"I don't have to be faster than the bear, I just have to be faster than the slowest runners," commented a cybersecurity executive to me over lunch last month. This philosophy of not being an easy target has been the cornerstone of many successful cybersecurity practices over the last two decades. It has been highly effective for organizations that have the skill and funding to outpace their peer organizations and has delayed inevitable consequences to their organizations.
Cybercriminals have historically been opportunists playing a numbers game. Mass attacks with low success rates have long provided sustainable streams of ill gotten revenue. While opportunistic crimes are very common, there is an uptick in targeted, thoughtful attacks that read like the plot to Ocean's 11.
In March, The Record interviewed Unknown from the REvil/Sodinokibi group, which offers ransomware-as-a-service to criminals to carry out extortion, data theft, and system destruction attacks to gain money from victims and/or buyers. In response to the question of whether it targets those carrying cybersecurity insurance policies, Unknown responded, "Yes, this is one of the tastiest morsels. Especially to hack the insurers first — to get their customer base and work in a targeted way from there. And after you go through the list, then hit the insurer themselves."
Not long after, Chicago-based commercial insurer CNA got hit with a ransomware attack. The latest update from CNA in April confirms a "sophisticated ransomware" attack occurred. It has also committed that "once our investigation is complete, we will notify any impacted parties as appropriate."
What we know at this point is criminals have developed sophisticated tactics (the ransomware), distribution mechanism (like REvil), and patience for bringing down bigger prey (like CNA.) The ability to breach one of the largest organizations that exist to underwrite cybersecurity risk is compelling evidence that the bear is now chasing the faster, tastier runners. If the criminal networks possess a listing of companies insured and the amount that they are insured for, they have created a menu of the tastiest morsels to target.
With criminals developing appetites for the fast runners of the past, the individualism of private organizations must transform into a collaborative herd community to survive this evolutionary change in the predators. The well-funded and less-funded organizations need to develop sustainable methods for sharing information with each other and collaborating with law enforcement to increase painful deterrence for the criminals.
In the past, well-funded organizations in most industries have had little motivation to help less-funded peer organizations. An exception to this has been between financial institutions. In the "2020 FBI Internet Crime Report," the agency recovered more than 82% of the $462 million in losses from financial institutions. This industry invested early in collaboration mechanisms and protocols between one another and law enforcement and serves as a prototype as an effective collaborative herd.
Cybercrime is a subtype of crime, and lessons we have learned in reducing crime rates in the physical world apply in the cyber world. Private organizations need to work with law enforcement agencies to establish workflows and communication tactics akin to neighborhood watches. Establishing sustainable methods for private organizations to communicate with each other and with law enforcement agencies is critical to improving arrest and conviction rates.
In the case of the CNA breach, it is my hope that CNA, its insured, and law enforcement already have vigilant safeguards and surveillance in place to produce the evidence needed to prosecute these crimes and make future crimes less attractive.
As cybercriminals evolve, corporate and private citizenry must also change. We must be ready and able to look beyond our singular interests and invest in the protection of our entire community. As we work to protect the common good, the fast and the slow both become safer.