This article originally appeared in Advisen’s Front Page News, Cyber Edition, on March 16, 2017.
Over the last few months, there have been a number of news stories concerning allegations that the Russians may have hacked US political parties and the US intelligence community. It is easy to dismiss these national and international stories as being too big to provide any real insight into our domestic cyber insurance market. However, it may be too soon to write off all news of government or political cyber attacks and leaks.
Last week, WikiLeaks published a substantial amount of data hacked from the CIA, showing the agency’s hacking and cyber warfare techniques. While no one would reasonably want to see a leak that could compromise national security, this leak provides valuable information for the insurance industry to evaluate its cyber insurance products. And, with the information already being leaked, the insurance industry should use this information to examine current and future cyber threats.
In its largest leak ever, WikiLeaks dumped data and information showing the classified hacking activities and other cyber weapons of the CIA. The document dump showed the CIA created software code to hack smart technology in the following manner:
- Smart Phones: The CIA developed code to allow it to track an individual’s geolocation and allow remote access to audio, text communications, camera, and microphone features on a target’s smartphone before the data could be encrypted.
- Smart TVs: The CIA’s code was able to transform a smart TV into a “covert microphone” capable of sending conversations occurring near the television through the internet to a CIA server while the television appears to be off.
- Smart Vehicles: The WikiLeaks release showed that “[a]s of October 2014 the CIA was also looking at infecting the vehicle control systems used by modern cars and trucks” which may be used to complete “nearly undetectable assassinations.”
Current cyber threats
This leak is important because it shows how the CIA and, presumably, other sophisticated hackers are trying to access various consumer products. In this first dump alone, WikiLeaks leaked 8,761 documents with more documents on the way. It is rare that the insurance industry would have access to such a huge amount of information concerning the threats that give rise to cyber risks. This information can immediately be put to good use. For example, the information dumped in this leak provides substantial data for automobile insurers to determine the threat posed by hackers compromising smart cars. And, the data comes from sophisticated, real-world hacking attempts rather than controlled experiments.
Further, beyond the leaked data itself, the leak provides valuable insight into the current threat covered by cyber insurance. The fact that this information may have been breached by a CIA employee or contractor shows the current threat that malicious insiders pose when determining cyber risks. The insurance industry must wrestle with the fact that if the CIA cannot stop a breach of its most secretive data, there may be little chance for an insured to stop a determined hacker.
Future cyber threats
This leak also provides valuable information showing where cyber threats may be going over the next few years. As stated in the WikiLeaks press release: “[o]nce a single cyber ‘weapon’ is ‘loose’ it can spread around the world in seconds, to be used by peer states, cyber mafia and teenage hackers alike.” Therefore, in assessing future cyber risks, the insurance industry should consider the CIA’s current hacking capabilities in order to forecast where non-government hackers may be going in the coming years, especially now that this information is in the public domain.
For example, WikiLeaks’ data dump shows the CIA was not necessarily penetrating encryption applications on smart phones. Rather, the CIA was simply hijacking the entire device and gathering information before it was even encrypted. First, this may provide step-by-step instructions for hackers less sophisticated than CIA hackers. It may be worthwhile for the insurance industry to start analyzing how this threat may impact cyber insurance policies in the near future. Additionally, the insurance industry may look at whether stringent requirements that insureds encrypt their information would be useful in the future, as such steps may not necessarily provide a safeguard or may take resources that could be applied elsewhere. The CIA’s technique to get around encrypted devices was not widely known even two weeks ago.
Additionally, the WikiLeaks dump states the intention behind the hack was to have the public decide whether the CIA has too much power. In a statement to WikiLeaks, the source details policy questions that they say urgently need to be debated in public, including whether the CIA’s hacking capabilities exceed its mandated powers and the problem of public oversight of the agency. The source wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons.
Consequently, based on the stated intention of the hackers giving rise to the WikiLeaks leak, it may be worthwhile for the insurance industry to consider the place that “hacktivism” has in cyber insurance products in the future and whether there is an increased cyber threat to insureds that draw negative attention.
No such thing as “absolute privacy”
Finally, the public’s attitudes concerning privacy are an important component in assessing the risks for cyber insurance. The risks covered by cyber insurance and expectations for privacy can be better understood when events such as the CIA leak occur. For better or worse, after seeing their privacy compromised in large-scale data breaches at retailers and government institutions and after falling prey to ransomware and phishing scams, the public may start viewing their privacy differently than just a few years ago. Further demonstrating this point is the fact that after WikiLeaks’ leak, FBI director James Comey stated “[t]here is no such thing as absolute privacy in America.” At a cybersecurity conference days after the hack, Comey further stated, “All of us have a reasonable expectation of privacy in our homes, in our cars, and in our devices. But it also means with good reason, in court, government, through law enforcement, can invade our private spaces.”
A few years ago, Comey’s statements would have caused waves in the news. Today, the public barely took notice of his statements. Therefore, while seeing our privacy being compromised may still be unacceptable, the insurance industry can begin looking at the risk associated with a breach of an individual’s privacy in a slightly different manner than how it viewed it just a couple of years ago. Not to mention the fact that many courts are finding plaintiffs lack standing to bring lawsuits unless they show they have suffered damages when they have their private information compromised. In a sense, the level of risk goes down for insuring cyber incidents as the public begins to accept their privacy may not be protected.
Even though they do not directly impact the insurance industry, cybersecurity issues facing government agencies and political parties should not be overlooked as a valuable resource for the insurance industry. The insurance industry should take information from any source available, including WikiLeaks, to evaluate cyber products.