A number of significant reports and surveys have been released this week pertaining to cyber risk and corporate governance. To help separate the signal from the noise, I have parsed out a few key findings below.
First, on the threat side, the company FireEye has released “APT 28: A Window into Russia’s Cyber Espionage Operations?” This study identifies a range of Russian activities aimed at stealing political and state secrets, rather than financial profit. Of particular note, as a New York Times piece on the report points out, is the 2009 Russian hacker attack on Kyrgyzstan to pressure the country to remove a U.S. military base. Given Russia’s demonstrated level of capability and intent, both from a Computer Network Exploitation (CNE) and Computer Network Attack (CNA) perspective, the U.S. would do well to inoculate itself against Russia cyber-wise, especially in light of U.S. (and E.U.) sanctions imposed on Russia for its behavior in the conflict with Ukraine.
Also this week, the Cyber Security Coalition, composed of Novetta and other large private sector companies including Cisco and Microsoft, released a report on Chinese state-sponsored cyber espionage, titled “Operation SMN: Axiom Threat Actor Group Report.” Again, the focus is on CNE: theft of political and military secrets along with intellectual property and industrial espionage. In addition to threat reporting, the Cyber Security Coalition announced “the teaming of security industry leaders to execute coordinated, effective remediation and disruption of activities tied to several families of malware used by advanced threat actor groups across the globe.”
In other words, enough talk, time to act. Let’s hope this leads others to translate the nouns into verbs and kick-starts an important discussion around “active defense”.
All of this comes on the heels of the reportedly imminent cybersecurity treaty between Russia and China, which generated next to no news, but has significant implications. The pact would pave the way for joint cyber operations between the two countries.
Turning from CNE to corporate governance, Zurich Insurance and Advisen Ltd. released a Special Report this week, titled “Information Security and Cyber Liability Risk Management.” What’s interesting here is the growing recognition among corporate boards of the importance of cybersecurity: “Of the 507 respondents surveyed in August, 64% said their board of directors views cyber risks as a significant threat to their organizations…” At the same time, however, the Report finds that “only 62% of respondents…[are] certain that their companies had a breach plan in place…”. And “only 52% have a multidepartmental information security risk management team…”. For more on corporate governance and the role of boards of directors with respect to oversight and cybersecurity, see my recent op-ed with Governor Tim Pawlenty here.
Next, there is the Deloitte Survey which “reveals a confidence gap among America’s top executives.” Specifically, the Survey found that “nearly three-quarters (72 percent) of the CXOs who say ‘cyber risk’ is an obstacle to growth do not prioritize investments in both technology and incident response.” Not a very comforting juxtaposition.
Also released was the “Cyber Insurance Survey” prepared by Hanover Research, which gauges “insurance industry interest in cyber security and the prevalence of cyber security policies.” Among the key findings: “Less than half (46 percent) of respondent companies currently offer cyber security insurance coverage, but a majority will in the next year”; “Data breaches are considered the most serious cyber risk facing businesses today with 79 percent of insurers offering coverage for data breach expenses”; “Only 18 percent of insurers offer coverage for cyber extortion”; and “Many (40 percent) believe the greatest challenge in selling cyber insurance is that many companies simply don’t think they need it.”
And finally, today the Pew Research Center released a report entitled “Cyber Attacks Likely to Increase” wherein they canvassed a large number of experts who play active roles in Internet evolution as technology builders, researchers, managers, policymakers, marketers, and analysts.
Overall, 1,642 respondents weighed in on the following question:
Major cyber attacks: By 2025, will a major cyber attack have caused widespread harm to a nation’s security and capacity to defend itself and its people? (By “widespread harm,” we mean significant loss of life or property losses/damage/theft at the levels of tens of billions of dollars.)
Some 61% of these respondents said “yes” that a major attack causing widespread harm would occur by 2025 and 39% said “no.”
Plenty of food for thought here — and it’s only Wednesday.