Wednesday, November 30, 2016

The event horizon of software liability and cyber insurance

Software liability and cyber insurance seem inevitable, but you can never reach them: they are singularities.

There is a gravity in the policy world that pulls toward "solving systemic information security risk" via one of two terrible ideas:

  • Cyber Insurance
  • Software Liabilities

These twin black holes spin around each other, generating gravity waves that can be felt from every other part of the information security universe.

The latest musing in this quixotic adventure is Rob Knake's idea to have the Federal Govt backstop universal cyber insurance, eventually leading to massive SEC-level controls over every company in America:
These are not good ideas. Also, email spoofing is not what anyone does when it comes to phishing in 2016, which is a weird technical detail to have in this paper at all.
As much as AIG would love to be the middleman in a massive new insurance market for which we have no actuarial data, and where the risk is pushed onto the US taxpayer, the reality is that there are some risks you cannot insure. Insurance was created during the Great Fire of London, but fire does not choose to burn down only the houses of the insured to cause maximum damage to the taxpayer the way a cyber adversary would. This system would be built to create an additional vulnerability in the state that another state could take advantage of.

From a technical perspective, the idea is also bankrupt. As Rob himself points out, we don't know what WORKS when it comes to securing things, and even if we knew what worked in the past, we would not know that it would continue to work in the future.
The smart thing to do is not to try to build a new, trusted email, but simply not to trust email. I don't know why Knake is so hot on email spoofing. Also, I want to point out that when an APT does its job right, you never know you took damage. What exactly are we insuring?

And yet, we have seen a burgeoning market for security products which offer guarantees, often backstopped by insurance companies who treat it like a marketing wager, such as this one by Cymmetria. In the end, this may be "as good as we get" when it comes to how insurance is going to work in this space.

The following is the most hilariously scary part of the recommendations:
Yes, nobody will have a problem with THAT clause.
The job of protecting against a systemic, massive 9/11-style attack from a nation state in the cyber domain is rightfully the federal government's. But you can't replace a robust and realistic policy program with a Flood Insurance for Cyber. When Keith Alexander went around asking banks to give him access to their incoming traffic via a black box, they all said no, and for good reasons. Rob argues that not only should we go further than a black box doing network inspection, but that this should apply to every company. It's a massive power grab and, luckily for all of us, a non-starter.

Remember, when Rob says this will encourage the adoption of best practices, what he means is "We are going to mandate how you run your networks, even though we cannot secure our own."

3 comments:

  1. Quotigo offers Uber Insurance easily. Snatch Insurance for your engine and COE Result. Get Car Insurance Quotes and Motor Insurance Singapore at the lowest costs. Here are items for the Uber Insurance, Grab Insurance, Motor Insurance, COE Result, Car Insurance Quotes and Car Insurance Singapore, Car Insurance Quote Online, Motor Insurance Singapore and DBS DriveShield or Cars Insurance.
  2. Thank you so much for the posts you do. I like your post, and all you share with us is up to date and quite informative; I would like to bookmark the page so I can come here again to read you, as you have done a wonderful job. panda security
  3. I really thank you for the valuable info on this great subject and look forward to more great posts. Thanks a lot for enjoying this beautiful article with me. I am appreciating it very much! Looking forward to another great article. Good luck to the author! All the best! horizon data sys