Government Can and Should Help Reduce Cyber-Security Risks: ITC Highlights

It’s no secret that cyber insurance rates keep rising into the stratosphere. But the U.S. government can take specific actions to help reduce risk and stabilize the market, a former federal official and industry CEO argued separately at ITC Vegas 2021.

“Government, as a collective entity, is very likely the single largest purchaser of everything in the world,” said Chris Krebs, former director of the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, or CISA.

Speaking from the ITC stage on Oct 5, Krebs said that purchasing power can make a profound difference.

“My consulting company of 15 people, we can’t extract requirements and set objectives for big technology companies. The [federal] government can,” Krebs said.

Chubb Chairman and CEO Evan Greenberg, during an Oct. 6 ITC session, reiterated calls for the parts of the federal government to do more through both policy and partnership initiatives.

“The [cyber] tools today are crude. They’re not that effective,” Greenberg said. “In working with the government, [there is] the notion of how we can improve those tools, the standards individual companies embrace [and] the ability to discern the effectiveness of how they are using these tools.”

Krebs said the federal government already took a step toward spurring better cyber security behavior earlier this year, when it issued an executive order requiring better security outcomes for software and other digital products.

“It’s that power of the purse that is really going to transform security expectations in software,” Krebs said. “The same product Microsoft sells to [consumers] they sell to the commercial side. There is a cascading effect. When the government decides to intervene in a market like this it is good for security outcomes.”

Government as Helper, Defender, Regulator and Enforcer.

Both Krebs and Greenberg had specific ideas of where the government should spend its time and attention on improving cyber-security outcomes that can benefit consumers and insurers trying to better manage those risks.

Krebs proposed the federal government tackled security four ways.

Officials can attack the regulatory piece, for example, to make cryptocurrency more transparent and ransomware criminals less likely to use it as they increasingly have this year to force victims to give them money.

“There is an entire economy around ransomware. They are taking the payouts, spreading it across the [ransomware] community. They invest in developers, they invest in customer service. They have 24/7 online customer support agents. It’s a business,” Krebs said. What we need is more transparency, more oversight [and] we need to understand how this economy works.”

The government can also act as a defender, Krebs said, going to adversary networks to understand their operations and make sure their systems crash rather than ours.

As well, the government can act more as an enforcer, using indictments, prosecution and incarceration to force ransomware networks to shut down. Krebs this approach had some success recently in a joint U.S./Ukraine operation.

Additionally, Krebs said, the government can be a helper, sharing good tips with industry and the public about what the threats are, what technology is good to use and what organizations can do to manage their risks.

More Sharing and Creative Hiring

Greenberg reiterated that Chubb advocates data sharing between the public and private sector to reduce cyber risks.

“We have nothing to tell you if something in the supply chain is really up to the standards [to resist a cyber attack],” Greenberg said. “No standard exists and it really needs to be created.”

But public/private partnerships on their own aren’t enough. Greenberg said that insurers can better fight cyber risk by redefining the talent they use to help underwrite it.

“The [insurance] industry, except in certain companies and pockets, hasn’t developed well in terms of the skillsets [for people] today who are now writing cyber,” Greenberg said. “It is those with a cyber-security background, with a hacker background … maybe out in the security establishment, those that have knowledge in that way [who are] inciteful both in the craft of underwriting and underwriting processes around” information technology who can shape stronger coverage now.

Hiring more diverse talent for underwriting can help improve tools that would better benefit public/private partnerships, Greenberg said.

Never Going Away

As Krebs noted, however, cyber crime is never going to go away. At best, the risks around it can be better managed than they are at present.

“No organization, no person, is a security island. We have to do this together. Everyone has to be part of the security organization,” Krebs said. “There will always be an intelligent adversary that is shooting holes in our product and looking for access.”