GAO Says Insurers Limit Coverage in High Risk Areas

When insurance companies first started writing cyber risk insurance, it was unbelievably profitable. They were writing many policies and not processing many claims, so they were very happy.

Over the last few years customers discovered that it did not make any sense to buy insurance and not make a claim when a bad event happened. That started making insurance companies nervous. Events like SolarWinds only makes things worse.

Last fall, as part of the National Defense Authorization Act, the GAO was chartered to survey the cyber insurance landscape.

The GAO interviewed folks at the Treasury, industry trade associations, a large cyber insurance provider and others to understand the landscape and come up with some suggestions on what to do.

The first thing the GAO discovered is that the number of people who decided to be “self insured” has gone down a lot. Their report says that the percentage of insurance clients opting for cyber coverage rose from 26% in 2016 to 47% in 2020. No one likes writing a check for a million dollars out of their own checkbook. That is good because it increases the risk pool.

But cyber is different than many other coverages. It is not local. If there is a fire in one city it does not cause claims in another. But with cyber, attacks are not geographically constrained.

With an increase in claims, insurers responded.

For example, they reduced coverage limits to healthcare and education, two sectors that had finally decided that insurance was not optional. The healthcare sector saw one of the largest increases in demand between 2016 and 2020.

Recently, underwriting capacity has contracted, especially in high risk sectors such as healthcare, education and public entities. Brokers say this is due to the fact that insurers are worried that these sectors are not prepared to repel attacks. As a result, they are declining to write coverage or charging higher premiums.

In fact, the GAO says, underwriters are increasing scrutiny everywhere and for some that could mean that cyber risk coverage may become unaffordable. When underwriters review a company’s cyber risk program, they may decide that it is not strong enough and the risk of providing coverage is too high.

Policies are also becoming more clear about what is covered or, more importantly, what is not covered. That means that customers need to read those policies way more carefully than they have in the past. Insurance underwriters are unlikely to say “although we covered ‘x’ last year, we are not going to cover ‘x’ this year”. It is more like “see if you can figure out what we removed from the policy this time”. And, oh yeah, your premium is going up.

Part of this is due to the insurance underwriters’ inability to predict risk. When it comes to, say, fire insurance, underwriters have a couple hundred years of data to use to predict with and, if anything, buildings are becoming safer. When it comes to cyber, realistically, underwriters have 5-10 years worth of relevant data and the risk factor is anything but safer.

Another factor is the new rule by Treasury that paying ransoms could land you a 20 year all-expenses-paid vacation in a federal “crossbar hotel”. Insurance companies tend to pay the ransom as the least expensive way to fix their problem. If they can’t do that, costs – and risk – go up.

The industry says that they need more incident data. The bad news is that more data will likely show more previously unreported events, making underwriters even more nervous.

What does that mean to you and me? It means that it may be harder to find coverage, the underwriting process may be more invasive, the premiums may be higher and the coverage may be more restrictive. Plan for it.

Finally, if your broker is not an expert in cyber coverage, you may not get the best advice. A broker who writes a couple of policies every now and then is not going to spend the time to learn enough to give you the best advice.

Credit: Health IT Security

Security News for the Week Ending May 28, 2021

The UK Might Beat Us to Regulating MSPs

In the US, anyone can become a managed service provider. Unfortunately, customers may think that comes with security, but usually it does not. The UK is about to create a legally binding cybersecurity framework for managed service providers. This may be the first step at forcing businesses to formally assess the cyber risks of their supply chain. Needless to say, MSPs are not happy about the added cost and responsibility. This comes just as the US begins to force defense contractors to do the same thing. Credit: The Register

Section 230 Preempts FCRA

The law is kind of twisted. Section 230 of the Communications Decency Act shields Interactive Computer Services like Facebook from being sued for content they did not create. In this case, a person tried to sue a company that publishes aggregated data from credit bureaus (basically a version of a credit bureau) for not following the rules of the Fair Credit Reporting Act by correcting faulty data. The company’s defense was that they didn’t create the data, so you can’t sue them. Congress (or the Supremes) need to clean up this mess – and it is and has been a mess forever, but that ruling is just not right to the consumer. They have ZERO recourse, according to this court. Credit: Professor Eric Goldman

NSA Tells Defense Contractors – Don’t Connect IoT/IIoT to the Internet

NSA released a guide to protecting operational technology systems (what we call IoT or Industrial IoT), geared to the National Security System, the Defense Department and the Defense Industrial Base. It is, of course, applicable to anyone. They start with the obvious. An unconnected OT system is more secure than one connected to the Internet. It also provides guidance for protecting OT systems that are connected to the Internet. Whether you are required to follow this or not, if you have IoT systems, this is a good read. Credit: Nextgov

Expect Higher Prices (and Longer Wait Times) for Computers

As the worldwide chip shortage continues (and is expected to continue for at least the rest of this year), PC makers plan to pass on costs to buyers. This likely will continue as buyers have not reduced demand as a result of higher prices. Companies like Dell are reporting strong financial results. Inventory is, however, way down, so expect to take any system that is available or wait for a while. Vendors will likely move available parts to higher margin products, leaving lower end products “out of stock”. Credit: ZDNet

New Bluetooth Attack Affects 28 Chips Tested

A new Bluetooth impersonation attack, called BIAS, allows a malicious actor to establish a secure connection with the victim, without having to authenticate. This attack does NOT require user interaction. The researchers tested the attack against Apple, Qualcomm, Intel, Cypress, Broadcom, Samsung and other chips. There is not a fix yet, but fixes are expected. Credit: The Hacker News

Executive Order on Cybersecurity Part 3

This executive order is a big one – and very aggressive. Here is part 3 of what is in it. I am going to keep doing this until I get all the way through this almost 40 page document.

In part 2, I provided the abridged version of section 4 of the EO. This is the full version.

If you develop software, this is going to be your best practices guide. Correction, this is going to be your minimal acceptable practices guide.

YOU SHOULD ASSUME LARGE COMMERCIAL BUSINESS CUSTOMERS WILL BE ASKING YOU ABOUT YOUR COMPLIANCE WITH PART, WITHOUT REGARD TO WHETHER YOU SELL TO THE GOVERNMENT. THIS IS YOUR NEW REQUIREMENTS SPECIFICATION. FOR MANY OF THEM, NON-COMPLIANCE WILL MEAN DISQUALIFICATION FROM CONSIDERATION AS A VENDOR.

Sec. 4.  Enhancing Software Supply Chain Security. 

Supply chain is, of course, what was at the root of the SolarWinds attack and the Exchange server attack, so doing something to shore that up only makes sense.

  • Within 30 days, NIST will solicit input from government, industry and academia to identify existing or develop new standards, tools and best practices for improving supply chain security.
  • Within 6 months NIST must publish guidelines to enhance software supply chain security based on the conversations above.
  • Within a year NIST must publish additional guidelines, including rules for updating what has already been released.
  • Within 3 months of releasing the preliminary guidelines, NIST must issue guidance including standards and procedures for: secure software development processes, generating and producing documents to provide that they are following such practices, using automated tools to maintain trusted code, producing reports on the results of using such tools and making a summary available publicly, maintaining and providing a Software Bill of Materials (SBoM), running a vulnerability disclosure program, attesting to all of these practices and attesting to the extent possible, to the integrity and provenance of any open source software used. THIS ITEM WILL BE A HUGE CHALLENGE FOR MOST ORGANIZATIONS.
  • Within 60 days NTIA will publish a minimum standard for what needs to be in an SBoM.
  • Within 45 days NIST and the NSA will define what is covered by critical software. That software is what this EO applies to.
  • Within 30 days of the above, CISA will identify a list of categories of software and products that meet the definition of critical software.
  • Within 60 days of the EO NIST will publish guidance for security measures for critical software. Note that the timeline of these last 3 items is very tight. Then OMB has 30 days to make sure that agencies are following this guidance. This includes making sure that new software acquisitions follow these rules. Agencies can request an extension which will be reviewed on a case by case basis. Waivers will also be possible, but only for a limited time period and only in exceptional cases.
  • Within a year DHS, the AG, OMB and the OEG will recommend FAR changes to the FAR council. The FAR council will then review and amend the FARs.
  • Once the FARs are updated, agencies must REMOVE software that does not meet the new FAR requirements from and IDIQ contracts, FWACs, BPAs and multiple award contracts – basically all of the large purchasing vehicles that the government uses.
  • OMB will require agencies using legacy software acquired before EO to either comply with the new requirements or get either an extension or a waiver.
  • Within 60 days NIST and the NSA will release software testing guidelines.
  • NIST will create a pilot program for labelling consumer IoT products for security capabilities. They will do this in a way that “incentivizes” manufacturers to participate.
  • Within 9 months the FTC will see if they can force participation in an IoT security labelling program via any existing laws (such as section 5 of the FTC act).
  • Within 9 months NIST and the FTC will identify secure software development practices to be part of the consumer IoT security labelling program above.
  • Within a year NIST will review these labelling programs for effectiveness and determine what improvements need to be made.
  • And, finally for this section, after a year, the Secretary of Commerce shall report to the President on what progress has been made regarding the requirements of this section.

NIST Prepares Post-Quantum Encryption Standards

Long before quantum computing becomes “main stream”, state actors will have access to it. In part, because they command large budgets; in part because it is important to them.

Why do they care? Because, it will allow them to decrypt both communications that they intercept going forward and communications that they have intercepted in the past and stored. That is a game changer.

While we can make things more difficult with perfect forward secrecy (PFS), which requires each message to be separately decrypted, there are plenty of places were PFS is not being used.

NIST, the part of the Department of Commerce, is responsible for creating encryption standards used by most of the government (except for the spies) and all of the commercial sector, and has been working on this problem since 2016. They are not there yet, but this week they made an important announcement.

They plan to announce finalists for new standards roughly by the end of the year.

Then they have to document them as standards and put out the documents for public comment. Possibly, rinse and repeat.

They expect approved standards by 2024 – an 8 year process.

THEN COMPANIES NEED TO IMPLEMENT THEM AND INTEGRATE THEM INTO SOFTWARE AND HARDWARE PRODUCTS.

They have selected 8 algorithms as candidate standards.

And just to make sure that things don’t get away from them, they are also looking at 7 backup standards.

These standards use different strategies, not just different implementations of solving the same problem. (Like RSA encryption uses the hard problem of factoring large prime numbers. That is not quantum proof, but that is an example of one strategy). So we potentially have 15 different problems which NIST thinks will be hard for even quantum computers to break. If they are wrong about one, they have 14 more. Backups with backups to the backups.

Look for NIST to release draft proposals in a few months. Then we have more wait. But at least this seems like light at the end of the tunnel.

For software developers, that means work, documentation and testing. Plan to be doing that around 2024.

Credit: SC Magazine and NIST

Could America’s Healthcare Suffer Similar Fate to Ireland’s

About ten days ago Ireland’s healthcare system was forced to shut down its computers due to a ransomware attack. Ireland’s health minister said the attack was having a severe impact on the health and social services.

In today’s healthcare world, having doctors and hospitals run without computers means no patient charts and a very labor intensive process to take care of emergencies. Many healthcare visits get cancelled.

BBC is reporting that there were actually two separate attacks. Because they have to figure out how deep the hackers burrowed into the network, it will take a while to recover. That will also depend on how good their backups are and how well they have planned for a situation like this. It also depends on how quickly they were able to contain it so that maybe, not every computer was infected.

The system has some 2,000 software applications to rebuild and as of a couple of days ago, some appointments are still being cancelled.

Unlike the Colonial Pipeline company or CNA insurance, Ireland says they are not paying the hackers. That might be an indication that after Not Petya, they started taking security more seriously and have better disaster recovery and business continuity plans.

Just to understand, this is the only safe way to recover from an attack – they are having experts build a completely new, separate network and rebuilding systems on that network. That is a huge amount of work. Some of these systems have been in use since the 1980s, so likely their security model is a bit old.

Could this happen in the U.S.?

Well, probably not, but maybe.

One thing that is different between the U.S. healthcare system and the healthcare system in Ireland is that in Ireland there is basically one healthcare system for the entire country. In the U.S. there are probably millions of separate healthcare systems – from individual doctors, to clinics, to private hospitals to public ones. Each one uses their own healthcare system.

BUT, there are common weaknesses. Many medical facilities have outsourced their systems to one of a few big providers. While these providers likely spend a lot of effort trying to protect their systems, they are a common weakness.

Going back to 2015, Epic, one of those shared health records systems, said that their software contained the records on 54% of Americans and 2.5% of patients worldwide. While they have a lot of competitors and even Epic doesn’t house all of those records in one system, that would be the one place to attack if you wanted to maximize the harm. Likely both Epic and the feds realize this.

So could an attack like what we saw in Ireland happen in the U.S.? It seems that is definitely possible. Hundreds of hospitals in the U.S. have already been hit by ransomware attacks and likely thousands of other medical practices have too – just more quietly.

Unfortunately, this is likely to get worse before it gets better.

What can help is getting better prepared. That is what, likely, allowed Ireland to flip hackers the bird.

It is also, likely, what forced CNA insurance to pay a $40 million ransom. Ransom demands are getting higher, so assume that whatever people paid last year is obsolete this year.

Are you prepared? Or you hoping that you are lucky? Luck is not a strategy.

Credit: Metacurity, BBC, WSJ

Security News for the Week Ending May 21, 2021

Teslas can be Hacked via a DRONE Without any Owner Interaction

Researchers have shown how they can hack a Tesla from a done without the owner even being aware that he or she is being attacked and particularly, without the owner being involved in the takeover of the car. The attack, called TBONE, was reported to Tesla under its bug bounty program. The attacker can open the doors (and therefore steal anything inside), modify configuration items like driving mode, steering and acceleration modes, but the drone can’t (yet) drive the car. The drone has to be within a 300 feet radius of the car to execute the attack. Of course, the attacker could also be sitting in a parked car nearby – doing the attack from a drone is just cooler. As a result, Tesla issued a patch that stopped using the vulnerable component, but, apparently, many other car makers still use it. Credit: Security Week

FBI’s IC3 Logs 1 Million Complaints in 14 Months

The FBI’s Internet Crime Complaint Center (IC3) took SEVEN YEARS to register its first million complains. The most recent million only took 14 months. Obviously, the IC3 is better known now, but this only considers people who go to the effort to file a complaint. This represents a 70% increase in complaints between 2019 and 2020. This is not a great trend. Credit: Dark Reading

Let the Lawsuits Begin – Bitcoin Speculation is, Well, Speculative

Bitcoin is worth somewhere between $1 and $50,000, depending. Depending on what? Depending on the mood of social media. Right now 1 coin is down about $15,000 from a week ago. That is timed to when Elon Musk said that his starting of DogeCoin was a joke. The drop also times with Musk saying that Tesla would no longer accept cryptocurrency for cars. He said they were concerned about all of the energy needed for Bitcoin mining. Assume lawsuits will follow, even though they don’t seem to have any merit. In the meantime, there is billions of dollars lost in speculation. Credit: Vice

Darkside Gets Taken to Hacker’s Court

For Not Paying Other Hackers

Darkside is the hacking group behind the Colonial Pipeline attack. After the attack, they were so toxic that they shut down – after taking all their Bitcoins with them. The problem with that is that they ran a ‘hack as a service’ model, so they owe other hackers lots of money. Therefore, the crooks are turning to the court system. No, not that court system. The hackers own court system. Just part of their business model. The good guys have been tracking this; they even have screen shots. To the hackers, it is just business. Credit: Threatpost

Attack on Florida Water Plant Was Not Its First

The Florida water treatment plant that was hacked earlier this year and nearly poisoned the entire town — that was not the first attempt on the plant. It turns out that a vendor that builds water treatment plants (infrastructure) hosted malicious code that was designed to attack water treatment plants in general. It is not clear that the attacks were successful. It looks like the hackers who had compromised that infrastructure vendor were only in the reconnaissance stage – collecting information about the visitors, but in the time window that the malware was active, 1,000 folks visited that web site. Clearly, the hackers are after the infrastructure. You could threaten to kill people or even destroy the plant. That would probably get them paid off. Credit: The Hacker News