By Michael Brice
CrowdStrike’s recent outage sure got the tech world talking about the risks associated with a global supply chain cyberattack. Their stock certainly took quite a hit, and the long-term financial ramifications won’t be fully understood for years. And to be clear, the CrowdStrike outage was not a cyberattack, so if you had hoped your cybersecurity insurance “Contingent Business Interruption” coverage was going to cover your losses – you’re out of luck (we will talk about cyber insurance coverage in the future, but be aware: if you’re an asset manager your policy is probably NOT covering you like you think it is). No, this was a ‘software release’ mistake of epic proportions affecting 8.5 million Microsoft Windows devices worldwide and causing billions of dollars in losses. That’s a pretty big oopsy!
But why am I, a cybersecurity consultant, mentioning this in my blog when this was not a cybersecurity incident? It wasn’t phishing, it wasn’t malware – just a defective content update pushed to CrowdStrike’s Falcon sensor, an endpoint agent that runs inside the Windows kernel, which crashed every machine it landed on and took them offline. That is the part worth noting for anyone thinking about supply-chain risk: a vendor with auto-updating, kernel-level code on your fleet can take you down by mistake just as thoroughly as an attacker could on purpose.
Well, the cynic in me is concerned that this event could lead to greater oversight (more like overreach) of the tech sector by the U.S. government – a general regulatory overreach culminating in more cybersecurity regulations due to concerns about a potential “Cyber 9/11”.
While a Cyber 9/11 is a valid concern, so are additional federal regulations. We already have the Federal Risk and Authorization Management Program (FedRAMP) as well as the Cybersecurity Maturity Model Certification (CMMC) program. If you are not familiar with FedRAMP, it is a United States federal government-wide compliance program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. CMMC extends cyber requirements to the commercial vendors (defense contractors and their suppliers) that support the government. Could this type of regulation be extended to the commercial tech industry at large?
I hope not, because I don’t believe that the government is going to be able to make IT any less risky. After all, we continue to hear and see day after day that the US government has been hacked and our personal records are compromised by criminals – taken from the very people who may want to put additional regulations on private industry. And we already have the SEC with their cybersecurity regulations as well (yes, the SEC has also been hacked). And candidly, from a purely capitalistic perspective, the threat of billions of dollars of market capital loss due to an outage of the magnitude that CrowdStrike suffered is much more of a deterrent than a government fine. I think I’ve made my position clear: I am concerned and clearly against any type of governmental regulatory knee-jerk reaction to the CrowdStrike outage.
So why then am I writing about CrowdStrike?
It’s because most people are aware of the CrowdStrike outage even if they have never heard of EDR (Endpoint Detection and Response), the category of product that failed, or MDR (Managed Detection and Response), or were not affected themselves. It became the ‘shiny object’ news event that everyone heard about. But what about the billions of dollars lost every year in the US to overseas cyber wire fraud? Why aren’t we talking about that?
Well, I am, I have been, and I will continue to do so. It’s a national threat and it needs attention. Moreover, while CrowdStrike may have resulted in billions of commercial losses, at least those funds didn’t go to support organized crime and possibly global terrorism. I cannot say the same for overseas wire fraud. According to the FBI’s IC3.gov reporting, cyber wire fraud financial losses incurred each year are much greater than the CrowdStrike event; the IC3’s 2023 Internet Crime Report attributes roughly $2.9 billion in losses to business email compromise alone, the scheme behind most fraudulent wires. Moreover, there is the very likely possibility this stolen money is ultimately funding global terrorism directed at the U.S.
I’m concerned. And to make matters worse, there is no U.S. government organization that has had Congress put its ‘finger’ in that organization’s proverbial belly button with the mandate: “You are responsible to address cyber wire fraud and help the American people when they are attacked.”
If you read my blogs, you know I’ve written about cyber wire fraud quite extensively. I also speak about cyber wire fraud at conferences across the U.S. most months to help educate hedge fund managers and private equity fund managers about the financial risks posed by this extremely impactful crime. My summary is always the same: you most likely cannot procure enough cybersecurity insurance and/or Financial Institution Bond (i.e., crime policy) coverage to protect you against the potential for cyber wire fraud. Why? Because the crime is so prevalent that the insurance industry has sub-limited this coverage due to the high likelihood of a successful attack.
So, if or when you are attacked and suffer a cyber wire fraud loss – you will struggle mightily to get assistance to recover the funds. Why? Because there is no single commercial or governmental organization responsible to help you get your funds back. Good luck. Perhaps you can get help from the Secret Service, the FBI or even your local sheriff. I’m not being sarcastic. Getting cyber wire fraud assistance to recover funds in the tens of thousands, hundreds of thousands or even in the millions of dollars is pot luck at best. I know this first hand, having led scores of wire fraud forensic investigations. The recovery rate is about 10% and it always involves government individuals who get involved because they care – not because they have a legal mandate. If you’ve ever been the victim of a cyber wire fraud you know very well what I am saying.
So, if the government is spurred by the media and politics to do “something cyber related” as a result of the CrowdStrike non-cyber event, I want to use this event as a platform for Congress to address cyber wire fraud.
With that goal in mind, I am currently engaged in preliminary discussions with the staff of Congressman Andrew Garbarino of New York’s 2nd district. He is a Member of the House Homeland Security Committee and Chairman of the Subcommittee on Cybersecurity and Infrastructure Protection. I’m quite impressed that he seems to understand the magnitude and threat posed by cyber wire fraud and the lack of organizational responsibility mandated by Congress to help support the American public, and American commercial industry to respond to these attacks and prevent these funds from making their way to global terrorists.
In summary, I believe the squeaky wheel gets the oil in politics. Cyber wire fraud is a multi-billion-dollar issue which may well be funding global terrorism. And yet there is not a single government agency that is federally funded or mandated to report to Congress with the primary goal to defend and protect Americans against wire fraud. Generally, unless you identify the fraud within approximately 3 business days, the odds are not in your favor of getting your money back – odds that diminish every day that goes by after day 3. That window is not arbitrary: once the receiving account has been emptied the beneficiary bank has nothing left to freeze, and the FBI’s Financial Fraud Kill Chain, the one formal recall mechanism for international wires, can only be initiated when the fraud is reported within 72 hours of the transfer. I’m not trying to dismiss the impact of the CrowdStrike ‘oopsy’. Instead, I truly hope that the U.S. government doesn’t use this issue as an excuse to justify more regulation and rules on tech providers. Our government’s focus should be on helping businesses to combat cyber wire fraud and stop the loss of billions of dollars going overseas to criminals.