Quote

Strategy is critical because it establishes a common goal that guides agencies in policymaking and provides the framework for collaboration and cohesion of vision. Strategy is difficult to devise, devilish to agree upon, and often painfully reductive when one considers competing demands. But without it, security boils down to ad hoc government responses based on urgent yet contradicting concepts.

Tatyana Bolton, Mary Brooks, and Kathryn Waldron, “Three Key Questions to Define ICT Supply Chain Security

Building a Strategic Vision to Combat Cybercrime

The Financial Times has a good piece examining the how insurance companies are beginning to recalculate how they assess insurance premiums that are used to cover ransomware payments. In addition to raising fees (and, in some cases, deciding whether to drop insuring against ransomware) some insurers like AIG are adopting stronger underwriting, including:

… an additional 25 detailed questions on clients’ security measures. “If [clients] have very, very low controls, then we may not write coverage at all,” Tracie Grella, AIG’s global head of cyber insurance, told the Financial Times.

To be sure, there is an ongoing, and chronic, challenge of getting companies to adopt baseline security postures, inclusive of running moderately up-to-date software, adopting multi-factor authorization, employing encryption at rest, and more. In the Canadian context this is made that much harder because the majority of Canadian businesses are small and mid-sized; they don’t have an IT team that can necessarily maintain or improve on their organization’s increasingly complicated security posture.

In the case of larger mid-sized, or just large, companies the activities of insurers like AIG could force them to modify their security practices for the better. Insurance is generally regarded as cheaper than security and so seeing the insurance companies demand better security to receive insurance is a way of incentivizing organizational change. Further change can be incentivized by government adopting policies such as requiring a particular security posture in order to bid on, or receive, government contracts. This governmental incentivization doesn’t necessarily encourage change for small organizations that already find it challenging to contract with government due to the level of bureaucracy involved. For other organizations, however, it will mean that to obtain/maintain government contracts they’ll need to focus on getting the basics right. Again, this is about aligning incentives such that organizations see value in changing their operational policies and postures to close off at least some security vulnerabilities. There may be trickle down effects to these measures, as well, insofar as even small-sized companies may adopt better security postures based on actionable guidance that is made available to the smaller companies responsible for supplying those middle and larger-sized organizations, which do have to abide by insurers’ or governments’ requirements.1

While the aforementioned incentives might improve the cybersecurity stance of some organizations the key driver of ransomware and other criminal activities online is its sheer profitability. The economics of cybercrime have been explored in some depth over the past 20 years or so, and there are a number of conclusions that have been reached that include focusing efforts on actually convicting cybercriminals (this is admittedly hard where countries like Russia and former-Soviet Republic states indemnify criminals that do not target CIS-region organizations or governments) to selectively targeting payment processors or other intermediaries that make it possible to derive revenues from the criminal activities.

Clearly it’s not possible to prevent all cybercrime, nor is it possible to do all things at once: we can’t simultaneously incentivize organizations to adopt better security practices, encourage changes to insurance schemas, and find and address weak links in cybercrime monetization systems with the snap of a finger. However, each of the aforementioned pieces can be done with a strategic vision of enhancing defenders’ postures while impeding the economic incentives that drive online criminal activities. Such a vision is ostensibly shared by a very large number of countries around the world. Consequently, in theory, this kind of strategic vision is one that states can cooperate on across borders and, in the process, build up or strengthen alliances focused on addressing challenging international issues pertaining to finance, crime, and cybersecurity. Surely that’s a vision worth supporting and actively working towards.


  1. To encourage small suppliers to adopt better security practices when they are working with larger organizations that have security requirements placed on them, governments might set aside funds to assist the mid-sized and large-sized vendors to secure down the supply chain and thus relieve small businesses of these costs. ↩︎
Image

parislemon:

John Herrman of BuzzFeed:

According to data from the BuzzFeed Network, a set of tracked partner sites that collectively have over 300 million users, Google Reader is still a significant source of traffic for news — and a much larger one than Google+. The above chart, created by BuzzFeed’s data team, represents data collected from August 2012 to today.

Yikes. Did Google just shut down the wrong product?

I’m less clear that the ‘wrong’ thing happened.* Google is getting slammed in Europe for grabbing headlines for Google News: why not shut down Reader (which pulls information from those agencies, to readers on a Google platform) and (if the same companies want all that traffic) force them onto Google+ so that the publishers are directly providing information to Google. With Google’s current policies could they then repurpose Google+ information that the companies provided and use that to feed Google News, thus undercutting publishers’ arguments?

In essence: could this be a play to push publishers onto Google+ and, by extension, then attract people who want publishers’ content, while at the same time trying to undermine some of the arguments in the EU about Google ‘stealing’ content?

*Don’t get me wrong. I depend on Google Reader and think they screwed up. But from Google’s perspective they might not have…