The Register

UK industry leaders unleash hurricane-grade scale for cyberattacks

A world-first organization assembled to categorize the severity of cybersecurity incidents is up and running in the UK following a year-long incubation period.

The Cyber Monitoring Centre (CMC) is the brainchild of cyber insurance industry figures and a handful of the UK’s foremost cybersecurity thought leaders. It introduces a severity classification system for the most serious cyber incidents, modeled on the Saffir-Simpson Scale, which differentiates hurricanes based on the damage they cause to affected regions.

Public communications about the CMC began in January 2024, at which point the literature suggested it was a system that would be used to help cyber insurance companies, and their reinsurers, independently define what constituted a systemic event.

A systemic event is one that emanates from a single source, such as an attack on a vendor, but has a significant impact on myriad other organizations. Think NotPetya and, more recently, the CrowdStrike fiasco.

Although improvements to industry models have been made in recent years, systemic risk remains an issue in the cyber insurance realm, affecting insurers, their reinsurers, policyholders, risk managers, and others – and it is one that lacks a clear definition. Without a firm idea of what a systemic event is, neither insurer nor policyholder can come to a clear understanding of what a policy’s terms and conditions mean, or, in some cases, when it could or should pay out.

The CMC’s system aims to resolve this and prevent any potential litigation that may arise as a result, providing a solution from an independent, non-profit organization.

The system categorizes cyber events on a 1-5 scale, with five being the most severe. Each event will be categorized by the CMC’s technical committee, which is chaired by Ciaran Martin, the founding CEO of the UK’s NCSC, and comprises experts from industry, academia, and the think tank The Royal United Services Institute (RUSI).

Committee members will meet on an ad hoc basis when an event shows signs of damages exceeding £100 million ($123.6 million), when multiple organizations in the UK are affected, and when the information required for an assessment is available.

The CMC’s methodology documents [PDF] state that members will assemble for half a day to produce two deliverables: a severity categorization (1-5) and a report detailing how the decision was reached, what data informed it, and in some cases the degree of confidence in the result.

The severity score will be determined by examining the financial impact of the event and the number of organizations affected. The finances factored into the decision include, but are not limited to, incident response costs, notification costs, ransom payments, data restoration costs, and business interruption costs. It won’t consider liability payments or fines issued after the fact.

Illustration depicting the Cyber Monitoring Centre’s classification matrix

The financial impact thresholds are £10 million, £100 million, £1 billion, and £5 billion. The affected-organization thresholds are 270, 2,700, 27,000, and 136,000, which represent 0.01, 0.1, 1, and 5 percent of all UK public and private organizations, per ONS data. Only organizations that have incurred costs of at least £1,000 are counted toward these thresholds.

The designated severity level rises as the total damages across affected organizations grow, and as more organizations are confirmed to have been impacted by the event.

Testing the system against major events from last year, the CMC said at its launch event on Thursday that the release of stolen MOVEit data would have received a category-one severity score, given its small UK footprint.

Cyber Monitoring Centre launch event

The attack on Synnovis, despite the thousands of NHS procedures that had to be rescheduled and the huge human impact, warranted only a category-two score, because it affected a single segment of a single industry and was therefore deemed narrow in scope. It wasn’t seen as a true systemic event.

CrowdStrike’s outage, however, scored the highest of the three with a category-three rating. Although it wasn’t caused by a malicious party, and the cost per affected organization was lower than in the other events, it hit a far greater share of UK organizations, so it was deemed the most systemic of the three.

An example of a category-five event would be Russia’s NotPetya campaign. Hypothetically, CrowdStrike’s outage would likely have been a category-four event had it been caused by an attack rather than a faulty sensor update: a malicious cause would have meant longer recovery times for organizations and, in turn, greater costs, bumping it up a grade.

Real-world application

Although the system was originally geared toward assisting the insurance industry, and that still appears to be its primary application, the CMC is positioning its categorization matrix as one that could deliver broader benefits.

The long-term vision for the CMC is to benefit policymakers and the general public. Five years’ worth of CMC categorizations could help distinguish the most serious incidents from those unlikely to have significant ramifications. The CMC doesn’t see itself informing legislation directly, but it hopes to offer a more nuanced understanding of events that may influence future regulation.

Martin compared two breaches disclosed in August 2023 to illustrate why, in the CMC’s view, the number of victims of a breach isn’t always a useful measure of severity. The UK Electoral Commission leak affected around 40 million people, while the PSNI breach affected only a few thousand, yet the latter is still seen as the more severe of the two given the direct likelihood of harm to the officers whose details were exposed.

Another potential user of the CMC’s categorizations could be the UK government, should it decide to establish a backstop to cover highly costly cyberattacks.

CMC CEO Will Mayes said that if such a backstop were established, a trigger for the release of additional funding would also have to be specified, and that is where the CMC’s categorization would come in.

In the near term, Martin acknowledged that the CMC isn’t the finished article and there will be areas in which its approaches will need to change.

“We know and expect to be challenged and criticized,” he said at the launch. “We know we’ll have to improve. If this was easy, somebody would have done it already.

“So, we hope that by doing this in as fully transparent a way as possible, we can help not just ensure the policymakers and the general public get a much better understanding of cybercrime.”

The feeling among experts speaking to The Register at the launch event was positive, but there is certainly a sense that the effectiveness of the CMC’s system will need to be proven over a long period.

Asked whether the organization expects the legitimacy of its system to be challenged in court, given the CMC’s own acknowledgment that the system may in future be used to head off insurance-related litigation, Mayes returned to the comparison with the Saffir-Simpson Scale, which he said has never been challenged.

The long-term aim is for a severity classification to be issued within 30 days of a qualifying event, although this is not a firm commitment. The CMC will aim for a 45-day publication window in 2025, shortening to 30 days from 2026 onward. ®