The looming threat of increased supply chain and critical infrastructure attacks is already causing both cyber experts and cyber insurers to lose sleep in 2022, according to guests on this episode of The Insuring Cyber Podcast.
“Those are going to, I think, proliferate,” said Bob Cattanach, partner at international law firm Dorsey & Whitney, on The Insuring Cyber Podcast. “And in my conversations with carriers, I think that’s what’s got them staying awake at night because that’s a risk that we don’t really have much actuarial data on.”
James Silver, deputy chief for litigation of the Computer Crime and Intellectual Property Section of the U.S. Department of Justice, later in the podcast episode described supply chain attacks as a situation in which a cyber criminal enters a piece of trusted code that might be deployed throughout multiple systems, or software supply chain companies that are providing code to lots of customers. This means many endpoints can be exploited at once.
Silver added that critical infrastructure attacks are one of his top concerns for 2022 after some of the major attacks of last year – the Colonial Pipeline attack being one that drew widespread attention.
“I am most concerned about critical infrastructure attacks, and I’m also concerned about cyber crime evolving toward directions where we can’t use the old tools and the old methods we have before,” he said.
In a June 2021 episode of this podcast, cyber experts said that the Colonial Pipeline attack, in which ransomware took down 5,500 miles of critical infrastructure along one of the nation’s largest pipelines, should be a wake-up call for all companies to prioritize their cyber hygiene. That’s a message that’s being carried into 2022, as Silver called the attack “a watershed moment” for many.
“The lesson that I draw from [2021] is we see what happens when cyber attacks have effects that spill over into critical infrastructure and the physical world. We obviously saw during the Colonial Pipeline incident that people were having a hard time getting gasoline in certain parts of the country,” he said. “So I think that the lesson I draw from that is cybersecurity has always been important, but we see an even clearer reason to focus on the supply chain and to harden it, and to focus on critical infrastructure and entities that are connected to the internet but are going to interface with the physical world.”
He said attacks like this mean there is less time to respond in many cases, leaving companies with limited time and ability to make the right decisions.
“The pressure goes up immediately on everyone because the effect of an attack on a critical infrastructure entity is going to spill into society in ways that it otherwise wouldn’t,” Silver said. “And so, we have less time to respond.”
Cattanach added that with this in mind, it’s important for companies to update their incident response plans now in preparation for evolving attack methods.
“And if you don’t have one, draft one, because that will focus on, ‘What do we do as an entity when the bad day comes?’” he said. “The watchword is not prevent, because I wish I could say you could prevent, but it’s really more a response than prevention.”
Indeed, he said cyber is “a continuing cat and mouse scenario where we know that the bad guys are at least one step ahead.”
One silver lining in all of this uncertainty, however, is that as cyber attacks have gained increased visibility, the need for better cybersecurity is catching the attention of C-suites and boards, Cattanach said.
“Everybody gets it,” he said. “It used to be that some segments, obviously financial segments, got it. Healthcare segments started to get it a little more quickly. Now, everybody gets it because everybody’s been impacted.”
This move toward better understanding is also presenting a unique opportunity for cyber insurers to offer expertise and guidance as well as insurance protection, Silver added.
“Insurance companies themselves, they don’t just offer cyber insurance, but are really in a position to help their covered entities implement best practices to get to a more secure environment that will benefit all of us,” he said.
While Silver and Cattanach both agreed that increased efforts toward cybersecurity and attack response will pay off in the long term, it’s important to stay vigilant.
“While I’m optimistic that our increased efforts in this area can make a difference, the threat landscape, it’s always changing,” Silver said. “It’s dynamic. It’s part of what makes this work so challenging and interesting, because cyber criminals are very intelligent and they evolve constantly in their practices.”