Guess Who’s Watching
In the war against cyber attacks, a major complication is the constant evolution in the scheming originality of the attackers. Last year more than 18 million new malware samples were conceived—an average of 200,000 viruses, spyware, worms and other insidious codes each day.
Kill one virus and another takes its place. How can companies possibly do battle against such a multiheaded Hydra?
One way is for businesses to share information about their data breaches. Other deterrents include greater cyber awareness, education, training and a rapid response to the incident. These opportunities will be available to insurance brokers and agents (and other commercial enterprises) once the National Cybersecurity Center in Colorado Springs opens its doors for business.
The NCC is a nonprofit organization founded in 2016. Supported by philanthropic and corporate donations, the center’s ambition is to vastly improve the cyber preparedness, security and response of primarily midsize and smaller companies.
Its impact is likely to be widespread, given that all businesses are vulnerable to cyber threats. The Ponemon Institute, which conducts independent research on privacy, data protection and information security policy, tallies the average annual cost of cyber attacks worldwide at more than $9.5 million per company. Some pay more, some less. Although large companies are not immune to cyber attacks, they do have greater capital and personnel resources to prevent, detect and mitigate data breaches. Smaller companies simply don’t have the same capacity.
Cyber thieves want different things, such as inside information on a planned acquisition or a new product, compromising information about a top executive for blackmail purposes, employees’ personally identifiable information for credit card fraud, or ransom to decrypt an encrypted IT network and systems. Today’s hackers are an increasingly broad group of perpetrators, ranging from criminal organizations executing ransomware schemes to nation-states looking to disrupt large institutions like banks and utilities. In between are malicious corporate insiders, hacktivists promoting social or political causes, and traditional hackers exploiting IT systems for bragging rights.
The attack surface for these varied agents has also become much broader. A decade ago, when the first smart phones debuted, there was little (if any) in the way of machine learning, artificial intelligence, mobile applications and the Internet of things. Each technology presents a new doorway for hackers to get inside the corporate perimeter. “With technology moving at the speed of need, the risks are constantly evolving,” says Ed Rios, CEO of the National Cybersecurity Center.
Three Pillars of Security
In the NCC’s bunker-like room surrounded by giant TV monitors—a mini version of NASA mission control—NCC officials prowl the dark net, the anonymous network used for illegal peer-to-peer file sharing. In these murky corners, the spoils of a data breach are offered for sale.
“The dark web is essentially anything on a computer network that’s not indexed for location by typical Internet search engines like Google, Bing and Yahoo,” explains Ed Rios, CEO of the National Cybersecurity Center. Many sites on the dark web use the Onion Router, often called TOR, a tool designed to keep location and users anonymous.
According to Wired, TOR works by having your traffic bounce through a series of routers until it gets to an end router, which then gets the requested web page and sends it back through the tubes, but none of the individual routers know or remember the IP address of the original requester.
“TOR was originally created for legitimate purposes by the U.S. military. In defense, it’s preferable to keep location and identities secret,” Rios says. “However, TOR is also now used for nefarious criminal activities to include the sale of black market items, services and stolen information. Everything from hacking services to personal information and beyond can be found on the dark net if one has the system and knowledge of how to access it.”
What’s the NCC doing there? “It uses the dark net in support of customers for hack validation and consequence management,” Rios says. “It is also used for cyber defense research, training and general situational awareness.”
The NCC grew from the vision of Colorado Governor John Hickenlooper, who urged state legislators to fund the development of a nonprofit cyber education and research facility. Colorado Springs seemed like a natural fit because it has a growing technology sector and “a confluence of military operations, technology companies and commercial enterprises all engaged in some aspect of cyber-risk analysis and security,” explains Matt Coleman, Colorado market president at insurance brokerage Hub International.
In Hickenlooper’s State of the State address in February 2016, he pledged the facility would become the “country’s foremost authority” on cyber research and development, enhancing the ability of businesses to rapidly detect and react to cyber attacks. Three months later, the state’s legislature voted by a strong majority to back its creation.
The organization’s leadership has created three pillars to achieve its mission, each pillar comprising a bucket of different services that will be available via a subscription-based model.
The Cyber Institute is a dedicated education and training center focused on increasing the cyber-risk awareness of the C-suite, boards of directors, other corporate executives and elected officials to improve their governance and oversight of cyber risks.
Such awareness is needed. According to a 2017 survey by professional services firm EY, which polled more than 1,700 global executives, information security managers and IT leaders, nearly one in three respondents (32%) said a lack of executive awareness has challenged the effectiveness of their cyber-security planning. Only 38% of respondents said they believed their boards of directors had enough information to evaluate their organization’s cyber risks, and nearly half (49%) said their boards were unsure of the financial repercussions of a cyber attack.
“Cyber risks have moved from the server room to the boardroom,” says Kyle Hybl, who chairs the NCC’s Cyber Institute Advisory Board. “The risks to an organization are not just financial—a company’s hard-earned reputation is at stake. The challenge for businesses is they have to win every single time they defend against a cyber attack. The attackers just need to win once.
“We’re going to train business leaders about cyber risks, so when they confer with their chief information security officers they’ll know what’s needed, resource-wide, to make the company as secure as possible,” Hybl says.
He pointed to an organization’s “crown jewels,” the sensitive and high-value data most important to protect. “Business leaders need to know what their crown jewels are,” Hybl says, “where they’re located, who has access to them and what to do from a disaster response standpoint if someone tries to steal them.”
The Cyber Research, Education, and Training Center is a cyber academy affiliated with the University of Colorado campus in Colorado Springs. The training center will provide certificate-awarded courses in cyber risk and security awareness. The ultimate goal is to make the NCC a national focal point of a cyber-educational curriculum for the business workforce. A full-time staff connected to leading cyber-security researchers across the world will operate the academy.
The Rapid Response Center is a dedicated facility designed to assist NCC members prior to and in the event of an attack with proactive threat analyses and reactive threat response options. “When something bad happens to a small or medium-sized business, they often don’t have the ability to understand what is going on, much less the tools to react to the incident,” Hybl says.
The response center will draw upon leading cyber-security experts, cyber vendors, and both public and private partnering organizations to forensically determine the category of an attack, such as a ransomware demand or a distributed denial of service attack. Once the attack type is verified, a short list of NCC-certified cyber-security vendors adept at resolving the specific cyber incident is provided to the member company.
“We want to be the front door resource to medium and smaller companies—a one-stop shop when they need to immediately resolve an active breach,” Hybl says.
He and other NCC personnel refer to such businesses as the “Unfortunate 50,000,” meaning they lack the financial and personnel resources to combat cyber attacks as effectively as their larger counterparts. But the NCC’s operating model is designed to assist companies of all sizes, with the aim of becoming a clearinghouse for cyber-related information.
This data warehouse will also be populated with government data on cyber incidents. The NCC is one of several operations nationwide, known as Information Sharing and Analysis Centers, that collect, analyze and disseminate actionable threat information from commercial entities, government agencies and cyber-security firms to prepare their members for an attack.
“We have up-to-the-minute feeds on different attacks coming into us on a 24/7 basis from Homeland Security, the Defense Department and other government agencies,” Rios says. “We’re not there yet, but our goal is to anonymize this classified information and push it to our members.”
“You want to immediately share this information, because hackers don’t just stay on one company,” says Mark Turnage, CEO of OWL Cybersecurity, a cyber-security consulting firm. “If there’s something unique about an attack, this information can be quickly shared across the NCC’s membership to allow for a more prepared and timely response.”
The NCC provides the means for businesses to share their cyber-attack experiences on an anonymous basis. For example, information about a threat may come from a government source and be leveraged by the NCC to assist a private-sector business. “But the source of this information and methodology would never be identified,” Coleman says.
Rios points out that NCC information is private data. “Cyber-security breach information remains confidential between the victim company and the NCC,” he says. “It’s up to the company to report publicly or to the government or not.”
A United Front
Coleman sees tremendous value in what the NCC can offer the brokerage industry and its clients. And with the subscription-based model, members could pick and choose from the available services. “Membership fees could range from $50 a year for individuals to possibly $25,000 for an organization,” says Rios, though he cautioned these rates are not set in stone. “Such costs are generally less than what you would pay for a for-profit security consulting firm. … As a nonprofit, we’re able to present a financial structure that allows for greater utility by more people.”
Some brokers may be interested in cyber-risk education and training alone, others may want to avail themselves of the value of the Rapid Response Center, and many may want to leverage NCC membership to assist clients with their cyber-security concerns. While clients would need a subscription for the Rapid Response Center, brokers could certainly leverage the knowledge and training they gain from the center to provide value and expertise in advising their clients. “The NCC represents an external cyber-risk control resource with a reach and expertise that is far beyond what most insurance brokers could either staff or afford,” Coleman says.
And the value has the potential to go both ways. “A co-branded strategic partnership would be very beneficial,” Rios says. “The insurance industry is a repository of (cyber-loss) claims information that can add dimensionality to our growing database and knowledge transfer efforts. We’re all in this together.”
Hybl shares this perspective. “All kinds of businesses today are part of a digital ecosystem; each party’s vulnerability to a cyber attack potentially exposes the other parties,” he says. “Malware that affects an insurance agency may be passed on to an insurance carrier and to that insurer’s customers. A united front is needed.”
Banham is a financial journalist and author. Russ@RussBanham.com