Government Action, Insurance, Software Product Liability Urged for Cyber Security
By: Joseph Menn (Insurance Journal) August 2014
Alarmed by mounting cyber threats around the world and across industries, a growing number of security experts see aggressive government action as the best hope for averting disaster.
Even though some experts are outraged by the extent of U.S. Internet spying exposed by former NSA contractor Edward Snowden, they are even more concerned about technologically sophisticated enemies using malware to sabotage utilities, wipe out data stored on computer drives, and steal defense and trade secrets.
Such fears and proposals on new laws and executive action to counter these threats were core topics this week in Las Vegas at Black Hat and Def Con, two of the world’s largest gatherings for security professionals and hackers.
At Black Hat, the keynote speech by respected researcher Dan Geer went straight for national and global policy issues. He said the U.S. government should require detailed reporting on major cyber breaches, in the same way that deadly diseases must be reported to the Centers for Disease Control and Prevention.
Critical industries should be subjected to “stress tests” like the banks, Geer said, so regulators can see if they can survive without the Internet or with compromised equipment.
Geer also called for exposing software vendors to product liability suits if they do not share their source code with customers and bugs in their programs lead to significant losses from intrusion or sabotage.
“Either software houses deliver quality and back it up with product liability, or they will have to let their users protect themselves,” said Geer, who works for In-Q-Tel, a venture capital firm serving U.S. intelligence agencies. Geer said he was speaking on his own behalf.
“The current situation – users can’t see whether they need to protect themselves and have no recourse to being unprotected – cannot go on,” he said.
Several of Geer’s proposals are highly ambitious given the domestic political stalemate and the opposition of major businesses and political donors to new regulation, Black Hat attendees said. In an interview, Geer said he had seen no encouraging signs from the White House or members of Congress.
But he said the alternative would be waiting until a “major event” that he hoped would not be catastrophic.
Chris Inglis, who retired this year as deputy director of the National Security Agency, said disaster could be creeping instead of sudden, as broad swaths of data become unreliable.
In an interview, he said some of Geer’s ideas, including product liability, deserved broader discussion.
“Doing nothing at all is a worse answer,” said Inglis, who now advises security firm Securonix.
SOFTWARE FLAWS
Some said more disclosures about cyber attacks could allow insurance companies to set reasonable prices. The cost of cyber insurance varies, but $1 million in yearly protection might cost $25,000, experts say.
High-profile data breaches, such as at Target Corp. and eBay Inc., have spurred demand for cyber insurance, but the insurers say they need more data to determine how common and how severe the intrusions are.
The ideas presented by Geer and other speakers would not give the government more control of the Internet itself. In that area, security professionals said they support technology companies’ efforts to fight surveillance and protect users with better encryption.
Instead, the speakers addressed problems such as the pervasive number of severe flaws in software, which allow hackers to break in, seemingly at will.
Geer said the United States should try to corner the market for software flaws and outspend other countries to stop the cyber arms race. The government should then work to fix the flaws instead of hoarding them for offense, he said.
Black Hat founder Jeff Moss said he was reminded of the importance of data security while advising a government agency that had no way to tell which of its millions of records were accurate and which had been tampered with.
In the security industry, Moss said, “we’re so day-to-day that we forget we’re a piece of a bigger system, and that system is on the edge of breaking down.”
Dire projections have led some professionals to despair, but others say the fact that their concerns are finally being shared by political leaders gives them hope.
Alex Stamos, who joined Yahoo Inc. earlier this year as chief information security officer, said the Internet could become either a permanent tool of oppression or a democratizing force, depending on policy changes and technology improvements.
“It’s a great time to be in the security industry,” Stamos said. “Now is the time.”