This truly appears to be primarily and perhaps completely caused by mass hysteria and not any actual drone swarm of any kind. There remains the possibility that there were unauthorized drones in sensitive areas, but that does not appear to account for most of the reports.
After spending hours looking for any videos of the supposed drones in New Jersey and elsewhere, I was surprised to find that the overwhelming majority of the sightings seem to be clear, unambiguous and completely doubtless examples of civil and commercial aircraft.
This reminds me very much of the battle of Los Angeles, which was not actually a real battle but rather just an example of similar mass hysteria. We are seeing similar hallmarks to previous flying phenomena hysteria, including a mushrooming number of reports and increasing drama as more and more people are convinced that drones have crashed, are attacking or something else.
Technical Approvals in Cybersecurity: A Missing Pillar of Risk Management
In traditional industries, technical approval processes are a vital part of ensuring safety and reliability. For example, companies often pay to have their devices tested and approved by organizations like UL, which rigorously test products to ensure safety and reliability. Safety-critical devices—such as fire alarms, fire pumps, and safety doors—require approval before being used by insured parties, giving insurers the confidence that these devices will perform when needed.
Cybersecurity, however, lacks a similar robust system of technical approvals. Without an established process, standards in cybersecurity are often vague and difficult to enforce. For instance, many standards simply state that an organization must have a “firewall” or use “industry-standard encryption.” These requirements are difficult to enforce because they are vague—what exactly qualifies as an acceptable firewall, and who verifies it? There are many products that could meet these requirements on paper, but without an approval process, there is no consistent or provable standard of quality.
Technical approvals are ultimately an absolutely necessary step to establishing universally high standards. This is what will, eventually, end the problem of high levels of third party risk forever. It is an unavoidable part of standardizing risk management in technology and reign in losses. It will, unfortunately, be difficult to make great progress in cyber security until such time as a robust system of independent testing and approval is established. This will create the “ecosystem of trust” that is necessary to enforce security.
A Well-Established and Necessary Process It is unusual that cybersecurity proceeds without technical approval, but this reflects an outdated mindset in IT, where buyers assume all risk without warranties or guarantees. Technical approval is a well-established process in many industries, providing independent verification that a product meets specific standards and ensuring accountability. It is no longer the 1980’s, and software and IT products are no longer specialty products or experimental, but this mentality still persists.
So just how bad is ransomware and cyber security in general? To get an impression, lets look at the past week. Just over the past 7 days, there have been over a dozen major ransomware attacks, though a few have not been well reported in the news media. The fact is, we have fallen for a kind of creeping normality. It’s not normal and it should not be considered a routine thing to see this happen.
It is rarely in the best interest of the victim to pay ransom! Although the narrative often is “Because they have no choice” or “It is to protect people from the leak.” This is a complete myth, and it tends to be advanced by those who have paid ransom before, as a way of covering their terrible and avoidable behavior. Nobody owns this untrue narrative more than the insurance underwriters who normalized this behavior.
The problem with something like ransomware is that most companies are willing to pay ransom, and as long as this remains true it will be a persistent problem and only get worse. Ransomware has become so entrenched and is so easy and cheap to pull off, it will not subside until it becomes substantially difficult to succeed in a ransomware attack and make money doing so. Unfortunately, there have been no efforts to reduce ransom payments.
It is important to never forget exactly what is paid for, with money American companies pay (Source)
When ransomware gangs lock down a system, they are frequently the first people the victims hear from and they will do their best to instill fear, create panic and make the situation seem much worse than it is. They will often claim that they will soon delete the data or raise their price for restoration. Paying for data restoration is never necessary, if even the most basic of precautions have been taken to back up data, but that is often not the cast and 80% of organizations facing ransomware do not have adequate backups. The situation is common, though always avoidable, and at least half of ransom payments are motivated primarily by the need to release systems and have data returned, not to avoid it leaking.
In many cases, companies have felt it was more reliable or faster to pay ransom, and with gangs so skilled at instilling fear and manipulating American companies, it is not uncommon. In some cases insurers have even insisted that victims pay ransom against their will. HSB is one of the few that still does this, forcing victims to pay ransom even if they felt it was not necessary, simply because the insurance company felt it was cheaper or safer to do so. However, the practice has never gone away completely from most insurers. Because the claims staff frequently receive kickbacks, they will tell organizations they are best off paying, even when they are not.
Unfortunately, it is not cheaper or safer to do so, and this is especially true if you do have backed up data. The restored data is 100% assured to be contaminated with malware and backdoors and the incident response will be far worse off. Paying ransom almost doubles the average cost of cleaning up an incident in the end. It also dramatically increases the chances of future attacks.
Understanding and Preventing Zero Day And Other Software Supply Chain Attacks
This is the second post in the series, intended to help better understand how third party risks can be managed, and addressing the problem of misinformation from high raking sources. Because of the pervasiveness of the myth that third party risks are unmanageable, primarily due to the insistence by insurance executives that “Well I don’t understand it, and therefore it can’t be done.” But because of this toxic insistence, it is necessary to break things down and provide detailed supporting information.
In this post, we will look at zero days and unpatched vulnerabilities as a type of exposure to third party risk. Zero days are similar to supply chain attacks, and many of the same methods for controlling zero days apply to supply chain attacks as well. MOVEit is an example of a zero day attack, which caused massive damage to the US and global economy. It illustrates exactly how these attacks work.
In some ways, it was the kind of systemic attack that insurers are constantly complaining about. However, it also illustrates all the ways the damage could have been prevented. MOVEit was bad, but it was also tragic, because so much of the loss could have been prevented, if we had our act together on this.
Due to the length of this detailed topic, it will be broken into multiple parts. One of the reasons this post is so long is the extreme entrenchment of incorrect views, and therefore, a need to provide detailed explanations of why they are wrong.
Of course, this is not the case, in the finite and artificial world of cyber security, no risk is insurmountable and all can be understood. Third party risks come from the fact that so many organizations are dependent on various third parties, such as vendors and contractors. Even clients and customers can be a third party risk, because some organizations rely on a relatively limited number of clients.
In this video-accompanied post, I will do my best to provide detailed information to refute this dangerous and deeply entrenched idea.
Lets be clear on something, this is not new or unique to cyber: There is nothing new or novel about this concept at all. Some policyholders have always been dependent on a limited number of vendors or service providers. Even in the years before cyber security, a major failing of the power grid, as happened in 2003 and 1977, can cause widespread loss across a large area. A single storm can impact a huge area, or a bad hurricane season can bring devastating storms to a large area. That’s what a systemic risk is.
However, in cyber security, all systemic risks can easily be detected ahead of time, if we care to look. They’re artificial, based on the relationships we choose to have and the artificial, man-made, engineered systems we use with the human-created, anthropogenic, artificial, man-made, ARTIFICIAL RISKS. And therefore finite and easy to understand. It’s always easy to know your risks, when they are in engineered systems you own, right?
Because the artificial risk of cyber-attacks Is So controllable, Cyber Insurance can be a reliable cash cow, but it we must rethink what cyber risk is and what role cyber insurance plays. Doing so unlocks the door to billions of dollars in potential profits. Currently, nobody in the entire insurance sector knows how to do this and nobody does it properly.
The term for what we are living through is moral crisis.
Last year, the world lost hundreds of billions of dollars to cyber attacks and trillions were lost to the total economic impact of these attacks. The biggest problem is ransomware, but business email compromise, leading to fund transfer fraud and other types of account interception and social engineering fraud are also costing the economy billions. Every week, we hear about more police forces, hospitals, schools and critical institutions being attacked. Ransom is frequently paid. Lives have even been lost. It’s no longer possible to rely on your doctor, lawyer, police force or fire department to be there for you and not leak your private information.
And then we have cyber insurance, which keeps paying ransom and racking up losses, insisting that “cyber is just inherently high loss” or “cyber incidents are like earthquakes: unpredictable and unstoppable.” We see top ranking executives, even the likes of Warren Buffet saying that it is expected that cyber insurance will lose money. It will because cyber risks are just big risks and we don’t know how to control them. Also, we don’t have enough data, and perhaps in a few years we will be able to figure out how to price it.
As an expert in cyber security, ransomware especially, with an education in cyber security and over 20 years of experience, I cannot stress this enough: THIS IS INSANE!
Cybercrimes are just that: crimes. Like all crimes, they are human created and can be stopped. Cyber security is not some oddball unfigured-out kind of thing. It’s just bad guys breaking into our systems because we do not institute strong enough controls. The idea that cyber criminals are so much smarter than our best engineers is absurd. It’s the year 2024 and the US has the best technology in the world. None of this needs to happen. We could shut this down in a day, if there were proper experts involved.
There has been a massive misunderstanding of the nature of cyber risk by the insurance sector, and in doing so we have entrenches a monster which is sapping hundreds of billions of dollars out of the legitimate economy and is funding terrorism. The history of cyber insurance is a comedy of errors. There’s a reason no legitimate cyber risk experts should not have been consulted from day one, but there was a belief that cyber was simply a shiny object that could be monetized to appeal to the digital age. Insurers have been trying to sell cyber insurance without investing a dime in understanding it. They’ve simply broken something they don’t understand and now consider it a lost cause. This is absurd.
The truth is simple: If not for the fact that cyber insurance has come along and decided to encourage bad behavior, while funding crime, we would not have the ransomware problem we do. Our hospitals would be safe. Our schools would be safe. Our emergency services would not be targeted. The problem cannot currently be solved, because insurance companies stubbornly insist that they don’t want to, but are fine paying out ransoms.
