The Case for a Federal Cyber Insurance Program

Publication year: 2021
Citation: Vol. 97

97 Nebraska L. Rev. 555. The Case for a Federal Cyber Insurance Program

The Case for a Federal Cyber Insurance Program(fn*)


TABLE OF CONTENTS


I. Introduction .......................................... 556


II. Cyber Risk Is Best Addressed by Insurance ............ 558
A. U.S. Policy Contributes to Cyber Insecurity ........ 558
1. The United States Leads in Cyber Offense ..... 558
2. U.S. Domestic Policy Fosters Cyber Insecurity. . 560
B. An Escalating, Dynamic, and Unique Risk ......... 562
C. State and Multinational Actors Increasingly Involved .......................................... 565
D. Unique Cybersecurity Issues Frustrate Policy ...... 566


III. Responses to Cyber Risk Beyond Insurance Are Failing ............................................... 571
A. The Public Law Response Is Inadequate ........... 571
B. Private Law Is Ineffective at Addressing Cyber Losses ............................................ 575
C. Public and Private Law Contradict Limiting Remedies ......................................... 576


IV. The Private Insurance Market Is Unable to Manage Cyber Risk ............................................ 576
A. The Market Is Undercapitalized ................... 576
1. Current Market Capitalization ................. 576
2. Losses Outstrip the Market .................... 578
B. Cyber Risk Management Is Uniquely Difficult ..... 579

1. From the Consumer and Business Perspective. . 579
2. From the Insurance Perspective ................ 580
C. Current Cyber Coverage Is Inadequate ............ 582
1. Coverage Not Widespread ...................... 583
2. Coverage Mirrors Regulation Instead of Risk . . . 584
3. Coverage Is Difficult to Obtain ................. 585
4. Coverage Is Expensive ......................... 587
5. Obtained Coverage Is Illusory .................. 588
6. Adequate Coverage from the Private Market Is Unsustainable ................................. 591


V. Cyber Insurance Is Vital for Cyber Risk Management. . 592
VI. Federal Cyber Insurance: A Solution to Cyber Risk Management .......................................... 593
A. Public/Private Collaboration Is Required ........... 593
B. Defining the Threat Matrix ........................ 595
C. Federal Insurance Models ......................... 596
1. Federal Backstop Insurance (TRIP and Commercial Space Law)....................... 597
2. FDIC .......................................... 599
3. NFIP .......................................... 601
D. General Benefits of National Cyber Insurance ...... 602
E. Counterpoint: Possible Negative Results of National Cyber Insurance ................................... 603


VII. Conclusion ............................................ 604


"Take back your insurance Baby nothing's guaranteed"

-Tom Petty, Bob Dylan, Mike Campbell, "Jammin' Me" (1987)

I. INTRODUCTION

Perhaps the greatest threat to U.S. national security is the cyber threat. Vast amounts of wealth are lost annually to this threat, a wealth transfer historically akin to the conquest of the New World by Spain. The lack of security in the cyber ecosystem stems from a devil's brew of foreign policy, domestic policy, and a substantial, dynamic threat. In foreign policy, the United States uses cyberattacks to great effect and leads the world as a source of cybercrime.(fn1) Domestic policy supports deregulated utilities and encourages private development of Internet and telecommunications infrastructure for convenience, speed, and utility, but not security. The U.S. economy and the breadth of its industry rely on the Internet and telecommunications infrastructure. As a market economy, most U.S. critical infrastructure is also private.(fn2) The United States, therefore, is an attractive target unable to respond adequately through its national security institutions because of its own offensive cyber operations.

Domestic cybersecurity measures have failed as well. Public law responses are fragmented and ineffective.(fn3) The Federal Trade Commission (FTC) has stepped into the void, perhaps beyond its authority, but it simply cannot address the breadth of security problems that continue to scale. Private law also fails in the cyber ecosystem, leaving individuals little recourse when personal information is lost, and businesses and government little recourse for insecure technology. The disjointed approach confuses actors and creates inconsistent incentives and uncomfortable decision-making. Basic security measures increase the possibility of government intrusion, and deterrent measures and research, like bug bounties and friendly hacking, are criminalized.(fn4)

Cyber insurance serves as an adept regulator in this policy vacuum, but it faces severe challenges that render it ineffective. The private insurance market is undercapitalized compared to large losses. Cyber risk possesses unique qualities, including interdependent security and correlated failure. Thus, cyber risk management is difficult, and the insurance industry is unable to pool risk. Because of these factors, cyber insurance is not widespread. The insurance is reactive to regulation and purchased after breaches as an alternative to security. It is hard to obtain, expensive, and limited by rigid exclusions. Coverage that is purchased will not cover many common cyberattacks. The private market for insurance may be unsustainable.

After considering U.S. policy, the nature of the threat, the failed public and private law responses, and the limitations of the private cyber insurance market, the discussion herein moves to consider a national cyber insurance program. It considers the need for public and private collaboration and examines three existing federal insurance programs. It considers federal backstop insurance, like the Terrorism Risk Insurance Program (TRIP), as a model to expand the risk pool for private insurers; the Federal Deposit Insurance Corporation (FDIC) as a model to restore faith in shaken institutions; and the National Flood Insurance Program (NFIP) as a model to address correlated failure and provide security in future development. Finally, this Comment briefly considers the possible benefits and detriments of a national cyber insurance program generally.

II. CYBER RISK IS BEST ADDRESSED BY INSURANCE

A. U.S. Policy Contributes to Cyber Insecurity

1. The United States Leads in Cyber Offense

In 1970, the Soviet Union established a new section, Directorate T within the KGB, tasked with obtaining badly needed technology from Western research and development.(fn5) Its operating arm, known as "Line X," engaged in cloak-and-dagger techniques during trips by Soviet delegations, like applying glue to shoes during a Boeing tour to obtain metal samples.(fn6) French President François Mitterrand informed Ronald Reagan in 1981 that the French had employed the services of an engineer working for Directorate T, who supplied thousands of documents on the Soviet program that included the identity of hundreds of Line X officers.(fn7) The documents revealed the success of Directorate T and that stolen technology was supporting Soviet defense.(fn8) The trove also included a Soviet technology wish list containing gas pipeline pump, turbine, and valve control software.(fn9)

The U.S.S.R.'s gas supply was critical to its internal economy and to its hard currency earnings from the West.(fn10) Accordingly, the United States engaged in efforts to block Soviet gas sales to Western Europe.(fn11) The CIA and American industry cooperated in preparing flawed software and in publishing the technology to Line X.(fn12) The software was designed to operate properly for a time before resetting pump speed and valve settings to overstress pipeline joints and welds.(fn13) The software triggered a huge explosion on a Soviet gas pipeline in Siberia in the summer of 1982.(fn14) The explosion was the largest non-nuclear explosion and fire ever observed from space.(fn15) The Soviet trust placed in stolen technology was shaken forever, and internal economic decline ultimately contributed to the Soviet collapse a few years later.(fn16) Russia, to this day, maintains that it is entitled to respond to a cyberattack with nuclear retaliation.(fn17)

Similarly, malware targeting industrial control systems caused the failure of thousands of centrifuges at uranium enrichment plants in Natanz, Iran in 2010.(fn18) Called "Stuxnet," the code targeted logic controllers that ran automated processes in the plant and damaged the operation severely enough to set the plant's capabilities back two years.(fn19) Atypical of malware and contrary to common motivations behind malware, Stuxnet targeted a specific, limited set of computers.(fn20) The use of four zero-day hacks in the malware suggests that the target was of great value to the attacker.(fn21) It was not the work of hackers, but months of work by organized programmers with significant resources.(fn22) The malware was highly specialized, and its utility intended specifically for the destruction of nuclear centrifuges.(fn23) These factors and the United States' refusal to deny responsibility strongly evidence the involvement of the United States and Israel in the development and deployment of Stuxnet.(fn24) It has been suggested that Stuxnet was designed and used intentionally for compliance with the Law of Armed Conflict (LOAC).(fn25) Beyond physically damaging...
