Wednesday, November 30, 2016

The event horizon of software liability and cyber insurance

Software liability and cyber insurance seem inevitable but you can never reach them - they are singularities.

There's a gravity in the policy world to try to "solve systemic information security risk" via one of two horrible ideas:

  • Cyber Insurance
  • Software Liabilities

These twin black holes spin around each other, generating gravity waves that can be felt from every other part of the information security universe.

The latest musing into this quixotic adventure is Rob Knake's idea to have the Federal Govt backstop universal cyber insurance - eventually leading to massive SEC-level controls over every company in America:
There are not good ideas. Also, email-spoofing is not what anyone does when it comes to phishing in 2016 - which is a weird technical detail to have in this paper at all.
As much as AIG would love to be the middleman in a massive new insurance market for which we have no actuarial data, but where the risk is pushed onto the US Taxpayer , the reality is there are some risks you cannot insure. Insurance was created during the Great Fire of London, but fire does not choose to burn down only the houses of the insured to cause maximum damage to the taxpayer the way a cyber adversary would. This system would be built to create an additional vulnerability on the state that another state could take advantage of.

From a technical perspective, the idea is also bankrupt. As Rob himself points out, we don't know what WORKS when it comes to securing things, and even if we knew what worked in the past, we would not know that it would continue to work in the future.
The smart thing to do is not try to build a new, trusted email, but just not to trust email. I don't know why Knake is so hot on email spoofing. Also, I want to point out that when an APT does their job right, you never know you took damage. What exactly are we insuring?

And yet, you have seen a burgeoning market for security products which offer guarantees, often backstopped by insurance companies who treat it like a marketing wager, such as this one by Cymmetria. In this end, this may be as "good as we get" when it comes to how insurance is going to work in this space.

The following is the most hilariously scary part of the recommendations:
Yes, nobody will have a problem with THAT clause.
The job of protecting against a systemic massive 9/11-style attack from a nation state in the cyber domain is rightfully the federal government's. But you can't replace a robust and realistic policy program with a Flood Insurance for Cyber. When Keith Alexander went around asking banks to give him access to their incoming traffic with a black box, they all said no, and for good reasons. Rob argues that not only should we go further than a black box doing network inspection, but this should apply to every company. It's a massive power grab and, luckily for all of us, a non-starter.

Remember, when Rob says this will encourage the adoption of best practices, what he means is "We are going to mandate how you run your networks, even though we cannot secure our own."

No comments:

Post a Comment