Building a Strategic Vision to Combat Cybercrime

The Financial Times has a good piece examining how insurance companies are beginning to recalculate the premiums they charge for policies that cover ransomware payments. In addition to raising fees (and, in some cases, deciding whether to drop ransomware coverage altogether), some insurers like AIG are adopting stronger underwriting, including:

… an additional 25 detailed questions on clients’ security measures. “If [clients] have very, very low controls, then we may not write coverage at all,” Tracie Grella, AIG’s global head of cyber insurance, told the Financial Times.

To be sure, there is an ongoing, and chronic, challenge in getting companies to adopt baseline security postures, inclusive of running moderately up-to-date software, adopting multi-factor authentication, employing encryption at rest, and more. In the Canadian context this is made that much harder because the majority of Canadian businesses are small and mid-sized; they don’t have an IT team that can necessarily maintain or improve on their organization’s increasingly complicated security posture.

In the case of larger mid-sized, or just large, companies the activities of insurers like AIG could force them to modify their security practices for the better. Insurance is generally regarded as cheaper than security, so insurance companies demanding better security as a condition of coverage is a way of incentivizing organizational change. Further change can be incentivized by government adopting policies such as requiring a particular security posture in order to bid on, or receive, government contracts. This governmental incentivization doesn’t necessarily encourage change for small organizations that already find it challenging to contract with government due to the level of bureaucracy involved. For other organizations, however, it will mean that to obtain or maintain government contracts they’ll need to focus on getting the basics right. Again, this is about aligning incentives such that organizations see value in changing their operational policies and postures to close off at least some security vulnerabilities. There may be trickle-down effects from these measures as well, insofar as even small companies may adopt better security postures based on actionable guidance made available to them by the mid-sized and larger organizations they supply, which do have to abide by insurers’ or governments’ requirements.¹

While the aforementioned incentives might improve the cybersecurity stance of some organizations, the key driver of ransomware and other criminal activities online is its sheer profitability. The economics of cybercrime have been explored in some depth over the past 20 years or so, and the conclusions reached range from focusing efforts on actually convicting cybercriminals (this is admittedly hard where countries like Russia and other former Soviet republics shield criminals who do not target CIS-region organizations or governments) to selectively targeting payment processors or other intermediaries that make it possible to derive revenues from the criminal activities.

Clearly it’s not possible to prevent all cybercrime, nor is it possible to do all things at once: we can’t simultaneously incentivize organizations to adopt better security practices, encourage changes to insurance schemas, and find and address weak links in cybercrime monetization systems with the snap of a finger. However, each of the aforementioned pieces can be done with a strategic vision of enhancing defenders’ postures while impeding the economic incentives that drive online criminal activities. Such a vision is ostensibly shared by a very large number of countries around the world. Consequently, in theory, this kind of strategic vision is one that states can cooperate on across borders and, in the process, build up or strengthen alliances focused on addressing challenging international issues pertaining to finance, crime, and cybersecurity. Surely that’s a vision worth supporting and actively working towards.


  1. To encourage small suppliers to adopt better security practices when they are working with larger organizations that have security requirements placed on them, governments might set aside funds to assist the mid-sized and large-sized vendors in securing down the supply chain and thus relieve small businesses of these costs.
Quote

[Mark Carney’s] prescription: End through strict regulation and resilience tests the scandal of too-big-to-fail, where “bankers made enormous sums” and “taxpayers picked up the tab for their failures.” Recreate fair and effective markets with real transparency and make every effort — through codes of conduct and even regulatory obligations — to instill a new integrity among traders (even if social capital cannot be contractual). Curtail compensation offering large bonuses for short-term returns; end the overvaluing of the present and the discounting of the future; ensure that “where problems of performance or risk management are pervasive,” bonuses are adjusted “for whole groups of employees.”

Above all, understand that, “The answers start from recognizing that financial capitalism is not an end in itself, but a means to promote investment, innovation, growth and prosperity. Banking is fundamentally about intermediation — connecting borrowers and savers in the real economy. In the run-up to the crisis, banking became about banks not businesses; transactions not relations; counterparties not clients.”

In other words, human beings matter. An age that has seen emergence from poverty on a massive scale in the developing world has been accompanied by the spread of a new poverty (of life and of expectations) in much of the developed world. Global convergence has occurred alongside internal divergence. Interdependence is a reality, but the way it works is skewed. Clinton noted that ants, bees, termites and humans have all survived through an unusual shared characteristic: They are cooperative forms of life. But it is precisely the loss at all levels of community, of social capital, that most threatens the world’s stability and future prosperity.

* Roger Cohen, “Capitalism Eating Its Children”
Quote

… the cultural, political, and privacy concerns raised by the new business alliances of search engines, social networks, and carriers cannot be translated into traditional economic analysis. They raise questions about the type of society we want to live in – a holistic inquiry that cannot be reduced to the methodological individualism of economics.

* Frank Pasquale. (2010). “Beyond Innovation and Competition: The Need for Qualified Transparency in Internet Intermediaries.” Northwestern University Law Review 104(1).