
Week 13 Studio: MGM

Today, we will read about an attack against the MGM Casino group that happened in September: https://www.wsj.com/tech/cybersecurity/mgm-hack-casino-hackers-group-0366c641

The US Federal Trade Commission has been investigating this attack, and whether MGM had adequate security controls. Recently, MGM sued to block the investigation.

Policy Suggestions

Read about what happened in that article. Now imagine working in the health care industry and being asked to write a “boss report” about this incident: your boss comes to you, asks you about the incident, and asks what can be done to protect against similar incidents in the future.

Let’s use the knowledge we have been working on in this course to analyze the situation, and see if we can come up with serious, substantial, realistic policy suggestions.

First, grab the Policy Worksheet. We’ve been using that this whole semester.

Step 1: Understand the situation

The first side is all about trying to understand the situation. Look at the articles about ransomware attacks above, think about the way they affect the health care sector, and try to fill out the first side of the worksheet.

You can also fill out the first question on the back (about weakest link vs. best shot).

As you try to answer each of these questions, go back to the relevant notes on strategic incentives, externalities, and information asymmetry.

For this studio, ask yourself an important question: Was this a success or a failure? MGM did not pay the ransom, and was able to get operations back to normal less than a week after the initial attack. On the other hand, it cost them $100 million (more than the ransom demand) in losses, plus $10 million in cybersecurity consulting, and a lot of bad PR. Was MGM negligent? Or did MGM do all the right things?

Step 2: Find analogies

Once you’ve got an understanding of the economic properties of this situation, let’s find some analogies. What are some other situations in the world – not cybersecurity related – that have similar economic properties? For example, if you identified a negative externality, you can look for other negative externalities like pollution.

First, start by looking at the answer to each question separately, and identify similar situations that we have talked about that have similar properties.

Second, look across the situations you’ve identified and see if any of those situations have more than one of the properties. Try to find one or more situations that have most (or all) of the properties in common with this one.

Step 3: Identify Potential Solutions

Now that you’ve identified similar situations, look for potential policy solutions. Start by using the notes on strategic incentives, externalities, and information asymmetry to identify potential policy ideas. Also, look at your similar situations, and think about ways that we have tried to deal with those problems.

Brainstorm. Make a list of more than one policy idea that might be able to help with this situation. The goal of step 3 is really to identify multiple potential ideas.

Step 4: Cybersecurity Arms Race

There are a lot of good policy ideas out there, but not all of them work for cybersecurity. Once you have more than one idea, step back and think about the arms race problem. Once we implement a new policy, the attackers will adjust their behavior around that policy. Sometimes that adjustment will still leave the world in a better place, and sometimes the policy just creates more problems.

For example, we discussed earlier in the semester the new SEC policy requiring companies to report cyberattacks. The ransomware group BlackCat then weaponized this policy by reporting their victims to the SEC.

For each of your potential ideas, think about whether it would likely be helpful in the cybersecurity context or not. Use this information to make your final recommendations.