Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday, August 26th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes David Shipley, head of New Brunswick’s Beauceron Security, will be here to discuss recent news. But first a look back at some of the headlines from the past seven days:
Insurance companies are getting tougher on customers after having to pay out big money because of cyber attacks from foreign countries. Lloyds of London has told its partner insurance firms their policies have to clearly say that they won’t cover damages suffered in cyber attacks from state-backed threat actors. There was a report that some companies are giving up on trying to get cyber insurance because it’s so expensive. David and I will look at these developments.
We’ll also talk about a U.S. regulator that walked back proposed cybersecurity regulations on pipelines.
Also this week, IT leaders in organizations that use Gmail, Yahoo Mail and Microsoft Outlook were warned to ensure their employees use strong passwords and multifactor authentication to protect their accounts if they haven’t already done so. This warning comes after the discovery by Google of a new email message exfiltration tool used by an Iranian-based threat group.
The Python Packaging Index website that hosts open source Python language code components used by developers has warned of a phishing campaign against PyPI developers aimed at stealing their credentials. Messages are going out claiming there is a mandatory ‘validation’ process PyPI users have to use or their package will be removed from the library. The included link goes to a phony site that looks like PyPI’s login page and copies any usernames and passwords entered. PyPI says it can’t remove valid projects from the library. Some maintainers of legitimate projects have been compromised and their code replaced with malware. Those releases have been removed.
Several California residents are asking a court there to approve a privacy class action lawsuit against Oracle. They allege the company violates people’s privacy in the way it collects, processes and sells personal data to advertisers.
And Twitter’s former head of security has accused the company of not enforcing its own security, privacy and content moderation promises in a 2011 settlement with U.S. regulators. CNN said Peiter Zatko also alleges Twitter misled its own board and government regulators about its security vulnerabilities. The allegations haven’t been proven in court. Zatko will testify next month before Congress. Twitter says Zatko was fired for ineffective leadership and poor performance
(The following transcript has been condensed and edited for clarity)
Howard: This was a week in which there was a lot of news about cybersecurity insurance. As I mentioned at the top of the podcast, it was reported that Lloyds of London will require insurers it deals to make it clearer that their policies won’t cover damages from state-backed cyberattacks when there isn’t a war. Almost all insurance policies refuse to cover any physical war-related damages. Some policies also say damages from state-backed cyber attacks in non-war situations aren’t covered. But Lloyds wants to make sure there’s robust wording on policies. So starting next April insurers partnering with Lloyds have to make it clear their cyber insurance policies exclude losses from state-backed cyber attacks that are so big they impair the ability of a country to function. The policies should also be clear about whether there will be coverage for damaged IT systems located outside an affected country. Insurers and the organizations they cover also have to agree on how state-backed cyber attacks will be attributed. David, will this hinder the ability of companies and governments to get cyber insurance?
David Shipley: Oh, I think they’ll still get insurance. I think they’re going to be sorely lacking when they get hit and their insurance will come up short. This is a story that has been building for years. We’ve seen some pretty spectacular state-backed attacks which have had losses in the billions of dollars for companies. And the overall insurance industry is facing more questions from regulators about systemic risk in the insurance sector in the event of a widespread cyber event: Do they actually have the ability to pay out to all of their insured if there is a mass event? For cyber, insurers are doing what they’ve done for large swaths of the world when it comes to weather events and climate change and flooding — they’re just walking away from it. ‘We’re not going to cover you, you live in these flood zones et cetera,’ and that leaves a significant amount of risk on the table. The question becomes, will government step up to provide some kind of emergency aid like a FEMA [the U.S. Federal Emergency Management Agency] for cyber? Is this is where we’re heading for corporations to be able to recover in the event of a state-backed attack? And then when we dig deeper into the direction Lloyds’ is going, are they saying is only a government in your country can attribute a cyber attack to a nation-state? … If not, then your insurance is gone. That creates a new political dimension to cyber insurance and breach attribution. We’ve never seen this before.
I have some interesting questions that I’m dying to ask the insurers. Is a state-backed group just those on an official government payroll hacking team, or does it include government-sanctioned cyber privateers who they know about? Some governments are kind of ‘wink-wink we know they’re there’ to some groups. So there are a lot of questions. But the idea that your insurance is going to be there to pick up the ball after some very bad things happen, that’s becoming less and less likely.
FEMA rolls in with resources and money when the President declares a national or state of emergency and then federal dollars open up to help with recovery efforts and cleanup from natural events. Are we entering an era of governments having to pick up the tab for poor cyber hygiene? If so, that could get really interesting. Would that create better incentives for government to say, ‘If we have to rescue a whole bunch of companies that are being hit by cyber attacks maybe we’re going to start taking more interest in cyber preparedness as well as going after countries that are profiting from these crimes or using this as part of their statecraft.’ This is the most interesting evolution since the introduction of cyber insurance. We had all had such high hopes cyber insurance would raise the bar for IT hygiene. Instead it became this giant risk transfer scheme that has massive losses. Benoit Dupont from the University Of Montreal was at a privacy, security and trust conference here in Fredericton this week and his research is showing that insurers have lost anywhere between 100 per cent-plus of their premiums — that is, they made no money because all the premiums they collected they paid out more in losses … The insurance industry certainly didn’t make things better by paying at ransomware groups. It’s come to a head.
Howard: This becomes interesting when you think about the huge Merck pharmaceutical company claiming US$1.4. billion from its insurer several years ago after it was impacted by the NotPeta cyber attack. NotPeta was aimed at Ukraine, allegedly by Russia, but the malware escaped to computers around the world. Merck was one of the companies that got hit. Merck had an insurance policy that covered all risks, and that included software-related data loss. Its insurance company refused to pay the claim, saying the incident was an act of war. An American court decided this year with Merck based on the current wording of their contract. A decision like that I’m sure spooked insurers and made them even more aware of contract wording involving state-sponsored cyber attacks.
David: You can draw a line from that January decision to Lloyd’s move, and other insurers making very it clear they’re getting out of the business because it makes no sense. I don’t mean to beat up on the insurers. They’re there to provide a reasonable product at a reasonable price to cover reasonable risks. Cyber thus far has been none of those things. It has become an unreasonable risk because of its geopolitical nature.
Howard: You saw another insurance cyber insurance story that said some companies are apparently giving up on having cyber insurance because the premiums are going up but the damages that insurers are willing to cover are going down.
David: Absolutely. And this is where a lot of companies — particularly small businesses — are approaching the point. Keep in mind the backdrop today of the economy and the pandemic and they’re saying, ‘There’s so many exclusions in policies, it costs so much, I’m not even sure I’m going to get paid out for damages, I’m just going to have to accept this risk without insurance.’ And when you think about the average cost of a data breach and other things that happen this could certainly accelerate the percentage of businesses that end up closing because of a negative cyber event.
Howard: What are you hearing from organizations that you talk to about cyber insurance?
David: Some are seeing premiums increasing 50 to sometimes 300 per cent. They’re seeing the deductibles increase significantly, they’re seeing the overall coverage amounts reduce significantly, seeing some pretty tight clauses about timelines — how fast you have to notify your insurer about what’s happening. Those that have been hammered the most — I’m thinking municipalities and health care organizations in Canada — are having a real hard time getting coverage. They’re thinking about whether the government has to step in and offer some kind of a fund to either give some assurance to the insurance companies that they’re not taking on systemic risk so they can offer cyber insurance, or potentially even be the insurer of last resort for these highly targeted sectors.
Howard: The third cyber insurance-related story I saw this week was about an American company that lost a dispute involving its insurance company. The business had coverage for both social engineering fraud and computer fraud. When the company fell for a business email scam that cost it US$600,000 it filed a claim for social engineering fraud — and then it realized that particular clause only paid up to US$100,000 in lost money. Meaning had they been recompensed they would have been out half a million dollars. So the business tried to change the claim to computer fraud which covered up to US$1 million, When the insurance company we’re not going to allow you to do that it sued the insurance company, This month a U.S. judge dismissed the lawsuit, saying the claim was properly social engineering fraud. I thought there’s a couple of lessons here: One is if your firm wants cyber insurance get a lawyer to read closely what’s covered and for how much um. The other thing is, who would have thought a policy differentiates between computer fraud and social engineering fraud?
David: That would surprise a lot of folks, but we have seen these social engineering clauses — or complete exclusions — in a lot of cyber insurance coverage. So it is really important to read the fine print of what you’re actually covered for. Ransomware is the big thing that gets a lot of attention, but the one that hurts a lot of businesses that doesn’t get nearly as much attention is wire fraud — also known as business email compromise or colloquially in the industry as whaling, where you go after the CEO, CFO, etc. The FBI has seen this become a multi-billion dollar cost, and that’s just what’s reported to police. The lead of the RCMP’s national cyber team said at the Fredericton conference I was at they’ve already had $50,000,000 in reported losses reported to them so far this year and they’re on track to beat last year’s numbers — and they estimate that’s at most 10 per cent of the losses incurred by Canadian businesses.
Howard: Experts at the SANS Institute, which is a cyber training provider, noted two other things from this case. Here’s how this scam worked: The crooks sent phony invoices to the computer company’s purchasing manager, and then they hacked into that manager’s email and sent the invoices to the CEO for payment. So, arguably, if the purchasing manager’s email was well protected — perhaps with multifactor authentication — this scam would have failed.
David: Absolutely. The email to the CEO came from a trusted source within their organization. The second part was the way that they crafted it, creating a sense of urgency that there was going to be a penalty if the invoice wasn’t paid … One of the things that we always talk about with our clients is, what is your process for approving financial transactions over a material amount for your company? How do you make sure if an employee can’t get you on the phone when we have questions about an invoice they’re not paying it? Do you have processes with your customers or your suppliers to build some basic resilient steps, some checks and balances to avoid this kind of pressure? For example, if a material amount for a client is over $10,000 and a request comes in by email from an executive for a financial transaction and it’s that the employee has to pick up the phone and talk to that executive to verify the transaction.
Howard: But in this particular case, the CEO did the right thing: He phoned the partner company that allegedly sent the phony invoices to try to confirm it was real, But he couldn’t contact them. They didn’t answer his calls fast enough and the phony invoices had a deadline the CEO felt that he had to meet or face penalties so he approved the $600,000 money transfer to a bank account that the crooks controlled. So what do you do? What’s the lesson from this?
David: Usually there are terms on invoices: They’re due in 30, 60, 90 days. Whatever it is, slow down, ask questions. A one-day delay or a weekend delay, will someone who’s going to make half a million dollars off you try and hit you for that kind of money? This is the time when you have to shift from automated thinking driven by emotions and fear and take a breath. This is how social engineering works: It’s emotional hijack, and you’ve got to take control.
Howard: The second news item we’re going to talk about is one that you saw: The U.S. Transportation Security Administration has revised its directive on cyber security for critical pipelines and liquefied natural gas facilities in the United States. The new directive replaces an order that imposed mandatory cybersecurity requirements for these providers. Now the providers are allowed some flexibility to design cyber security programs that show real benefits. This is good or bad?
David: It all comes down to how much flexibility and how much rope they’re going to give these companies. The old sort of requirement –you must have a certain kind of firewall configured a certain way … and that regulation doesn’t get changed for 10 years. That kind of technology doesn’t make sense. On the other hand, going so far as to tell companies, ‘You come up with a risk-based approach that you’re comfortable with and we’re going stamp it’ is too far the other side. I think there are some basic requirements that should be part of a cybersecurity structure, particularly for pipelines. Multifactor authentication for all critical systems — and then leave some leeway to them as to the manner or format that the regulator is willing to accept. But if you allow the industry to regulate itself … that makes me nervous.
The other part of the story that kind of bothered me was the aspects of them saying, ‘You’ve got have an air gap between your IT and your OT networks. That makes sense, but that wasn’t what brought Colonial Pipeline down. It was the business network that got hit it, the business billing system that no longer functioned, which meant they couldn’t run the business. So I really think the TSA missed the missed mark.
Howard: One way of looking at this is that the industry found the rules onerous and they squeezed the regulator to ease off.
David: I certainly can see that, but there has to be balanced in regulations. They have to be smart, but you can’t just trust industry to do what it thinks is best. They’re private sector profit-motivated organizations. That’s not an evil statement, but their alignment of incentives, their risk appetites are is different. Because of that regulations exist to balance out those competing pressures. Good sense for a regulatory framework has to be a balance between, ‘We’re going to tell you some specific controls that we based on experts advice from past incidents, best practices you better have, and then we’re going to give you some opportunity to innovate around your processes.’
Howard: There’s a Canadian angle to this: There’s new proposed cybersecurity legislation which is going to be debated in Parliament this fall that says certain companies in four federally regulated Infrastructure sectors — banks, telcos, inter-provincial energy providers like pipeline providers and transport companies — would have to meet certain baseline cybersecurity controls. Those controls will be established in regulation. So What should the Canadian government’s approach be?
David: There seems to be some inclination that the infrastructure regulations may be based on what OSFI [the federal Office of the Superintendent of Insurance] has been coming up for the Canadian banking sector, which is a mix of prescriptive — ‘You got to have automatic controls in these areas’ — as well as giving them some opportunities to innovate or to adjust requirements to their needs. That’s the balance that we’re looking for. OSFI came out in July with a guideline called B-13 on technology and cyber risk management, and if that becomes the foundation [of the federal regulation] I’ll be very happy and comfortable with that.