Our nation’s top security guards are all retiring to go into the cybersecurity business. Former NSA chief Keith Alexander is asking (only) $1 million/month for his cybersecurity consultations, which apparently include the use of patents he developed completely unrelated to his NSA work in his basement during his spare time.
Now, former top DHS official Tom Ridge is getting into the cybersecurity business, albeit one nowhere near as glamorous as Alexander’s rockstar-level consulting service. Instead of showing up occasionally to offer his expertise (and collect paychecks) on cyberattack preparedness, Ridge will be performing the most “everyman” of services: selling insurance.
Ridge on Monday announced a new cyber insurance package that he said should make it easier for companies to safeguard their networks and their bottom lines.
“What we have seen is the sophistication of these attacks continue to elevate,” Ridge said at a launch event in London, according to Bloomberg news service. “Who would have thought that JPMorgan, with its security budget, could be hacked into? Now a lot of people are thinking if it could happen to them, it could happen to us too.”
The first Homeland Security secretary’s new company, Ridge Insurance Solutions Company, is teaming up with the insurance giant Lloyd’s of London to sell cyber insurance coverage.
When selling insurance, the old adage “can one have too much insurance of course not better safe than sorry here is some anecdotal evidence supporting my profitable belief” is doubly true, thanks to government agencies (such as Ridge’s former employer) pushing a very fearful and apocalyptic narrative. At any moment, US businesses will be hit by “cyber Pearl Harbor” and former government officials like Ridge and Alexander are perfectly placed to take advantage of their own agencies’ previous cyberthreat marketing warnings.
Ridge makes the claim that simply offering insurance will prevent attacks, which is an odd thing to say about a purely defensive product meant to mitigate post-attack financial damage.
Ridge said the new insurance is designed to help prevent those types of attacks.
In order to obtain insurance, companies will need to make sure their cyber defenses are up to snuff, which in and of itself should make businesses more secure, he predicted.
“This is not just about insurance but helping and incentivizing companies to manage their cyber operations more effectively,” Ridge said in a statement.
Insurance policies of as much as $50 million each are available from today… The company expects to generate $40 million in premiums in the first 18 months.
True, insurance isn’t nearly as profitable if payouts are constantly being awarded. Hence the demands for up-to-snuffness. But it also helps if you’ve got a background in overselling the threat, which makes the product and its premiums seem minuscule in comparison to the potential damage. This would explain the press junket bearing headlines like “Ex-Homeland Chief Says Risk of Cyberattacks Elevated.”
So, did Ridge join the DHS with the express intent of developing a market for his post-retirement dip into the private sector waters? My tin foil hat isn’t that snug, but I’m sure his years of priming the cyberthreat pump factored heavily in his post-retirement job selection.
Here’s a statement of Ridge’s dating all the way back to 2003, as quoted in a United States Institute of Peace cyberterrorism report. [pdf]
“Terrorists can sit at one computer connected to one network and can create worldwide havoc,” cautioned Tom Ridge, director of the Department of Homeland Security, in a representative observation in April 2003. “[They] don’t necessarily need a bomb or explosives to cripple a sector of the economy or shut down a power grid.” These warnings certainly had a powerful impact on the media, on the public, and on the administration.
For instance, a survey of 725 cities conducted in 2003 by the National League of Cities found that cyberterrorism ranked alongside biological and chemical weapons at the top of a list of city officials’ fears.
The Hill points out that some critics are upset the government isn’t doing more to protect companies against cyberattacks. I’m guessing Tom Ridge (and Keith Alexander) are no longer members of that group.