Cyber Mercenaries and Insurance Risk

Posted by Mark Greisiger

A Q&A with Chris Rock of SIEMonster

Cyber mercenary activity—in which geopolitical states sponsor hackers and private firms to wage acts of cyber offence on other states, organizations and individual citizens—has been on the rise for at least a decade, though the wider public is only now just starting to understand its grave implications. To get a better handle on the current state of global cybersecurity affairs, we talked to professional hacker Chris Rock, CEO and founder of SIEMonster.

Why are you talking publicly about the issue of cyber mercenaries now?
After I saw The New York Times article last month about cyber mercenaries in the Middle East, I realized that a lot of the work I had been doing since 2004 was finally now being discussed more openly. The fact that governments are paying for this work and that it’s being classified as “acts of war” by insurance companies as we saw recently with the NotPetya ransomware should be of concern to insureds.

How did you first get into this line of work?
I had been a professional hacker for many years and I just happened to be in Turkey on a family visit when I got a call from one of my former customers who wanted to know if we could have a chat about a new job. I met him in the Middle East and he introduced me to my first foreign government client.

Who hires cyber mercenaries and why?
Typically, someone like myself or an Advanced Persistent Threat (APT) hacking team would be hired by a Middle Eastern state with the goal of hacking into a company. This activity would be illegal in the United States but in other nation states these companies are essentially divisions within the government, which makes it a legal activity. The government might have a suspicion that the company is selling intellectual property secrets outside of the country or doing insider trading and they want to collect information on that citizen or company to confirm whether those suspicions are correct. We would canvas the subject and go deep within the target which would include everything around the person or business, anyone that they might subcontract with, all the assets they have, and any outside email accounts or communications they might use to gain the information we need. Then we deliver the information in a brief and the client uses it as needed. The bottom line is that hackers can get any information they need and they will be paid prime dollars to do so.

Do you see this as a growing phenomenon?
Yes, it’s already quite common but I’d say it’s really only in its infancy. In the next quarter of a century we’ll see how states and other organizations wield this power. It used to be only the military could access secret information but now it’s private firms and hackers and I think we’re going to see chaos as a result within our lifetime.

What is most concerning about this activity, from a cybersecurity standpoint?
Anything hooked up to the internet puts us at risk and there are always going to be professionals out there who will be willing to work for a state entity that’s paying them for their services. We’ve already seen the Russian government tampering in the United States elections and the consequences of that. Anything is possible. Someone could be asked to crash a currency or a hedge fund that could have catastrophic effects on the economy. We could see infrastructure problems, such as a water treatment plant dumping raw sewage (which has happened before), power and pipelines being disrupted, or tampered Nuclear plants. What most people underestimate is the amount of money and tools that state-sponsored hackers have at their disposal.

How might risk managers better frame the problem?
What needs to be acknowledged is that you’re dealing with a high level of skill. We’re talking about the top one to four percent of hackers—not just a phishing syndicate from Romania. These hackers perform anti forensics on the target systems, plant other APT code making it look like script kiddie vandals, and pretend that the attack came from another country. The customer could ask us to make the attack appear to be from their neighboring country for destabilizing purposes. It’s not only about training your employees to be careful. If you look at a company with 100 employees you need to think about each of those employee’s husbands, wives, brothers, sisters and so on because the cyber mercenaries will get to them, too, and use that trusted connection to gain access to the network they need. It’s also not a matter of the size of your organization. If a credit union deals with the SWIFT banking system, a hacker might use credit union as an entry point and then it’s just a hop, skip and a jump into the banking system and suddenly your small organization is a player in the middle of an enormous operation.

What can be done to temper some of the risk associated with cyber mercenary activity?
At this point, if I had a solution, I would give it to people. My mission right now is simply to create more awareness. We just need to start thinking about all the things that could happen and be prepared for them.

In summary…
We want to thank Chris Rock of SIEMonster for shining a light on this topic. The cyber insurance community is paying attention, as the industry is expected to grow from approximately $3 billion to $6 billion in premiums over the next couple years. The notion of the highly skilled, state-funded cyber mercenary evokes fears of a “black swan” type scenario that is now all too real.  Here, Chris raises questions of tremendous value to the many cyber insurers we support. Everyone wants to forecast the severity of future events and better understand perils that can trigger systemic or aggregation risk across their book of business (i.e., the much-feared cyber hurricane).

Conversely, the businesses being insured need to stay abreast of and defend against this increasingly sophisticated threat landscape to better understand which threats might be catastrophic and/or potentially uninsurable (e.g., if a state-sponsored mercenary attack is deemed an “act of war” that falls under this policy exclusion). To this point, Chris referenced the 2017-18 NotPetya ransomware attack which resulted in a reported $100 million loss which then became part of an insurance coverage lawsuit focused, in part, on the “act of war” policy exclusion. It should be noted that the Mondelez International case pertains to a claim brought against a traditional insurance policy, and not cyber coverage. Nevertheless, the case itself has raised many interesting questions pertaining to the usage of war exclusion for future cyber events.

You can learn more about cyber mercenaries directly from Chris Rock as we are honored to have him as our keynote speaker at our upcoming NetDiligence Cyber Risk Summit in Philadelphia this June 13.