The report uses threat assessments from the National Security Agency (NSA), the Office of the Director of National Intelligence (ODNI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Justice to quantify the risk of cyberattacks to critical infrastructure, identifying vulnerable technologies that could be targeted and a range of threat actors capable of exploiting them.
The report cites an annual threat assessment released by ODNI that found hacking groups linked to Russia, Iran and North Korea pose the greatest threat to U.S. infrastructure — as well as certain non-state actors such as organized cybercriminal gangs. Given the breadth and increasing skills of actors willing to target U.S. entities, the number of cyber incidents is rising at an alarming rate.
“Although federal agencies do not have a comprehensive inventory of cybersecurity incidents,” the report reads, “several key federal and industry sources show an increase in most types of cyberattacks in the U.S.—including those affecting critical infrastructure, as well as the scale and increasing cost of cyberattacks.”
In 2016, U.S. businesses and public agencies suffered a total of 19,060 incidents across four categories (ransomware, data breaches, corporate email breaches, and denial-of-service attacks) at a total cost of $470 million, according to the GAO's analysis of an FBI report. There were 26,074 incidents in 2021, with total losses approaching $2.6 billion.
With the possibility of having to cover such huge losses, private insurers are pulling out of the market, excluding some of the highest-level cyberattacks from their insurance policies. While data breaches and ransomware attacks are still generally covered, the report found that “private insurers have been taking steps to limit potential losses from systemic cyber incidents,” refusing to cover losses from acts of cyber warfare or deliberate infrastructure attacks.
According to the U.S. Treasury Department, some insurers have also been mitigating risk by reducing the maximum amount their policies pay in the event of a cyberattack and/or increasing premiums to protect themselves from losses. The GAO found further evidence that some insurers are withdrawing from insurance in the infrastructure space entirely, arguing that the risk of attack is too high.