In March 2013, when Joseph R. Swedish became WellPoint’s CEO, he had plenty of challenges on his plate. WellPoint was competing in a rapidly changing marketplace, and had encountered a number of setbacks that had tarnished its reputation. There’s a very good chance that Mr. Swedish would not have listed the possibility of being the target of a state-sponsored cyber attack among his chief concerns.
On January 29, 2015, Anthem Inc., the newly renamed WellPoint, discovered that it was the victim of a massive data breach. The nation’s second-largest health insurer may have lost upwards of 80 million health care records, including the Social Security numbers, birthdays, street addresses, income data, and phone numbers of its customers. Speculation about the source of the attack quickly centered on China. Now, ThreatConnect, Inc., which provides threat intelligence products and services, has released a report, “The Anthem Hack: All Roads Lead to China,” that indicts individuals and groups associated with the Chinese government in the Anthem attack. The report offers an interesting read, and serves as a chilling reminder of the ever-expanding array of challenges facing corporate executives and boards. Nation states are not behind every cyber attack, but they are involved in some of the most serious and far-reaching efforts to extract valuable data from corporations.
Like Joseph Swedish, most CEOs and board members did not come to their positions expecting they would need to spend significant time and effort preparing for state-sponsored cyber attacks. But the reality of today is that nation states have learned that cybercrime does pay. Relatively inexpensively, and relatively anonymously, nation states can use cybercrime as an extremely potent economic weapon. As PwC’s 2014 US State of Cybercrime survey points out, “The cybersecurity programs of US organizations do not rival the persistence, tactical skills, and technological prowess of their potential cyber adversaries.”
It is possible that at some future point, many nations may reach an agreement that will establish boundaries governing acceptable nation-state practices in cyberspace. But we are a long way from that point. For now, corporations must continue to invest the time and resources it takes to lessen their vulnerability and enhance their response capability.
By Tom Davis, SDI Cyber Risk Practice
SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security experts, skilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.
March 3, 2015