Good morning!
Welcome to this week’s issue of the Cyber Risk Report! We’re changing up the format a bit this week; thanks to everyone who provided feedback.
Cyber Risk Report is on the radio! Yes, we still listen to the radio in 2019, right? I recently started a series of cyber risk discussions on 860 AM, “Reimagine America” with Joyce Cordi. Our next session is Sunday, 12 May at 9am Pacific. Join us! If you’re not in the area, you can always catch the archive/podcast link by following @dtrimble.
And since we haven’t invented a transporter yet, if you are in California’s Central Valley, San Francisco, LA, NYC, or DC in the next 3 weeks and want to discuss cyber risk, I’d love to come by and chat with your team for an hour. Send me an email and let’s get something set up.
More paid subscriber content coming soon! I’ll be putting out a few deeper dives on specific cyber risk issues. Coming soon: how climate change is impacting cybersecurity; cyber risk in agriculture; and a public/private model for cyber risk assessment and network certification. Only paid subscribers will have access. What other cyber risks do you need to understand? Send an email or Tweet @dtrimble with your ideas.
What You Need to Know This Week
We’re losing the global cyber war. Aircraft carriers don’t help.
An “unhackable”, self-encrypting CPU.
Insurers denying coverage from cyber attacks as acts of war.
Congress finally gets serious about a national cybersecurity strategy — Cyber Solarium Commission
Port of Los Angeles breaking vital new ground with its Cyber Resilience Center

We’re losing the global cyber war. Aircraft carriers don’t help.
Background: The White House likes to pretend cybersecurity is a top priority because it issued a couple (uninspired and insignificantly updated) executive orders directing federal agencies to bolster cyber operations & workforces. But leadership, implementation, and especially funding don't match the rhetoric. On top of its never-ending cyber leadership paralysis, the White House is now seeking dramatic cuts to the DHS CISA and S&T budgets while also blindsiding the Navy and Pentagon this week. Without consulting SECNAV or SECDEF, the White House reversed its prior approval of $20 billion over 20 years for the Navy to spend largely on cyber and advanced technologies—in order to build another aircraft carrier.
Why It Matters: Kinetic wars are not going away, though many, myself included, argue they will shrink in scale while non-kinetic conflict grows broader and deeper. Nor has the need for strategic power projection gone away, especially in the Pacific. But these are not our biggest threats today. Building a carrier the Navy did not want this money for is planning for a theoretical future conflict. Meanwhile, we are, right here and right now, fighting a global cyber war we are LOSING. All the kinetic weapons and carriers in the world won't make a difference if we can't secure and defend the defense networks and infrastructure it takes to man, equip, and power such forces.

An “unhackable”, self-encrypting CPU.
Background: Recognizing the limits of security technologies, DARPA in 2017 began funneling millions into R&D of theoretically hack-resistant processors. The University of Michigan spent its $3.4M prototyping Morpheus, a processor with security rather than scalability at the core of its design, built on the open-source RISC-V architecture. Morpheus encrypts key bits of its own code and data and reshuffles them every 50 milliseconds, thousands of times faster than the fastest known electronic hacking techniques.
Geekery Sidebar: the randomized data Morpheus focuses on is what the designers call “undefined semantics”: aspects of the machine that the instruction set leaves unspecified, such as where code and data live in memory and how pointers are represented. Correct programs never depend on them, but exploits do: a control-flow attack has to know where code sits and what a valid pointer looks like. So Morpheus encrypts and periodically re-randomizes exactly those things, which is what makes it ostensibly “unhackable” (UM’s word choice, not mine!)
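To make the churn idea concrete, here is a toy Python model, added here as an illustration. It is not Morpheus’s design or code: the real chip uses tagged pointers, domain-specific encryption and a churn unit that rewrites live state. This simulation keeps only the two undefined semantics mentioned above, code placement and pointer representation, and re-randomizes both on a timer. The class and function names (MovingTargetCPU, leak_then_use, demo), the XOR “encryption” and the tick-based timer are my own stand-ins, not Morpheus terminology.

```python
import random


class ChurnTrap(Exception):
    """A pointer did not decode to a live code entry: the toy CPU faults."""


class MovingTargetCPU:
    """Toy model of Morpheus-style churn (a simulation, not the Morpheus design).

    Two "undefined semantics" are randomized: where the code region lives
    (a random page-aligned displacement) and how code pointers are represented
    (XOR with a per-epoch key, standing in for real pointer encryption).
    Every `period` ticks both are re-randomized, so a pointer leaked during an
    earlier epoch no longer decodes to anything meaningful.
    """

    ADDR_BITS = 32
    PAGE = 0x1000

    def __init__(self, period=50, rng=None):
        self.period = period                # ticks between churn events
        self.rng = rng or random.Random()   # a seeded rng makes runs reproducible
        self.tick = 0
        self.epochs = 0
        self.entries = {}                   # function name -> offset in code region
        self.code_size = 0
        self.code_base = 0
        self.ptr_key = 0
        self._churn()

    def _churn(self):
        """Relocate the code region and re-key the pointer encoding."""
        self.code_base = self.rng.getrandbits(self.ADDR_BITS) & ~(self.PAGE - 1)
        self.ptr_key = self.rng.getrandbits(self.ADDR_BITS)
        self.epochs += 1

    def define(self, name, size):
        """Lay out a function of `size` bytes at the next free offset."""
        self.entries[name] = self.code_size
        self.code_size += size

    def address_of(self, name):
        """The encoded pointer a running program sees for `name` right now."""
        return (self.code_base + self.entries[name]) ^ self.ptr_key

    def advance(self, ticks):
        """Let time pass; churn whenever a period boundary is crossed."""
        for _ in range(ticks):
            self.tick += 1
            if self.tick % self.period == 0:
                self._churn()

    def call(self, enc_ptr):
        """Decode a pointer with the current key and dispatch, or fault."""
        addr = enc_ptr ^ self.ptr_key
        offset = addr - self.code_base
        for name, off in self.entries.items():
            if off == offset:
                return name
        raise ChurnTrap(f"0x{addr:08x} is not a live code entry")


def leak_then_use(cpu, delay):
    """Info-leak, then control-flow hijack `delay` ticks later.

    Returns the name of the function the attacker reached, or None if the
    stale pointer faulted.
    """
    leaked = cpu.address_of("privileged")    # step 1: leak a code pointer
    cpu.advance(delay)                       # step 2: build the exploit...
    try:
        return cpu.call(leaked)              # step 3: ...and fire it
    except ChurnTrap:
        return None


def demo(seed=7):
    """Fast attacker vs. slow attacker on a seeded CPU (constructed scenario)."""
    cpu = MovingTargetCPU(period=50, rng=random.Random(seed))
    cpu.define("main", 0x40)
    cpu.define("privileged", 0x20)
    fast = leak_then_use(cpu, 10)            # inside one epoch: hijack succeeds
    slow = leak_then_use(cpu, 60)            # churn at tick 50: pointer is stale
    fresh = cpu.call(cpu.address_of("main")) # legitimate code re-reads pointers
    return fast, slow, fresh, cpu.epochs


if __name__ == "__main__":
    fast, slow, fresh, epochs = demo()
    print("fast attacker (10 ticks):", fast)       # privileged
    print("slow attacker (60 ticks):", slow)       # None (trapped)
    print("fresh pointer after churn:", fresh)     # main
    print("epochs elapsed:", epochs)               # 2
```

The point of the toy is the asymmetry: the attacker's leaked pointer is only valid until the next churn, while legitimate code always obtains its pointers through the machine, which knows the current key and layout. The real design picks the churn rate so that the leak-then-exploit sequence cannot finish inside one epoch; here the same effect appears as the slow attacker landing on a trap.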
Why It Matters: Even among the few organizations who are forward-leaning and deeply security conscious, the most cutting-edge network security software and hardware won’t always keep up—perhaps especially so after we start seeing large-scale artificial intelligence malware. The largest SOC workforces will never have enough people chasing log files and the intrusion set of the moment. Cyber, as we know it, is a deeply reactive paradigm. That has to change. At a processor performance cost of only 1%, the demoed prototype successfully defended against every known type of control-flow attack. If we want to make a meaningful difference in mitigating cyber risk, we have to find solutions that block attacks from ever happening in the first place. We will need more in policy and governance—hacking has to be made unprofitable, vendors need better security baked into their products, companies have to be held accountable for leaving their networks vulnerable, and publicly-sensitive private networks ought to be externally certified. But if processor-level security can also meet the heavy operational requirements of all other modern CPUs without compromising performance, it might well be a significant stepping stone in the right direction. It’s certainly a better approach than the “patch-and-pray” cybersecurity strategy, let alone the more common “hoping to hell you’re not the first one” strategy.
Reference: the fun-sounding “Morpheus: A Vulnerability-Tolerant Secure Architecture Based on Ensembles of Moving Target Defenses with Churn”, Gallagher et al., University of Michigan, ASPLOS 2019 (ACM Digital Library, $15.00 paywall)

Insurers denying coverage from cyber attacks as acts of war.
Background: Some insurers are denying claims made in the aftermath of high-consequence cyber attacks, citing contract terms that exclude losses caused by “acts of war”. In the most recent example, Zurich Insurance has denied the claim for the $100M loss suffered by Mondelez International, based outside Chicago. The owner of Oreo cookies and Ritz crackers, like many other less delicious companies, was hit hard by NotPetya in 2017. Merck, the pharmaceutical giant, also claimed a $700M loss from NotPetya; its more than 20 insurers also denied coverage, two of them citing the war exclusion.
Why It Matters: Those who follow cyber risk know the debate over whether a cyber attack constitutes an act of war has been raging for years. The Tallinn Manual attempts to foster some international norms, and many countries, including the U.S., have some quasi-doctrinal framework in place for cyber warfare. But nations are still reticent to call it “war”, even when publicly naming another nation as the perpetrator. After the U.S. completed its assessment of 2017’s NotPetya and attributed the attack to Russian cyber actors targeting Ukraine, insurers saw an opportunity to call these attacks acts of war, and thus exempt from coverage. Insurers are understandably fearful. It reminds me of that old road trip game, Six Degrees of Kevin Bacon: someone was connected to someone who was connected to someone in Ukraine. The attack was aimed at Ukraine, but it was a self-propagating worm and spread far beyond its target, hitting countless companies that were never singled out. Maersk lost terminal operations at major ports worldwide, setting it back at least $300M. Merck, $700M. Mondelez, $100M. Insurers price premiums on actuarial analysis derived from millions of historic data points. We don’t have that history with cyber, and we are now talking about unpredictable collateral damage to networks that are not independently certified, with losses that can run to hundreds of millions or more. Building an insurance business model for such risk is not easy. More importantly, the dispute underscores the underlying lack of consensus on how to handle cyberspace, especially since many of these policies and terms were written before cybersecurity was a generally acknowledged risk. Using “war” as a catch-all may be convenient when one country names another as the adversary, but it is grossly simplistic to say these companies were mere collateral damage in an “armed” conflict between nation-states, the traditional definition of war.
Reference: Tallinn Manual 2.0, Cambridge University Press

Congress finally gets serious about a national cybersecurity strategy — Cyber Solarium Commission
Background: In 1953, President Eisenhower faced a deepening national threat from the Soviet Union’s growing stockpile of nuclear weapons, and a sharply divided cabinet that could not agree on an approach. He launched “Project Solarium”, named literally after the solarium in the White House (the one where Eisenhower can be seen cooking quail). The project was staffed with three separate panels of experts, each given exactly the same intelligence and the objective of presenting a recommended national course of action. It remains a textbook example of long-term strategic planning, arguably one of the nation’s most successful. Recognizing that cyberspace poses challenges of similar scale, with similarly divided constituencies, U.S. Senator Ben Sasse (R-NE) called for a Cyberspace Solarium Commission through the FY2019 NDAA. The commission was formally launched this week. By 1 Sep 2019, its 14 members must recommend a unified national strategy built on one or more of three strategic frameworks under consideration: deterrence, norms-based regimes, and cyber persistence.
Why It Matters: The commission is chartered to address deeply important questions. How, as a nation, do we operate in cyberspace, and within what left and right limits? When does a cyber attack become an act of war? What are the appropriate governmental or private response options to different levels of effects against our interests in cyberspace? What are the roles of private and public sector entities? These questions have been mired for years in unending bureaucratic machinations and sharply divided stakeholders. Internationally, it’s not much better, though 2018 did see the adoption of three UN resolutions on nation-state behavior in cyberspace. Placing a long-term strategic planning charter in a public/private commission with a singular focus has the potential to shatter some of these obstacles and deliver recommendations that light a path forward and tie the myriad national cyber strategies, orders, and programs to a common strategic objective. Whether we as a nation then embrace a new strategic plan for cyberspace is another matter entirely. That is an incredibly tall order for a Congress that routinely proves how incapable it is of compromise, and an Administration that is, at best, indifferent to cybersecurity. But you have to start somewhere, and the piecemeal approach is costing the U.S. ground. The commission has me, for the first time in a while, hopeful we might make meaningful headway in national cyber policy.
Reference: John S. McCain National Defense Authorization Act for Fiscal Year 2019, Section 1652, pgs. 5515-505 to 5515-511.

Port of Los Angeles breaking vital new ground with its Cyber Resilience Center
Background: The Port of Los Angeles has kicked off planning for a multi-industry, multi-sector Cyber Resilience Center. At its core, the center would share information on cyber threats and operations across a broad swath of stakeholders, from port authorities to terminal operators, rail systems, trucking, and more, and, more importantly, enable rapid, coordinated response across all of those sectors. The Port of Los Angeles is no stranger to cyber attacks: 2017’s NotPetya hit Maersk’s terminal operations in Los Angeles hard.
Why It Matters: If you’ve never seen the ports of Los Angeles and Long Beach, it’s a sight to behold: containers as far as the eye can see. Though estimates vary, most I’ve seen have these two ports combined handling roughly half of all trade shipments in and out of the U.S. It is a staggeringly large and complex operation; the technology in ports of this scale is impressive, and deeply vulnerable, perhaps especially across the ports’ countless industrial control and automation systems. Ports are mission-critical elements of the most economically vital industries in the world. Ports and the waters around them are also built for specific use cases, so if a port is taken out by a cyber attack you can’t simply move ships to another terminal or a nearby port unless those happen to be configured for the same cargo and vessels.

Cybersecurity efforts have been underway for several years, but understanding, let alone managing, these risks is a puzzle of immensely complicated laws and policies. On one level, port technology is operated by private companies, yet the efficacy of their cyber defenses is clearly of outsized public interest. And ports are not just ports: they are lynchpins of supply chain management and the movement of goods not only across oceans but onto trucks, trains, and other intermodal transportation systems. Each element of that supply chain is independently managed and independently regulated, with virtually no cross-over planning, risk analysis, or intelligence sharing. What if a cyber attack on an electrical substation far from the port, one that serves primarily or only that customer, sends a voltage spike downstream? It could damage network and control equipment throughout the port, and no one at the port would have had any warning.
The port’s efforts with this resilience center are commendable, and a good first step towards building a cyber resilience that recognizes the attack surface is far broader, far deeper, and far more consequential than most efforts plan for.
… and that’s what happened this week in cyber risk.
If you’ve enjoyed reading this, tell your friends to sign up online at cyberrisk.news — or post a link in your company Slack team!

I’m Dan Trimble. I help companies understand cyber risk and how it impacts industries, strategy, and public policy. Need help?
Cyber Risk Report is published by global intelligence and cyber risk advisor Dan Trimble. Opinions are his own and do not necessarily reflect those of any organizations he works with.