Multibillion-dollar energy giants, rail companies and other corporations should take out insurance policies for damage caused by hackers, a White House official has suggested. The government apparatchik is working on a so-called Cybersecurity Framework of best practices to safeguard America's critical infrastructure - think …
Maybe just making those at the top of said companies liable for losses (or open to prosecution) from ill thought out IT systems being public facing, when the main driving factor to do so is cost-reduction and good IT advice is ignored or not sought, would cost us all a lot less?
Re: Cheaper option?
The simple solution is to make it illegal to put the control of critical infrastructure on the web in the first place.
Re: Cheaper option?
well, yes, but if we're just going to make it illegal to be stupid, there may be a few unintended consequences ...
We should also make it illegal to have sex without a condom: after all, the simplest way to prevent the spread of STDs is to ensure that critical infrastructure cannot come into contact with other critical infrastructure that may already be infected with a virus. I call this the "Latex gap doctrine".
"How do I insure myself against" governments/politicians/agencies* "making poor decisions in pursuit of" policy / votes / beliefs *
* delete as appropriate
The insurance industry AND LEGAL PROFESSION must look forward to this
Its a pure profit scam for them
charge extortionate premiums each year
Never pay out if claimed against because you were hacked
that unreported vulnerability that allowed your system to be hacked breaches our terms of policy
Please refer this matter to your system provider you need to SUE / claim against them for providing unsecure Software
How 'bout instead ...
... uh, maybe air-gap your sensitive systems?
Ain't exactly rocket-science ... Been working here for a third of a century.
Re: How 'bout instead ...
I was thinking the exact same thing. You don't want an outside source hacking your sensitive systems? Don't have your sensitive systems connected to the outside source.
If you need to have it connected to an outside source, do so behind a well configured hardware firewall, and a single client system that only allows access from specified IPs.
Re: How 'bout instead ...
Air gap is a good first line of defense, but...
Stuxnet has already shown how to jump the air gap.
Isn't this how the Krays started ...
"Nice little data centre you've got there. Be a shame if anything happened to it."
says the man from the agency you have most to fear from.
Maybe the whole NSA/PRISM project was dreamt up by a shadowy cabal of insurance companies ?
The insurance scheme...
... is probably a backdoor way of convincing companies to use airgaps and test and improve their security. I would presume the insurance companies will write in minimal standards of security protection to the agreements (much like mandating locked doors and burglar alarms). It's a sad state of affairs, but I bet security will be taken a lot more seriously when there is an insurance policy that could be invalidated.
I love the smell of lobbyists in the morning.
1) A group of people comes together and throws money into a pot
2) ...so that, in case an incident "X" occurs (the probability of said incident and the cost of remediation having been ascertained through empirical observation)
3) ...the contents of the pot may be used for remediation
4) ...and the probability of the pot contents going below 0 is "small enough" over the lifetime of the pot
Yes, we have no values for anything of the above.
Let that not stop us to demand "insurance". Most "insurance" these days is just another legislative trick to part people and their money and pump the money to well-connected entrenched interests.
Yeah. Guess WHO is gonna pay for that "insurance"?
This is addition to the cost that go into actually securing the infrastructure in the first place.
Can they calculate realistic premiums?
The insurance industry is of course based on very accurate statistics (eg for life expectancy, car insurance, etc) for very common events, and reliable, though not quite so accurate, statistics for likelihood and impact of less common things such as shipwrecks and oil refineries blowing up.
Accurate and reliable statistics for likelihood and impact of hacking attacks and other types of cyber-crime are impossible to come by, partly because of the reluctance in reporting such things, and partly because the affected parties don't know the extent of the damage.
Which suggests to me that the insurance premiums wll be sky-high.
Re: Can they calculate realistic premiums?
Probability that you will be hacked: 100% ;-)
In addition to what auburnman said above, this might also be a back door way of forcing companies to report statistics.
Re: Can they calculate realistic premiums?
Insurance companies are a part of the finance industry that's served us so admirably, unselfishly and altruistically over the last few decades...
Shame on those who suspect that the fine-print exclusions will basically mean "Whatever happens, we ain't paying out and your premiums will double next year".
Uberrima fides, anyone?
Nothing is impossible...
...for those who never have to do things for themselves.
In this particular case, I would recommend first installing an in-sewer-ants scheme against hare-brained schemes.
Einstein famously postulated that a problem which can not be suitably described can not be solved. Let us apply this gem to the above.
What is the problem ? Certain services are deemed so critical to the functioning of society that a large scale failure of said services wil cause untold damage to society.
So HOW exactly will in-sewer-ants protect society against -say- a catastrophic failure of the water supply or electricity grid, for example by terrorist attack ? My guess...not whatsoever. Utility companies may (or may not, if their in-sewer-ants is anything like the ones over here) receive a large chunk of change after a claim, but this money will most certainly not be paid out immediateley, the insurers will go to great lengths to weasel out of coughing up, and all the while the great unwashed masses will still not have their electricity or water supply restored. Receiving a great deal of money will not make new HT masts appear magically.
I would understand mandating critical systems be insulated from non-critical sysems, e.g. nuclear power plants not being attached in any shape or form to commercial backbones. AFAIK this may already be the case. Or water companies be mandeted to invest in a minimum backup water capacity which can be rolled out in a hurry. But money after a disaster ? Not really.
Re: Nothing is impossible...
based on your example insurance in the event of a terrorist attack the answer is normally bugger all protection from insurance.
most policies have exclusions for terrorist activity, strikes, riots and civil commotion plus physical damage incurred during a process of mass social uprising, revolt or military coup
Buy shares in security certification firms NOW
Because you'll not be able to get insured without some form of certification pretty soon if this all goes through.
Watch which firms are being invested in or bought by large insurance co's or (already owned by) their backers.
good intentions gone wrong?
To me it seems like a piece of legislation with started under sensible enough assumption that owners of critical infrastructure should be encouraged, by strongest means possible (i.e. financial ones), to secure their computer systems.
One (apparently) sensible way to go about it is to force them to take insurance against loses incurred by their users should anything wrong happen to this infrastructure, due to insecure IT. Obviously, in such case, the insurance premiums would be directly related to probability of security breach, which in turn obviously depends on actual quality of security in place. This means that those who have secured their systems best, would pay the least.
Of course, this is not how politics works. It seems like someone(s) hijacked the idea and turned it into something totally unreasonable.
so who is liable for the internet breach
If you have some application servers in AWS, some in Google and / or some in Azure, storage in some other on-line vendors space and some on site kit as well, all of which communicate application /data over the (public domain) internet, who is liable for the breach in security when someone sniffs the traffic between end points? Regardsless of the encryption used, there still a serious security hole that would probably be excluded from insurance cover.
Are the insurers going to employ lots of CLAS consultants to assess the risk and who will foot the cost for that - oh look the person being insured....
Shutting the Stable Door
Insurance is the classic example of what's known as 'risk transfer' - rather than mitigating the risk via controls, you simply move it so that it's someone else's responsibility. The big problem with this is that it doesnt actually work in terms of risk prevention - a classic case of bolting the door long after the horse has fled,
I would have to assume that, as in the UK, all power companies (as an example of CNI) in the US must have a licence to operate. Would it not therefore be rather a more useful idea for that licence to be conditional on the production of the results of independent six-monthly penetration testing to demonstrate that controls in place (if any) actually do work?
And wouldnt that be a good idea for Mr Cameron's much-vaunted cyber-security initiative?
Re: Shutting the Stable Door
"Insurance is the classic example of what's known as 'risk transfer' - rather than mitigating the risk via controls, you simply move it so that it's someone else's responsibility. The big problem with this is that it doesnt actually work in terms of risk prevention - a classic case of bolting the door long after the horse has fled"
It works this way sometimes. But more often in business environments the extreme cost of the no-mitigation strategy forces the Board to spend money to lower the premium. Boards never like spending money on things that don't make a profit, such as security, but will spend to reduce cost, such as premiums.
And when your insurance company refuse to pay because your system was hacked because of an unreported exploit
"" I'm Sorry Your Policy cannot pay out as you failed to take reasonable precautions ""
"" we will have to raise your premiums Again ""
THIS HAS THE MAKINGS OF INSURANCE EXPLOITATION
pay your EXTORTED premium and they can / will always refuse to pay out claims saying its your fault you were negligent
If there was a genuine market for this companies would already be buying it. If you have the money you can insure almost anything ot against almost anything. Guitarists insure their hands, f1 drivers insure themselves against injury etc. If you are a multinational company and want to insure yourself against losses from hacking then I'm sure there are a bunch of companies willing to take your money. Very few insurance policies (motoring in the UK was one for a while) lose money for the company, the companies wouldn't last long otherwise, so why turn down money. It may take some figuring out how much to charge, but I'm sure they can cope with that.
As far as answers to a problem go, this is one of the worst in a long time. I agree with the comment above about making ceo's responsible. There needs to be a move away from regarding IT departments as money pits that don't generate revenue.
Would making those in charge liable for poor decisions fix this? Yea. Will it happen? Not in this reality. The concept of people who make decisions being held accountable for said decisions is way, WAY too scary for politicians to agree to it. Imagine if THEY ended up being held responsible for the stupid shit they pull!
Yes, the Obama Administration is at it again, with another relief act for insurance companies. How about this: take critical infrastructure OFF the net! . But no, we're fixated on monetizing failure...
"Multibillion-dollar energy giants, rail companies and other corporations should take out insurance policies for damage caused by hackers, a White House official has suggested."
Who will then take a cushy job in the insurance industry when the current President's term finishes...
Next Major Attack....
Hitting multiple customers of the same insurance company to force large setlements and ultimatly cripple the insitution. :P
What about, you know...
...Paying enough money for IPSEC people know what they hell they are doing and letting them do their damn job?
Get used to the new and virtual reality for life. IT is not going to change any other way
There is no defense or successful attacking position against superior, freely shared intelligence, which when being creative and more widely rewarding in a new direction, is disruptive and even destructive in other directions and situations/status quo holding patterns, which have exclusive and inequitable, perverse and corrupting secrets to hide from discovery and greater general knowledge.
Deny it by all means, and render yourself the deluded fool in the white house on the hill and a puppet to others great fortune and grand designs.
Indemnification against hackers?
"Multibillion-dollar energy giants, rail companies and other corporations should take out insurance policies for damage caused by hackers .. it's likely companies running vital services will be the first to sign up. And, obviously, it needs private insurance giants in the mix to offer indemnification against hackers."
What do the original suppliers of the software provide in regards to indemnification?
I'm cracking up, again
Instead of paying people to 'maintain' the system, online companies and government, would rather pay more, much more, for insurance. And where does that money come from, why, the consumer and citizen, of course. The irresponsibility of corporations and government is astounding.
- iPad? More like iFAD: We reveal why Apple ran off to IBM
- +Analysis Microsoft: We're making ONE TRUE WINDOWS to rule us all
- Climate: 'An excuse for tax hikes', scientists 'don't know what they're talking about'
- Analysis Nadella: Apps must run on ALL WINDOWS – PCs, slabs and mobes
- Apple: We'll unleash OS X Yosemite beta on the MASSES July 24