Heavy Metal Murder Machines and the People Who Love Them

What is the heaviest computer you own?  Chances are, you are driving it.

And with all of the hacking news flying past us day after day, our imaginations have not even begun to grasp what could happen if a hostile person decided to hack our automotive computers – individually or en masse. What better way to attack the American way of life than to disable and crash armies of cars, stranding them on the road, killing tens of thousands, and shutting down the functionality of every city? Set every Ford F-150 to accelerate to 80 miles an hour at the same time on the same day and don’t stick around to clean up the mess.

We learned that cyberwarfare could turn corporeal when the US/Israeli STUXNET bug forced Iran’s nuclear centrifuges to overwork and physically break themselves (along with a few stray Indian centrifuges caught in the crossfire). This seems like a classic solution for terror attacks – slip malicious code into machines that will actually kill people. Imagine if the World Trade Center attack had been carried out from a distance by simply taking over the airplanes’ computer operations and programming them to fly into public buildings. Spectacular mission achieved, and no terrorist would be at risk.

This would be easy to do with automobiles. For example, buy a recent-year used car on credit at most U.S. lots and the car comes with a remote operation tool that allows the lender to shut off the car, to keep it from starting up, and to home in on its location so the car can either be “bricked” or grabbed by agents of the lender for non-payment. We know that a luxury car includes more than 100 million lines of code, whereas a Boeing 787 Dreamliner contains merely 6.5 million lines of code and a U.S. Air Force F-22 Raptor jet holds only 1.7 million lines of code. Such complexity leads to further vulnerability.

The diaphanous separation between the real and electronic worlds is thinning every day, and not enough people are concentrating on the problem of keeping enormous, powerful machines from being hijacked from afar. We are a society that loves its freedom machines, but that love may lead to our downfall.

An organization called Consumer Watchdog has issued a report subtly titled KILL SWITCH: WHY CONNECTED CARS CAN BE KILLING MACHINES AND HOW TO TURN THEM OFF, which urges auto manufacturers to install physical kill switches in cars and trucks that would allow the vehicles to be disconnected from the internet. The switch would cost about fifty cents and could prevent an apocalyptic loss of control for nearly every vehicle on the road at the same time. (The IoT definition of a bad day)

“Experts agree that connecting safety-critical components to the internet through a complex information and entertainment device is a security flaw. This design allows hackers to control a vehicle’s operations and take it over from across the internet. . . . By 2022, no less than two-thirds of new cars on American roads will have online connections to the cars’ safety-critical system, putting them at risk of deadly hacks.”

And if that isn’t frightening enough, the report continued,

“Millions of cars on the internet running the same software means a single exploit can affect millions of vehicles simultaneously. A hacker with only modest resources could launch a massive attack against our automotive infrastructure, potentially causing thousands of fatalities and disrupting our most critical form of transportation.”

If the government dictates seat belts and auto emissions standards, why on earth wouldn’t the Transportation Department require a certain level of connectivity security and software invulnerability from the auto industry? We send millions of multi-ton killing machines capable of blinding speeds out on our roads every day, and there seems to be no standard for securing these machines against hacking. Why not?

And why not require the 50 cent kill switch that can isolate each vehicle from the internet?

Fifty years ago, Ralph Nader’s Unsafe at Any Speed demonstrated the need for government regulation of the auto industry so that car companies’ raw greed would not override customer safety concerns. Soon after, Lee Iacocca led a Ford design team that calculated it was worth the horrific flaming deaths of 180 Ford customers each year in 2,100 vehicle explosions due to a flawed gas tank design that was eventually fixed with a part costing less than one dollar per car.

Granted that safety is a much more important issue for auto manufacturers now than in the 1970s, but if so, why have we not seen industry teams meeting to devise safety standards in auto electronics the same way standards have been accepted in auto mechanics? If the industry won’t take this standard-setting task seriously, then the government should force them to do so.

And the government should be providing help in this space anyway. Vehicle manufacturers have only a commercially reasonable amount of money to spend addressing this electronic safety problem. The Russian and Iranian governments have a commercially unreasonable amount of money to spend attacking us. Who makes up the difference in this critical infrastructure space? Recognizing our current state of cyber warfare – hostile government-sponsored hackers are already attacking our banking and power systems on a regular basis, not to mention attempting to manipulate our electorate – our government should be rushing in to bolster electronic and software security for the automotive and trucking sectors. Why doesn’t the TSB regulate the area and provide professional assistance to build better protections based on military-grade standards?

Nothing in our daily lives is more dangerous than our vehicles out of control. Nearly 1.25 million people die in road crashes each year, on average 3,287 deaths a day. An additional 20-50 million per year are injured or disabled. A terrorist or hostile government attack on the electronic infrastructure controlling our cars would easily multiply this number as well as shutting down the US roads, economy and health care system for all practical purposes.

We are not addressing the issue now with nearly the seriousness that it demands.

How many true car-mageddons will need to occur before we all take electronic security seriously?

Copyright © 2019 Womble Bond Dickinson (US) LLP All Rights Reserved.

This article was written by Theodore F. Claypoole of Womble Bond Dickinson (US) LLP.
For more on vehicle security, please see the National Law Review Consumer Protection law page.

New OCR Checklist Outlines How Health Care Facilities Can Fight Cyber Extortion

As technology has advanced, cyber extortion attacks have risen, and they will continue to be a major security issue for organizations. Cyber extortion can take many forms, but it typically involves cybercriminals demanding money to stop or delay their malicious activities, which include stealing sensitive data or disrupting computer services. Health care and public health sector organizations that maintain sensitive data are often targets for cyber extortion attacks.

Ransomware is a form of cyber extortion where attackers deploy malware targeting an organization’s data, rendering it inaccessible, typically by encryption. The attackers then demand money in exchange for an encryption key to decrypt the data. Even after payment is made, organizations may still lose some of their data.

Other forms of cyber extortion include Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. These attacks normally direct a high volume of network traffic to targeted computers so the affected computers cannot respond and are otherwise inaccessible to legitimate users. Here, an attacker may initiate a DoS or DDoS attack against an organization and demand payment to stop the attack.

Additionally, cyber extortion can occur when an attacker gains access to an organization’s computer system, steals sensitive data from the organization and threatens to publish that data. The attacker threatens to reveal sensitive data, including protected health information (PHI), to coerce payment.

On January 30, 2018, the HHS Office for Civil Rights (OCR) published a checklist to assist HIPAA covered entities and business associates on how to respond to a cyber extortion attack. Organizations can reduce the chances of a cyber extortion attack by:

  • Implementing a robust risk analysis and risk management program that identifies and addresses cyber risks holistically, throughout the entire organization;
  • Implementing robust inventory and vulnerability identification processes to ensure accuracy and thoroughness of the risk analysis;
  • Training employees to better identify suspicious emails and other messaging technologies that could introduce malicious software into the organization;
  • Deploying proactive anti-malware solutions to identify and prevent malicious software intrusions;
  • Patching systems to fix known vulnerabilities that could be exploited by attackers or malicious software;
  • Hardening internal network defenses and limiting internal network access to deny or slow the lateral movement of an attacker and/or propagation of malicious software;
  • Implementing and testing robust contingency and disaster recovery plans to ensure the organization is capable and ready to recover from a cyber-attack;
  • Encrypting and backing up sensitive data;
  • Implementing robust audit logs and reviewing such logs regularly for suspicious activity; and
  • Remaining vigilant for new and emerging cyber threats and vulnerabilities.

If a cyber extortion attack does happen, organizations should be prepared to take the necessary steps to prevent any more damage. In the event of a cyber-attack or similar emergency an entity:

  • Must execute its response and mitigation procedures and contingency plans;
  • Should report the crime to other law enforcement agencies, which may include state or local law enforcement, the Federal Bureau of Investigation (FBI) and/or the Secret Service. Any such reports should not include protected health information, unless otherwise permitted by the HIPAA Privacy Rule;
  • Should report all cyber threat indicators to federal and information-sharing and analysis organizations (ISAOs), including the Department of Homeland Security, the HHS Assistant Secretary for Preparedness and Response, and private-sector cyber-threat ISAOs; and
  • Must report the breach to OCR as soon as possible, but no later than 60 days after the discovery of a breach affecting 500 or more individuals, and notify affected individuals and the media unless a law enforcement official has requested a delay in the reporting. An entity that discovers a breach affecting fewer than 500 individuals has an obligation to notify individuals without unreasonable delay, but no later than 60 days after discovery, and to notify OCR within 60 days after the end of the calendar year in which the breach was discovered.

© 2018 Dinsmore & Shohl LLP. All rights reserved.

White House Will Unveil Cyber Executive Actions At A Summit This Week

Squire Patton Boggs (US) LLP law firm

Legislative Activity

This Week’s Hearings:

  • Wednesday, February 11: The Senate Commerce, Science and Transportation Committee will hold a hearing titled “The Connected World: Examining the Internet of Things.”

  • Thursday, February 12: The House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies will host a hearing titled “Emerging Threats and Technologies to Protect the Homeland.”

  • Thursday, February 12: The House Education and the Workforce Subcommittee on Early Childhood, Elementary and Secondary Education will hold a hearing titled “How Emerging Technology Affects Student Privacy.”

  • Thursday, February 12: The House Science, Space and Technology Subcommittee on Research and Technology and Subcommittee on Oversight will hold a joint hearing titled “Can Americans Trust the Privacy and Security of their Information on HealthCare.gov?”

Regulatory Activity

White House Will Unveil Cyber Executive Actions at a Summit this Week

On Friday, February 13, the White House will hold its Summit on Cybersecurity and Consumer Protection at Stanford University. President Obama will be speaking at the Summit and plans to issue a new Executive Order focusing on ways to increase cybersecurity information sharing between the private sector and the U.S. Department of Homeland Security (DHS).

The executive action will likely expand the current work that DHS’s National Cybersecurity and Communications Integration Center (NCCIC) does to include a new concept of Information Sharing and Analysis Organizations (ISAO), which was briefly previewed by the President last month. As currently discussed, ISAOs would be designed to share information across multiple industry sectors to supplement the work of the current network of Information Sharing and Analysis Centers (ISACs).  According to press reports from government officials, the executive action is expected to create a network of ISAOs that would be managed by DHS in the beginning and eventually would become a privately-run entity. Several government officials and industry representatives have said that the President’s action will represent a step forward to improving the current information sharing platforms but they also recognize that information sharing legislation is still needed.

In addition to the Summit on Friday, the National Institute of Standards and Technology (NIST) will hold a half-day workshop on Thursday focused on the technical aspects of consumer security. The Office of Science and Technology Policy will also host a meeting leading up to the Summit on Thursday focused on cybersecurity workforce development.

White House Blog Highlights Future Action on Cyber Risk Management

Last week, White House Cybersecurity Coordinator Michael Daniel wrote a blog post on how companies can strengthen their cyber risk management and the role of the federal government in incentivizing stronger cybersecurity practices in the private sector. He notes in the post that the White House believes “the market offers the most effective incentives for the private sector to adopt strong cybersecurity practices,” but also stated that the Obama Administration will continue to work in a variety of areas to support these efforts by streamlining regulations, investing in cybersecurity research and development, and updating federal procurement policies and practices. Daniel wrote that the White House is working with federal agencies and critical infrastructure to identify regulations that are excessively burdensome, conflicting, or ineffective and will release a report on the findings no later than February 2016. Additionally, the White House plans to release a report this spring on the key priorities for cybersecurity research and development over the next three to five years.

The blog post also noted that the White House will not pursue public recognition as a means of incentivizing the private sector to adopt cybersecurity best practices or the NIST Cybersecurity Framework given that this could take away from the voluntary nature of the Framework. While Daniel did not mention liability protection as an incentive for greater information sharing in the blog post, it is still a possible incentive that the White House would support given that it was also included in the information sharing legislative proposal that the President released last month.

SEC Commissioner Highlights Need for Cyber-Risk Management in Speech at New York Stock Exchange

Proskauer Law firm

Cyber risks are an increasingly common risk facing businesses of all kinds.  In a recent speech given at the New York Stock Exchange, SEC Commissioner Luis A. Aguilar emphasized that cybersecurity has grown to be a “top concern” of businesses and regulators alike and admonished companies, and more specifically their directors, to “take seriously their obligation to make sure that companies are appropriately addressing those risks.”

Commissioner Aguilar, in the speech delivered as part of the Cyber Risks and the Boardroom Conference hosted by the New York Stock Exchange’s Governance Services department on June 10, 2014, emphasized the responsibility of corporate directors to consider and address the risk of cyber-attacks.  The commissioner focused heavily on the obligation of companies to implement cybersecurity measures to prevent attacks.  He lauded companies for establishing board committees dedicated to risk management, noting that since 2008, the number of corporations with board-level risk committees responsible for security and privacy risks had increased from 8% to 48%.  Commissioner Aguilar nevertheless lamented what he referred to as the “gap” between the magnitude of cyber-risk exposure faced by companies today and the steps companies are currently taking to address those risks.  The commissioner referred companies to a federal framework for improving cybersecurity published earlier this year by the National Institute of Standards and Technology, which he noted may become a “baseline of best practices” to be used for legal, regulatory, or insurance purposes in assessing a company’s approach to cybersecurity.

Cyber-attack prevention is only half the battle, however.  Commissioner Aguilar cautioned that, despite their efforts to prevent a cyber-attack, companies must prepare “for the inevitable cyber-attack and the resulting fallout.”  An important part of any company’s cyber-risk management strategy is ensuring the company has adequate insurance coverage to respond to the costs of such an attack, including litigation and business disruption costs.

The insurance industry has responded to the increasing threat of cyber-attacks, such as data breaches, by issuing specific cyber insurance policies, while attempting to exclude coverage of these risks from their standard CGL policies. Commissioner Aguilar observed that the U.S. Department of Commerce has suggested that companies include cyber insurance as part of their cyber-risk management plan, but that many companies still choose to forgo this coverage. While businesses without cyber insurance may have coverage under existing policies, insurers have relentlessly fought to cabin their responsibility for claims arising out of cyber-attacks. Additionally, Commissioner Aguilar’s speech emphasizes that cyber-risk management is a board-level obligation, which may subject directors and officers of companies to the threat of litigation after a cyber-attack, underscoring the importance of adequate D&O coverage.

The Commissioner’s speech offers yet another reminder that companies should seek professional advice in determining whether they are adequately covered for losses and D&O liability arising out of a cyber-attack, both in prospectively evaluating insurance needs and in reacting to a cyber-attack when the risk materializes.

Read Commissioner Aguilar’s full speech here.