A cyberattack on a single managed service provider (MSP) or managed security service provider (MSSP) could wreak some $80 billion in economic losses across hundreds of small businesses, a new report said.
The report was issued before a supply chain cyberattack hit Kaseya's on-premises VSA software and spread ransomware-related malware to some MSPs on July 2, 2021.
According to the report, entitled The Economic Costs of Cyber Risk and issued by the Foundation for Defense of Democracies’ (FDD’s) Center on Cyber and Technology Innovation (CCTI) together with Intangic, an insurance solution provider, the economic devastation of a single attack on an MSP could exceed that wrought by Hurricane Sandy by 17 percent. The organizations used a risk-rating system developed by Intangic to estimate the economic impact of potentially seismic cyber attacks.
“A single company with deficient cybersecurity could inflict substantial harm on the U.S. government, company shareholders, the public and critical national infrastructure,” authors Chris Nolan of Intangic and Annie Fixler of FDD said. The American public is “blind to the scale of the risks” of poorly managed technology, the report said.
Here’s what they’re talking about: In a hypothetical scenario, an MSP is victimized by a phishing scheme in which the hackers gain access to its network that enables them to invade the MSP’s customers and stay for months without detection.
MSPs are particularly vulnerable as conduits for large-scale attacks, the authors wrote. Examples, not all of which are mentioned in the report, include the Kaseya attack on July 2 and the Cloud Hopper attacks, among others. (Note 1: The SolarWinds attack did not involve its MSP toolkit. Note 2: Datto took an early look at MSP infiltration three years ago.) In Kaseya's case the attack apparently involved previously unknown vulnerabilities rather than phishing.
This is what could happen next: A multi-faceted ransomware attack that could impact hundreds of entities (600 in this example) across multiple critical infrastructure and industry sectors and the entire country. Intangic's forecast: Economic losses of $77.8 billion and thousands of jobs lost.
“Today’s systemic risk pales that of the corporate accounting scandals of the late 1990s,” said Ryan Dodd, Intangic chief executive. “The American taxpayers shouldn’t have to rely on data science and massive data sets to understand how significant of a problem digital risk poses to their own financial health and the economic well-being of the nation,” he said.
What can and should be done? The report calls on legislators to act, beginning with passing a breach notification law that would mandate companies to report a cyber attack on their data and systems, said Mark Montgomery, CCTI senior director, who also serves as a senior advisor to the Cyberspace Solarium Commission. "This paper provides policymakers with data that makes clear that government action is needed to fix this market failure,” he said. “More transparency around breaches and vulnerabilities, coupled with clearer guidance for large and small businesses alike would raise the level of cybersecurity of our nation.”
Pushes in that direction are coming from the public and private sectors. Most recently, Sens. Mark Warner (D-VA), Marco Rubio (R-FL) and Susan Collins (R-ME) have drafted a bill to require federal agencies, contractors and owners of critical infrastructure to report cyber breaches to CISA within 24 hours. It’s one of only a few attempts to create a federal law mandating cyber incident reporting to the federal government. Most breach reporting has been voluntary, set at the state level and concerned with the theft of personally identifiable information.
In April, U.S. intelligence leaders pressed Congress to propose measures that would require private industry to share security breach information and other threat intelligence with the federal government. Two months earlier the House Homeland Security and the House Oversight and Reform committees called for private industry to report breaches. And the tech industry, most prominently Microsoft and other top-line cybersecurity providers, has also advocated for legislation toward that end.
The report’s actionable recommendations also include:
- Amending the Sarbanes-Oxley law, which establishes sweeping auditing and financial regulations for public companies, to include cybersecurity reporting requirements.
- Requiring breach notifications to list financial and economic loss estimates immediately following an incident.
- Requiring third-party cyber assessments.
- Providing cyber hygiene guidance for small and medium-sized businesses.
“Successful cyber attacks and ransomware against nearly every sector of the U.S. economy demonstrate to policymakers that the market has failed on its own to convince the private sector of the necessity of a minimum level of cyber hygiene,” said Montgomery.