CHICAGO -- Calling cybersecurity “asymmetrical warfare,” the former Chief Technology Officer of the United States, who spoke Thursday at the CTC Corporate Treasurers Forum, stressed the need for standards for cyber insurance products to improve their quality and value.
Aneesh Chopra said treasury and finance professionals need to purchase cyber insurance in today’s threat-heavy environment, but he believes it is “a market failure.” He noted that if he were to ask most CEOs how much they want to spend on cybersecurity, there would be no clear answers. “It basically falls in that vortex; there’s a never-ending, bottomless pit of spending, and you’re not even sure you’re getting any value from what you are spending. So where’s the right level? A well-functioning cyber insurance market would allow us to price more of this,” he said.
Given that there is so little clarity on cyber insurance products, Chopra is calling for standards. He noted that Democrats and Republicans in Congress actually agree that the government should engage with the private sector on voluntary, enforceable standards around cybersecurity. Furthermore, the National Institute of Standards and Technology (NIST) is actively convening the private sector to come up with best practices around cyber insurance.
“So the vector of work to give us the data in order to fuel new cybersecurity insurance products is upon us,” Chopra said.
Cybersecurity is asymmetrical warfare
The term asymmetrical warfare more commonly refers to terrorism, but Chopra noted that it applies to cyberfraud as well: an attacker can penetrate an organization's million-line code base with just 100-125 lines of code of their own.
“These massive, bloated defense systems are now 10-million-plus lines of code large,” Chopra said. “In effect, we’re building these ever-increasing moats around our very precious data assets. But the attackers come in, in so many clever ways. It’s a fool’s errand to think we could ever build a moat big enough to keep all the attackers out.”
Among Chopra’s responsibilities under President Obama as America’s first CTO was to find ways that both the public and private sectors could reposition their capacity to respond to cyberthreats. Chopra said he and his team came up with two game-changers currently under development in both sectors.
Moving target defense: This is a shift in defense posture from trying to keep attackers out to assuming they get in and neutralizing their impact. “Assume they’re going to break in; assume they’re going to connect to systems we don’t want them to,” Chopra said. “How am I going to mitigate the effects of that action? Moving target defense is just the beginning of a conversation around behavioral activity within our networks.”
Networks upon the network: “We are increasingly seeing the birth of internet networks on top of the internet,” Chopra said. For example, when doctors exchange health information, they now use the Direct protocol, a special, secure communications platform. Virtually every doctor has to have a Direct account.
“The beauty of the Direct protocol is, you can use it yourselves,” Chopra continued. “There’s not a requirement that the payload be healthcare. What this says is, what we didn’t do right on the internet was authentication and encryption. So what the Direct protocol says is, if I can validate the sender and the receiver, we can assign them both a Direct account, and encrypt the message in between. It’s a collaborative process with standards defined by the private sector, not the bureaucrats in Washington.”
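As an added example (not part of the article, and not the Direct Project's own code), the following Python models the pattern Chopra describes: both endpoints must be validated members of a trust community before a message is accepted, and the payload is encrypted and integrity-protected end to end, so an unvalidated sender is refused and a tampered message is rejected. The real Direct protocol does this with S/MIME and X.509 certificates carried over SMTP; this stand-in replaces the certificate-backed trust bundle with a symmetric key server and builds its cipher from HKDF and HMAC-SHA256 in the standard library so it runs offline. The class and function names, the addresses and the payload are constructed for the example.

```python
import hashlib
import hmac
import os
import struct


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256 and an all-zero salt, built from hmac."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


class TrustCommunity:
    """Registry of validated accounts (hypothetical stand-in for a Direct trust
    bundle). Only addresses registered here may send or receive; a per-pair
    key is derived from the community master key for each ordered pair."""

    def __init__(self, master_key: bytes):
        self._master = master_key
        self._members: set[str] = set()

    def register(self, address: str) -> None:
        self._members.add(address)

    def pair_keys(self, sender: str, receiver: str) -> tuple[bytes, bytes]:
        """Return (enc_key, mac_key) for sender->receiver, or refuse the exchange
        if either endpoint has not been validated."""
        for addr in (sender, receiver):
            if addr not in self._members:
                raise PermissionError(f"{addr} is not a validated account")
        okm = hkdf_sha256(self._master, f"{sender}>{receiver}".encode(), 64)
        return okm[:32], okm[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stream cipher keystream."""
    out = b""
    for i in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
    return out[:length]


def seal(community: TrustCommunity, sender: str, receiver: str, payload: bytes) -> bytes:
    """Encrypt-then-MAC envelope: header | nonce | ciphertext | tag.
    The header (sender>receiver) is covered by the tag, so it cannot be swapped."""
    enc_key, mac_key = community.pair_keys(sender, receiver)
    header = f"{sender}>{receiver}".encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(enc_key, nonce, len(payload))))
    body = struct.pack(">H", len(header)) + header + nonce + ct
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return body + tag


def open_message(community: TrustCommunity, envelope: bytes) -> tuple[str, str, bytes]:
    """Validate both endpoints, verify the tag, then decrypt."""
    hlen = struct.unpack(">H", envelope[:2])[0]
    sender, receiver = envelope[2:2 + hlen].decode().split(">", 1)
    enc_key, mac_key = community.pair_keys(sender, receiver)
    body, tag = envelope[:-32], envelope[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        raise ValueError("envelope failed integrity check")
    nonce = body[2 + hlen:2 + hlen + 16]
    ct = body[2 + hlen + 16:]
    return sender, receiver, bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def demo() -> dict:
    """Constructed scenario: two validated clinicians exchange a record; an
    unvalidated sender and a tampered envelope are both refused."""
    community = TrustCommunity(os.urandom(32))
    alice, bob = "dr.alice@direct.example", "dr.bob@direct.example"
    community.register(alice)
    community.register(bob)
    env = seal(community, alice, bob, b"CCD document: constructed sample payload")
    results = {"roundtrip": open_message(community, env)}
    try:
        seal(community, "mallory@unvalidated.example", bob, b"phishing")
        results["unvalidated_sender"] = "accepted"
    except PermissionError:
        results["unvalidated_sender"] = "rejected"
    tampered = env[:-1] + bytes([env[-1] ^ 0x01])  # flip one bit of the tag
    try:
        open_message(community, tampered)
        results["tampered"] = "accepted"
    except ValueError:
        results["tampered"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is the order of checks: membership of both endpoints is validated before any cryptography runs, and the tag is verified before anything is decrypted, which is the "validate the sender and the receiver, then encrypt in between" sequence in the quote. Because the pair key is bound to the ordered sender/receiver pair, rewriting the header to a different pair fails the tag check rather than redirecting the message.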