Russia’s assault on Ukraine has made the vulnerability of critical government and private sector infrastructure and networks to cyber attacks a pressing concern. At the onset of the invasion, the hacking of US satellite company Viasat not only beset Ukrainian defences but affected Internet users and web-connected wind farms across central Europe. Two months later, the Pipedream malware was detected in US critical infrastructure before becoming active, showing that direct attacks on a nation’s ‘nerve system’ are no longer a remote threat. In fact, there are more than twice as many Russian cyber attacks against the US than against Ukraine – a country with which it is at war (see figure 7). Germany’s Federal Office for Information Security, for one, has classified the threat level as higher than ever before. Besides Russia, China, North Korea, and Iran are the main perpetrators of state-sponsored cyber operations.
Figure 7: Countries targeted by Russian cyberattacks from July 2020 to June 2021, by location of notified customers
Ransomware has become a particular headache for both governments and companies, as criminals are increasingly extorting developing countries as well as less protected entities, such as local administrations and small businesses. The industries most affected by ransomware are manufacturing (28%), health (20%), and consumer retail (16%). Attacks are so frequent and severe that insurance companies increased premiums by 74% in 2021 alone, according to S&P Global Market Intelligence. Figure 8 shows that cyber insurance premiums in the US increased steadily from 2015 to 2021 (at an average annual growth rate of 34%), while the loss ratio – calculated by dividing direct losses and defense costs by the premiums earned – changed significantly year on year. Moreover, some insurers, such as Lloyd’s of London, have introduced comprehensive exclusion clauses that remove coverage for state-backed cyber operations, leaving affected companies to deal with the damage themselves.
Figure 8: Cyber insurance premiums earned (in $m) vs. loss ratio in the US (in %) 2015-2021
In addition to malevolent cyber activities, government policies also require firms to respond. The EU recently passed several important cybersecurity regulations, most importantly the Network and Information Security (NIS2) Directive. Other legislative initiatives include the Cyber Resilience Act, which addresses the Internet of Things, and the Digital Operational Resilience Act, which regulates the financial sector.
The NIS2 Directive considerably expands the number of entities that must meet heightened cybersecurity standards, e.g., by adding sectors such as social networking platforms and pharmaceutical companies. It also requires firms to follow strict incident reporting procedures (an initial notification within 24 hours of an incident and a more comprehensive incident report within 72 hours) and to use multi-factor authentication. In terms of more comprehensive cybersecurity risk management measures, the directive requires companies to, for instance, perform due diligence on their supply chains, implement proper encryption practices, and have business continuity and crisis management plans in place. It also sets standards for robust network segmentation between the corporate and production levels of a company. This would help to blunt a future incident like the ransomware attack on the Colonial Pipeline oil system in the US in May 2021. Set to enter into force by the end of the year, the NIS2 Directive gives member states 21 months to incorporate its provisions into national law.
European regulations focusing on the Internet of Things and financial services could be similarly effective in a market that has been only sparsely regulated and where hardware and software providers have had little incentive to provide secure equipment. Like the EU’s General Data Protection Regulation, these acts will have a wider global impact wherever companies do business with the EU.
The US, in turn, has been less resolute in regulating the cybersecurity landscape. Instead, it has taken an incentivizing approach by linking higher cybersecurity standards to the procurement of IT hardware and software by the US government. Moreover, the divide between red (Republican-run) and blue (Democrat-led) states has widened after the mid-term elections, hindering comprehensive big tech regulation at the federal level. Even so, the proposed American Data Privacy and Protection Act in its current form enjoys bipartisan support, even though Nancy Pelosi, the outgoing Speaker of the House, has so far blocked passage of the bill. She objects to the bill’s limiting effect, which would not allow states – like California, which she represents – to go beyond the federally prescribed measures. Democrats also advocate for a “private right of action” allowing individuals to sue companies for wrongdoing. Republicans, in turn, push for a baseline federal law that cannot be exceeded by the states and oppose the said “private right”.
The debate on stronger regulation comes at a crucial time when location data, search histories, and other personal information have become critical security issues. With virtually no laws restricting expansive data brokerage practices, American consumers’ personal data can currently be easily acquired by foreign intelligence agencies or criminals. This represents not only a great reputational risk to companies holding such data, but can also do real operational damage. In the end, 2023 may provide first indications of the pros and cons of both the European and American approaches to securing the cyber domain – with companies active across the Atlantic having to deal with both.