Of Mice and Coin

elevenM’s Peter Quigley takes a closer look at what Australia can do in the face of a modern scourge – ransomware – as governments up the ante against the threat.

Plummeting winter temperatures in Australia have led to an unexpected threat for car and home owners: rats and mice. Like most of us, these rodents are trying to find a place to take refuge from the cold and the resulting damage has been significant.

The scale of this threat has led major insurers to reject many claims made, stating that their insurance only protects against vermin infestation as a flow-on effect from a fire or flood.

As a risk person, I have always found the insurance industry interesting. At its core, it is a system which derives profit from the analysis of risk data. This is why I keep an eye on what the industry is saying about cyber security.

Like homeowners in Australia, companies around the world are now having insurance claims rejected – not for vermin but for infestation of a different kind: ransomware.

As you will have undoubtably read, ransomware incidents have significantly increased over the past year. The reasons for this have been well reported and we won’t delve into them here. What I want to talk about is what happens to a cyber risk when, like vermin infestation, it becomes uninsurable?

If companies are not able to insure against a potential risk event, then they have two options: (i) accept the risk and wear the cost of that event should it happen or (ii) not engage in the practices which may lead to that risk event. In the case of ransomware (and most cyber threats), given the digital nature of every business today, the latter is not a viable option. So, we are left with the former – that is, taking the position of, as we say in Australia: “She’ll be right”.

If, however, businesses begin to fold and the broader economy is impacted, there’s a case to be made that the government needs to step in. In Australia, we are seeing building momentum as ransomware is yielded as a political stick – most recently by Tim Watts, Australia’s Shadow Minister for Cyber Security, calling for A National Ransomware Strategy. Ransomware was also on agenda at the G7 summit in London last weekend, with various commitments made to fight the threat collaboratively.

What governments can do to combat this technical and geopolitical threat in real terms is unknown. Mr Watt’s strategy contemplates a variety of measures including increased law enforcement, crackdowns on rogue bitcoin exchanges and various sanctions.  

The strategy also advocates for Australian organisations to develop a reputation for being less likely to pay ransoms (through imposing controls on ransomware payments), so that attackers’ return on investment for targeting Australian organisations might fall in comparison to those in other countries. While making yourself a less attractive target is a common and legitimate strategy in cyber security, I tend not to agree with this approach to ransom payments. Due to the random nature of ransomware attacks (often enabled by automated services scanning and prodding IP’s across the internet) it seems likely to me that Australian organisations will continue to be heavily impacted by ransomware – regardless of policies that limit or regulate their ability to pay ransoms.

As noted earlier, ransomware is both a technical and geopolitical problem. Looking at both these aspects in detail and asking what can be done, I always arrive at the following:

  • Technical – Ultimately, cyber criminals are most likely to move on if they encounter mature cyber defences. As done in Singapore, Australia should mandate a minimum set of cyber security controls for all critical infrastructure as part of current changes being considered to security legislation. Outline what those controls are and encourage private businesses to adopt those controls. The Australian Government should publish threat data on recent ransomware events to support those charged with the operation of cyber controls to update as required.
  • Geopolitical – Not to appear too cynical, but I maintain low expectations on the current and immediate impact of geopolitical efforts on the ransomware landscape. It’s widely believed that ransomware gangs operate with impunity in some jurisdictions, despite those jurisdictions agreeing to international norms. As these geopolitical efforts slowly gather pace, it’s all the more reason to enhance the defensive maturity of organisations in the meantime.

This is just my view. In the words of John Steinbeck, “Guy don’t need no sense to be a nice fella.”

The difference between NIST CSF maturity and managing cyber risk

Yesterday marked the fifth anniversary of what we here at elevenM think is the best cyber security framework in the world, the NIST Cybersecurity Framework (CSF). While we could be writing about how helpful the framework has been in mapping current and desired cyber capabilities or prioritising investment, we thought it important to tackle a problem we are seeing more and more with the CSF: The use of the CSF as an empirical measurement of an organisation’s cyber risk posture.

Use versus intention

Let’s start with a quick fact. The CSF was never designed to provide a quantitative measurement of cyber risk mitigation. Instead, it was designed as a capability guide. A tool to help organisations map out their current cyber capability to a set of capabilities which NIST consider to be best practice.

NIST CSF ’Maturity’

Over the past five years, consultancies and cyber security teams have used the CSF as a way to demonstrate to those not familiar with cyber capabilities, that they have the right ones in place. Most have done this by assigning a maturity score to each subcategory of the CSF. Just to be clear, we consider a NIST CSF maturity assessment to be a worthwhile exercise. We have even built a platform to help our clients to do just that. What we do not support however, is the use of maturity ratings as a measurement of cyber risk mitigation.

NIST CSF versus NIST 800-53

This is where the devil truly is in the detail. For those unfamiliar, NIST CSF maturity is measured using a set maturity statements (note that NIST have never produced their own so most organisations or consultancies have developed proprietary statements: elevenM included) against the Capability Maturity Model (CMM). As you can therefore imagine, the assessment that would be performed to determine one maturity level against another is often highly subjective, usually via interview and document review. In addition to this, these maturity statements do not address the specific cyber threats or risks to the organisation but are designed to determine if the organisation has the capability in place.

NIST 800-53 on the other hand is NIST’s cyber security controls library. A set of best practice controls which can be formally assessed for both design and operating effectiveness as part of an assurance program. Not subjective, rather an empirical and evidence-based assessment that can be aligned to the CSF (NIST has provided this mapping) or aligned to a specific organisational threat. Do you see what we are getting at here?

Which is the correct approach?

Like most things, it depends on your objective. If you want to demonstrate to those unfamiliar with cyber operations that you have considered all that you should, or if you want to build a capability, CSF is the way to go. (Noting that doing the CSF maturity assessment without assessing the underlying controls limits the amount of trust stakeholders can place on the maturity rating)

If however, you want to demonstrate that you are actively managing the cyber risk of your organisation, we advise our clients to assess the design and operating effectiveness of their cyber security controls. How do you know if you have the right controls to manage the cyber risks your organisation faces? We will get to that soon. Stay tuned.