with the IT expertise and budgets needed to understand vendor offerings in depth, which complicates their efforts to assess risk and implement mitigating solutions. This week, a consortium of insurance companies led by Marsh and advised by Microsoft launched “Cyber Catalyst”, a vendor review service intended to address these gaps. The program evaluates and designates solutions that insurers deem sufficiently effective at mitigating cyber risk.
Why It Matters: Though I have doubts over the technology and security expertise of insurance providers, this is a compelling first step towards what I have long considered a necessity: independently verifiable certification of compliance with reasonable security standards, financially incentivized. And that should happen not only within a company’s IT and security operations, but across all the underlying hardware, software, and communications vendors an organization is either directly or indirectly dependent upon. But as the reports discuss, there are several vital challenges in vendor cyber risk assessment, from data accuracy to a lack of continuous monitoring. This insurance offering helps independently mitigate risks — supposedly neither Marsh nor Microsoft has any input in the final adjudication of which vendors are effective enough to be designated “Cyber Catalyst”. Just as important, moving part of the risk burden to insurance and capital markets is potentially a critically needed carrot — an incentive for profit-driven, cyber-attack-publicity-wary companies to achieve reasonable security standards and ongoing compliance in exchange for reduced premiums.
Cyber Risk Report is published by global intelligence and cyber risk advisor Dan Trimble. Opinions are his own and do not necessarily reflect those of any organizations he works with.