[2:22] Cybersecurity Insurance and Cyber War

Rachael: Today's guest who is in Cambridge, Massachusetts, Dr. Josephine Wolff, is the associate professor of cybersecurity policy at Tufts University, the Fletcher School. She's also the author of the book, You'll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches, from MIT Press in 2018. 

First of all, I love your writing, and it's just so fascinating to read. In the vein of cyber insurance, you also have a book coming out soon, on cyber insurance, which we absolutely want to talk about. But you were talking about cybersecurity insurance and defining cyberwar and people are getting into these really crazy gray areas. I’d love for you to expound on what you're seeing out there.

Josephine: It's a really interesting and exciting area. It’s hard to get people sometimes really jazzed about insurance, but I've spent a couple of years looking at it now. I have this book coming out later this year with MIT called Cyber Insurance Policy. The thing that has been really interesting to track in just the past two years or so, is that you've seen this really big shift in that market.

Whether there's been this huge spike in ransomware claims because there's been this huge spike in ransomware. All of a sudden, the insurers are trying to rethink their risk models. They’re trying to rethink how they've been selling these policies.

 

Denials of Claims From Cybersecurity Insurance

Josephine: One of the things that we've seen happen as a result of that are some pretty high-profile denials of claims. In particular, the ones around defining cyberwar are mostly around the NotPetya attacks from 2017. This question of can insurers invoke these war exclusions to say, "Well, NotPetya.”

Eric: Which they do on normal insurance. Take cyber out of it. A bomb hit your house from Russia. Sorry, don't count it.  You're not covering.

Josephine: This is a standard language. When I start looking at the legal disputes and a little bit of history in the book, this goes back to Pearl Harbor. There are life insurance disputes where people who died in Pearl Harbor, their family members try to claim life insurance. The insurer says, "No, this was an act of war."

And the families, and their lawyers say, "No, Pearl Harbor was the day before the United States of America declared war. That wasn't war." You're right, it's been in these policies for a long time. It's been disputed in the past, not just around Pearl Harbor, but around terrorist attacks and whether those count as acts of war. NotPetya is interesting, we are pretty confident it is the act of a nation-state. It’s attributed to the Russian government.

Eric: We're highly confident on that one. We're about to see the next iteration here. It's January 21st of 2022.

Josephine: This has implications not just for this incident, but for many more incidents, potentially. Because of that, you have what the insurers see as this opportunity to say, "Okay, this is really clearly a nation-state attack. It's not just a one-off nation-state attack, it's part of this ongoing conflict between Russia and Ukraine."

 

Looks a Little Bit Like War

Josephine: There's a stronger case to be made for many other cyber attacks, that this is part of something that looks a little bit like war. Or something that's at least sometimes called war, in the context of a conflict between those two countries. So you see, a couple of them, not just one insurer, not just one insured getting into these legal disputes. There's a big case pending around Merck, the pharmaceutical company.

There is another one around Mandalay, the multinational food company. The fights are really over, well, is NotPetya a war like a hostile action? Does it fall under that category for insurance purposes? The latest ruling which actually just came out last month in the Merck case, the judge basically says, "No."

He says, "If you wanted this exclusion to apply to cyber attacks, you should have changed the language." But it's totally reasonable for Merck to think that would involve the use of armed forces.
There's this really interesting fight playing out, which is partly about NotPetya. But much more than that, it’s about what we are going to do about the next wave of nation state attacks and who has to pay for them.

Eric: One of the things that comes to my mind is really around attribution. How do you determine that it was a nation-state, not even getting into which nation-state, versus a criminal group, like REvil? Theoretically, they're gone. Operating out of a nation or on behalf of a nation-state, do they even get into that level or really doesn't matter? It's any excuse they can get to cut their risk.

 

Behind an Act of War

Josephine: So I think that’s important here because when you look at the definitions and the actual insurance policies, the idea that there's a government behind an act of war is really important to that definition. The reason you see these disputes crop up specifically around NotPetya is because there's not a lot of dispute around the attribution there. You get this coordinated multi-country attribution effort from the United States, the U.K, Canada, Australia. A whole bunch of governments put out statements like, "We're quite confident this was Russia."

In this particular case, you haven't seen many of the insureds trying to make the argument, "Oh, this wasn't a nation-state." This particular incident is not a great one for doing that. That's also why the insurers are trying to test the water on this one. They think they have the strongest possible case on that attribution issue.

Rachael: I thik people were getting into a place of cyber insurers. Oh, my cyber insurance will just cover it. I'm good, I'm not going to worry so much. You had written in one of your other articles too, about where the onus of responsibility falls in these kinds of things. Like targeted organizations, what is their responsibility? The organizations at large, how do you prevent it? It's going to happen. Who's got the stick then to fix it? There's 200 cybercriminals in jail worldwide. You said in the first half of '21, 590,000,000 have been earned by cybercriminals. Something's got to change, but where?

 

The Growth of the Cybersecurity Insurance Industry

Josephine: Rates are going up, we're definitely seeing that. It's not totally clear, the ways in which the growth of the insurance industry in this sector has actually changed the question of who's responsible for what. That's a question that interests me a lot. The first book I wrote is really about that. It’s about who we hold responsible for cyber-attacks and failing to defend against them. How do you spread out that responsibility to all the different stakeholders who are involved in this ecosystem? That was actually what got me started thinking about insurance.

One of the things a lot of the people I spoke to for that book said, "Well, this is all going to end up being about who gets insurance and what the insurers require from their policyholders."  I come away from looking at this insurance industry feeling pretty strongly. The insurers have not been able to deliver on the promise of we're going to collect a lot of data. We're going to figure out what everybody needs to do to have strong security. Then we're going to help them reduce their risk. 

One of the reasons I wrote a book about this industry is trying to come to grips with that failed promise. What cyber insurance was going to bring to cybersecurity is really important for thinking about where we go from here.

Eric: What I'm not observing in the industry is that behaviors are changing as a result of any kind of insurance increase. I don't know that is driving behavior at this point. But I do think people are much more aware.

 

[10:17] Where Cybersecurity Insurance Is Driving Behavior

Eric: Boards are involved in asking questions, but I don't hear a lot. You don't read a lot, you don't talk to a lot of people at the C-level where cybersecurity insurance is driving behavior, which you would think it would. Rates would either go way up or you'd have areas of risk because they reduced coverage.
To me, those are the two levers that an insurance company has. We just keep seeing more and more ransomware hitting and impacting businesses. In your 2018 book, you list out a series of escalating incidents, but I don't see behaviors changing. Am I crazy?

Josephine: That's exactly right. A lot of what brought me to cyber insurance as a topic was this idea of, this is how we change behavior. We get all the insurers writing these policies that require companies to do the things that are most effective. The insurers are the ones who are going to be able to put together that data and figure out what those safeguards and controls are because they have all these claims. You're exactly right.

There are a couple of explanations for what's gone wrong in that. The first and the biggest one is that the process for buying cyber insurance is much lighter than I anticipated when I went into this. I would've thought, you're selling cyber insurance to a company, you're going to do a pretty intensive audit of what their security posture is, what safeguards they do and don't have in place.

For a variety of reasons, both because insurers often don't have the technical expertise in-house or they're just trying to grow this market so quickly. They don't have the time and the resources to do that.

 

40 Questions To Fill

Josephine: There's really not that process. What there is, is usually a questionnaire. You get 10 to 20, maybe more like 40 questions that say things like, "Do you have an incident response plan? Is there a person who is responsible for security and do you have firewalls?"
It questions where you can answer yes to all of them and they're designed so you can answer yes to them. They can sell you insurance, but answering yes to a question, do you have a firewall? Do you have an authentication policy? Have you implemented multi-factor authentication? Doesn't it actually stop colonial pipelines? It doesn't actually get at the really in-depth security analysis you would want.

There's been a real failure there to try and change behavior in a meaningful way. There is some recognition of that now in the insurance industry. Those vetting processes are not really working in the way that we thought they were or we hoped they were, at least. But, there's also a lot of uncertainty about where you go from here and how you make that better.

Eric: I'm thinking about the last time I did life insurance. I mean they drew blood. I probably filled out 10 pages of family and medical history. Think about any insurance, my homeowner's insurance, I periodically get this update talking about the condition of the roof and the materials of the house and everything. It seems like it's so much more stringent, at that level.

Josephine: There are definitely much better risk models in place for all of those things. There’s much more established insurance industry verticals to look at all of those issues.

 

Fundamental Challenges in Cybersecurity Insurance

Josephine: Part of this may be an issue of, this is new and this is going to take time for the insurers to get a hold of. There are some reasons to think that there are more fundamental challenges here than just that, partly because the industry has matured. Even over the past few years, we haven't seen it necessarily moving in the right direction. We haven't seen it getting closer. We're improving our risk models. We are making the progress you would hope to see to feel like we're on a positive trajectory. 

Some of that is the nature of the threat landscape, the boom and ransomware, and things that the insurers were not anticipating. But I do think that you're right to say this feels different from other types of insurance. This feels like there's less of a handle on it and there's less expertise and certainty.

Eric: You reminded me of a conversation I had back in 2012 with my CEO on how you get promoted in cybersecurity. You buy the latest hot project, product and then you implement it. Nobody in the industry is focusing on outcomes. The industry isn't consolidating as a result and, yes, protection is getting better overtime. But the adversaries are moving faster and we're falling further behind. We see that in the results.

Josephine: That's totally fair. One of the things that's interesting to me about insurance is policy. It’s the realm that I study most closely. But the public policy space for a long time has had many people in it. They are saying, "We can't move fast enough to make the cybersecurity regulations. Government is slow and unwieldy, we really need the private sector."

 

Cybersecurity Insurance Has Been Held Up

Josephine: Cybersecurity insurance has been held up as the private sector solution that's going to move quickly and change rules every year when policies are updated. So far, I try to be optimistic about this, but we haven't really seen that making good in the way we might have hoped a few years ago.

Eric: We do have things like the NIST frameworks. There are things where we have some level of standardization where they could form a basis for common questions. A common level, we're almost seeing it. I don't know if you know about the CMMC work the government has been doing. It's what everybody has been arguing about. But there are different levels and while it's being contested. Level one is very different from level three. There's certain things you need to do. You would think that they would have standards where it's more than just, do you have firewalls?

Josephine: The NIST framework is actually a great example of something that the insurers have not been able to correlate with improved outcomes in their claims data. They aren't able to say, "If you implement the NIST framework then we see you will suffer fewer incidents or you will have smaller losses when you do."

Eric: Or at least parts of it.

Josephine: That's not a conclusion that any of the underwriting teams I've talked to have ever been able to sort of come out confidently. Now maybe that's because the NIST framework isn't working. Maybe that's because the way it's being implemented is variable. Maybe that's because the claims data is not rich enough to understand how well it's being implemented in different instances.

 

Overseeing the Incident Response

Josephine: Another thing that comes up in this, and we're maybe too into the weeds, but that's often where I end up. The insurers often don't have a lot of information about these incidents they're covering. There are lawyers who are brought to oversee the incident response. They often say, "Well, the final report is covered by attorney-client privilege. We can't share it with the insurer." The insurers themselves are often very frustrated and feel like they have no insight into what went wrong. They can't build a better underwriting model.

Eric: I thought it might be that or the lack of expertise, the lack of understanding of cybersecurity in the industry. The insurance industry might hold them back, but it still doesn't answer for me why the claim, why the premiums aren't super high then.
Josephine: Premiums are skyrocketing in the past year, if that's any comfort.

Eric: So maybe that will drive. I've found in business that cost, money will drive behavior. So maybe we will see in the next couple of years a major difference.

Josephine: That's possible. To see that difference, we would need a better handle on what exactly we think an organization should be doing around threats like ransomware. That's where the insurer's claims data would be most helpful. It's saying, "If you have this configuration or if you have these types of multifactor authentication controls, then we can really see that there's actually a much quicker recovery time. It's much easier to get things back up and running." I'm hopeful that will happen but I don't think that it has yet. I don't hear from the insurers themselves that they feel they can confidently make those assessments at this point.

 

[19:04] Cybersecurity Insurance Is a Major Mover

Eric: I'm not an expert on cybersecurity insurance or insurance in general. But I believe cybersecurity insurance will be one of the major movers, if not the major mover that helps address the challenges in this industry, consolidation, better protection of personal data. You talk about it in your first book, the motives for the attacks.

Financial gain, espionage, public humiliation of their victims, which we saw with Sony and many others. I think insurance will help us in those areas, but you've got to understand the adversary. You've got to understand what you're protecting against. I don't think most companies do a good job today.
Josephine: It's why I started this project on insurance, I thought this is a really important thing that is going to move this industry in a serious way. I go back and forth between feeling like it needs some more time. It's getting there, they're hiring more people with expertise. They're learning from their past mistakes and feeling like the carriers are all just going to stop selling this tomorrow.

The last year and a half of ransomware claims has just been brutal. You've seen some insurers really step back and reevaluate, “Is this something that I want to be a primary on? Is this something that I can carry in terms of the amount of risk involved?”

Eric: If you just look at simple things like car theft, car insurance premiums are much higher in areas with higher car theft. That's an easy equation for an insurance company. I would think they would extrapolate the same type of logic to cyber insurance. If I have softer targets, we've talked to a lot of people, state and local governments, city governments that are getting hammered with ransomware, soft targets.

 

Figuring Out the Soft Targets

Eric: If you're not doing your job as we're going to raise the rates, or if they're more attractive targets, maybe critical infrastructure companies or companies that have a lot of intellectual property to lose or something like that. You would think the rates would be a lot higher.

Josephine: There is some of that for sure. There's the challenge of figuring out who the soft targets are, which the insurers are still wrestling with. Certainly, everybody's rates are going up and they'll all tell you that. One of the things that some of the companies that purchase this insurance find frustrating is this feeling that everybody's rates are going up regardless of what you have or haven't done around cybersecurity.

For instance, you mentioned the NIST framework. There's an interesting congressional hearing about cyber insurance several years ago. They bring in some people who purchase insurance for their companies. People testify, "I spent all this time in money implementing the NIST framework. When my insurance got renewed, the premium doubled anyway, and nobody cared." There's frustration on the policyholder side. "If I'm really good about security, that doesn't seem to get me anything in terms of a lower premium. So why would I spend the time and money on that?"

Eric: It's like medical insurance or life insurance. Somebody who is grossly overweight with preexisting conditions, heavy smoker, drug user, alcoholic, having the same exact rates as somebody who's running marathons or in perfect health. You would think that the insurance companies for medical insurance or life insurance have different premiums. They understand that. I don't think they get that yet for businesses.

 

How to Measure Risks

Eric: They don't understand how to measure. How to appropriately charge organizations both on the risk side but also on people who are doing the right things. You would expect that to be off, maybe is the best way to put it, on both sides.

Rachael: From what Dr. Josephine Wolf was saying, it sounds like there's a 40 questionnaire. How can they do the digging to validate it? It doesn't sound like they have that capability.

Eric: If everybody's answering yes and one organization is doing their utmost and one is doing nothing, but they all answer, yes, they're treated alike.

Rachael: How do you discern the difference? That's the thing.

Eric: You don't.

Rachael: It's not like, I can get a blood test and you can learn a lot about me, but there's no blood test in cybersecurity.

Eric: But if there's no blood test, there's no difference between two individuals, from that measurement angle.

Josephine: You've seen a lot of partnerships. You've seen a lot of insurers trying to work with security firms to say, "Okay. You have to go in and do the assessment of all of our potential policyholders, run the scans, and that sort of thing." You've seen some movement there. That very rarely affects the premiums though.

We have these partners, they'll do some risk assessments. But the premiums are almost entirely tied to how big is your company? How much revenue do you have? The policyholders themselves can see, this is not really about my security posture or my vulnerabilities. This is mostly about how large a company I am and how much damage is the insurer therefore imagining I will be subject to.

Eric: There's really no incentive then to be better from an insurance perspective?

 

Cybersecurity Insurance Is a Risky Business

Josephine: There hasn't been. I'm always optimistic that will change. The insurers are always trying to get there, always struggling a little bit to figure out how.

Rachael: Because you assume. Basically, if you haven't breached yet, you will or it's just a matter of time. It's delaying and waiting. Cybersecurity insurance sounds like a really risky business to be in. But 9 times out of 10, you have to pay out on something unless you can find this definition of war or these other loopholes, however you want to look at them. It's really fascinating and there's no clear path.

Josephine: It is a really risky business. You need to have a certain kind of confidence in your own risk models that's probably not deserved. To be selling this, I would say two things that are important to keep in mind from the perspective of the insurers. One, this is still a sort of relatively small insurance market compared to the really big ones, auto insurance, property, and casualty insurance. But it's one of the only sectors of insurance that's growing really fast.

The insurers are under a certain amount of pressure to expand this part of their portfolio. Make sure they're not losing out to all of their competitors, on who's going to win the cyber insurance customers. The other thing which is really important to keep in mind is that, up until 2019 or so, it was a very profitable form of insurance compared to others. You paid out less of your premium intake percentage-wise than you did for auto insurance, than you did for these other areas of insurance that had much better risk models.

 

Better Risk Models

Josephine: Because they were much better risk models, it was easier for all the different insurers to compete with each other on price. So cyber insurance didn't feel really risky until 2020. Then all of a sudden it went off the rails.

Eric: Are they paying out in excess of their premiums or they're just not doing as well as other types of insurance at this point?

Josephine: Depends on the insurer. Some of them are paying out, certainly in excess of their cyber insurance premiums, not in excess like all of their premiums across all sectors.

Eric: It's like a really bad driver.

Josephine: Some of them are just not doing as well, but everybody is nervous. Everybody is feeling like this is a big change. This is not the calculus that we had been assuming, looking at the past 5, 10 years.

Eric: So we're in 2022 right now. I'm betting by '25. They've got this pretty down and they are moving the needle in organizations. I don't see them better than the way you do. But I don't see them losing their shirts for five-plus years and not making corrections. It's just not a normal business model.
The fact that ransomware is increasing, the fact that they are losing money in some cases or not as profitable in others will force them to come up with better models. The actuaries are going to look at this and say, "Look, we've got a set of data at this point that we can at least get some. Drive some idea of what's going on in the industry and it's not heading in our favor. We need to change some things." 2025, we'll circle back on the show here and figure it out.

 

[28:18] Cybersecurity Insurance Companies Are Also Victims

Rachael: The thing that’s interesting is, you read the reports in the last year. Cybersecurity insurance companies are being victims of ransomware themselves. People targeting their client list, "They got ransomware insurance. Sweet, we gotta get this great pool to go after." So then, for ransom, if cyber insurance companies become the targets, then who gives them cybersecurity insurance?

Josephine: This was AXA, one of the big insurers. They announced that it stopped covering ransoms in France, mostly because they were worried about regulatory oversight and interventions. Almost immediately afterwards, unclear whether it was related or not, got hit with ransomware. There was this sort of fear among a lot of insurers of, “We should be careful of anything we say about ransomware coverage. Don't want to attract attention.”

Eric: It is totally coincidental, I guarantee it. But that's the thing in this industry, the risk is so low to the attacker. Your best defense is stay quiet, don't upset anybody, just stay below the radar. You stay below your peer group and everybody else. I've said a number of times, "Colonial pipelines would never have been attacked if they knew what was going to happen." The president of the United States and the government of the United States would get involved. They would've never made that, just stayed under the radar.

Josephine: That's an interesting question, I'm trying to decide if I agree with that. It depends on who's really pulling the strings behind that attack. If we think it's really just a financially motivated attack then, yes, you're right. The financially motivated cybercriminals aren't interested in a lot of law enforcement efforts or presidential statements.
 

Financially Motivated Cyber Criminals

Josephine: With Russia, there's always a possibility that the financially motivated cybercriminals are in some partnership or coordination. Or even just tested agreement with the government. With the Russian government, it's less clear to me that they wouldn't want to do anything that would rile up the president of the United States or make a big public splash. NotPetya is an example of the Russian government doing something that they knew would be incredibly public, incredibly disruptive and going forward with it anyway.

Eric: I would argue NotPetya was definitely directed. If you look at some of the random ransomware attacks, maybe not random, and maybe that's a bad word, but of the spray of ransomware attacks, I don't think everyone is directed. I don't know if the nation-state government said, "Hit the colonial pipeline." A nation-state government may have said something to the effect of, "Disruption of the organizations in the United States is in our best interest. We sanction that, go disrupt things."
 I don't know about the colonial pipeline. This is Eric's opinion only here. I don't think it came up on a target list, with the intent to engage the United States government in the way it did.

Josephine: That's perfectly reasonable. I have no idea whose decision the Colonial Pipeline was. Anybody, whether a government official or a cybercriminal, or anybody else probably could have made a decent guess that going after a major pipeline, would elicit some pretty significant response.

Eric: Even if they went after a major pipe, if they even knew what they were hitting necessarily.

Rachael: Like a spray and frame thing?

Eric: Do you understand the consequence?

 

Multi-Million Dollar Ransom

Josephine: You're making a multimillion-dollar ransom demand, you know what you've got? Based on the size of the ransom they paid, they understood what a high-profile target they were going after there.

Eric: I wouldn't argue that logic at all.

Rachael: They got some of the money back, which was rare, but nice. So, not easy to do. You had written about this as well. Was it an insider in the attacker group or did the company somehow get an encryption key? Or you almost have to get lucky and have a lightning strike thing if you're going to be able to claw it back. Maybe the crypto mixing firm gave it up?

Josephine: There's some luck involved, obviously. The U.S government doesn't reveal exactly how they got the keys to those wallets. I'm guessing a little bit about what happened. Either there was a clumsy choice of infrastructure on the part of the criminals. That allowed for the U.S government to issue some orders that enabled them to get access to part of this money. Or there was some other insider, maybe just good espionage and surveillance work that enabled them to get their way.

Certainly, it is the exception, not the rule. It’s not the case that we've got tools that allow us to do that every time. It doesn't mean we shouldn't do it when we can. Obviously, I would rather have law enforcement drawing money back than not. I just worry a little that the message of that story to some people was like, we should just pay ransom so we can always get the FBI to get them back afterwards. I do think it's important to keep in mind that that's a pretty unusual thing.

 

Artificial Intelligence

Eric: That's not happening. You should not be in the business if you're banking on that. So let's pivot to artificial intelligence. I know you've done a ton there.

Rachael: I love everything about AI. There's just so many paths to take on it. You hear a lot of bias in AI though and all the bag of tricks that come with getting it right. And you can get AI right in cyber, especially when you're thinking about people and understanding how they work.

Eric: Are you talking about the attacker or the defender?

Rachael: The defender. If you're using AI for security, how can you get it right? How do you get there?

Josephine: Part of what's hard about this is that, often, we're making up the metrics for success as we go. There's no clear consensus on what it even means to get AI right. We're trying to figure out what different things you can measure here and how we are doing. Are we forgetting to measure some really important things that we should have thought of? You see that a lot in the bias space. One of the ways that people are trying to think about bias and fairness in AI, is by coming up with new ways to assess what is fair. What's unfair in an algorithm? 

How do we measure that in different ways that will allow us to try and understand that better? Until there's more consensus around that, it's probably a little bit tricky. The question of how do you get AI right is a really tricky one. Part of that is about trying to understand what the ultimate goals are.

 

The Ultimate Goals Around AI

Josephine: In security, the ultimate goals around AI are being able to use AI to detect attacks, maybe even to respond to them. Do that anomaly detection work in a more sophisticated, more adaptive way than we're perhaps able to do it with existing tools. Then the other part of that, and it's broadly across all applications of AI, is how you secure applications of AI themselves. How do you make sure that they're not being manipulated or undermined, or in other ways corrupted?

Eric: That is a big question. How does an adversary not corrupt the model so that they can get their gain and whatever it may be in that manner? Because at some point, you take the human out of the loop when you're using artificial intelligence.

Josephine: Part of the question that we're seeing now in policy, particularly, the EU draft AI regulations, those kinds of policy efforts. Some of the DoD efforts around AI as well have been focused on making sure there is a human in the loop. It’s saying at what stage a person needs to oversee a final decision or an assessment or whatever the AI application is.

Part of that has been trying to nail down the different ways that humans can oversee artificial intelligence applications. What does it mean to try and have a sort of human in the loop somewhere, but still get the benefits of AI? That's something that we're just beginning to see policymakers try to figure out.

The DoD, for instance, has had a lot of principles and discussions about, we may want to use AI for certain kinds of video analysis or things like that.

 

[38:23] Useful Application of AI in Cybersecurity Insurance

Josephine: If you've got 1,000s of hours of surveillance footage and you're trying to search for something in particular, that could be a really useful application of AI. But maybe not in identifying and selecting targets for attack. Maybe that's the thing that they really want to request them to do.

Rachael: You mean even like offensive strategies?

Josephine: Yes. A lot of it comes down to figuring out what the specific places that we're comfortable not having human oversight and which places we feel we really need.

Eric: I've done a decent amount of work in automation and cyber. I certainly wouldn't call it artificial intelligence, literally. Just automation, doing routine stuff and removing the human from the loop. I've written on human-machine teaming, but I agree with you fully. Where do you draw that line? How do you educate the human in the loop or watching the loop, on what they have to do? I've seen a tremendous amount of pushback from the lower levels where that's my job. I don't want a machine to do that.

Well, wait a minute, you will do a higher-order activity, which is supervising the machine decisions. That's better for everybody, and they don't like that. They don't necessarily be concerned in some cases with having some type of artificial intelligence or even just basic automation run. Those humans weren't comfortable to address what their role is, and what the model does, and doesn't do.

Josephine: This is a huge AI issue as well. The workforce question and it gets at everything, not just security of what happens to these jobs and who are you displacing or removing. You've brought in automated systems.
 

The Implications of Using More AI

Josephine: A massive question around both trying to think through the consequences and the implications of using more AI, and trying to predict where this is actually going to happen. You see all of these different predictions around like, there are going to be no more human truck drivers in 10 years. There are going to be no more people doing X, Y, or Z tasks.

I think, a lot of the time, we haven't turned out to be great at making those predictions about AI. Knowing what exactly is going to be fully automated, what kinds of human oversight are going to be needed and what's that going to look like. We also, certainly, haven't been great at predicting the timeline of, how soon do we think there won't be any need for human truck drivers? Is that two years out, five years out, 50 years out, et cetera?

Eric: Will we even use trucks at the point when we could bring technology to do something like replace a human in a truck driver's seat? No, it's an area where we've been talking for at least a decade in cybersecurity, specifically about AI. When I say that, I mean pretty heavily. I'm sure professors and scientists have looked at it for decades. In the last decade of my career, we've seen machine learning and artificial intelligence really take a prominent position.

What I haven't seen is a lot of beneficial results. A lot of tools and I'm struggling. I'm racking my brain right now. When I was at McAfee, some of the test rigs we had, which would go through 100s of 1,000,000s of samples a day, were pattern matching.

 

Customer Level Technologies

Eric: There was definitely some machine automation in there, which then needed some level of human review. I'm trying to think of customer-level technologies, and I'm just drawing a blank right now.

Josephine: It's pretty minimal right now. Honestly, a lot of things are marketed that way. I won't surprise you to hear the actual benefits, we're still in very early stages. That's true in the consumer security market. But, it's true in the national security space with artificial intelligence applications that you're seeing groups like the U.S military start to build up some efforts around AI.

But not necessarily have great results yet or rely on them very heavily. Just trying to start experimenting a little bit and see where it's going. There's probably still ways to go in all of those areas in terms of trying to figure out what exactly we're heading towards or how quickly that's going to happen. My sense is it all moves slower than we usually expect. That's why you haven't been able to see it.

Eric: Things like targeting or looking through massive amounts of video, or audio recordings are probably going to be easier than cybersecurity.

Josephine: That's probably fair.

Eric: I'm stepping out of my swim lane here, but I'm betting on human behaviors.

Josephine: Maybe, part of it as well. You could imagine those as security-related applications certainly.

Eric: I'm going to the podcast record here saying, “The cybersecurity insurance piece will resolve itself before we see massive movement from an AI machine learning perspective, in cybersecurity.“

Rachael: I think insurance learns fast. They can learn quickly and also because they have to.

Eric: I'm betting on the currency being the driving force there.

 

The Cybersecurity Insurance Needle

Josephine: There's a lot of money wrapped up in AI too, these days. But, that makes sense to me. The insurance piece feels like a more settled and more developed state so far.

Eric: There will be a lot of transactions. There will be a lot of experimentation, a lot of efforts, but I think the cybersecurity insurance needle will move faster.

Josephine: I'm still not totally sure I know what the timeline is for either. You say 2025. That's a little optimistic, but I'm hoping that's where we land for the insurance industry.

Eric: Dr. Wolf let's be honest with ourselves because I was counting on my fingers. I'm going to give it about four years. We'll see something because money's in play.

Josephine: The only thing I'd say, this is not to be negative or not to be pessimistic. Five years ago, we were saying that about cyber insurance too. We were like, "We just need a few more years. We're going to figure this out, and build better models." Instead, everybody became much more skeptical of the models in the course of those five years. We'll depend a little on what the threat landscape looks like as well.

Eric: Let's talk about my very basic model, I was counting on my fingers using the Price is Right rules. I wanted it to be below, not over the price target.

Josephine: Sure, that makes sense.

Eric: So listeners, don't go off of what I'm saying. It could be 2030, 2040, but I'll stick with 2025. Rachael, you got to vote.

Rachael: Well, I'm leaning on the '27 to get it baked, but, we'll get there.

 

Success Is Everybody Having Cybersecurity Insurance

Josephine: We are counting as success like it's a booming market, everybody has cybersecurity insurance, the rates are really stable and standardized.

Eric: We probably should define what we're talking about. When will we consider it like success?

Josephine: A mature one. A semi-mature market. We're looking at the 2030 to 2035 range, and I very much hope I'm wrong. I want to come back in 2025 and we'll play clips of this conversation, and talk about where we were wrong and right.

Eric: This is the fourth year of our show. So if we double our lifetime, we probably can make that happen.

Rachael: There's always my favorite question about optimism for the cyber path ahead but I'm picking up some optimism here from Dr. Wolf.

Josephine: I'm optimistic, but I'm also trying to trade myself to be optimistic on long-time horizons. It's hard to feel really optimistic about 2022 or 2023 right now. I'm optimistic that in the span of the next 5 to 10 years, we could make big progress. But I'm less optimistic that progress can happen in sort of immediate or short time frames.

Eric: Your book, You'll See This Message When It Is Too Late came out in 2018.

Josephine: It's not a super optimistic title, is it?

Eric: No, but I love it because it's so accurate. You basically argued from  2005 to about 2015, '16. Things got progressively worse and we really didn't do a whole lot about it. So from 2015 to '25, am I hearing you say, "Things will continue to get progressively worse? That we will continue to do, maybe not enough about it?"

 

[48:04] Severe Threat Landscape

Josephine: The first half of that period from 2015 to '21, '22 things have continued to get worse. We're going to turn a corner in 2022 and maybe even late 2021. In terms of attention and resources, I don't think we're going to turn a corner in terms of how severe the threat landscape is. But we're going to turn a corner in terms of how much attention, how much money, and how much folks focus from policymakers and organizations. Slowly, over the course of many years, that's going to make a difference. That's what I'm betting on.

Eric: How much are we spending on cybersecurity protection right now?

Rachael: Is it a 100? No, it's in the trillions. Is that right or is it 150,000,000,000? I get my numbers myself.

Eric: I honestly don't remember the latest data. How much are we losing each year, do you have that data?

Rachael: No, but I do know as our CEO said, that cybercriminals are making so much money. They're basically the third-largest country in the world behind the U.S.

Eric: From a GDP perspective.

Rachael: Right, from the U.S and China.

Eric: That sounds like a problem to me.

Josephine: Not great.

Eric: Josephine, I am not quite as optimistic as you are. It's something I'm trying to get over, but I just do it year after year. So I'm not sure we turned the corner in '22, '23. But, we got to hope. Great talking to you.

Rachael: It's been amazing. I'm looking forward to your book, Cyber Insurance, coming up.

Eric: When does that come out?
Josephine: That'll come out in August.

 

You'll See This Message When It Is Too Late

Eric: And we can get your current book on Amazon. MIT Press?

Josephine: Yes.

Eric: I've got Perfect Weapon and oh, which Nicole Perlroth's book?

Rachael: This Is How They Tell Me the World Ends.

Josephine: Sitting right here.

Eric: You'll See This Message When It Is Too Late, you're right in there. I've got those up there and there's a nice book from Steve Grobman and Allison Sarah from McAfee. A couple of them, but yours is right up there with it for me. It’s what I'd recommend to somebody looking at the industry and trying to get a handle on it, who comes from outside the industry. "Hey, read this and it will give you a generalized idea of where we are in the industry today and the problems we deal with."

Rachael: Well, Dr. Josephine Wolf, thank you so much for joining us this week. It's been great talking to you. As always, thank you so much to our listeners for joining us this week. Smash that subscription button. You get a fresh episode in your email inbox every single Tuesday.

 

About Our Guest

Dr. Josephine Wolff is an associate professor of cybersecurity policy and has been associated with The Fletcher School at Tufts University since 2019. Her research interests include international Internet governance, cyber-insurance, security responsibilities and liability of online intermediaries. It also includes government-funded programs for cybersecurity education and workforce development, and the legal, political, and economic consequences of cybersecurity incidents.

Josephine's book "You'll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches" was published by MIT Press in 2018. Her writing on cybersecurity has also appeared in Slate, The New York Times, The Washington Post, The Atlantic, and Wired. Prior to joining Fletcher, she was an assistant professor of public policy at the Rochester Institute of Technology and a fellow at the New America Cybersecurity Initiative and Harvard's Berkman Klein Center for Internet & Society.

She received a Ph.D. in Engineering Systems and M.S. in Technology and Policy from MIT, and an A.B. in mathematics from Princeton. As a student, she also spent time at Microsoft, the Center for Democracy and Technology, the White House Office of Science and Technology Policy, and the Department of Defense.