August 26, 2019
Surveying Wreckage of Cybersecurity
by Jesse Lyon
Cybercrime costs the world economy an estimated $600 billion a year, and there is no foreseeable future in which the cost of a breach decreases.
On Jan. 1, 2001, it would have been beyond human ability to predict, with precision, most of what has happened in the first 20 years of the 21st century. Certainly, no one was expecting that following September to dramatically alter the geopolitical landscape of the world, nor was anyone expecting the U.S. to use UAVs (unmanned aerial vehicles) to eliminate targets, terrorist or otherwise. Perhaps more crucially, people were not expecting that over the following 20 years the security of their daily lives would be substantially diminished by the work of hardware and software engineers, some of them operating on the dark side as hackers. Yet more than any other development since the start of this century, the cyber realm has had, and will continue to have, profound impacts on nearly every aspect of our lives regardless of where we live.
It is only fitting then, as we review the lessons we have learned, to examine their inextricable links to and impacts on cyber liability and technology E&O.
Let us start with some numbers. Since 2001 there have been at least 266 breaches that compromised 30,000 records or more, and no year in that period has seen fewer than 13 such breaches.
In 2014, the global average cost of a data breach was $3.5 million. Today the figure stands at $3.9 million, based on an average breach size of approximately 26,000 records. In the U.S., the average cost of a breach was $7.9 million in 2018 and stands at $8.2 million today.
According to the 2001 CSI/FBI Computer Crime and Security Survey, the aggregate loss reported by responding firms that year was close to $456 million. For mega breaches, the cost of losing 50 million records was estimated at $350 million in 2018 and stands at $388 million this year to date. In other words, two mega breaches today would roughly equal all of the losses reported for 2001.
In 2014, cybercrime cost the world economy at least $400 billion; today the figure stands at $600 billion. Calculating the cost of any breach with exactitude is difficult, but the figures above are reasonable approximations, and they make clear that the cost of a data breach is significant.
More concerning is that there is no foreseeable future in which the cost of a breach decreases, and the outlook is equally bleak for the number of unwanted system intrusions. As the cost of doing business in countries like China and India rises, so will the cost of the labor and services needed to investigate and remediate breaches.
Furthermore, the number of people on this planet continues to rise, as does the number of devices connected to the Internet. The passage of privacy laws, like the General Data Protection Regulation (GDPR) in the E.U. bloc, will also push the cost of data breaches upward through regulatory fines and mandatory notification.
The numbers are rising in multiple ways, and they are not in favor of cyber liability and technology E&O insurers or their clients.
Despite the staggering numbers, cyber breaches are treated with an uncommon tolerance. If San Francisco, New York City, London, Dubai, Singapore and Hong Kong each lost power for seven straight days every year, the energy providers to those areas would be lambasted and would perhaps face new, more reliable competition. Yet despite all the damage that hackers are causing, not enough resources are being put in place to prevent the next cyber breach. The 2019 mega breach of Capital One would seem to validate this conclusion.
We have also learned that the rule of law is far less bothered by data breaches than by other types of incidents. After the sinking of the Titanic in 1912, governments and shipbuilders enacted major changes to try to ensure that such a disaster would never happen again. After the 1956 sinking of the SS Andrea Doria, training in the use of radar was mandated and changes to radar displays were required. Shipping accidents are now rare. Governments forced changes in the design and operation of nuclear reactors after the disasters at Three Mile Island (1979) and Chernobyl (1986), and energy companies worldwide got the message. In contrast, every year since 2005 has included at least one moderate to major data breach somewhere, and some years, like 2013 and 2014, saw at least three major breaches. Often the worst penalty the exposed organization faced was levied not by a governmental agency but by a private organization like American Express or Visa. (The E.U. has the strongest and most exacting data privacy legislation, and the state of California also has admirable privacy laws. Elsewhere, strong data privacy laws are the exception.)
Perhaps one of the most shocking aspects of the first part of the 21st century is the lack of accountability in the private sphere for CEOs, boards of directors and other senior individuals. If an entry-level employee were to photograph a client’s banking records, even by accident, that would be more than enough for dismissal, and the employee could even face civil and criminal penalties. In contrast, in the aftermath of the June 2017 NotPetya attack on the international shipper A.P. Moller-Maersk, its CEO was neither dismissed nor criminally charged, even though the attack cost the organization no less than $300 million. The CEO of Marriott International likewise retained his position after the breach that organization disclosed in 2018. (Target’s CEO did resign in 2014, months after its 2013 breach, but that remains the exception rather than the rule.)
When a director or officer can neglect the legal duty of care owed to an organization, the profitability and even the continued existence of that organization are at risk. Such failed diligence amounts to gross negligence.
There is a recognizable communication pattern around data breaches, as evidenced by Target (2013), Equifax (2017) and Capital One (2019). In this routine, the CEO releases a statement saying that she or he understands that the company’s clients may feel frustrated or worried that their data is now exposed. The CEO then expresses a measure of remorse for the breach and promises that dutiful action will be taken to get to the bottom of things. Next comes the public outcry over how an organization, especially a large one, could be so irresponsible as to not screen its sub-contractors and segment its network (Target), or how it could be so lax in its security standards, particularly in applying software patches (Equifax).
Usually, the number of affected customers creeps upward over the following weeks, as was the case with DSW Shoes and LexisNexis (both 2005). Or, as in the case of Maersk, the severity of the damage becomes fully apparent only over the course of days and weeks. By the time the last of the initial steps occurs, the offer of identity theft protection, clients are so numb that the “freebie” provides next to no solace.
Still, to this day in the U.S. and many other countries, there is nothing on a national or multinational scale that compares with the E.U.’s GDPR in helping to prevent data breaches and in making clear to organizations what the penalties are for inadequate security standards.
Another setback is the continued failure to recognize how the data breach landscape changes with each new class of attack, or the severely delayed response to that change. To this day, many people are unable to appreciate how much side-channel attacks at the CPU level have altered the landscape, especially as more side-channel attack possibilities continue to be discovered.
When Stuxnet was made public in 2010, it forever changed the cyber breach landscape: it showed that an organization could not only suffer damage in the cyber realm but that physical equipment under computer control could be destroyed by a worm or virus as well. Yet WannaCry and NotPetya (the latter attributed by Western governments to Russian military intelligence) have NOT struck so much fear worldwide that organizations of every size now run only current, patched operating systems such as Windows 10, macOS 10.15 or Fedora 30. To this day, there are multinational corporations, even in the financial services sector, that have not upgraded to Windows 10. This is not even counting the damage of election interference in the U.S. in 2016 and the political fallout that still afflicts the U.S.
Also uncounted are the ways social media can be manipulated to negatively influence people. One could continue to list advances in breach technology that have altered the cyber landscape, but suffice it to say that the number of ways in which a breach can occur, and the sophistication with which it can happen, have significantly eroded the security of most people on this planet since 2001. Today, for a majority of people around the world, our health, financial and even electronic identities are compromised to varying degrees, and our privacy and collective societal independence have been further eroded by companies like Cambridge Analytica.
Two areas of further concern in the professional sphere have grown less secure since 2001: medical data and the servers that form the data backbone of organizations. Each year, more medical data is put online, whether by primary care physicians, pharmaceutical companies, insurance companies or other private sector organizations. The vast amount of medical data moved online, though, has been done with a focus on ease of access and without a similar regard for security, as evidenced by the consistent rise of medical identity theft since at least 2010.
Sometimes the information comes from a large-scale hack, like that of Anthem (2015), and sometimes from a smaller one, such as the theft from Sutter Medical Center (2011). On the server side, the hack of Capital One is a reminder that cloud-based data is not beyond the reach of unauthorized users. Furthermore, Spectre and other side-channel attacks on CPUs continue to chip away at the safety of the cloud, as would any illicit alteration of hardware from a supplier like Supermicro (the 2018 report of such implants was strongly disputed by the companies named, but the supply-chain risk it describes is real).
We are clearly not safer, overall, today than we were in January 2001, despite the rise of cybersecurity firms and cybersecurity technology.
It would be misguided to say that nothing has been done to advance our cybersecurity in the first 20 years of this century. Perhaps our biggest gain has been the creation and success of cybersecurity firms, especially ones that publicly call out bad actors. Today such firms offer a sorely needed layer of protection in the fight to defeat a cyber breach, and that layer can often be updated daily to account for the knowledge the firm gains in fending off attacks on its various clients.
Advances in quantum key distribution (often called quantum encryption) are also allowing nearly impenetrable confidential communication, increasingly over long distances. Web browsers like Chrome are forcing organizations to present valid, up-to-date TLS certificates; otherwise an organization risks having its site labeled as dangerous to online users. Competition among browser makers is also advancing the security with which browsers themselves are built.
Similar competition in the cloud segment is also helping to ensure safety. When the Capital One breach was announced, Amazon was quick to point out that there was no indication that its AWS cloud itself had been breached.
We also have two-factor authentication for securing our e-mail and even our mobile devices. Card issuers, at least in the U.S., have finally moved almost entirely to chip-enabled (EMV) cards, giving card users a more secure method of payment than the magnetic stripe on the back of the card. On a much larger scale, Apple Pay, Samsung Pay and contactless technology built into credit and debit cards have been introduced over the past 10 years, making point-of-sale purchases much safer and easier today than they were in 2001.
The Payment Card Industry Data Security Standard (PCI DSS), first published in 2004 and revised as version 3.2 in 2016, has encouraged merchants to install firewalls, segment their networks and retain credit and debit card information only when necessary. Furthermore, financial firms often give clients the option to be notified of unusual activity on a card or of any large purchase made with a credit or debit card.
Ultimately, despite all of these advances, the cost and number of cyber breaches have risen consistently since 2001. Moreover, societies and the rule of law continue to accept such breaches with remarkable ease, and CEOs are still rarely held responsible, legally or otherwise.
Furthermore, people and organizations of all sorts fail to understand that the cyber landscape changes continuously, and that failure slows their response to the altered terrain, which in turn increases the chances of yet another cyber breach.
Globally, almost all of us bear scars of one form or another from the damage done to our lives over the past 19 years. Time and again, governments have failed to protect their citizens, and organizations often grasp for cybersecurity without understanding what true cybersecurity is.
Even in this grim landscape, however, we can find hope, direction and ultimately a reliable path forward, and that hope lies with cyber liability and technology E&O insurers.