Hi and welcome to my new blog. If you’re reading this shortly after it was posted, then this site probably does not look like much. It will need a few days to spruce up with some better content and formatting.
But there is an important reason for creating this site: The world seems to have completely lost its mind when it comes to cybersecurity and risk management in general. We never used to have the kinds of losses due to systems being hacked that we have now. In the age of ransomware and rampant fraud, we are seeing one hospital after another, one school, one municipality after another being hit by vicious international terrorists.
Somehow we have normalized this. If it were 1999 and a hospital were shut down by savage criminals, looking to collect extortion money and willing to hurt anyone and divulge data, we would be shocked and appalled, as well we should. We would have had FEMA and the National Guard setting up temporary medical facilities. There would have been a massive response. It should never have been dismissed as a minor thing, or as simply inevitable.
Yet, over the past year almost nobody has noticed that the hospitals in Brooklyn were all closed for over a month, that half the hospitals in Connecticut have been disrupted. Municipalities and emergency services are being disrupted left and right. The amount of money collected by these gangs of thugs has made them unstoppable.
But what is so insane about this? Isn’t it just inevitable that, with such smart hackers out there, we’d have no way to defend ourselves?
No, of course not, and don’t be ridiculous! Cyber security is just security and risk management for enterprise IT environments (basically), and just like you can secure a building with a little effort, you can certainly secure an enterprise IT system. These are systems we own, which were designed here, in the United States, by our top engineers, at top companies. We have access to the developers; they are on our side.
Cyber security is an entirely artificial risk and it’s important to remember that. Like any artificial field, the risks are finite and can be managed. They are well understood. The field of cyber security is a mature, sophisticated and modern field. There’s basically no system that can’t be made very secure if that is the priority.
Any system can be made extremely secure through continuous monitoring. This is true with technology too, and it’s appropriate for some circumstances. There are also automated systems that can do a lot. The technology and knowledge available is more than sufficient to end these problems.
So then what is the problem?
Well, it is basically a problem of regulations and incentives, which I will be posting a great deal more about on this blog. That’s the entire problem. And this problem itself stems from a lot of people who do not understand how cyber security works going out there and making big promises and refusing to admit they need to talk to experts. Cyber security somehow is extremely intimidating and unapproachable to people and they affirmatively do not want to open a book about it, but boy will they lecture about how hard it is.
What we have is an absolute vacuum of leadership and a lot of talking heads who do not know what they are talking about. As a CISSP, with a BS in cyber security, and over 20 years of experience, I will tell you that you really only should listen to a credentialed expert on anything important that is related to any kind of safety or security of any kind. A lot of people moonlight as cyber experts, but, because in decades past the field was so small and specialized, and because as a form of risk management it never got all that much enthusiasm, there just never were a lot of cyber security experts out there, and lately the field has been so flooded with new people that it’s created the illusion that everyone is new, green and trying to figure things out.
Of all the sectors out there, one stands out for its idiocy, and that is the insurance sector. People seem to think that I have a special interest in insurance. It’s not that. It’s the fact that insurance is absolutely the bedrock of how a free market society prices risk and how the private sector can self-manage risk. Insurance has always been at the forefront of risk management, because insurance creates the economic incentives to mitigate risk and creates a vested interest in safety and loss control. It’s an important mechanism for reining in risk.
Unfortunately, in this case, insurance has done the opposite of what it should and in the process broken the risk management system. The first cyber insurance was made available in 1999. It had no qualifications or requirements for security controls. This was always a bad idea, but at the time nobody realized what they were creating. Things went along okay for a while, but then came ransomware. Ransomware was not considered when creating these simple unqualified policies, but they started paying extortion.
And what happened then? Well, the board of directors and C-suite should have gotten involved, because paying extortion is an enormous moral hazard. In fact, the insurers largely chose to pay extortion and to normalize the paying of extortion because “It would be worse not to” or “our clients need to do what is necessary to get back to business” and “It protects people from having their identity stolen.”
In fact, none of this is the case. Paying ransom does not assure anything and dramatically increases the chances of being attacked again and again. It’s not an honorable thing to do and it is never in your best interests.
So then, if it is so preventable, why don’t insurance companies just loss-control it?
This appears to be the worst case of management disconnect, administrative blindness and complete ignorance I have ever seen. It seems that most insurance executives simply do not like cyber security. They do not want to hear about it. As one person in the industry stated, “They don’t want to do that because they don’t like cyber. They have lost a lot of money on it and nobody wants to deal with it.”
Yes, for real. One would think losing money would be all the more reason to want to hire experts to fix the situation. Well, of course, there is some psychology coming in here and people are not being rational. It seems it is just such a sore subject that nobody wants to talk about it.
There may be some good reason for that. The idiot underwriters who thought it was a good idea to pay ransom years ago are still there and are as clueless as ever. They’ve basically passed the message up to the board of directors that “cyber is hard. Nobody has ever been able to figure it out.” The same is heard from executives who say cyber is “uninsurable” or “inherently high risk” or even “perilous,” which is a word that should be reserved for natural environments, not data centers.
It illustrates how clueless the insurance sector has become when it insists, “We are underwriters and therefore are really smart about risk management.” In fact, insurance dispensed with most experts in risk and just went for “cash underwriting,” one of the most toxic moves against public safety. Now, because of this blockade of knowledge, there are a lot of people who don’t want their performance looked at.
Think about it: if in 2016 you defended the paying of ransom and the staunch insistence that subject matter experts were not worth consulting, you are now deeply entrenched in that belief and admitting that you might have been wrong could be downright dangerous.
In fact, if run properly, a line of cyber insurance would be more akin to a safety certification service than a claim-paying line of insurance. Think about it: we are the US, we have the best technology in the world and it’s 2024. We have kept hackers from taking over our nuclear missiles for decades. There are many types of encryption that remain theoretically unbreakable, so of course we can fix this problem and end these losses.
There are some inevitable losses, like from malicious insiders, system malfunctions and occasionally a very sophisticated software supply chain attack. But that’s it. There’s no reason our own tech and access control systems should fail like that. The problem is that companies have been given an option to subsidize it through poorly qualified insurance, and this can and does break risk management completely.
This is why, despite several years of carnage, despite having the best technology and developers in the world, zero progress has been made. Things are broken, but not on a technical level. It’s an institutional failure.
And where has the government been through all this?
Every bit as clueless as the insurance companies. There’s an absolute affirmative disconnect, and a kind of fear and intimidation that makes attorneys general and legislators avoid the topic. It’s often thought that non-technical people would just get tripped up or that it would be intimidating. It seems the world is suffering from the kind of irrational fear that stops someone from going to the doctor, because they don’t want to hear bad news.
In this case, though, the only bad news is how unnecessary this all has been, and how badly the ball has been dropped. A great deal of this, on the Federal level has to do with Donald Trump’s dismissal of Chris Krebs, who was the previous head of US cyber at CISA. Krebs is a very well respected expert, but Trump fired him and most of the staff left in the wake of that. The US government has never been able to get its act together.
Like the others (insurance, the news media and law enforcement), the government simply refuses to admit that there could be value in meeting with experts. A lot of people in such positions, attempting to justify their own ignorance, will sometimes cast cyber experts as “purely technical people who don’t understand management and are hard to work with.” That’s not true at all. Cyber security is a broad field and is based on risk management and corporate governance. It’s also a field filled with people more than smart enough to speak to some manager or legislator.
And above all else, this is the value of an expert: it’s not that they are only necessary for the highly technical end of things. They will offer you greater clarity and certainty than any amateur will. Unfortunately, one thing that seems to be very poorly understood is that cyber security is a field in and of itself and the knowledge and skills are unique to it. It’s not like anyone with an IT background or a computer science degree can do it. In fact, those from a technocratic, geeky background, tend to be some of the worst at risk management. The IT sector has a chronic problem with things like documentation and compliance.
In the coming days and weeks, I will be providing a great deal more information on this site, which I hope will help illustrate how bad things have gotten and how unnecessary it is.
Unfortunately, things are not headed in the right direction right now, and the result of the insurance takeover of cyber risk has been a lot of layoffs and a decimation of the talent and capabilities of cyber security. I’ve never seen things so bad. This has all been caused by greed and pettiness. Perhaps a bit of post-COVID fatigue is in there too. The problem is that it will only continue to get worse. The threat to national security and the economy does not go away. The decimation of the ranks of experts, as companies turn away from hiring cyber experts and instead just buy insurance, is a huge problem for national security.
And the crazy thing is nobody seems to even realize this. Everyone seems to nod “yeah, well cyber is hard and I guess this happens.” Nobody has considered the obvious: we own these systems. Companies get sued when they get hacked, because they are, in fact, negligent.
That said, it is important to note that even the most well-meaning companies, if they have no expertise at all, are left clueless. They have no trusted source of advice or guidance. And yes, it can be intimidating. Cyber experts are here to help, and should be listened to. As security professionals, cyber experts tend to have a very strong commitment to the cause. We want to help. Just stop stonewalling the actual experts from helping.