Can a federal backstop redeem cyber insurance?

— The federal government is inching closer toward creating an emergency fund to rescue the economy from crippling cyberattacks. But there’s growing optimism that a federal insurance backstop can accomplish a whole lot more than the name implies.

HAPPY TUESDAY, and welcome to Morning Cybersecurity! Shout-out to three amazing artists I heard perform this weekend: Ayo, Ephraim Nehemiah and The New Rockwells.

If you’re reading this (doubt it), I hope you’re thinking what I thought when I saw you lay your soul on the line last Saturday: That guy there is so incredible, so passionate, I want to give it all up and do what he does!

…Or maybe you’re not that jazzed about a government fund to cover catastrophic cyber risk.

Got tips, feedback or other commentary? Send them my way at [email protected]. You can also follow @POLITICOPro and @MorningCybersec on Twitter. Full team contact info is below.

Want to receive this newsletter every weekday? Subscribe to POLITICO Pro. You’ll also receive daily policy news and other intelligence you need to act on the day’s biggest stories.

Getting back into the swing of things.

NOT JUST FOR EMERGENCIES — Between the rise in ransomware attacks and the growth in supply chain intrusions, the federal government has no shortage of reasons to begin thinking about how to insure against damages that private markets can’t — or won’t — cover on their own.

But as momentum builds for a so-called federal insurance backstop, those who have studied the idea of creating a financial cushion to steel the economy against catastrophic cyber incidents increasingly see it as a tool for doing a whole lot more than the name implies.

Beyond serving as a rainy day fund for the long-prophesied cyber deluge, researchers believe the policy could be used to restore the original promise of the cyber insurance industry, coaxing insurers into enforcing better cybersecurity practices from their clients and taking a bite out of the high sticker price that increasingly adorns cyber insurance policies.

How it would work — Beyond identifying which incidents would trigger a federal bailout and funding the program itself, legislators could set requirements for private insurers to qualify for federal support, said Sasha Romanosky, a senior policy researcher at RAND who is conducting ongoing research about the idea.

By conditioning government aid on compliance with cybersecurity standards, the federal government could needle private insurers to enforce better cyber hygiene standards over their policyholders and free up new coverage for less well-off firms, said Romanosky.

Properly constructed, the initiative could “help the cyber insurance market, reduce risk, provide information we otherwise lack, and…be a good forcing function for companies,” he said.

Avoiding the war exclusion — Legislators could also use a conditional backstop to clear up some of the legal and contractual uncertainty surrounding insurance exclusions for cyber incidents, said Bryan Cunningham, executive director of the Cybersecurity Research and Policy Institute at the University of California Irvine.

In a few notable cases, cyber insurers have argued they have no obligation to cover attacks resulting from acts of war — a standard that is difficult to adjudicate in the digital domain, where attribution is imprecise and malefactors often launch attacks outside declared conflict.

But Cunningham — who published a paper on the backstop last year — told MC that legislators could require the government to declare what incidents would qualify. Thus, it could “get rid of massive litigation risk” in private markets, preventing insurers and insureds from waging costly legal battles in the muddy trenches of cyber attribution.

What’s next — The Treasury Department’s Federal Insurance Office closed a public comment period on the cyber emergency fund in December, after the idea wormed its way from the inaugural report of the Cyberspace Solarium Commission to Congress and the White House.

But policymakers and executive branch officials have plenty left to iron out, said Romanosky, and they might opt for something far less ambitious than a highly qualified backstop — at least in the short term.

“There’s momentum, there’s impetus behind creating something,” he said. And if they want, lawmakers could always advance something simple now and “amend it later on.”

LIFE INSIDE LOCKBIT — A new report out of cybersecurity firm Analyst1 offers a rare look at the inner workings of the world’s most prolific ransomware group. Its key finding, in MC’s eyes?

The network of cybercriminals that pulls the strings behind the most devastating ransomware attacks is a bit like the Wizard of Oz: “much smaller than most people think.”

Backstory— The author of the Monday report, Jon DiMaggio, infiltrated the LockBit group by cultivating several personas on dark web forums. Working Eastern European hours out of the D.C. area, Dimaggio would use one account to establish the criminal bona fides of another, ultimately gaining enough credibility to coax sensitive information out of LockBit operators via the dark web equivalent of a heart-to-heart.

Tight-knit community — For example, DiMaggio’s research led him to the conclusion that LockBit’s leader “personally knows” the identity of key members of three other ransomware groups, as well as the former leader of the REvil ransomware gang.

DiMaggio also found that a single software engineer played an instrumental role in building the malware powering five elite cybercrime groups: BlackCat, DarkSide, BlackMatter, LockBit Black and Fin7. That could make the developer a juicy target for U.S. and international law enforcement, he argues.

Allergic to sanctions? — The incestuous nature of the ransomware ecosystem also manifested in a colorful episode from last summer, when LockBit falsely claimed to have breached cybersecurity firm Mandiant.

DiMaggio believes LockBit was lashing out because the incident response firm linked the group to EvilCorp, after the notorious cybercrime gang — which the U.S. government sanctioned in 2018 — quietly accessed the group’s encryption software.

LockBit, DiMaggio speculates, feared any public association with the entity could choke off ransom payments, a reaction that suggests U.S. sanctions policy actually carries some bite.

No honor among thieves — DiMaggio acknowledged the limitations of his research, which relies on word-of-mouth intelligence from criminals. But he believes the approach offers a unique perspective that deserves more attention from cybercrime researchers.

Human intelligence in a cyber context, he writes, offers a rare window into “the operation from the eyes of the adversary.”

SIGNS OF TROUBLE? — A top French defense official is warning that Cyber Command’s hunt forward operations offer a smokescreen for American espionage, an unsubstantiated allegation that could nonetheless undermine support for a linchpin of the Pentagon’s new defend forward strategy.

Sticks and stones — Pointing to a recent uptick in hunt forward operations — where Cyber Command detailees deploy on-site to partner nations — the head of the French Cyber Defense Command said last week that the “relatively aggressive” missions “raise questions” about the potential for follow-on intelligence gathering, French newspaper Le Monde first reported Friday.

Official comment?— U.S. Air Force Major Katrina Cheesman, a spokesperson for the Cyber National Mission Force, told MC that hunt forward operations are purely defensive in nature.

“Cyber Command and the 20-plus partner nations to which we’ve deployed over four years share a common goal: to have safe, secure networks from malicious cyber actors,” she said.

Grain of truth?— While there’s a deficit of clear information about what Cyber Command actually does on hunt forward operations, it’s clear the missions give it the potential to access sensitive data — and that the Command has to work hard to build partners’ trust.

But if hunt forward missions give Cyber Command unique insight into allied networks, that doesn’t mean U.S. digital warriors are exploiting the access for nefarious purposes. In fact, nations that invite Cyber Command onto their networks do it precisely because they want help from the U.S.

What to watch— True or not, if foreign countries begin to take the French accusations seriously, the espionage narrative could take some wind out of the sails of an increasingly popular tool of U.S. Cyber Command, which has conducted 38 hunt forward operations in 21 countries since it rolled out the new strategy in 2018.

In particular, keep an eye on Russia. Accusations of American intelligence misdeeds are catnip to Russian disinformation operatives. And as of Monday, the claims have already found their way into at least one pro-Kremlin mouthpiece.

Brian Mazanec is now the deputy assistant secretary for security, intelligence, and information management within the critical infrastructure protection division of HHS’s office of the assistant secretary for preparedness and response. (PSA: We’d all love to see your new business card, Brian.) He formerly worked as director for strategic warfare and intelligence at GAO.

A reminder to reflect on the legacy of Dr. King, per Camille Stewart Gloster, the White House’s deputy national cyber director for technology and ecosystem security.