Former DHS Official Announces Plan To Sell Cyberattack Insurance

from the build-a-market-with-taxpayer-funds,-collect-upon-'retirement' dept

Fri, Oct 10th 2014 6:13am — Tim Cushing

Our nation's top security guards are all retiring to go into the cybersecurity business. Former NSA chief Keith Alexander is asking (only) $1million/month for his cybersecurity consultations, which apparently include the use of patents he developed completely unrelated to his NSA work in his basement during his spare time.

Now, former top DHS official Tom Ridge is getting into the cybersecurity business, albeit one nowhere near as glamorous as Alexander's rockstar-level consulting service. Instead of showing up occasionally to offer his expertise (and collect paychecks) on cyberattack preparedness, Ridge will be performing the most "everyman" of services: selling insurance.

Ridge on Monday announced a new cyber insurance package that he said should make it easier for companies to safeguard their networks and their bottom lines.

“What we have seen is the sophistication of these attacks continue to elevate,” Ridge said at a launch event in London, according to Bloomberg news service. “Who would have thought that JPMorgan, with its security budget, could be hacked into? Now a lot of people are thinking if it could happen to them, it could happen to us too.”

The first Homeland Security secretary’s new company, Ridge Insurance Solutions Company, is teaming up with the insurance giant Lloyd’s of London to sell cyber insurance coverage.

When selling insurance, the old adage "can one have too much insurance of course not better safe than sorry here is some anecdotal evidence supporting my profitable belief" is doubly true, thanks to government agencies (such as Ridge's former employer) pushing a very fearful and apocalyptic narrative. At any moment, US businesses will be hit by "cyber Pearl Harbor" and former government officials like Ridge and Alexander are perfectly placed to take advantage of their own agencies' previous cyberthreat ~~marketing~~ warnings.

Ridge makes the claim that simply offering insurance will prevent attacks, which is an odd thing to say about a purely defensive product meant to mitigate post-attack financial damage.

Ridge said the new insurance is designed to help prevent those types of attacks.

In order to obtain insurance, companies will need to make sure their cyber defenses are up to snuff, which in and of itself should make businesses more secure, he predicted.

"This is not just about insurance but helping and incentivizing companies to manage their cyber operations more effectively,” Ridge said in a statement.

Ah. But mostly about insurance.

Insurance policies of as much as $50 million each are available from today... The company expects to generate $40 million in premiums in the first 18 months.

True, insurance isn't nearly as profitable if payouts are constantly being awarded. Hence the demands for up-to-snuffness. But it also helps if you've got a background in overselling the threat, which makes the product and its premiums seem miniscule in comparison to the potential damage. This would explain the press junket bearing headlines like "Ex-Homeland Chief Says Risk of Cyberattacks Elevated."

So, did Ridge join the DHS with the express intent of developing a market for his post-retirement dip into the private sector waters? My tin foil hat isn't that snug, but I'm sure his years of priming the cyberthreat pump factored heavily in his post-retirement job selection.

Here's a statement of Ridge's dating all the way back to 2003, as quoted in a United States Institute of Peace cyberterrorism report. [pdf]

“Terrorists can sit at one computer connected to one network and can create worldwide havoc,” cautioned Tom Ridge, director of the Department of Homeland Security, in a representative observation in April 2003. “[They] don’t necessarily need a bomb or explosives to cripple a sector of the economy or shut down a power grid.” These warnings certainly had a powerful impact on the media, on the public, and on the administration.

For instance, a survey of 725 cities conducted in 2003 by the National League of Cities found that cyberterrorism ranked alongside biological and chemical weapons at the top of a list of city officials’ fears.

The Hill points out that some critics are upset the government isn't doing more to protect companies against cyberattacks. I'm guessing Tom Ridge (and Keith Alexander) are no longer members of that group.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: cyberattack, dhs, insurance, tom ridge

28 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

That One Guy (profile), 10 Oct 2014 @ 4:19am

That sounds about right
“Terrorists can sit at one computer connected to one network and can create worldwide havoc,” cautioned Tom Ridge, director of the Department of Homeland Security, in a representative observation in April 2003. “[They] don’t necessarily need a bomb or explosives to cripple a sector of the economy or shut down a power grid.” These warnings certainly had a powerful impact on the media, on the public, and on the administration.

I actually completely agree with him here, however somehow I doubt the 'terrorists' he's thinking of, and the 'terrorists' I'm thinking of when I read that are one and the same.
[ link to this | view in thread ]
Anonymous Coward, 10 Oct 2014 @ 6:32am

This is actually scary
Insurance had a tendency to become required by the state.

Once that happens, the next bailout will come with strings attached. In an effort to lower insurance risks, the feds will insist on more monitoring and sharing of internet data.
[ link to this | view in thread ]
Anonymous Coward, 10 Oct 2014 @ 6:34am

Re: This is actually scary
Think TSA on the internet toobz.
[ link to this | view in thread ]
Anonymous Coward, 10 Oct 2014 @ 6:38am

I can see where this is all headed. Congress will pass a law requiring all individuals and companies purchase cyberinsurance (a 'mandate' if you will) or face a penalty ('not a tax' - or is it?). One will be able to buy insurance on a government-run exchange called 'cyberinsurance.gov' - only the webpage will have terrible cybersecurity practices. In no way shape or form would this be an excuse for insurance companies to rake in taxpayer dollars in the form of subsidies.
[ link to this | view in thread ]
Anonymous Coward, 10 Oct 2014 @ 6:47am

1984
After the Homeland Security head Michael Chertoff made a fortune after leaving the government by starting his own "consulting" business (actually a backdoor lobby), it was only natural for Tom Ridge to follow Chertoff's path and also try to cash in on his government "service" by lining up as customers many of the same corporations he previously gave favorable treatment to as a government official.

re: United States Institute of "Peace"

We shouldn't forget that the United States Institute of "Peace" had the the notorious racist and warmonger Daniel Pipes on its board. In true "1984" style, these organizations typically name themselves the opposite of what they actually are.
[ link to this | view in thread ]
TheResidentSkeptic (profile), 10 Oct 2014 @ 6:53am

And cyberattacks will happen.
Count on it. Random attacks will happen just to prove that the insurance was needed. There will be stories of payouts from the massive damage (take our word for it... there really was massive damage that no one can see because it has been classified by our insurance company "Cyber Response Action Partner".) Then stories of "This is what happens when you don't have our insurance". Their great-grandfathers from Brooklyn would be so proud.
[ link to this | view in thread ]
David, 10 Oct 2014 @ 6:54am

I think you miss the actual business model
But it also helps if you've got a background in overselling the threat,

It particularly helps if you've got a background in being the threat.

It's the way the Mafia sells insurance.
[ link to this | view in thread ]
Anonymous Coward, 10 Oct 2014 @ 6:58am

Sell the Terrorism Snake Oil then profit from the havoc , great plan there guys , I wonder how long it'll take them to start paying people to launch full scale attacks on networks, Maybe they already have, sadly I doubt nothing from these criminals now.

The next big thing will be forfeiture insurance , Pulled over by thieving Law Enforcement protect your cash and property with one of our comprehensive insurance policies.
[ link to this | view in thread ]
Anonymous Coward, 10 Oct 2014 @ 6:59am

There's a silver lining. If before you get such an insurance, you have to pass an "up to snuff-ness" test, then the standard for security in companies should become a lot higher - otherwise they won't accept them in the first place, since they don't want to end up paying them billions of dollars when they get hacked.
[ link to this | view in thread ]
Anonymous Coward, 10 Oct 2014 @ 7:09am

cue a false flag cyber attack if this gets rejected. Since committing a crime to get your out of control governmental agencies motions passed is the norm in your god forsaken country these days.
[ link to this | view in thread ]
Anonymous Coward, 10 Oct 2014 @ 7:17am

Re:
It will become higher, aside from the backdoors the insurance company will make them keep...
I can't believe I've become this cynical.
[ link to this | view in thread ]
Anonymous Coward, 10 Oct 2014 @ 7:18am

The worst threat to cybersecurity is the companies themselves.
How often have we heard that an attack is due to huge lapses in security? Even the huuuuge companies ignore warnings from white-hat hackers and security experts until something actually happens; big security budget or not.
How about we actually start punishing those companies with large amounts of public information and that has well known security holes before information is leached. Fines so relatively large that it won't be financially sound to pay up after the fact instead of keeping security up to date.
No those who needs insurance are the people who can find their personal information for sale to the lamest bidder.
[ link to this | view in thread ]
seal, 10 Oct 2014 @ 7:18am

Say, that's a nice little domain you got there - wouldn't want anything to happen to it.
[ link to this | view in thread ]
Anonymous Coward, 10 Oct 2014 @ 7:21am

Cyber security insurance? That is one of the most stupid fucking ideas I have ever heard of. Talk about a digital snake-oil salesman.
[ link to this | view in thread ]
That Anonymous Coward (profile), 10 Oct 2014 @ 7:26am

How much do they pay if the NSA breaks in?
[ link to this | view in thread ]
Anonymous Coward, 10 Oct 2014 @ 7:36am

"Sell the Terrorism Snake Oil then profit from the havoc."

Is this any worse than Michael Chertoff's revolving door turnaround? As DHS secretary, he was a strong advocate for those naked body scanning machines that every airport is required to have. Then as a private citizen, he was on the companys payroll.

But honestly, is there anyone in government that does not cash in when they leave office? Like it or not, it's become as American as baseball and apple pie.
[ link to this | view in thread ]
John Fenderson (profile), 10 Oct 2014 @ 7:41am

The other problem
Aside from others have pointed out about them hyping up the fear and then using this scheme to profit from it, how much do you want to bet that a part of being considered "up to snuff" is to take part in any and all government information-sharing schemes?
[ link to this | view in thread ]
John Fenderson (profile), 10 Oct 2014 @ 7:43am

Re:
Not worse at all.

"Like it or not, it's become as American as baseball and apple pie."

Yes, it's common. So what? That in no way means it's acceptable or that we have to be OK with it. I, for one, can never be OK with corruption.
[ link to this | view in thread ]
Anonymous Coward, 10 Oct 2014 @ 7:45am

Re:
"But honestly, is there anyone in government that does not cash in when they leave office? Like it or not, it's become as American as baseball and apple pie."

everyone of his peers doing It ,still doesn't make it right.

I've lost the ability to hold my head up high as a Proud American.
[ link to this | view in thread ]
DannyB (profile), 10 Oct 2014 @ 8:34am

A government official suggesting you should have insurance against a cyber attack is like the mob suggesting you should have insurance against your business burning down.
[ link to this | view in thread ]
Ninja (profile), 10 Oct 2014 @ 9:06am

Re: That sounds about right
I actually think he should offer how to make their stuff dumb-proof, charge millions and simply disconnect goddamn critical systems from the Internet.
[ link to this | view in thread ]
Anonymous Coward, 10 Oct 2014 @ 9:32am

That insurance won't be worth the virtual paper it's written on.
[ link to this | view in thread ]
PlagueSD (profile), 10 Oct 2014 @ 10:18am

Ridge Insurance Solutions Company, is teaming up with the insurance giant Lloyd’s of London

I wonder what they're going to call themselves...

RISC - LoL
[ link to this | view in thread ]
Zonker, 10 Oct 2014 @ 1:59pm

Re:
s/if/when/
[ link to this | view in thread ]
GEMont (profile), 12 Oct 2014 @ 12:14am

Retirement plan for successful thieves
What none of these Ex-Spy-Guys are telling you however, is that the gang of cyber-terrorists they are "protecting" you from, is the gang they used to work for.

Extrapolation:

The NSA is not at all worried about its retiring employees aiding the American Business Community in keeping secrets from the NSA, because the tech that these employees bring to the table is years old and obsolete and has been replaced with stuff that can't be stopped by the methods that these ex-employees can provide.

But, because the American Business Community does not know this, its a great retirement fund for old spies to dip into, to help pay for that castle in Spain, the 120 foot yacht and that nasty nose-killing habit they picked up during stake-outs and stalking bouts.

---
[ link to this | view in thread ]
Anonymous Coward, 13 Oct 2014 @ 10:20am

I agree.
[ link to this | view in thread ]
GEMont (profile), 13 Oct 2014 @ 3:58pm

Re:
"I agree."

Thanks. Can't remember the last time I heard that. :)
[ link to this | view in thread ]
Mark Noo, 14 Oct 2014 @ 10:56am

He's just following Al Gore's business model with environmental warming.
Since it is most likely true, why not capitalize on it. Fear mongering is an important tool in a capitalist society.
[ link to this | view in thread ]