Cyber Risk Wednesday: October 23, 2013
Upcoming SlideShare
Loading in...5
×

Like this? Share it with your network

Share

Cyber Risk Wednesday: October 23, 2013

  • 747 views
Uploaded on

Join us every third Wednesday of the month for interactive discussions on the hottest topic in cyber.

Join us every third Wednesday of the month for interactive discussions on the hottest topic in cyber.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
747
On Slideshare
316
From Embeds
431
Number of Embeds
5

Actions

Shares
Downloads
9
Comments
0
Likes
0

Embeds 431

http://www.atlanticcouncil.org 425
http://translate.googleusercontent.com 3
http://webcache.googleusercontent.com 1
https://twitter.com 1
http://www.acus.org 1

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Global Aggregation of Cyber Risks: “Finding Cyber Sub-Prime” Cyber Risk Wednesdays 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
  • 2. Global Aggregation of Cyber Risks • Push by Martin Senn to be thought leader in cyber risk management, – Understand, not protect, from cyber risks – Not necessarily tied to immediate insurance products • Funded by Zurich Insurance for ~1-year effort – Under think tank, not commercial, agreement • Result in report on global pools of cyber risk, understandable to boards, other executives • Major launch event in 2Q2014 23 October 2013 Global Aggregation of Cyber Risk Zurich and Atlantic Council 2 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
  • 3. Traditional Cyber Threats “Cyber” just means interconnected IT, but that increasingly means everything Common Terms: • Intrusion, hack • Cybercrime • Carders • Russia, East Europe • Stolen identity, credit cards, records • Extortion Internet Criminals Steal individual records with personal info to sell Corporation X 23 October 2013 Hactivists Spies Militaries Global Aggregation of Cyber Risk Zurich and Atlantic Council 3 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
  • 4. Traditional Cyber Threats Common Terms: • Intrusion, hack • DDoS (distributed denial of service) • Anonymous • Patriotic hackers Internet Criminals Hactivists Disrupt network or steal sensitive or embarrassing info Corporation X 23 October 2013 Global Aggregation of Cyber Risk Zurich and Atlantic Council Spies Militaries 4 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
  • 5. Traditional Cyber Threats Common Terms: • Intrusion, hack • IP Theft • China • Advanced Persistent Threat Internet Criminals Steal R&D, business plans or negotiating strategies Corporation X 23 October 2013 Hactivists Spies Militaries Global Aggregation of Cyber Risk Zurich and Atlantic Council 5 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
  • 6. Traditional Cyber Threats Common Terms: • Stuxnet • Shamoon • Iran, US, China • Cyber war, cyber conflict Internet X Criminals Disrupt network or systems or even upstream Internet – very rare Corporation X 23 October 2013 Global Aggregation of Cyber Risk Zurich and Atlantic Council Hactivists Spies Militaries 6 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
  • 7. Non-Traditional Cyber Threats The Cloud 23 October 2013 7 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
  • 8. But This is All At the Level of Individual Organization What About the Systemic Risks? Mainstream cyber risk management is markedly similar to that for financial prior to 2008! 23 October 2013 Global Aggregation of Cyber Risk Zurich and Atlantic Council 8 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
  • 9. Cyber Sub-Prime • Cyber is in the same place finance was prior to 2008 • Examination of cyber risk pools • Analysis of key factors • Recommendations 23 October 2013 Global Aggregation of Cyber Risk Zurich and Atlantic Council 9 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
  • 10. Cyber Sub-Prime Cyber is in the same place finance was prior to 2008 • Risk only examined one organization at a time • Risks passed outside organization into unknown pools • Little if any governance of the system as a whole and complex interdependencies ignored • Led to catastrophic global failure, even for those organization which handled internal risks correctly! • We are heading for similar fate with global aggregation of cyber risk 23 October 2013 Global Aggregation of Cyber Risk Zurich and Atlantic Council 10 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
  • 11. Overlapping Pools of Systemic Cyber Risk 1 A 0 1 1C 0 T 1 0 0 Y 0 0 0 0 1 L 1 1 1B 0A 0 0 0E 1N 1 1 1 R 0 0 0 0 • Electrical, finance • Conflicts, malware pandemics1 1 T 0 1 • Bandwidth and Internet infrastructure • States: China, Russia,0US 1 0 0 S I like IXPs, submarine cables, security • Non-states: Activists, 0 C 0 0 0 T 1 1 1 tokens Anonymous, organized crime 1 A 0 0 0 • Embedded devices: ICS, SCADA • Intrusion, disruption, theft of 0 1 C 0 1 1T • Some key companies: MSFT IP, espionage 0O 1 0 0E • Networking standards like BGP and DNS 1 0 1 1 • Internet governance C 0U 0 0 0 1 N 1 1 1R 0 C 0 0 0A 1 1 1 1 F 0 I 0 0 0 1 L 0 1 1T 0 1 1 0 01 1 0 0 1 10 0 1 1 0 01 China • Desktop, server, data 1 0 0 0 0 1 Counterfeit centers, networks, 1 0 1 1 1 0 security components, • Software: in-house, legacy, 0 1 0 0 1 0 software custom, commercial,1open 1 1 1 0 1 0 1 1 0 00 Global logistics chain source, 1 0 0 1 11 • Internet of everything and digital economy 0 1 1 0 00 largely w/o human intervention 1 1 0 1 11 • Embedded medical, human enhancement, 0 1 1 0 00 11 driverless cars, etc 0 1 0 0 01 Upstream Infrastructure Outsourced and Contract • China, India • Manufacturing • Professional: HR, legal, accounting, consultancy • Defense industrial base Supply Chain Counterparties and Partner • • • • Trusted interconnections • Dependence External Shocks Internal Enterprise Disruptive Tech
  • 12. Highest Hazard Notional Quad Chart Disruptive Tech Every year, technology and business processes push us further up and to the right! Lowest Hazard Supply Chain External Shocks Upstream Infrastructure Mitigated government action, resilience, standards, regulations Outsourced and Contract Counterparties and Partner Internal Enterprise Mitigated by risk management, resilience contracts, SLAs, MOUs Most Control 23 October 2013 Global Aggregation of Cyber Risk Zurich and Atlantic Council Least Control 12 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
  • 13. Analysis: The Upside • Few if any single shocks could affect cyberspace in any way that could transfer into a strategic shock to the global economy • Defenders are excellent at responding • System has been extremely resilient day-to-day and year-to-year 23 October 2013 Global Aggregation of Cyber Risk Zurich and Atlantic Council 13 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
  • 14. Analysis: The Downside • Three separate vulnerabilities: interconnectedness and complexity, lack of transparency, and lack of either local control or system-wide governance – Everything increasingly interdependent in unknowable ways – Tech and business models continue to push major risks away from management understanding and control – No system-wide governance – In the face of catastrophic failures, not clear who would be in charge or what levers they could use – Few backup paths for crisis communication or manual workarounds 23 October 2013 Global Aggregation of Cyber Risk Zurich and Atlantic Council 14 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
  • 15. Therefore • Main concern is a failure of key multiple key elements could lead to cascading failures – Where is the next Lehman? The next subprime? Expected future: Organizations will suffer ever more frequent shocks like natural disasters … too severe to ever be able to sufficiently protect 23 October 2013 Global Aggregation of Cyber Risk Zurich and Atlantic Council 15 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
  • 16. How? • Either one shock that cascades completely out of control or multiple shocks which cascade and reinforce one another • Examples: California earthquake, large cloud provider goes bust (Enron-style fraud, Lehman-style misunderstanding of risk, etc), major routing protocol failure or attack, slow deterioration of resilience and defenses over time, major GPS outage takes out global precision navigation and time signals 23 October 2013 Global Aggregation of Cyber Risk Zurich and Atlantic Council 16 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
  • 17. Three Recommendations for Companies 1. Organizations can take basic and advanced mitigations, depending on their maturity and resources 2. However, since so much risk is external, complex, and interdependent then resilience is the main hope for companies 3. Board-level risk management including insurance and other risk transfer options 23 October 2013 Global Aggregation of Cyber Risk Zurich and Atlantic Council 17 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
  • 18. Two Recommendations for Governments and System-Wide Organizations 1. Far more focus on systemic rather than organizational risk 2. Eventual goal for defense to be better than offense 23 October 2013 Global Aggregation of Cyber Risk Zurich and Atlantic Council 18 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
  • 19. Notional Chart of Upstream Risks Mitigated by • SLAs • Contracts • MOAs/MOUs • Resilience 23 October 2013 Upstream Infrastructure Disruptive Tech Tight linkages More so over time Least Control Causal Upstream of all else Telco/Internet Energy Finance Supply Chain Outsourced and Contract Counterparties and Partner Info only Internal Enterprise Cascades farther downstream C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 19 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01 Over time, more business critical functions move upstream…. Mitigated by • Standards • Regulations • Governance • Resilience External Shocks A T L A N T I C Limited Control Mitigated by • Government actions • Resilience 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 Most Control Near Everywhere Distant Three Zones of Risk (?)
  • 20. Cyber Risk Wednesdays Events and social receptions are scheduled every THIRD Wednesday of every month. • • • • • November 20 December 18 January 15 February 19 March 19 23 October 2013 Global Aggregation of Cyber Risk Zurich and Atlantic Council 20 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
  • 21. Global Aggregation of Cyber Risks: “Finding Cyber Sub-Prime” Cyber Risk Wednesdays 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01