CISA Leader Tells MSPs Cyber Insurance Market ‘Fueled Rise In Ransomware’
‘Insurance companies didn’t price the market correctly and they suffered for it with the rise of ransomware. I would argue the insurance market fueled that same rise in ransomware because they made payment of ransoms far easier to happen. And they put a lot of companies under retainer to negotiate with criminal organizations,’ says Brandon Wales, executive director of the U.S. Cybersecurity and Infrastructure Security Agency.
Brandon Wales, executive director of the U.S. Cybersecurity and Infrastructure Security Agency, blasted the cyber insurance industry for what he said were years of enabling the ransomware epidemic by “negotiating with criminals” and facilitating payments of ransoms.
“Insurance companies didn’t price the market correctly and they suffered for it with the rise of ransomware,” Wales told MSPs at Right of Boom, a security-focused IT conference in Grapevine, Texas. “I would argue the insurance market fueled that same rise in ransomware because they made payment of ransoms far easier to happen. And they put a lot of companies under retainer to negotiate with criminal organizations. Now I think they are repricing the market. Premiums have gone up across the board, not just for MSPs.”
After years of mismanaging the threat and supporting it, cyber insurers are now repricing it, causing policy costs to go up nationwide, Wales said. Insurers also have realized the due diligence they carried out with MSPs five years ago is no longer adequate, he said.
[RELATED: Cybersecurity VC Funding Plunged In 2022, But That’s Not A Bad Thing]
The U.S. Department of Treasury is working on a federal backstop for catastrophic losses in the cyber insurance market, he said, adding that the upcoming release of the National Cyber Strategy will provide more details.
“With or without a federal backstop, there is likely no silver bullet that is going to solve some of these challenges we are all facing,” Wales said.
He sketched a stark cyber security landscape facing MSPs and their customers, as he called for a “radical rethinking” of the “Whac-A-Mole” approach that has thus far failed to turn the tide of ransomware attacks.
“I don’t think we have really, fully realized how pervasive cyber incidents are and the effect they are having on day-to-day life of American companies, citizens and communities,” Wales said. “We had a particularly bad period in early 2021, but frankly we continue to see this on an ongoing basis. It’s just that we’re in the middle of dealing with it, incident by incident. It’s actually a pretty bad situation.”
The security evolution needed to attack the threat is going to be driven by MSPs as they help to develop a deeper ecosystem of cybersecurity talent nationwide, he said.
“This community is unique,” Wales said. “It is a part of the tech industry that is not centered in Palo Alto. You can be out there helping to build that ecosystem. It doesn’t have to be a lot, but I would say every bit helps. And this is a space where we need to increase that pipeline. And this community can be a key part of helping to accelerate that pipeline.”
Among the audience was Kevin McDonald, COO and CISO of Alvaka Networks, based in Irvine, Calif. He is also co-chair of CompTIA’s Cyber Security Council. McDonald has not only been elbow-deep cleaning up cyber breaches, but he also spent years lobbying government in California and Washington, D.C., talking technology with politicians at all levels. He said Wales is a rare government official who understands the threat and the real work it takes to defend against it.
“I don’t get excited. Ever. I looked at my partner and said, ‘I have never felt better after listening to somebody from the government,’” he told CRN after Wales’ talk. “A lot of times what you find out is the person who is the head of whatever agency is really just a mouthpiece and they don’t know what’s going on and they’re replaying a speech or a script. This guy is the one writing the script. He knows what is going on. That is an epic shift in what you normally see, and it was so exciting to see today.”
MSP cybersecurity guru Wes Spencer, who emceed the event, told CRN that Andrew Morgan, founder of The Cyber Call, and Jon Murchison, founder and CEO of Blackpoint Cyber, deserve credit for convincing CISA’s executive director to sit for a security panel with MSPs. Spencer has spent years working with MSPs as co-founder and CISO of Perch Security, then with ConnectWise and now as channel chief of Fifth Wall Solutions.
“It’s almost like MSPs took another step toward being validated,” Spencer said of MSPs hearing directly from CISA leadership. “For the longest time they’ve felt like a small and forgotten industry that as we all know serves the vast majority of the SMB sector, which makes up the vast majority of the U.S. economy. Unfortunately, it took these massive ransomware events for the government to see how important MSPs are. Then on the other side of that were the MSPs who were saying, ‘We would welcome help. We would love some time and attention from the federal government because we’re basically ignored.’”
Government Help
Alvaka Networks’ McDonald, who frequently works with local FBI and Secret Service field offices, said that following the ransomware attacks on Colonial Pipeline, which drove up prices of gasoline as panic-buying gripped the Eastern U.S., and JBS Foods, which shut down a massive supplier of beef and pork, the federal government finally began to look for substantial ways to help businesses handle the threat.
He sees Wales as an extension of that effort.
“I don’t think they took ransomware at all seriously for a couple of years there,” McDonald said. “Those were major attacks that everyone saw and felt and it made the administration look bad. … I think he is a great representative of the change. I think it’s healthy and I think it’s wonderful.”
Fifth Wall Solutions’ Spencer said Wales’ authenticity resonated with MSPs in the room.
“He’s been in the same breach space that we’ve all been in,” Spencer said.
Wales became acting director of the agency in November 2020. A week later, Wales said Kevin Mandia alled with word about the FireEye attack. Next month came the SolarWinds attack—he blamed that breach on the Russian SVR intelligence service looking for ways to penetrate Microsoft Office 365—and targeting U.S. government installations among its 18,000 victims. He was also involved in mitigation of the Colonial Pipeline, JBS Foods and the Kaseya supply chain attacks. In the case of Kaseya, he said he was on the phone with that company’s CEO as it was unfolding.
Wales said the one lesson driven home by several high-profile ransomware attacks is to set device permissions to the lowest possible level.
“You didn’t actually need your SolarWinds device talking to the open internet to be able to perform its function on your network, which was a network optimization. But to make patching easier and faster, people left it with a full-time, open connection to the internet,” he said. “We saw many, including U.S. government customers of SolarWinds, that had shut those permissions off and locked down that system. Even though that would have been a high-priority target for the Russian SVR operators behind SolarWinds, they were not able to get into those networks.”
MSP Regulation
Government regulation of the MSP market is not going to come from CISA, said Wales, since it has no congressional authority to do so. He said in some industries where CISA can leverage Environmental Protection Agency regulations or Transportation Security Agency regulations to improve cybersecurity, it looks for ways to intervene.
“You are likely to see the U.S. government expand regulation in some areas, and it’s already doing that in places where it has authority but hasn’t exercised it yet,” he said. “TSA is using some of its authority over the transportation sector to put in place minimum cybersecurity standards for pipeline and rail.”
McDonald said he expects government regulation to come at some point. He also does not expect it to work. McDonald is part of a pilot-MSP security certification program at CompTIA that is based on frameworks from the Center for Internet Security.
“We’re trying to show the government that we as an industry can get it together on our own and that they need to stay out of it,” he said. “They are warning us. If we don’t get our house in order, they’re going to send a house cleaner and we’re not going to like it.”
Spencer said market forces will likely be paces ahead of any government regulations due to the speed at which technology businesses move.
“If a company like Aetna suffers a supply chain breach and it affects their bottom line, they’re going to go back and look at that and say, ‘We’re making changes. We’re going to make sure that anyone we are paying money to as a vendor of ours is going to have these minimums in place.”
McDonald did take issue with Wales on the topic of improving customer security by building better architecture into the service contract.
“That comes with a bill, and the reason it’s not included in the bill is that the customer will not pay for it. And so for them to imply that somehow IT providers need to include all of the very tedious and high- liability and high-skill requirements of advanced security without payment is crazy. That’s a disconnect. Most of the MSP community is dealing with sub-100 clients and those sub-100 clients can’t even afford insurance any more.”
While federal agencies would like to help more, Wales said improving security in the channel remains the job of the channel.
“A lot of the burden is going to remain on the industry,” he said. “That’s why we need corporate America to realize that cybersecurity is a core business risk and needs to be managed as such. This is a shared responsibility. The government is working hard to figure out what additional things it can do to help the ecosystem, but the MSPs, the cybersecurity companies, the end users, everyone has to take ownership over this.”