Information Policy

What we can learn from the aftermath of cybersecurity breaches and how we can do a better job protecting online data.

Cybersecurity incidents make the news with startling regularity. Each breach-the theft of 145.5 million Americans' information from Equifax, for example, or the Russian government's theft of National Security Agency documents, or the Sony Pictures data dump-makes headlines, inspires panic, instigates lawsuits, and is then forgotten. The cycle of alarm and amnesia continues with the next attack, and the one after that. In this book, cybersecurity expert Josephine Wolff argues that we shouldn't forget about these incidents, we should investigate their trajectory, from technology flaws to reparations for harm done to their impact on future security measures. We can learn valuable lessons in the aftermath of cybersecurity breaches.

Wolff describes a series of significant cybersecurity incidents between 2005 and 2015, mapping the entire life cycle of each breach in order to identify opportunities for defensive intervention. She outlines three types of motives underlying these attacks-financial gain, espionage, and public humiliation of the victims-that have remained consistent through a decade of cyberattacks, offers examples of each, and analyzes the emergence of different attack patterns. The enormous TJX breach in 2006, for instance, set the pattern for a series of payment card fraud incidents that led to identity fraud and extortion; the Chinese army conducted cyberespionage campaigns directed at U.S.-based companies from 2006 to 2014, sparking debate about the distinction between economic and political espionage; and the 2014 breach of the Ashley Madison website was aimed at reputations rather than bank accounts.

Why cyberinsurance has not improved cybersecurity and what governments can do to make it a more effective tool for cyber risk management.

As cybersecurity incidents—ranging from data breaches and denial-of-service attacks to computer fraud and ransomware—become more common, a cyberinsurance industry has emerged to provide coverage for any resulting liability, business interruption, extortion payments, regulatory fines, or repairs. In this book, Josephine Wolff offers the first comprehensive history of cyberinsurance, from the early “Internet Security Liability” policies in the late 1990s to the expansive coverage offered today. Drawing on legal records, government reports, cyberinsurance policies, and interviews with regulators and insurers, Wolff finds that cyberinsurance has not improved cybersecurity or reduced cyber risks. 
 
Wolff examines the development of cyberinsurance, comparing it to other insurance sectors, including car and flood insurance; explores legal disputes between insurers and policyholders about whether cyber-related losses were covered under policies designed for liability, crime, or property and casualty losses; and traces the trend toward standalone cyberinsurance policies and government efforts to regulate and promote the industry. Cyberinsurance, she argues, is ineffective at curbing cybersecurity losses because it normalizes the payment of online ransoms, whereas the goal of cybersecurity is the opposite—to disincentivize such payments to make ransomware less profitable. An industry built on modeling risk has found itself confronted by new technologies before the risks posed by those technologies can be fully understood.