Rudolph Giuliani, President Donald Trump’s informal cybersecurity adviser, told a cyber risk conference in New York City last week that the administration has a long way to go before it can safely protect U.S. corporations as well as the civilian side of the federal government against hackers.
Speaking at the Cyber Risk Insights Conference, the 2008 U.S. presidential candidate and former New York City mayor said that “there’s a lot of work the government has to do, this administration has to do, in getting the government up to a level of security where [we] can be comfortable.”
In January, Giuliani was tapped by then-President-elect Trump to form a public-private cybersecurity task force with the assignment of producing a cybersecurity plan for the administration within three months.
Although no task force report has yet surfaced, President Trump issued an executive order on “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” on May 11. The executive order called on federal government agencies to complete cyber risk management reports, also within three months.
Asked by a participant at last week’s conference, which was held by Advisen, a risk management data firm, what the administration’s cybersecurity position was, Giuliani answered that the administration has two functions.
“One is to improve the defense for [government data], and the second is to share that information [with the private sector] to the extent that it can,” he said, and then, correcting himself, added, “not so much information, but techniques.”
The federal government “has an enormous amount of sensitive material and is as open to attack as any other sector,” he said.
Noting that “there’s so much overlap between the private sector and the government,” Giuliani said that the public-private council can benefit government cybersecurity as well as that of the private sector, “because a lot of the research and development [cybersecurity] applications are occurring in the private sector.”
At the same time, “the government defenses have not been all that good,” he said, referring to the 2015 hack of the U.S. Office of Personnel Management, which exposed potentially sensitive information connected to about 22.1 million people.
“You have a sense [from the OPM hack] that the civilian side of the government wasn’t protected in the same way that the military side of the government was protected,” said Giuliani, who is chief of the cybersecurity, privacy, and crisis management practice at Greenberg Traurig, a law firm.
For its part, private sector cyber-defense technology is lagging perilously behind the tech abilities of potential hackers. “The defense is trailing the offense by five years, maybe,” Giuliani said.
“It’s only in the last 10 to 15 years that we have really concentrated on this and made it a subject of great analysis. So it’s going to take us a while to develop,” he added.
Another participant at the conference, which focused largely on cyber insurance, asked Giuliani if cyber exposures are, in fact, an insurable risk. “Right now, it’s sure hard. An insurable risk is a risk you can quantify,” he said.
Earlier, Giuliani said that “the problem for the insurance industry is very, very dramatic” because for insurers to be able to underwrite risks, they have to be able to measure them.
To be able to do that, however, the risk has to entail historical accuracy and future predictability. “Well, right now you can’t measure this risk because it’s — believe it or not — too new,” he said.
Acknowledging that cyber risks are pervasive and systemic, Giuliani contended that “we don’t have enough experience of legal liability and damages.” While there have been cases involving cyber liability, “we haven’t had enough so that we can have a clear picture of what is reasonably predictable.”
Giuliani contrasted the difficulties cyber underwriters face in insuring a risk with the ease life insurers have in pricing their risk exposures.
Life insurers rely on actuaries who “have a lot of experience with people dying,” he added. “People have been dying since the beginning [of time], and we have a lot of data. We can’t be a hundred percent accurate, but we can be about as accurate as possible.”
At least one conference attendee disagreed with Giuliani’s dire forecast for cyber coverage.
Concerning the former mayor’s contention that because cyber risk lacks a sufficient history, cyber insurance can’t be adequately provided to corporations, Eric Jones, global manager for business risk consulting at property insurer FM Global, told CFO: “That’s not exactly true. It depends on what kind of cyber risk you’re talking about, what perspective you’re buying it from.”
Jones said, however, that he could agree with Giuliani’s point if he were referring to insurers that try to underwrite cyber risks on the basis of the historical data contained in actuarial tables. But it’s possible to underwrite the risk company by company, “from the ground up,” rather than via aggregate statistics, the consultant said.
“So cyber isn’t really different than any other perils,” Jones added. “The fundamental approach doesn’t change. It’s understanding the systems and data sets that [companies] have, and, if [they lost] any one of those things, what [would] happen to [those] businesses as a result.”