Best Infosec-Related Long Reads of the Week, 9/3/22

The origins of cyberinsurance, TSA's security theater, A million-dollar Instagram scam, How artificial intelligence threatens to spawn government disinformation at scale

Metacurity is pleased to offer our free and paid subscribers this weekly digest of long-form infosec pieces and related articles that we couldn’t properly fit into our daily crush of news. Let us know what you think, and feel free to let us know of your favorite long-reads via Twitter @Metacurity. We’ll gladly credit you with a hat tip. Happy reading!

A Brief History of Cyberinsurance

Fletcher School professor Josephine Wolff offers this excerpt in Slate of her book on cybersecurity insurance that focuses on the origins of the cyber insurance industry from its humble beginnings at a Breach on the Beach party organized by an insurance broker named Steve Haase in April 1997.

When Haase launched the first cyberinsurance policy in 1997, it brought in $2 million in premiums in its first two years, but many customers were initially hesitant, especially with the looming specter of Y2K haunting their IT systems and budgets. “That really delayed the market for three years,” Haase said. Then, in 2000, after the Y2K threat had finally receded, the dotcom bubble burst and Haase lost one-third of his clients “overnight,” just as his business was starting to gain traction. By then, Haase had left Hamilton Dorsey and launched his own company in Atlanta, called InsureTrust, to focus on advising clients about cyberinsurance policies and, in some cases, underwriting them. It wasn’t until 11 years after its launch that the business finally became profitable, Haase said, referring to it as his “$3 million hobby.”

The Humiliating History of the TSA

Darryl Campbell at The Verge offers this examination of two decades of security theater performed by the Transportation Safety Administration and wonders how it is that this agency’ needless security pat-downs still exist.

The most generous independent estimates of the cost-effectiveness of the TSA’s airport security screening put the cost per life saved at around $15 million. And that makes two big assumptions: first, that the agency is both 100 percent effective and 100 percent responsible for stopping all terror attacks; and second, that it stops an attack on the scale of 9/11 about once a decade. Less optimistic assessments place the number at $667 million per life saved.

Real Money, Fake Musicians: Inside a Million-Dollar Instagram Verification Scheme

Craig Silverman and Bianca Fortis at Pro Publica offer this in-depth investigation of the largest Instagram account verification scheme, involving at least hundreds of people who sought improperly verified as musicians on Instagram. As a consequence of the probe, Instagram-owner Meta has removed fraudulently applied verification badges from more than 300 Instagram profiles and continues to review accounts.

The scheme, which likely generated millions in revenue for its operators, illustrates how easily major social, search and music platforms can be exploited to create fake personas with real-world consequences, such as monetizing a verified account. It also underscores how Instagram’s growth and cachet combines with poor customer support and lax oversight to create a thriving black market in verification services and account takedowns for hire.

Spirals of Delusion, How AI Distorts Decision-Making and Makes Dictators More Dangerous

Henry Farrell, Abraham Newman, and Jeremy Wallace in Foreign Affairs discuss how the most significant threat of artificial intelligence used by governments, particularly authoritarian regimes, is creating disinformation at scale.

These developments will produce serious problems for feedback in democracies. Current online policy-comment systems are almost certainly doomed, since they require little proof to establish whether the commenter is a real human being. Contractors for big telecommunications companies have already flooded the U.S. Federal Communications Commission with bogus comments linked to stolen email addresses as part of their campaign against net neutrality laws. Still, it was easy to identify subterfuge when tens of thousands of nearly identical comments were posted. Now, or in the very near future, it will be trivially simple to prompt a large language model to write, say, 20,000 different comments in the style of swing voters condemning net neutrality.