U.S. needs to publicly attribute cyberattacks, former House intel chair says

Former Michigan GOP Rep and House Intelligence Committee Chairman Michael Rogers. Photo courtesy the Stimson Center

The U.S. government needs to publicly attribute cyberattacks, or it will be impossible for a private sector cybersecurity insurance market to develop, the former chairman of the House Intelligence Committee said Thursday.

“I believe that we’re going to have to have the U.S. government do attribution on attacks here if we’re going to get the insurance market to work properly,” former Michigan GOP Rep. Michael Rogers told a forum at the Stimson Center.

Rogers raised the case of a company he didn’t name, but which he said had suffered a “significant” cyber penetration “and voluntarily disclosed it, mainly because they believed and I believe as a former government official that it was the government of China that did it and stole it, now they have 109 lawsuits, and if they all win they’re in trouble. They’re going away.”

He described the victim as a “major insurance company,” but declined to elaborate.

Last year several large health insurers who cover federal employees were breached, with Chinese hackers as the main suspects and — significantly — none of the data showing up for sale on the criminal marketplaces on the dark web.

One former official who worked the insurance issue for the Department of Homeland Security noted that cyber insurance, like other policies, contains exclusions.

“Chairman Rogers oversimplifies,” said former DHS Deputy Undersecretary Bruce McConnell, now at the EastWest Institute. “Insurance companies are well aware of the threat landscape and write their coverage accordingly.”

Rogers suggested that attribution by the government might also provide some kind of legal shield for the victimized insurance company.

“If the government had publicly come out and attributed who the attacker was, it would help the defense on those lawsuits,” he noted.

“[It’s] Pretty hard for a single company to defend against a nation state that according to the U.S. Naval Academy has 800,000 cyber warriors looking at trying to get into your network,” said Rogers, who left the House of Representatives last year after a decade and a half. He was chairman of the House Intelligence Committee from 2011 to 2015.

Contact the reporter on this story via email at Shaun.Waterman@FedScoop.com, or follow him on Twitter @WatermanReports.