So, you gonna foot this '$200bn' hacking bill, insurance giants asked Multibillion-dollar energy giants, rail companies and other corporations should take out insurance policies for damage caused by hackers, a White House official has suggested. The government apparatchik is working on a so-called Cybersecurity Framework of best practices to safeguard America's critical infrastructure - think …
We should also make it illegal to have sex without a condom: after all, the simplest way to prevent the spread of STDs is to ensure that critical infrastructure cannot come into contact with other critical infrastructure that may already be infected with a virus. I call this the "Latex gap doctrine".
This post has been deleted by its author
The insurance industry AND LEGAL PROFESSION must look forward to this
Its a pure profit scam for them
charge extortionate premiums each year
Never pay out if claimed against because you were hacked
that unreported vulnerability that allowed your system to be hacked breaches our terms of policy
Please refer this matter to your system provider you need to SUE / claim against them for providing unsecure Software
I was thinking the exact same thing. You don't want an outside source hacking your sensitive systems? Don't have your sensitive systems connected to the outside source.
If you need to have it connected to an outside source, do so behind a well configured hardware firewall, and a single client system that only allows access from specified IPs.
... is probably a backdoor way of convincing companies to use airgaps and test and improve their security. I would presume the insurance companies will write in minimal standards of security protection to the agreements (much like mandating locked doors and burglar alarms). It's a sad state of affairs, but I bet security will be taken a lot more seriously when there is an insurance policy that could be invalidated.
Insurance:
1) A group of people comes together and throws money into a pot
2) ...so that, in case an incident "X" occurs (the probability of said incident and the cost of remediation having been ascertained through empirical observation)
3) ...the contents of the pot may be used for remediation
4) ...and the probability of the pot contents going below 0 is "small enough" over the lifetime of the pot
Yes, we have no values for anything of the above.
Let that not stop us to demand "insurance". Most "insurance" these days is just another legislative trick to part people and their money and pump the money to well-connected entrenched interests.
Yeah. Guess WHO is gonna pay for that "insurance"?
This is addition to the cost that go into actually securing the infrastructure in the first place.
The insurance industry is of course based on very accurate statistics (eg for life expectancy, car insurance, etc) for very common events, and reliable, though not quite so accurate, statistics for likelihood and impact of less common things such as shipwrecks and oil refineries blowing up.
Accurate and reliable statistics for likelihood and impact of hacking attacks and other types of cyber-crime are impossible to come by, partly because of the reluctance in reporting such things, and partly because the affected parties don't know the extent of the damage.
Which suggests to me that the insurance premiums wll be sky-high.
Insurance companies are a part of the finance industry that's served us so admirably, unselfishly and altruistically over the last few decades...
Shame on those who suspect that the fine-print exclusions will basically mean "Whatever happens, we ain't paying out and your premiums will double next year".
Uberrima fides, anyone?
This post has been deleted by its author
...for those who never have to do things for themselves.
In this particular case, I would recommend first installing an in-sewer-ants scheme against hare-brained schemes.
Einstein famously postulated that a problem which can not be suitably described can not be solved. Let us apply this gem to the above.
What is the problem ? Certain services are deemed so critical to the functioning of society that a large scale failure of said services wil cause untold damage to society.
So HOW exactly will in-sewer-ants protect society against -say- a catastrophic failure of the water supply or electricity grid, for example by terrorist attack ? My guess...not whatsoever. Utility companies may (or may not, if their in-sewer-ants is anything like the ones over here) receive a large chunk of change after a claim, but this money will most certainly not be paid out immediateley, the insurers will go to great lengths to weasel out of coughing up, and all the while the great unwashed masses will still not have their electricity or water supply restored. Receiving a great deal of money will not make new HT masts appear magically.
I would understand mandating critical systems be insulated from non-critical sysems, e.g. nuclear power plants not being attached in any shape or form to commercial backbones. AFAIK this may already be the case. Or water companies be mandeted to invest in a minimum backup water capacity which can be rolled out in a hurry. But money after a disaster ? Not really.
based on your example insurance in the event of a terrorist attack the answer is normally bugger all protection from insurance.
most policies have exclusions for terrorist activity, strikes, riots and civil commotion plus physical damage incurred during a process of mass social uprising, revolt or military coup
To me it seems like a piece of legislation with started under sensible enough assumption that owners of critical infrastructure should be encouraged, by strongest means possible (i.e. financial ones), to secure their computer systems.
One (apparently) sensible way to go about it is to force them to take insurance against loses incurred by their users should anything wrong happen to this infrastructure, due to insecure IT. Obviously, in such case, the insurance premiums would be directly related to probability of security breach, which in turn obviously depends on actual quality of security in place. This means that those who have secured their systems best, would pay the least.
Of course, this is not how politics works. It seems like someone(s) hijacked the idea and turned it into something totally unreasonable.
If you have some application servers in AWS, some in Google and / or some in Azure, storage in some other on-line vendors space and some on site kit as well, all of which communicate application /data over the (public domain) internet, who is liable for the breach in security when someone sniffs the traffic between end points? Regardsless of the encryption used, there still a serious security hole that would probably be excluded from insurance cover.
Are the insurers going to employ lots of CLAS consultants to assess the risk and who will foot the cost for that - oh look the person being insured....
Insurance is the classic example of what's known as 'risk transfer' - rather than mitigating the risk via controls, you simply move it so that it's someone else's responsibility. The big problem with this is that it doesnt actually work in terms of risk prevention - a classic case of bolting the door long after the horse has fled,
I would have to assume that, as in the UK, all power companies (as an example of CNI) in the US must have a licence to operate. Would it not therefore be rather a more useful idea for that licence to be conditional on the production of the results of independent six-monthly penetration testing to demonstrate that controls in place (if any) actually do work?
And wouldnt that be a good idea for Mr Cameron's much-vaunted cyber-security initiative?
"Insurance is the classic example of what's known as 'risk transfer' - rather than mitigating the risk via controls, you simply move it so that it's someone else's responsibility. The big problem with this is that it doesnt actually work in terms of risk prevention - a classic case of bolting the door long after the horse has fled"
It works this way sometimes. But more often in business environments the extreme cost of the no-mitigation strategy forces the Board to spend money to lower the premium. Boards never like spending money on things that don't make a profit, such as security, but will spend to reduce cost, such as premiums.
And when your insurance company refuse to pay because your system was hacked because of an unreported exploit
"" I'm Sorry Your Policy cannot pay out as you failed to take reasonable precautions ""
"" we will have to raise your premiums Again ""
THIS HAS THE MAKINGS OF INSURANCE EXPLOITATION
pay your EXTORTED premium and they can / will always refuse to pay out claims saying its your fault you were negligent
If there was a genuine market for this companies would already be buying it. If you have the money you can insure almost anything ot against almost anything. Guitarists insure their hands, f1 drivers insure themselves against injury etc. If you are a multinational company and want to insure yourself against losses from hacking then I'm sure there are a bunch of companies willing to take your money. Very few insurance policies (motoring in the UK was one for a while) lose money for the company, the companies wouldn't last long otherwise, so why turn down money. It may take some figuring out how much to charge, but I'm sure they can cope with that.
As far as answers to a problem go, this is one of the worst in a long time. I agree with the comment above about making ceo's responsible. There needs to be a move away from regarding IT departments as money pits that don't generate revenue.
This post has been deleted by its author
Would making those in charge liable for poor decisions fix this? Yea. Will it happen? Not in this reality. The concept of people who make decisions being held accountable for said decisions is way, WAY too scary for politicians to agree to it. Imagine if THEY ended up being held responsible for the stupid shit they pull!
There is no defense or successful attacking position against superior, freely shared intelligence, which when being creative and more widely rewarding in a new direction, is disruptive and even destructive in other directions and situations/status quo holding patterns, which have exclusive and inequitable, perverse and corrupting secrets to hide from discovery and greater general knowledge.
Deny it by all means, and render yourself the deluded fool in the white house on the hill and a puppet to others great fortune and grand designs.
"Multibillion-dollar energy giants, rail companies and other corporations should take out insurance policies for damage caused by hackers .. it's likely companies running vital services will be the first to sign up. And, obviously, it needs private insurance giants in the mix to offer indemnification against hackers."
What do the original suppliers of the software provide in regards to indemnification?
Instead of paying people to 'maintain' the system, online companies and government, would rather pay more, much more, for insurance. And where does that money come from, why, the consumer and citizen, of course. The irresponsibility of corporations and government is astounding.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
