A few weeks ago, a friend was about to have life-saving brain surgery in Boston when her operation was suddenly cancelled. The reason? A unit of UnitedHealth, the gigantic American conglomerate, suffered a ransomware attack, preventing the insurance payments.
Thankfully, her operation eventually took place. Meanwhile, the entity in question — Change Healthcare — is restoring its systems, after reportedly paying a $22mn ransom to the BlackCat hacker group. But investors should pay close attention. On Tuesday, UnitedHealth reported an $872mn first-quarter hit from the attack — and warned this could double to an eye-popping $1.6bn (not least because the gang are now reportedly creating continuing headaches for the company).
Cyber experts say this is just the tip of an iceberg of risks. That could create more public shocks. However, it could also force investors and corporate leaders to rethink their relationship with the government on cyber issues — and their concept of fiduciary duty in a free-market system.
“We are extraordinarily concerned [about hacks] — it is a national emergency,” Matt Hartman, a top official at America’s Cybersecurity and Infrastructure Security Agency, told a Vanderbilt University conference this week. He noted that “nation state actors” and “ransomware teams” were “locking in” on healthcare and other infrastructure.
A cynic might argue that such warnings are not new. On the contrary, as the IMF’s latest financial stability review noted, “the number of cyber incidents, especially of a malicious nature, has increased sharply over the past two decades”.
However, three issues are causing particular alarm. First, hacks have surged since Russia’s invasion of Ukraine. Second, criminal ransomware gangs, often linked to Russia, are increasingly targeting poorly protected corporate vendors and subsidiaries.
Third, according to US officials, the Chinese government in particular is intensifying attacks and — most crucially — changing their nature. Previously, these focused on espionage and/or intellectual property theft but now “prepositioning” strategies with so-called “living off the land” techniques are proliferating. In plain English: hackers secretly install themselves inside infrastructure and lie low, so they can create massive future disruption if — or when — desired.
This “prepositioning” is hard to see. However, US officials recently revealed one such incident around a so-called “Volt Typhoon” Chinese hack. Security experts fear that this threat is now far bigger than the more visible ransomware issue. “The People’s Republic of China represents the most critical threat [among cyber risks],” General Timothy Haugh, head of US cyber command, told the Vanderbilt event. Or as David Frederick of the National Security Agency echoed: “You cannot overstate the critical mass of prepositioning and attack capabilities.”
In response, the NSA, CIA and Department of Defense are now scrambling to create better collaboration with the corporate world around cyber defences. “Partnership is the only way to do it,” says Sheetal Patel, a top CIA official.
However, this is creating four big — and unresolved — flashpoints. First: the insurance sector is continuing to pay large ransoms to hackers, on behalf of companies, even though the governments of countries such as the US and UK have urged them to stop, arguing that this encourages more attacks. Second, although national security officials want stricter controls around how companies choose vendors and suppliers, this type of state interference tends to be anathema to the C-suite, who have, after all, been trained to expect freedom in boosting profits.
Third, the C-suite also tends to hate another idea mooted in Congress this week: tighter controls on corporate merger and acquisition activity to reduce cyber risks. More specifically, there is bipartisan concern that one factor behind the UnitedHealth saga is excessive industry consolidation. Finally, shareholders and their proxy advisers have been slow to impose proper accountability on cyber issues on companies, even though US government officials are pressing for this.
That might reflect their lack of expertise but I suspect the real problem is cultural. The free-market capitalist mantra that proliferated in the late 20th century does not readily accept state interference; it focuses on individual profits, not public goals. Or, as the IMF report tartly notes: “Private incentives to address cyber risks may differ from the socially optimal level of cyber security, making public intervention necessary.”
This might change, as the situation intensifies. This week, the IMF warned that cyber attacks could create serious financial stability risks, noting that “the probability of a firm experiencing an extreme loss of $2.5bn as a result of a cyber incident” had now risen to “about once every 10 years”. Yikes.
The CIA’s Patel says more companies are waking up to the dangers. “Since the Russia-Ukraine conflict, the private sector has been much more forward-leaning,” she notes. However, the grim consensus among US security officials is that unless — or until — an attack occurs that is dramatically bigger and more painful, there is unlikely to be the level of corporate collaboration needed. That is alarming for politicians and the public. It should scare investors too.