|Software liability and cyber insurance seem inevitable but you can never reach them - they are singularities.|
There's a gravity in the policy world to try to "solve systemic information security risk" via one of two horrible ideas:
- Cyber Insurance
- Software Liabilities
These twin black holes spin around each other, generating gravity waves that can be felt from every other part of the information security universe.
The latest musing into this quixotic adventure is Rob Knake's idea to have the Federal Govt backstop universal cyber insurance - eventually leading to massive SEC-level controls over every company in America:
|There are not good ideas. Also, email-spoofing is not what anyone does when it comes to phishing in 2016 - which is a weird technical detail to have in this paper at all.|
From a technical perspective, the idea is also bankrupt. As Rob himself points out, we don't know what WORKS when it comes to securing things, and even if we knew what worked in the past, we would not know that it would continue to work in the future.
And yet, you have seen a burgeoning market for security products which offer guarantees, often backstopped by insurance companies who treat it like a marketing wager, such as this one by Cymmetria. In this end, this may be as "good as we get" when it comes to how insurance is going to work in this space.
The following is the most hilariously scary part of the recommendations:
|Yes, nobody will have a problem with THAT clause.|
Remember, when Rob says this will encourage the adoption of best practices, what he means is "We are going to mandate how you run your networks, even though we cannot secure our own."