Category Archives: Network Security

Decentralization in 2024

One of the founders of Ethereum recently recognized, “it is rare for the interests of idealism and pragmatism to overlap” but in the case of decentralization it “is not just something we should work towards, but something we truly must deliver on.”  This fixation on “decentralization” took on new life after blockchain hit the popular press. 

Despite BTC reaching 21-month highs, true decentralization of financial systems based on crypto usage will lack mass adoption until there is sufficient trust to render Bitcoin or any other crypto “currency” a real currency. More than likely, this lack of trust is what is stopping the acceptance of crypto for widespread purchases – an essential precursor for any currency status. This failing is likely why the IRS from the very beginning relegated decentralized finance products and cryptos to the status of taxable financial assets.

To that point, on December 28, 2023, Barrons recognized, “crypto has a long path to relevancy beyond trading.  Despite years of development, blockchain networks remain on the outskirts of mainstream finance, while hacks, theft, and money laundering continue to be among the main uses.  Crypto is still gambling on an unproven technology.”

Indeed, decentralized finance (DeFi) opportunities have also been around for nearly a decade with little widespread market penetration.  With DeFi platforms, existing growing pains stem from a lack of proper security hygiene sufficient to generate trust and “only with trust will this community ever grow beyond its current early adopters.”  Moreover, DeFi platforms and their users face a full frontal attack by centralized banking authorities seeking the sort of financial disclosures currently only found with cash transactions.  DeFi will never touch the “PayPalJPMVisa” mountain peak “until at least one DeFi application checks all the relevant boxes for a sizable enough market.  It may be a decade before a DeFi project reaches that vantage point – with the classic Amazon vs. Sears endgame likely being studied along the way.”

Decentralization can also take on several non-crypto flavors. For example, the decentralization of governance places local governmental structures above large centralized authorities. The World Bank considers governmental decentralization in the context of community-driven development as a driver of “economic efficiency, public accountability, and empowerment” by providing “greater voice and choice to citizens to influence decisions that affect their lives” and “allowing local governments to respond dynamically to communities”, and resulting in “allocative efficiency by matching of local needs and preferences with patterns of local public expenditure (assumes substantial fiscal autonomy).” In the same breath, the World Bank suggests that potential dangers and challenges brought on by such decentralization include: “Elite capture, Corruption, Patronage politics, Local civil servants feeling compromised, Incomplete information, Constituents not able to hold representatives accountable, and Opaque decision-making affecting accountability upwards and downwards.”

None of these “potential dangers”, however, are really any less of a risk in centralized governmental structures. Indeed, “elite capture, corruption, and opaque decision-making” can be more efficiently perpetrated within centralized structures. Corporate decentralization in the form of DAOs (decentralized autonomous organizations) has some life given that Wyoming, the birthplace of limited liability companies, recognizes such a corporate structure; Wyoming is typically decades ahead of the pack, having been the first to recognize LLCs in 1977. Unlike a standard LLC, “a DAO can be managed by a combination of human members/managers and algorithmically.” Nevertheless, even in Wyoming this decentralized business entity remains an LLC hybrid and can be viewed as an unincorporated association able to be sued. DAOs still remain a decentralized movement to track in 2024 and beyond.

Persistent trust issues and effective governmental interventions may curtail widespread crypto adoption, and increasing decentralized governance is a non-starter for most countries, but a third major area of decentralization remains a major threat to existing centralized structures, whether those structures derive from authoritative governments (which describes most existing governmental structures), from financial institutions controlling major financial levers, or from the tech companies currently controlling most aspects of online and offline public discourse.

Simply put, the decentralization of one’s identity and personal data using self-sovereign identity (SSI) systems represents the greatest current threat to centralized power structures. Unfortunately, this is not an easy sell or a threat that will manifest anytime soon because, for example, decentralization of one’s digital identity entails asking people to renounce their current online identity, built over many years of experience, in favor of a clunky and confusing decentralized online persona.

SSI specifications such as W3C VC, OpenID for Verifiable Credentials and SD-JWT are all directly or indirectly spearheaded by large tech companies and are gaining attention due to potential adoption within the European Digital Identity Architecture and Reference Framework, NIST, DHS, etc. It is not difficult to see why these centralized structures are pushing for mostly federated SSI solutions – the EU Parliament sees SSI as a means of enforcing its privacy regime, while NIST sees SSI as a means of strengthening cybersecurity and the DHS wants to deploy it as a means of improving physical security.

More to the point, after centralized authorities implement their own SSI solutions, their chosen centralized solutions will never really be self-sovereign, given that centralized access to personal data (especially personal health information) will never be willingly given up by a centralized authority. Even the much-ballyhooed HIPAA turns its back on “de-identified” data sales for “medical research”. Until March 2023, the NIH and other federal agencies shared COVID-19 patient health data through several Open-Access Data and Computational Resources. Indeed, there is a reason HIPAA has long had numerous disclosure exemptions that largely swallowed the law’s protective measures.

As it stands, healthcare providers sell patient data for billions of dollars without ever violating a single word of either the HIPAA Privacy Rule or HIPAA Security Rule.  Not surprisingly, a 2021 proposed New York Privacy Law was killed in Committee not because of BigTech lobbying – it was shot behind the barn by large hospital lobbyists not keen on having their cash cows disrupted by NYS residents obtaining rights HIPAA does not currently provide.  All the while, since 2018 researchers could “accurately match 95% of adults to their data in a deidentified user dataset”.

The roughly 3 billion base pairs found in human DNA can provide a hard-coded template that currently cannot be mimicked. In other words, the future world of rapid-fire DNA ID testing envisioned by Gattaca may eventually be the primary means of distinguishing between individuals.

DNA harvesting for research purposes became mainstream during COVID-19 testing – which is why French President Macron refused Putin’s offer of a PCR test in 2022.  The National Human Genome Research Institute describes COVID-19 PCR “amplification” tests as follows:  “Polymerase chain reaction (PCR) is a common laboratory technique used in research and clinical practices to amplify, or copy, small segments of genetic material. PCR is sometimes called “molecular photocopying,” and it is incredibly accurate and sensitive. Short sequences called primers are used to selectively amplify a specific DNA sequence. PCR was invented in the 1980s and is now used in a variety of ways, including DNA fingerprinting, diagnosing genetic disorders and detecting bacteria or viruses. Because molecular and genetic analyses require significant amounts of a DNA sample, it is nearly impossible for researchers to study isolated pieces of genetic material without PCR amplification.”  It should be no surprise that DNA analytics firms such as 23andMe are targeted by hackers eager to possess the ultimate insight for identity verification and the NIH deployed a wide-ranging voluntary DNA research program on the heels of the eMERGE Network.

Personal identification using DNA fingerprints will become more and more attractive as realistic simulations of human voice, gaits, and images/videos, etc. using generative AI increases the risk biometric identity systems will fail to distinguish real measures from fake ones.  Indeed, some vendors now focus heavily on “liveness detection” that recognizes physiological information as signs of life as an adjunct to the associated biometric data.  FaceTec is a leader in this space and even hosts its own educational site on the importance of liveness detection.  Nevertheless, even these companies will eventually reach a wall in the form of quantum AI capabilities – which points to live rapid-fire DNA testing as the key identity verification tool for future robust SSI implementations. 

Where does this leave decentralization in 2024? While SSI, DeFi and governmental decentralization efforts today may self-correct in the future towards true decentralization apart from centralized authority, there are projects in play right now that might more easily mature in 2024 to further data decentralization. For example, there are efforts taking the form of improved fund distribution – one using a platform created for UNICEF by the Nepal-based developer Rumsan, and one called Disburse by Scifn, offering a one-to-many approach. These and other fund distribution platforms can eventually be removed from centralized funding sources.

In addition to Polkadot, peer-to-peer communication platforms such as Veilid allow users to build their own private distributed apps – which creates peer-to-peer communications with no resulting centralized data storage. Believing that centralized social media is “harmful to society”, Spritely Institute replaces the client-server architecture currently undergirding all existing social media platforms with a “participatory peer-centric model” that places “people in control of their own identity and build the technology that would enable a shift to collaborative and intentional security models prioritizing active consent.” These approaches still have many mass adoption barriers – not the least of which is the competitive market barriers established long ago by current data oligarchs.

SSI left only in the hands of centralized authorities will eventually lead to increased hacking and continued misuse of personal data. Until new statutory requirements bring true portability of personal data (even platform-generated data that is derivative), coupled with meaningful consent rights for existing data usage (rights that limit centralized control when off-boarding to a peer-to-peer platform), individuals will never truly “own” or have control over their personal data. In other words, decentralization of existing data silos cannot become viable until there is a complete reset of existing norms of data stewardship and lobbyists take a backseat to the preeminence of consumer rights. If 2024 brings us even a few inches closer to that reality, it will be a good year for decentralization.

Another Day, Another Phishing Exploit Seeking NFTs

On July 15, 2022, several of DeeKay Kwon’s Twitter followers were the latest victims of scammers feasting in the NFT space.  DeeKay is an animator and part of a growing number of innovative artists developing the Digital Art Movement spurred on by NFTs.  One of DeeKay’s admirers is Calvin Cordozar Broadus Jr. also known as Snoop Dogg also known as Cozomo de’ Medici – who acquired DeeKay’s “Life and Death” for “$1m USD, or 310 ETH.”  According to this very important art collector, “all of this [NFT profile picture] mania is bringing massive attention to NFT. And when they come in for an azuki, punk, bored ape, or their choice of “culture token” . . . But then stumble across an @XCOPYART, a @fewocious, a @deekaymotion . . . That’s when one realizes the true power DIGITAL art can have, beyond any traditional art they have ever seen before.”

DeeKay reported his Twitter account was hacked and “the hacker has been tweeting a fake mint site. I reacted to it ASAP and spread the word but could not stop the damage in time.” An unknown number of DeeKay’s over 179,000 followers clicked on a phishing link found in the below fake Tweet – a Tweet that purportedly brought them to a new collection from the artist:

According to DeeKay, “[t]he fake mint site was made two weeks prior, 100% copied my original website. I assumed he studied my time when I am inactive too.” While trying to claim the purported free NFTs on the fake site, victims instead approved transactions granting the scammer access to their wallets and allowing the removal of various digital assets. It is not yet fully known how many NFTs or other crypto assets were stolen from DeeKay’s Twitter followers. Most reports currently peg the number at $150,000 worth of digital assets.

DeeKay has been trying to “work something out” with those who have been scammed. For example, one victim was gifted “something special” by DeeKay to “help ease” his loss. Interestingly, DeeKay recognizes the problem with reimbursing victims, given that it “also encourages hackers to keep doing their thing since I am the one covering the mess. Part of me says reimbursement should not be a standard way to react, and another part of me says I should still find a way to compensate and find a balance.” This is no different than the problem caused by insurers who continually reimburse ransomware victims, and why ransomware payments should be self-insured.

DeeKay’s Twitter phishing scam comes on the heels of another phishing exploit days earlier targeting Uniswap liquidity providers that used a similar scheme but obtained a much larger $8.6 million in crypto assets.  As reported in Crypto Briefing, the Uniswap fake site “instructed the victims to claim the malicious UNI tokens as a reward for providing liquidity on the exchange, but when the victims agreed to the claim, they inadvertently approved a transaction that granted the attacker access to their wallets. From there, the attacker could make token transfers to drain their wallets.”

The phishing technique used in these scams is relatively easy to pull off given that most folks still click on links without really thinking, and many users of crypto wallets such as MetaMask have no clue as to what they are really providing consent for when clicking on the consent button. After going to what appears to be a genuine site, they just assume they are obtaining what they were pitched as the reason for going to the site in the first place, namely freebies of some sort. In the same way that an email address can be spoofed in a phishing exploit, the page describing a consent can say whatever a scammer wants it to say; only the transaction itself says what is actually being granted.
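What a wallet is actually being asked to consent to can be read from the transaction calldata rather than from the page that requests it. As an added example (not code from the original post or from any wallet or project it names), the Python below decodes the two approval calls that fake “free mint” and “claim reward” pages typically request and labels how broad the grant is; the function selectors are the standard ERC-20 and ERC-721/1155 ones, while the addresses and payloads are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional

UINT256_MAX = 2**256 - 1

# Real 4-byte selectors: the first four bytes of keccak256(signature).
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",          # ERC-20 amount / ERC-721 token id
    "a22cb465": "setApprovalForAll(address,bool)",  # ERC-721 / ERC-1155 whole collection
}

# Constructed sample addresses for the demonstration (not real accounts).
SCAM_OPERATOR = "0x1111111111111111111111111111111111111111"
MARKETPLACE = "0x2222222222222222222222222222222222222222"


@dataclass
class Consent:
    function: str   # decoded function signature
    grantee: str    # address that receives transfer rights
    scope: str      # what the grant lets that address move
    risk: str       # "high", "limited" or "none"


def _word(data: bytes, index: int) -> bytes:
    """Return ABI word `index` (32 bytes) following the 4-byte selector."""
    start = 4 + 32 * index
    word = data[start:start + 32]
    if len(word) != 32:
        raise ValueError(f"calldata truncated: missing argument {index}")
    return word


def _address(word: bytes) -> str:
    """Decode a left-padded address word, rejecting non-zero padding."""
    if any(word[:12]):
        raise ValueError("address word has non-zero padding bytes")
    return "0x" + word[12:].hex()


def _bool(word: bytes) -> bool:
    value = int.from_bytes(word, "big")
    if value not in (0, 1):
        raise ValueError("bool word is not 0 or 1")
    return value == 1


def decode_consent(calldata_hex: str) -> Optional[Consent]:
    """Explain approve/setApprovalForAll calldata; None for any other call."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) < 4:
        raise ValueError("calldata shorter than a function selector")
    signature = SELECTORS.get(data[:4].hex())
    if signature is None:
        return None
    if signature.startswith("approve"):
        spender = _address(_word(data, 0))
        amount = int.from_bytes(_word(data, 1), "big")
        if amount == UINT256_MAX:
            return Consent(signature, spender,
                           "unlimited allowance over the token's entire balance", "high")
        if amount == 0:
            return Consent(signature, spender, "allowance revoked", "none")
        return Consent(signature, spender,
                       f"allowance of {amount} units (or the single token id {amount})",
                       "limited")
    operator = _address(_word(data, 0))
    if _bool(_word(data, 1)):
        return Consent(signature, operator,
                       "may transfer EVERY token of this collection, now and in future",
                       "high")
    return Consent(signature, operator, "operator approval revoked", "none")


def encode_call(selector_hex: str, address: str, value: int) -> str:
    """Build constructed sample calldata (selector + two ABI words)."""
    addr_word = bytes.fromhex(address.removeprefix("0x")).rjust(32, b"\x00")
    return "0x" + selector_hex + addr_word.hex() + value.to_bytes(32, "big").hex()


if __name__ == "__main__":
    # What a "claim your free NFT" page might really be asking the wallet to sign.
    samples = [
        ("fake mint page", encode_call("a22cb465", SCAM_OPERATOR, 1)),
        ("fake reward claim", encode_call("095ea7b3", SCAM_OPERATOR, UINT256_MAX)),
        ("marketplace listing", encode_call("095ea7b3", MARKETPLACE, 42)),
    ]
    for label, calldata in samples:
        c = decode_consent(calldata)
        print(f"{label:20} {c.function:32} -> {c.grantee} {c.scope} [{c.risk}]")
```

A wallet prompt that reads “Claim” but decodes to `setApprovalForAll` or an unlimited `approve` for an address the user has never dealt with is the mismatch worth stopping on before confirming.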

Whether it’s DeeKay’s Twitter followers or Uniswap’s liquidity providers, these pools of potential victims are publicly known and easily reached by scammers. One way of getting away from this vulnerable crowd is by using multiple wallets and intermediaries such as fine art galleries that can work with collectors to improve their security hygiene. More to the point, until art galleries become a mainstay of the Digital Art Movement, these sorts of scams will continue to proliferate.

UPDATE: July 20, 2022

On July 19, 2022, DeeKay let everyone know he was targeted again – likely by way of another phishing exploit. He suggested that his collectors be aware that he would “NEVER do a free mint.”

Axie Infinity’s Sidechain Suffers Massive DeFi Exploit

On March 29, 2022, the developers behind the Ronin Network, an Ethereum sidechain used to support the decentralized game Axie Infinity, announced a major exploit. The developers revealed that an attacker used hacked private keys from four Ronin Validators and a third-party validator run by Axie DAO (out of a total of nine) to forge withdrawals of 173,600 ETH and 25.5M USDC, valued at over $625 million.

This sort of 51% consensus attack plagued the proof-of-work crypto community since its early days but largely fizzled out as a threat as the major blockchains grew more complex and the number of mining nodes grew into the thousands. The fact that the Ronin sidechain only had nine validators for its exit bridge, with a majority being a mere five of the nine, was a security failing by most vantage points. Not surprisingly, to “prevent further short term damage”, the Ronin Network immediately “increased the validator threshold from five to eight.” And, more importantly, the network “will be expanding the validator set over time, on an expedited timeline.”

The race to mass adoption of new networks has caused many DeFi platforms to forego a security-first design. Rather than viewing such an approach as time-consuming or as stifling growth, new networks competing with Bitcoin and Ethereum and underlying many new DeFi platforms must recognize that only with trust will this community ever grow beyond its current early adopters.

UPDATE: March 30, 2022

According to a text message sent to Bloomberg by Aleksander Leonard Larsen, chief operating officer of the developer behind the Ronin Network, Sky Mavis: “We are fully committed to reimbursing our players as soon as possible. . . We’re still working on a solution, that is an ongoing discussion.”

DeFi Security Growing Pains Continue with BitMart Breach

On December 6, 2021, crypto exchange BitMart, which bills itself as “The Most Trusted Crypto Trading Platform”, announced a security breach “mainly caused by a stolen private key that had two of our hot wallets compromised.” A tweet from security analysis firm PeckShield first called attention to this hack days earlier. According to PeckShield, the loss is around $196 million. Interestingly, BitMart at first denied there was any hack – claiming it was “fake news”.

According to the BitMart Twitter release: “At this moment we are temporarily suspending withdrawals until further notice.” A Telegram “ask me anything” is scheduled for 8:00 p.m. EST this evening.

Similar to what was done by other centralized crypto exchanges after a security incident, BitMart will use its own funds to compensate users impacted by the theft.   

The BitMart theft comes on the heels of a report by London-based consulting firm Elliptic revealing billions of dollars stolen from DeFi platforms.  According to Elliptic’s recently released report, the overall losses caused by DeFi exploits total $12 billion and of that amount, fraud and theft accounted for $10.5 billion, seven times the amount from last year.

Thefts hitting crypto exchanges such as BitMart and DeFi protocols such as Poly Network shine a light on the fact that DeFi is largely driven by startups lacking cybersecurity maturity. In contrast, the financial institutions that literally spend billions on cybersecurity want no part in helping DeFi projects and, more likely, welcome cyber incidents that tarnish DeFi’s reputation. Until they reach a higher level of security and such incidents become less commonplace, DeFi projects will continue making platform users whole after a security incident – or risk a total collapse in the market for non-money-laundering usage.

Depending on their popularity, open-source products can be highly secure, and DeFi should be no different. At some point in time, after decentralized protocols are adequately security tested and implemented and DeFi projects become fully independent and organic, not reliant on any centralized cloud solution or centralized servers, breaches such as the one that hit BitMart will be rare. In other words, as the market and business opportunities for DeFi increase in scale and scope, DeFi’s security profile will naturally evolve.

$600 Million Loss Shines a Light on DeFi Security

On August 10, 2021, the Chinese cross-chain DeFi platform Poly Network was apparently hit with the exploit of a smart contract vulnerability in its “EthCrossChainManager” contract, impacting three separate chains (including two leading DeFi blockchains, Ethereum and Binance Smart Chain) and numerous cryptocurrencies. This latest exploit is part of a major trend in security incidents involving DeFi platforms.

Poly Network developers quickly asked for help on Telegram to block transfer of the stolen assets:   “We call on miners of affected blockchain and crypto exchanges to blacklist tokens coming from the above addresses.”  

In another August 10, 2021 post on Telegram, Poly Network also posted:  “If you are experiencing any difficulty due to the hack that just happened theres [sic] a compensation plan , connect your wallet and get your refund in minutes , our dev only lose but this did not affect any of our users.”  

It is not clear how this protocol platform would make all users whole.  

As a start, the ESL Poly Network team also posted the following open letter asking for the return of the stolen assets:

Not surprisingly, this plea was immediately derided:  “Imagine successfully stealing over $600m and have the people you stole from think there’s a chance you might be willing to return it with what amounts to a passive-aggressive post-it note on the fridge.”  

Notwithstanding the obvious desperation found in its letter, the Poly Network team may be on to something, given this was apparently never really a “hack” – it was likely yet another person who exploited a vulnerability in a deployed smart contract. As of August 11, 2021, $119 million in Binance-pegged BUSD was returned by the hacker’s associated address to those 947,598 owners impacted by the exploit. BUSD is a stablecoin used to trade crypto assets on the Binance chain. And another $134 million was also soon thereafter returned to other impacted owners. According to Chainalysis, a total of $261 million in cryptocurrencies has been returned to date.

A review of the micro transactions found on Etherscan and BscScan indicates that the “hacker” has been testing literally thousands of ways to move the stolen assets.  In other words, the exploiter does not know what to do with the stolen booty.  A few posts back that up – including one where the “hacker” is allegedly asking for someone to instruct on how to circumvent miner scrutiny.

The “hacker” purportedly also posted:  “WHAT IF I MAKE A NEW TOKEN AND LET THE DAO DECIDE WHERE THE TOKENS GO.”  

As things continued going downhill, the claimed sole perpetrator of the exploit (again claiming such identity solely by virtue of using the perpetrator’s wallet address) allegedly came out as an innocent interloper:

Information posted in the form of a Q&A on an ETH transaction Private Note section goes into further detail:

It’s looking like these posts are all from the same exploiter. A spreadsheet tracking the exploit, including related communications, can be found on Google docs. Even if these posts are not genuine, chances are still high the exploit was performed by one or more persons who decided to offload some coin and ultimately decided to give back (as apparently already done to the tune of $261 million) whatever could not safely be absconded with using his/her/their current knowledge. There were certainly many out there willing to provide the necessary crypto laundering assistance, but apparently the advice was not taken – the clearest signal this was committed by an “ethical” hacker.

Poly Network is at its essence an interoperability protocol used by and integrated with many DeFi projects so this exploit will have direct ripple effects well beyond the Poly Network.  The more indirect impact of this exploit is the slight chance it might be replicated elsewhere by others having the necessary domain knowledge to move stolen assets.  

The best way for investors to minimize the likelihood that such failings will impact them in the future is to seek out and only use DeFi platforms that rely on a holistic “security by design” architecture – something not easily found in a decentralized world. Not surprisingly, in a recent survey nearly 75% of institutional investors and wealth managers state that the security of virtual currencies is a “significant” hurdle stopping many individuals from entering the crypto asset space – let alone the more exotic DeFi domain, where software vulnerabilities can still cause the exfiltration of $600 million in digital assets. Beaches will always have little appeal to swimmers when there are known sharks in the water.

UPDATE: August 12, 2021

Except for $33 million in Tether stablecoins previously frozen by Tether, the entire amount taken was apparently returned. Reuters is reporting that this was done in return for an after-the-fact $500,000 “bug bounty”.

Exchanges May Crack Down on Ransomware OFAC Risk

On April 22, 2021, Chainalysis published its findings on the OFAC sanctions violation risk tied to ransomware payments.  According to Chainalysis, 15% of ransomware payments paid in 2020 were at risk of OFAC sanctions.  Even though lower than the measured risk from 2016 – 2018, last year’s numbers remain an uptick from 2019.  

Chainalysis discovered ransomware victims paid out in 2020 more than $50 million worth of cryptocurrency to addresses that carried sanctions – with mainstream exchanges receiving “more than $32 million from ransomware strains associated with sanctions risks.”  Given the public market embrace of crypto exchanges, it is very likely those exchanges seeking greater regulatory scrutiny will eventually implement curbs to address the OFAC October 2020 advisory – eventually making it more difficult for smaller businesses to satisfy ransomware demands.

Ransomware Payments Should be Self-Insured

According to Chainalysis, payments to ransomware gangs using cryptocurrency more than quadrupled in 2020, with less than 200 cryptocurrency wallets receiving 80% of funds.  And, Palo Alto Networks – which claims to use data from ransomware investigations, data-leak sites, and the Dark Web, reports that the average ransom paid by companies in 2020 jumped 171% to more than $312,000.  Despite being around for many years, the rise of ransomware has largely coincided with the diminished value derived from compromised personal data.

The REvil ransomware-as-a-service operation now picks up the phone to add a threatening personal touch to its exploits:  “Calling gives a very good result. We call each target as well as their partners and journalists—the pressure increases significantly.”  According to a published March 16, 2021 interview with a representative of REvil – also known as Sodinokibi, the group has “big plans for 2021.”  

Probably the more interesting point made by this REvil representative was the answer to the following question:  “Do your operators target organizations that have cyber insurance?”  The answer is not much of a surprise:  “Yes, this is one of the tastiest morsels. Especially to hack the insurers first—to get their customer base and work in a targeted way from there. And after you go through the list, then hit the insurer themselves.”   This is the first confirmation from an actual ransomware gang that they target cyber insurance policyholders.

Articles from the Associated Press and ProPublica years earlier suggest that cyber insurers were inadvertently driving up ransomware attacks but neither outlet provided any hard facts to back up their supposition.  Indeed, a leading broker took the natural counterpoint:  “[A]lthough no one wants to support cyber criminals, organizations are forced to weigh the option of paying ransoms against the risk of operational disruptions that could last weeks or months and cost far more.”  

It was never hard to imagine, however, that buying cyber insurance actually places a target on those companies who buy it and do not likely have the security resources necessary to stop ransomware gangs – especially given carriers may be inadvertently providing a roadmap to their house.  Indeed, last year one major cyber insurer was purportedly targeted by the Maze ransomware gang.   And, as of March 2021, there were at least two ongoing investigations involving attacks on major cyber insurers. Unless things change, it will only get worse for insurers and brokers given they are the new holders of the crown jewels.

One tactic that can impede the current claims challenge facing the industry is building on what was recently begun by AIG – a thought leader in this space for over two decades.  In January 2021, AIG became the first lead cyber insurer to require ransomware co-insurance across the board – mandating that insureds share in paying a ransom payment.  Following this lead, the larger markets began hardening on price and their underwriting requirements.  Other markets immediately began to take advantage – only temporarily repairing the holes in the dike.   As pointed out by Inside P&C:  “The retrenchment of capacity and continued upward pricing pressure also continues a reordering of the market in which some of the largest names in US cyber insurance cede market share to upstart InsurTechs.”  

Despite the fact cyber insurer MGAs are heavily funded and are now grabbing as much market share as they can, they still use paper backed by the largest reinsurers in the world – who frankly probably care more about their own profits rather than the market growth strategies of unrelated companies.  In other words, any retrenchment may also eventually hit the MGAs when treaties get renegotiated.   

Retrenchment is a good idea but will not be enough to fully address the problem. The best way to solve this problem is to do exactly what the FBI has said for years – do not pay the ransom.  An October 2020 OFAC Advisory buttresses this “do not pay” advice by warning insurers against making ransomware payments to those on the OFAC list. In other words, law enforcement would prefer that ransomware payments not be made and it may ultimately be in everyone’s best interest if such payments are self-insured – making it much less likely they will actually be paid.

This is not K&R coverage where lives are typically at stake.  Once the ransomware gangs recalibrate knowing there is no available insurance payment, the incidents will resemble earlier times, namely demands that are less frequent and for lower amounts.  These threat actors want to go in and out as fast as possible given they know that the data itself likely has very little real value on the Dark Web – it’s the urgent threat of release that has exploitive value.  If there is no expeditious insurance payment, the actual value of the target diminishes.

Insurance dollars are actually better spent helping insureds bolster their security rather than filling the coffers of criminals – especially because even with a payment there is no guarantee that data would be properly decrypted or that a Dark Web release or sale would not take place. There is much that can be done to assist insureds in improving their risk profile and better avoiding ransomware exploits. Some very basic steps include developing trusted partner relationships with vendors and law enforcement before an incident takes place; retaining a security expert to evaluate the current readiness profile; providing consistent education and training of staff; and developing or updating a Business Continuity Plan.

On a more technical level, full and incremental backups should be consistently performed like your company’s life depended on it; weak passwords of service accounts should be removed; system logs should be maintained and monitored; employee access to sensitive data and information limited; operating systems and applications timely patched; users with admin privileges evaluated to ensure passwords are strong and secure; system safeguards such as Windows Defender Credential Guard deployed; port connections monitored and unnecessary ones removed, etc., etc., etc.  The relevant protocols all have a common goal – harden security sufficiently so that the bear decides to run after the slower runner.  If everyone ends up becoming a fast runner, the hungry bear will eventually tire of the chase and just eat something else for food.

With a robust cyber insurance policy in place, most every resource necessary to assist a ransomware victim is already available to an insured. By focusing on these other valuable first-party coverages, improving an insured’s risk management profile, and curtailing ever increasing payouts to criminals, the industry will continue with its meteoric rise.

Cyber Insurance

UPDATE: March 25, 2021

On March 24, 2021, CNA publicly disclosed that it sustained a cybersecurity attack. As of March 25, 2021, the following is the only information found on its website:

UPDATE: May 10, 2021

The day before the Colonial Pipeline ransomware attack went public, global insurer AXA announced it would cease writing cyber-insurance policies in France that reimburse policyholders for ransomware extortion payments. This is hopefully the start of a much larger trend.

UPDATE: May 12, 2021

On May 12, 2021, security experts labeled as “absolute stupidity” comments regarding the payment of ransomware that were emanating from the White House. A few days prior, the White House’s Deputy National Security Adviser for Cyber, Anne Neuberger, had given the private sector a complete free pass regarding the payment of ransoms: “And they have to just balance off, in the cost-benefit, when they have no choice with regard to paying a ransom.” Unfortunately, this position directly contradicts the long-standing position of the FBI and numerous other government agencies.

UPDATE: December 1, 2021

On November 18, 2021, North Carolina relied on its Operations Appropriations Act of 2021 to add a new article to Chapter 143 of the State’s General Statutes which now reads in part: “No State agency or local government entity shall submit payment or otherwise communicate with an entity that has engaged in a cybersecurity incident on an information technology system by encrypting data and then subsequently offering to decrypt that data in exchange for a ransom payment.” This is the first effort by a governmental entity to bar ransomware payments.

B2 – B1 < (P x H)1 – (P x H)2

On February 16, 2021, The Sedona Conference (TSC), a nonpartisan, nonprofit research and educational institute “dedicated to the advanced study of law and policy in the areas of antitrust law, complex litigation and intellectual property rights,” released its final “Commentary on a Reasonable Security Test.”  TSC is well known for previously helping courts around the country determine the proper contours of e-discovery.  

Recognizing that cybersecurity reasonableness crosses both legal and technology domains, TSC sought a reasonableness test that would help bridge that divide.  Accordingly, the proposed test for reasonable security was designed to be consistent with “models for determining reasonableness that have been used in various other contexts by courts, in legislative and regulatory oversight, and in information security control frameworks.” The Sedona Conference, Commentary on a Reasonable Security Test, 22 SEDONA CONF. J. 345, 358 (forthcoming 2021).  To that end, this test is ultimately based on the landmark Learned Hand negligence test in United States v. Carroll Towing Co., 159 F.2d 169, 173 (2d Cir. 1947).  

The Sedona Conference Reasonable Security Test consists of “B2 – B1 < (P x H)1 – (P x H)2” where B represents the burden, P represents the probability of harm, H represents the magnitude of harm, subscript 1 represents the controls (or lack thereof) at the time the information steward allegedly had unreasonable security in place, and subscript 2 represents the alternative or supplementary control.  22 SEDONA CONF. J. at 360.  
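Written out with subscripts and carried through on constructed figures (an added illustration, not part of the Commentary; every dollar amount and probability below is assumed), the test compares the marginal cost of a control against the expected harm it removes:

$$
B_2 - B_1 \;<\; (P \times H)_1 - (P \times H)_2
$$

Take the posture actually in place (subscript 1) as $B_1 = \$100{,}000$ per year with $P_1 = 0.10$ and $H_1 = \$2{,}000{,}000$, so $(P \times H)_1 = \$200{,}000$. Take the alternative control (subscript 2) as $B_2 = \$150{,}000$ per year with $P_2 = 0.02$ and the same $H_2 = \$2{,}000{,}000$, so $(P \times H)_2 = \$40{,}000$. Then

$$
B_2 - B_1 = \$50{,}000 \;<\; \$200{,}000 - \$40{,}000 = \$160{,}000 ,
$$

so the inequality holds: the forgone control would have reduced expected harm by more than it cost, and under the test the subscript-1 security was unreasonable. Had the alternative cost more than $\$160{,}000$ in additional burden, the inequality would fail and the existing posture would pass.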

TSC’s Commentary should be carefully studied for numerous reasons, including the fact TSC applies it to actual recent enforcement actions and provides solid arguments for its judicial application.  No different than its highly cited e-discovery initiatives, this new TSC approach may very well be relied on by courts tackling the important question of what constitutes reasonable security in the context of a data breach litigation or enforcement action.

Data Privacy Day 2021

On January 28, 2021, the National Cybersecurity Alliance encouraged individuals this Data Privacy Day to “Own Your Privacy” by “holding organizations responsible for keeping individuals’ personal information safe from unauthorized access and ensuring fair, relevant and legitimate data collection and processing.”  Indeed, the NCSA recognizes “[p]ersonal information, such as your purchase history, IP address, or location, has tremendous value to businesses – just like money.”

The NCSA “data as money” perspective is not a new concept.  In fact, it was hoped that Data Privacy Day 2016 would usher in a system for consumers to easily monetize their private data – a hope that has yet to materialize five years later.   Still, in the same way a bank protects money, there can be no adequate privacy without adequate security.

Richard Clarke, a security advisor to four U.S. presidents, properly recognized in 2014:  “Privacy and security are two sides of the same coin.”  The ransomware epidemic of 2020 should inform everyone why Data Privacy Day 2021 solidly places privacy and security on the same level. There can be little respect for the privacy rights of consumers, whether monetized or not, without an adequate effort at securing such data.  Some companies, such as Microsoft, last year’s champion of Data Privacy Day, recognize the need to continually push the security envelope in order to properly protect consumer privacy rights. Accordingly, these companies go the extra distance and often work hand-in-hand with law enforcement to take down online criminal enterprises such as Emotet.

Going forward in 2021, companies safeguarding consumer data must recognize that the lines have blurred between nation state APT attacks, focused on the slow espionage of large companies, and criminal enterprises looking for quick financial hits.  For example, the lateral movement hallmarks of an APT attack are now routinely used during Ryuk ransomware exploits.  Moreover, the recent SolarWinds Orion Platform exploit highlights the need to focus on supply chains when protecting consumer data.

Focused security efforts would quickly stop being left on corporate “to do” lists if there were an applicable federal law in place for companies nationwide – not just the hybrid privacy/security state laws now applicable to only some companies.  Unfortunately, despite high hopes in 2019, there was little bipartisan push for a federal privacy law these past few years.  That dynamic might change in 2021.  

Former California Attorney General Kamala Harris’s 2012 annual privacy report opens with the words:  “California has the strongest consumer privacy laws in the country.”  During her tenure, California enjoyed “a constitutionally guaranteed right to privacy, over seventy privacy-related laws on the books, and multiple regulatory agencies set up to enforce these laws.”   As the new year progresses, the current Vice President may very well prod Congress for the sort of California “privacy pride” she once enjoyed on a state level. Given the current one-party rule, there is certainly no longer any excuse available to politicians looking to continue kicking the “federal privacy law can” around Capitol Hill.

Ransomware Groups Declare War on US Hospitals

A recent phase of the ongoing two-pronged cyber war waged against the United States, by Russia, Iran and North Korea on one side and China on the other, has taken an ugly turn.  The Russian faction has launched various sophisticated ransomware attacks against healthcare providers and hospital systems across the United States.  

As stated in an October 28, 2020 Alert from the Cybersecurity & Infrastructure Security Agency (CISA), there is “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.”  In addition to the CISA Alert, cybersecurity firms battling this latest threat have shared how these latest attacks are perpetrated.

Our current healthcare cyber battle is further complicated given an October 1, 2020 Advisory from the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) warning ransomware victims against conducting business with those on the OFAC list – including specific ransomware groups such as the Russia-based group behind the Dridex malware.  The OFAC advisory is likely driven by the FBI – which has long advocated against victims making ransomware payments.  No matter what the motivation, however, OFAC has exacerbated the current crisis given the OFAC Advisory warns the primary civil combatants against making violative ransomware payments, namely companies “providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments (including depository institutions and money services businesses).”

Over the past several years, the cybersecurity community has seen a tremendous uptick in the deployment of ransomware – even leading to board level scrutiny.   No different from SQL injection exploits that were commonly warned against so many years ago yet still remain an exposure for so many websites, ransomware will not go away anytime soon.  The necessary cyber defensive skillset is far from fully disseminated to potential victims.  For example, indicators of compromise (IOCs) shared with the cybersecurity community would likely be ignored by most IT staff given they do not even have the means of searching internally for IOCs within their network.
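The internal IOC search the paragraph above says most IT staff cannot perform is, at its simplest, a sweep of existing log lines against a shared indicator list. The script below is an added example, not code from the original post or from CISA; the indicator values and log lines are constructed placeholders (all hashes, domains and IPs are made up), and the three IOC types covered are SHA-256 hashes, domains (including their subdomains) and IPv4 addresses.

```python
import re
from dataclasses import dataclass

# Constructed IOC set (placeholder values, not real indicators).
IOCS = {
    "sha256": {"a" * 64},
    "domain": {"update-check.example", "cdn.example"},
    "ipv4": {"203.0.113.45", "198.51.100.7"},
}

# Constructed sample log lines (proxy, firewall and EDR records).
SAMPLE_LOGS = [
    "2021-10-28T14:02:11Z proxy user=jdoe dst=api.cdn.example status=200",
    "2021-10-28T14:02:13Z fw action=allow src=10.0.4.21 dst=198.51.100.7 dport=443",
    "2021-10-28T14:02:20Z edr host=ws-117 proc=svchost.exe sha256=" + "A" * 64,
    "2021-10-28T14:03:00Z proxy user=jdoe dst=www.example.org status=200",
    "2021-10-28T14:03:05Z fw action=allow src=10.0.4.21 dst=10.0.0.5 dport=445",
]

HASH_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

@dataclass
class Hit:
    line_no: int   # 1-based index into the scanned lines
    ioc_type: str  # "sha256", "ipv4" or "domain"
    value: str     # the listed IOC that matched (parent domain for subdomain hits)
    line: str      # the raw log line, kept for the analyst

def _domain_match(candidate, domains):
    """Exact match or subdomain of a listed domain (api.cdn.example -> cdn.example)."""
    host = candidate.lower().rstrip(".")
    return next((d for d in domains if host == d or host.endswith("." + d)), None)

def sweep(lines, iocs=IOCS):
    """Scan log lines (any iterable of str, e.g. an open file) and return IOC hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        for h in HASH_RE.findall(line):
            if h.lower() in iocs["sha256"]:
                hits.append(Hit(n, "sha256", h.lower(), line))
        for ip in IPV4_RE.findall(line):
            if ip in iocs["ipv4"]:
                hits.append(Hit(n, "ipv4", ip, line))
        for cand in DOMAIN_RE.findall(line):
            matched = _domain_match(cand, iocs["domain"])
            if matched:
                hits.append(Hit(n, "domain", matched, line))
    return hits
```

On the sample lines, `sweep(SAMPLE_LOGS)` flags the subdomain of a listed domain on line 1, the listed destination IP on line 2 and the listed hash on line 3, and ignores the benign traffic; pass `open(path)` instead of the list to run it over a real log file.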

Taking into consideration the old adage:  “If you fail to plan, you plan to fail,” healthcare providers and hospital systems should immediately seek out specialized cybersecurity experts who are currently fighting this battle before it is too late.