C. Warren Axelrod

Cyber Risk Bubble Babble

Much has been written and said about the recurrence of a bubble in Internet stocks and its imminent bursting. Significant declines in some stock  prices have already taken place … as described in the article by Rolfe Winkler, Matt Jarzemsky and Evelyn Rusli, “Tech-Stock Drop Hits Startup Funding,” on the front page of The Wall Street Journal of April 17, 2014. The article contains a graph showing drops-to-date from their highs in a number of the best known Internet stocks, such as Facebook, Netflix and Twitter, in the 17-39 percent range, and it’s anyone’s guess as to whether or not the decline will moderate, accelerate, or reverse itself.

However, a different, though possibly related, concern is expressed in an advertising article, namely, that a major failure of a cloud service provider could lead to a shock analogous to the 2008 financial meltdown. I first saw the article by Evan Rothman, “The Cyber Risk Bubble,” inside the front cover of the April 21-27, 2014 issue of Bloomberg Businessweek. The article is sponsored by the cyber insurance division of the Zurich Insurance Group. The subtitle “In an eye-opening new report, the Atlantic Council (AC) and Zurich Insurance Group reveal the same failure of imagination that preceded the 2008 financial crisis” describes the article as a collaborative effort between the AC and Zurich. The article also refers to a report, “Risk Nexus – Beyond data breaches: global interconnections of cyber risk,” which is available at http://www.zurich.com/internet/main/SiteCollectionDocuments/insight/risk-nexus-april-2014-en.pdf

On seeing that the topic was cybersecurity and that the Atlantic Council was a sponsor, I immediately wanted to see if my colleague Jason “Jay” Healey was involved. Sure enough, he was indeed quoted several times in the article. More importantly, he is the author of the “Risk Nexus” report, which was referenced in the article.

Since the early days, I have maintained vociferously that availability can often be more important than security or confidentiality with respect to the Internet. I have been subjected to a certain amount of flak from dyed-in-the-wool InfoSec professionals for my holding this position. However, if you compare the potential impact of the Heartbleed bug in OpenSSL, which Bruce Schneier has termed a “catastrophic” security failure, with the potential for melt-down of the Web due to the business failure of a major Internet player, we see an important difference. While Heartbleed is ubiquitous and very serious, it appears (so far) to be having little impact on e-commerce in aggregate. Sure, tens to hundreds of millions of user credentials are at risk of compromise, but that also was the case recently with the Target Stores fiasco. Target suffered considerably, but life went on for everyone else.

The same would not be true if a major Internet service provider suddenly closed its doors. We have a precedent for this in 2001, as I document in my book “Outsourcing Information Security” (Artech House). I quote an article by Scott Berinato, “Security Outsourcing: Exposed!” in the August 1, 2001 issue of CIO Magazine. The article no longer appears in the magazine’s archives … however, my book is still in print and available! In any event, Berinato describes how certain security services providers suddenly closed their doors leaving customers without connectivity to scramble to resume service from another source.

Clearly, if the cloud service provider(s), which were to fail, comprise a big enough segment of the marketplace, the disastrous consequences describe in the AC/Zurich report might indeed occur.

The “Risk Nexus”  report has a number of recommendations both for organizations with systemic responsibilities and for individual organizations. While the recommendations are not particularly new, it is helpful to have them summarized in one place. Here are some examples of the measures one should take:

System wide:

  •  Improve risk management, resilience and incident response
  • Use existing regulatory authority “cautiously” to expand risk management to third-party providers and affiliates
  • Pursue a private-sector-centric approach
  • Provide targeted grants for non-government groups
  • Expand and fortify internet governance with a Cyber Stability Board
  • Consider recognition of global significantly-important Internet organizations
  • Address the “too big to fail” issue

For individual organizations:

Basic:

  •  Provide application white-listing
  • Use standard secure system configurations
  • Patch application software within 48 hours
  • Patch system software within 48 hours
  • Reduce number of users with administrative privileges

Advanced:

  •  Push out risk horizon
  • Cyber insurance
  • Demand more resilient and secure standards and products
  • More effective Board-level risk management

Resilience:

  •  Redundancy
  • Incident response and business continuity planning
  • Scenario planning and exercises

These are important issues to address. Some are more achievable than others. It is not really clear how system-wide security measures will be implemented and enforced given that perhaps 80 percent of the critical infrastructure is in private hands and no one has been willing so far to take on full responsibility for the overall Internet … there are even international fights over who should control domain names. For a broader view of these issues, see my eight-year-old, though still relevant, article “Cybersecurity and the Critical Infrastructure: Looking Beyond the Perimeter,” ISACA Information Systems Control Journal (May 2006), available at http://www.isaca.org/Journal/Past-Issues/2006/Volume-3/Pages/Cybersecurity-and-the-Critical-Infrastructure-Looking-Beyond-the-Perimeter1.aspx

Post a Comment

Your email is never published nor shared. Required fields are marked *

*
*