Former DHS Official Announces Plan To Sell Cyberattack Insurance

from the build-a-market-with-taxpayer-funds,-collect-upon-'retirement' dept

Our nation's top security guards are all retiring to go into the cybersecurity business. Former NSA chief Keith Alexander is asking (only) $1 million/month for his cybersecurity consultations, which apparently include the use of patents he developed completely unrelated to his NSA work in his basement during his spare time.

Now, former top DHS official Tom Ridge is getting into the cybersecurity business, albeit one nowhere near as glamorous as Alexander's rockstar-level consulting service. Instead of showing up occasionally to offer his expertise (and collect paychecks) on cyberattack preparedness, Ridge will be performing the most "everyman" of services: selling insurance.

Ridge on Monday announced a new cyber insurance package that he said should make it easier for companies to safeguard their networks and their bottom lines.

“What we have seen is the sophistication of these attacks continue to elevate,” Ridge said at a launch event in London, according to Bloomberg news service. “Who would have thought that JPMorgan, with its security budget, could be hacked into? Now a lot of people are thinking if it could happen to them, it could happen to us too.”

The first Homeland Security secretary’s new company, Ridge Insurance Solutions Company, is teaming up with the insurance giant Lloyd’s of London to sell cyber insurance coverage.

When selling insurance, the old adage "can one have too much insurance of course not better safe than sorry here is some anecdotal evidence supporting my profitable belief" is doubly true, thanks to government agencies (such as Ridge's former employer) pushing a very fearful and apocalyptic narrative. At any moment, US businesses will be hit by "cyber Pearl Harbor" and former government officials like Ridge and Alexander are perfectly placed to take advantage of their own agencies' previous cyberthreat marketing warnings.

Ridge makes the claim that simply offering insurance will prevent attacks, which is an odd thing to say about a purely defensive product meant to mitigate post-attack financial damage.

Ridge said the new insurance is designed to help prevent those types of attacks.

In order to obtain insurance, companies will need to make sure their cyber defenses are up to snuff, which in and of itself should make businesses more secure, he predicted.

“This is not just about insurance but helping and incentivizing companies to manage their cyber operations more effectively,” Ridge said in a statement.

Ah. But mostly about insurance.

Insurance policies of as much as $50 million each are available from today... The company expects to generate $40 million in premiums in the first 18 months.

True, insurance isn't nearly as profitable if payouts are constantly being awarded. Hence the demands for up-to-snuffness. But it also helps if you've got a background in overselling the threat, which makes the product and its premiums seem minuscule in comparison to the potential damage. This would explain the press junket bearing headlines like "Ex-Homeland Chief Says Risk of Cyberattacks Elevated."

So, did Ridge join the DHS with the express intent of developing a market for his post-retirement dip into the private sector waters? My tin foil hat isn't that snug, but I'm sure his years of priming the cyberthreat pump factored heavily in his post-retirement job selection.

Here's a statement of Ridge's dating all the way back to 2003, as quoted in a United States Institute of Peace cyberterrorism report. [pdf]

“Terrorists can sit at one computer connected to one network and can create worldwide havoc,” cautioned Tom Ridge, director of the Department of Homeland Security, in a representative observation in April 2003. “[They] don’t necessarily need a bomb or explosives to cripple a sector of the economy or shut down a power grid.” These warnings certainly had a powerful impact on the media, on the public, and on the administration.

For instance, a survey of 725 cities conducted in 2003 by the National League of Cities found that cyberterrorism ranked alongside biological and chemical weapons at the top of a list of city officials’ fears.

The Hill points out that some critics are upset the government isn't doing more to protect companies against cyberattacks. I'm guessing Tom Ridge (and Keith Alexander) are no longer members of that group.

Reader Comments


  • That One Guy (profile), 10 Oct 2014 @ 4:19am

    That sounds about right

    “Terrorists can sit at one computer connected to one network and can create worldwide havoc,” cautioned Tom Ridge, director of the Department of Homeland Security, in a representative observation in April 2003. “[They] don’t necessarily need a bomb or explosives to cripple a sector of the economy or shut down a power grid.” These warnings certainly had a powerful impact on the media, on the public, and on the administration.

    I actually completely agree with him here, however somehow I doubt the 'terrorists' he's thinking of, and the 'terrorists' I'm thinking of when I read that are one and the same.

    • Ninja (profile), 10 Oct 2014 @ 9:06am

      Re: That sounds about right

      I actually think he should offer how to make their stuff dumb-proof, charge millions and simply disconnect goddamn critical systems from the Internet.

  • Anonymous Coward, 10 Oct 2014 @ 6:32am

    This is actually scary

    Insurance had a tendency to become required by the state.

    Once that happens, the next bailout will come with strings attached. In an effort to lower insurance risks, the feds will insist on more monitoring and sharing of internet data.

  • Anonymous Coward, 10 Oct 2014 @ 6:38am

    I can see where this is all headed. Congress will pass a law requiring all individuals and companies purchase cyberinsurance (a 'mandate' if you will) or face a penalty ('not a tax' - or is it?). One will be able to buy insurance on a government-run exchange called 'cyberinsurance.gov' - only the webpage will have terrible cybersecurity practices. In no way shape or form would this be an excuse for insurance companies to rake in taxpayer dollars in the form of subsidies.

  • Anonymous Coward, 10 Oct 2014 @ 6:47am

    1984

    After the Homeland Security head Michael Chertoff made a fortune after leaving the government by starting his own "consulting" business (actually a backdoor lobby), it was only natural for Tom Ridge to follow Chertoff's path and also try to cash in on his government "service" by lining up as customers many of the same corporations he previously gave favorable treatment to as a government official.


    re: United States Institute of "Peace"

    We shouldn't forget that the United States Institute of "Peace" had the notorious racist and warmonger Daniel Pipes on its board. In true "1984" style, these organizations typically name themselves the opposite of what they actually are.

  • TheResidentSkeptic (profile), 10 Oct 2014 @ 6:53am

    And cyberattacks will happen.

    Count on it. Random attacks will happen just to prove that the insurance was needed. There will be stories of payouts from the massive damage (take our word for it... there really was massive damage that no one can see because it has been classified by our insurance company "Cyber Response Action Partner".) Then stories of "This is what happens when you don't have our insurance". Their great-grandfathers from Brooklyn would be so proud.

  • David, 10 Oct 2014 @ 6:54am

    I think you miss the actual business model

    But it also helps if you've got a background in overselling the threat,

    It particularly helps if you've got a background in being the threat.

    It's the way the Mafia sells insurance.

  • Anonymous Coward, 10 Oct 2014 @ 6:58am

    Sell the Terrorism Snake Oil then profit from the havoc, great plan there guys, I wonder how long it'll take them to start paying people to launch full scale attacks on networks, Maybe they already have, sadly I doubt nothing from these criminals now.

    The next big thing will be forfeiture insurance, Pulled over by thieving Law Enforcement protect your cash and property with one of our comprehensive insurance policies.

  • Anonymous Coward, 10 Oct 2014 @ 6:59am

    There's a silver lining. If before you get such an insurance, you have to pass an "up to snuff-ness" test, then the standard for security in companies should become a lot higher - otherwise they won't accept them in the first place, since they don't want to end up paying them billions of dollars when they get hacked.

    • Anonymous Coward, 10 Oct 2014 @ 7:17am

      Re:

      It will become higher, aside from the backdoors the insurance company will make them keep...
      I can't believe I've become this cynical.

  • Anonymous Coward, 10 Oct 2014 @ 7:09am

    cue a false flag cyber attack if this gets rejected. Since committing a crime to get your out of control governmental agencies motions passed is the norm in your god forsaken country these days.

  • Anonymous Coward, 10 Oct 2014 @ 7:18am

    The worst threat to cybersecurity is the companies themselves.

    How often have we heard that an attack is due to huge lapses in security? Even the huuuuge companies ignore warnings from white-hat hackers and security experts until something actually happens; big security budget or not.
    How about we actually start punishing those companies with large amounts of public information and that has well known security holes before information is leached. Fines so relatively large that it won't be financially sound to pay up after the fact instead of keeping security up to date.
    No, those who need insurance are the people who can find their personal information for sale to the lamest bidder.

  • seal, 10 Oct 2014 @ 7:18am

    Say, that's a nice little domain you got there - wouldn't want anything to happen to it.

  • Anonymous Coward, 10 Oct 2014 @ 7:21am

    Cyber security insurance? That is one of the most stupid fucking ideas I have ever heard of. Talk about a digital snake-oil salesman.

  • That Anonymous Coward (profile), 10 Oct 2014 @ 7:26am

    How much do they pay if the NSA breaks in?

  • Anonymous Coward, 10 Oct 2014 @ 7:36am

    "Sell the Terrorism Snake Oil then profit from the havoc."

    Is this any worse than Michael Chertoff's revolving door turnaround? As DHS secretary, he was a strong advocate for those naked body scanning machines that every airport is required to have. Then as a private citizen, he was on the company's payroll.

    But honestly, is there anyone in government that does not cash in when they leave office? Like it or not, it's become as American as baseball and apple pie.

    • John Fenderson (profile), 10 Oct 2014 @ 7:43am

      Re:

      Not worse at all.

      "Like it or not, it's become as American as baseball and apple pie."

      Yes, it's common. So what? That in no way means it's acceptable or that we have to be OK with it. I, for one, can never be OK with corruption.

    • Anonymous Coward, 10 Oct 2014 @ 7:45am

      Re:

      "But honestly, is there anyone in government that does not cash in when they leave office? Like it or not, it's become as American as baseball and apple pie."

      Every one of his peers doing it still doesn't make it right.

      I've lost the ability to hold my head up high as a Proud American.

  • John Fenderson (profile), 10 Oct 2014 @ 7:41am

    The other problem

    Aside from what others have pointed out about them hyping up the fear and then using this scheme to profit from it, how much do you want to bet that a part of being considered "up to snuff" is to take part in any and all government information-sharing schemes?

  • DannyB (profile), 10 Oct 2014 @ 8:34am

    A government official suggesting you should have insurance against a cyber attack is like the mob suggesting you should have insurance against your business burning down.

  • Anonymous Coward, 10 Oct 2014 @ 9:32am

    That insurance won't be worth the virtual paper it's written on.

  • PlagueSD (profile), 10 Oct 2014 @ 10:18am

    Ridge Insurance Solutions Company, is teaming up with the insurance giant Lloyd’s of London


    I wonder what they're going to call themselves...

    RISC - LoL

  • GEMont (profile), 12 Oct 2014 @ 12:14am

    Retirement plan for successful thieves

    What none of these Ex-Spy-Guys are telling you however, is that the gang of cyber-terrorists they are "protecting" you from, is the gang they used to work for.

    Extrapolation:

    The NSA is not at all worried about its retiring employees aiding the American Business Community in keeping secrets from the NSA, because the tech that these employees bring to the table is years old and obsolete and has been replaced with stuff that can't be stopped by the methods that these ex-employees can provide.

    But, because the American Business Community does not know this, it's a great retirement fund for old spies to dip into, to help pay for that castle in Spain, the 120 foot yacht and that nasty nose-killing habit they picked up during stake-outs and stalking bouts.

  • Anonymous Coward, 13 Oct 2014 @ 10:20am

    I agree.

  • Mark Noo, 14 Oct 2014 @ 10:56am

    He's just following Al Gore's business model with environmental warming.
    Since it is most likely true, why not capitalize on it. Fear mongering is an important tool in a capitalist society.
