Policy expert Josephine Wolff’s presence on the Fletcher School’s online Master of Global Administration (GBA) faculty exemplifies the program’s multidisciplinary approach to international business. The GBA develops contextual intelligence that encompasses core business skills and extends beyond them to engage culture, cybersecurity, geopolitics, global security, and international law and regulations. The curriculum promotes the nuanced, nimble approach necessary to succeed in today’s complex business environment.
Like many of her peers at Tufts, Wolff is a gifted communicator (as you’ll see in the interview below). She is the author of two books—You’ll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches (2018) and Cyberinsurance Policy: Rethinking Risk in an Age of Ransomware, Computer Fraud, Data Breaches, and Cyberattacks (2022). A journalist as well as an academic, Wolff has written about cybersecurity issues for The New York Times, The Washington Post, The Atlantic, Slate, and Wired. In this interview, she discusses the current state of cybersecurity preparedness, cyber insurance, and how the GBA program prepares international business leaders for tomorrow’s online threats.
Rapidly advancing technology creates new challenges daily. How do governments, regulators, businesses, and institutions remain nimble enough to meet the challenges and defend themselves against malicious actors?
The obvious piece is that you need to keep pace with the threat landscape and stay abreast of the latest threats. Less obvious—but also important—is realizing changes to your tech environment may create new vulnerabilities. We too often lose sight of the fact that every new software system, every new piece of technology that we add to make our systems more efficient and secure can create new vulnerabilities, because every new piece of technology creates a different potential attack surface that we need to re-evaluate.
That’s what happened with the CrowdStrike incident last summer. Organizations buy CrowdStrike to deal with security, right? So they assume that CrowdStrike will monitor any threats and report on them. They don’t understand that the software can also be a potential security threat.
That’s why it’s essential to continually assess security and risk in the technology landscape every time you make a change. You need to say, “Yes, there are ways this makes me more secure, but there may also be ways in which this makes me less secure, and I need to understand those.” It doesn’t mean you don’t go forward with the change; it just means you need to keep the risks in mind.
Cybersecurity is top of mind for everyone operating in the digital sphere. Most people know the basics: hacking, identity theft, malware, ransomware. What is something most people do not know but should?
A lot of people don’t realize that their devices can be used for attacks on other parties. We think a lot about attacks on our systems and protecting our organization. We are less likely to think about someone compromising our computer to use it as a hop point for an attack on somebody else.
Universities are often targets of these attacks—not because there’s so much valuable proprietary information on our computers, but because our systems can be used to channel attacks to government agencies or other places which an attacker may not be able to reach. They may be in a country where those connections would be dropped or would be flagged as suspicious. Maybe they just don’t want the attack traced back to them.
I think a lot about getting organizations to recognize these threats. They need to understand that their resources could be deployed against somebody else. We see it all the time: computers that are part of botnets, that are being used to attack targets, and the people whose computers are being used don’t even know. They have no idea about the malware, no idea of the risk they’re contributing to.
Is there any way to protect yourself from being used that way?
Most preventative measures involve vigilance about certain types of credential theft and malware. They’re related to the things we do to protect ourselves from being the direct targets of attacks; the difference is it involves broader monitoring of outbound traffic from your systems. You need to look for outbound attack traffic that you don’t recognize, that you don’t see yourself deliberately sending, and ask yourself why it’s there.
The challenge is in being attentive to something that may not raise any major red flags. If you can still access your data and your systems are up and running, you probably think, “No problem. So what if there’s a lot of traffic leaving my network?” The problem is it may not be harming you but it could be harming someone else.
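As an added illustration (not part of the interview), here is a small outbound-traffic check of the kind described above: it aggregates constructed flow records per internal host and flags hosts that talk to many unrecognised external destinations or use unexpected outbound ports. The internal prefix, the allow-list and the thresholds are assumptions to be replaced with your own baseline.

```python
"""Flag internal hosts whose outbound traffic suggests they are being used
against someone else (botnet or hop-point activity).
Added illustration; flow records, allow-list and thresholds are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed outbound flow records: (src_host, dst_ip, dst_port, bytes_out)
FLOWS = [
    ("10.1.1.5", "192.0.2.50", 443, 12000),       # expected web traffic
    ("10.1.1.5", "192.0.2.50", 443, 9000),
    ("10.1.1.7", "198.51.100.10", 80, 500),       # one host, many targets
    ("10.1.1.7", "198.51.100.11", 80, 500),
    ("10.1.1.7", "198.51.100.12", 80, 500),
    ("10.1.1.7", "198.51.100.13", 80, 500),
    ("10.1.1.7", "198.51.100.14", 80, 500),
    ("10.1.1.9", "203.0.113.8", 6667, 1500),      # unexpected outbound port
]

INTERNAL_NET = ip_network("10.0.0.0/8")    # assumed: the organisation's own range
KNOWN_DESTINATIONS = {"192.0.2.50"}        # constructed allow-list of expected peers
EXPECTED_PORTS = {80, 443, 53}             # assumed: ports workstations normally use
MAX_UNKNOWN_DESTS = 3                      # assumed threshold; tune to your baseline


def is_external(ip: str) -> bool:
    """True when the destination lies outside the organisation's own range."""
    return ip_address(ip) not in INTERNAL_NET


def flag_hosts(flows, known=KNOWN_DESTINATIONS, ports=EXPECTED_PORTS,
               max_unknown=MAX_UNKNOWN_DESTS):
    """Return {host: [reasons]} for hosts whose outbound flows look suspicious."""
    unknown = defaultdict(set)    # host -> external destinations not on the allow-list
    odd_ports = defaultdict(set)  # host -> outbound ports outside the expected set
    for src, dst, port, _bytes in flows:
        if not is_external(dst):
            continue  # internal traffic is out of scope for this check
        if dst not in known:
            unknown[src].add(dst)
        if port not in ports:
            odd_ports[src].add(port)
    findings = {}
    for host in set(unknown) | set(odd_ports):
        reasons = []
        if len(unknown[host]) > max_unknown:
            reasons.append(f"{len(unknown[host])} unrecognised external destinations")
        if odd_ports[host]:
            reasons.append(f"unexpected outbound ports {sorted(odd_ports[host])}")
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in sorted(flag_hosts(FLOWS).items()):
        print(host, "->", "; ".join(reasons))
```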
You’ve written extensively about cyber insurance. For those unfamiliar with it, could you explain what cyber insurance is, how it functions, and what its strengths and shortcomings are?
Cyber insurance describes a broad category of insurance policies that help compensate organizations for losses associated with cyber risks such as ransomware. These policies will compensate you for ransoms you pay for data breaches and for lawyers’ fees, settlements and notification costs. They might cover losses associated with business interruption if you suffer a denial of service attack or ransomware attack and your business goes down for a period of time. This type of insurance has become increasingly popular over the past decade or so.
These policies can be really valuable, especially for small and medium-sized enterprises that don’t have a huge security team. The policies help them feel protected against a wide range of threats without needing to hire a ten-person IT staff.
The shortcomings revolve around the fact that this is a relatively new field with hard-to-determine risks. Insurers are nervous about how many different types of risk they’re covering and how unpredictable the risk is. Insurance relies on forecast models: how many car accidents will there be next year, how many earthquakes, how much theft? They use the models to set price premiums and decide what types of insurance to sell.
In cyber, we don’t have very good ways of building those models. The number of car accidents this year has historically proven to be a good indicator of how many there will be next year. It’s not clear that it’s true for ransomware or data breaches. If insurers assume next year’s ransomware attacks will look like this year’s, they can really get burned. In 2019 and 2020, we saw a huge spike in ransomware that caught everyone off guard. Insurers start losing money and they have to hike their premiums way up to compensate. We don’t have good data to model the risks, and if you sell insurance, you really, really want good models.
On the flip side, we also lack the means to require people to manage their own cyber risk. When an insurer sells fire insurance, they usually set conditions. You have to have sprinklers, smoke detectors and other safety measures in place. For cyber insurance, that would mean requiring authentication controls and network monitoring tools and lots of other stuff. We do see some versions of this, but it’s not clear that it’s working because we don’t have good empirical data to determine what’s the equivalent of a smoke detector. As a result, we’re mostly seeing insurers make it up as they go. What are the things we should be requiring? Do we see any real impact when we require them? And often the answer seems to be that there’s not so much impact.
That’s why when ransomware starts spiking, all insurers can do is raise the premiums, because they don’t know how to stop the ransomware. They can’t say, “Hey everybody, download this protection tool.” So that creates challenges to providing effective cyber insurance.
Can people be denied coverage if they forgot or failed to download something that would protect their systems?
Yes, and there are a set of really interesting cases and controversies around that exact issue. There’s a lot of cybercrime and electronic fraud coverage that specifically looks at situations in which, say, someone emails you an invoice and says “Please transfer a million dollars to my company for services rendered.” If you pay, is that an insurable loss under electronic crime coverage? At present, the answer often seems to be no, because you initiated the transfer. Not always, though, because different courts can rule different ways. Some have ruled that targeted phishing can be a computer-based crime under certain circumstances.
But generally, the governing principle seems to be that if you initiate the transfer of funds, that’s not an electronic crime. It would be an electronic crime if someone stole your banking credentials and initiated that transfer themselves and hacked into your account.
You cover the tech beat for several mainstream news media outlets. It’s a fast-moving target. Does that make it especially challenging to teach?
It’s very challenging to teach because you can’t always stick exactly to your plan. Sometimes you have to scramble. Let’s say I’ve assigned readings in the syllabus about, say, TikTok, and a month later the app is banned. The readings I’ve assigned are now out of date. So teaching tech requires a certain amount of flexibility.
A lot of cybersecurity incidents come up in my class a day or two after they’re discovered, when we’re really still just figuring out what happened. Like the SolarWinds incident: we didn’t know who was behind it or how it happened. Similarly, when those pager attacks took place in Lebanon, there was a lot of class discussion speculating about how it could have happened. Is that something you really can do with smartphones? We were having that conversation before we knew the answers, and that’s challenging. But that’s also what makes it fun! I never teach the same class twice the same way.
What sets the Tufts GBA program apart from other international business degrees?
Two things. First, the strong cohort model. GBA is a really tailored and personal program. It’s not like entering a business school class of one thousand people. Students form a group who spend their time together throughout this program and get to know each other’s expertise and background.
Second is the huge amount of context to the business education piece. Most of that context is coming from an international affairs/political science perspective, but it also includes context from people like me who are technologists, and from people who are thinking about social science and sociology. That’s a really special thing to be able to study business alongside students and faculty oriented toward solving some of the largest problems the world faces. The GBA trains you to be a business leader in very concrete terms but also to understand the broader impacts of business.
What real world skills do students in this program develop?
It’s a mix of skills around writing and presenting and briefing that are probably somewhat universal to a lot of different public policy/public affairs/business graduate degrees. In addition, they build a set of skills around synthesizing many different topics to take on really global scale challenges. Maybe they’re synthesizing the finance piece of running a business with sustainability issues or tech and operational issues. These skills are most distinct to the GBA. That’s what being at Fletcher is all about: being in the classroom with people who have very different expertise and backgrounds and trying to put together all of those pieces to create something greater than their parts.
Can you share success stories of how GBA graduates applied what they learned in the program to their professional lives once they graduated?
One alumna went on to take over her organization’s security portfolio. Her background coming into the program was sustainability, looking at climate and energy impacts on businesses. The program helped precipitate her move into risk management, including the cyber risk space. She saw a need for people who understand risk across many different domains, and she saw parallels between cybersecurity and sustainability: the fast-evolving threat landscape, the technological complexity, the complex range of actors with complex motivations. She took her existing skill set and applied it to a new domain where she was excited to expand her portfolio.
What advice would you offer prospective students considering the Tufts GBA program?
Come in with a pretty clear picture of where you hope to go after this program; that will help you fashion a curriculum that makes the most sense to you. At the same time, keep an open mind, because things may change for you over the course of the program. Meeting all of these people may expose you to some whole other thing you hadn’t thought about but now excites you. Have a plan in mind but remain open to the possibility that you’ll find something new you really love, and give yourself permission to reorient.