THOUGHTS FROM THE WORLD ECONOMIC FORUM – REIMAGINING CYBER REGULATIONS

Last week, I was honored to be asked to lead the session on reimagining cyber regulations at the World Economic Forum event in Paris. The Forum relies on the Chatham House Rule, so I will await their report on the meeting; however, below is the text from which I drew the opening statement for the session.

INTRODUCTION

I’m Larry Clinton, President of the Internet Security Alliance. The ISA is a coalition of mostly larger companies’ CISOs representing virtually all the major critical sectors. The mission of the ISA is to integrate advanced technology with economics and public policy to create a sustainable system of cybersecurity. Since ISA sees the core problem with creating a sustainably secure system as an economic issue, even more than a technical issue, we have a fairly natural affinity to the Forum, and we are very grateful to them for holding this much-needed event and allowing ISA to initiate the conversation.

THE CYBERSECURITY ISSUE HAS GENERALLY BEEN MISANALYZED

We need to anchor this discussion in the indisputable fact that what we have been doing for the last 20 years – mostly regulation – is not working.

Microsoft estimates we are experiencing 600 million cyber-attacks a day. The Forum estimates that the annual economic cost from cyber-attacks is growing quickly toward 20 trillion dollars – for context, China’s GDP is a little less than 18 trillion.

In the U.S., we know that major elements of our critical infrastructure have already been compromised by cyber-attacks. We know they are in our telecommunications infrastructure, our energy infrastructure, our financial system, and likely much more. Not only do we know they are in there; we also don’t know how to get them out.

The major reason we are not making progress on cybersecurity – and we are not making any progress on cybersecurity; things are getting worse – is that we have largely misanalyzed the problem. Although the technology is vulnerable, that is not the essence of our problem.

The technology is only HOW the attacks occur. To reach a sustainable solution, we also need to address WHY the attacks occur. The reason the attacks occur is almost always economic: mostly financial, but even political attacks are launched to achieve a political profit. That is the motive behind cyber-attacks, and virtually none of our current efforts address the critical motive for the attacks, which is why they are going to continue until we do address motive, i.e., the economics of cybersecurity.

IF YOU ASK THE WRONG QUESTIONS, YOU GET THE WRONG ANSWERS

We need to ask ourselves: what is the real problem, and why are we not making progress?

The problem with the economics of the digital era is that all the economic incentives favor the attackers. Cyber-attack methods are cheap and easy to acquire on the dark net. The business model is excellent – you can reuse the same attack methods over and over on a global victim base, and the profits are enormous. Moreover, the attackers are very good businesspeople. They invest in their business and constantly innovate; they are aggressive with modern technology and collaborate successfully.

On the defender side, we have to defend a porous system. We are almost always in a response mode. It’s difficult to demonstrate return on investment for preventing attacks, and there is virtually no law enforcement – we successfully prosecute less than 1% of cyber criminals. Moreover, the most typical government response, especially as illustrated in the EU’s new Cybersecurity Act, is harsh and punitive regulation on companies, not on the attackers.

I noted that our speaker representing the French government yesterday told us with great enthusiasm how much he “loved regulation.” He didn’t mention how much he loved security. In fact, he didn’t talk much about security at all. He mostly talked about regulations and penalties. He never once demonstrated how this process would lead to greater security.

He also pointed out – twice – that government was not going to apply the same regulations to their system. Supposedly there are “constitutional reasons” why government can’t be subject to the same regulations they apply to industry. Really? The French constitution contains provisions addressing cybersecurity regulation? That is a very visionary constitution. As we would say in Brooklyn, where I was born, if you believe that one, I have a bridge to sell you.

TRYING THE SAME THING OVER AND OVER AGAIN AND EXPECTING DIFFERENT RESULTS IS INSANITY

The fact is that the traditional regulatory model is a poor fit for the cybersecurity problem. Traditional regulation is a backward-looking check-the-box methodology, whereas cybersecurity is a forward-looking risk management process.

The facts cited above clearly prove that the traditional system does not work. For a fuller review of why cyber regulations don’t work, I’d suggest reading Hubbard’s excellent book, How to Measure Anything in Cybersecurity Risk. Hubbard does a painstaking analysis of the literature on cyber regulation and the underlying methodology it uses. He concludes there is not a single study that demonstrates that any of the traditional regulatory methods have ever been shown to actually improve cybersecurity.

Not only is it clear that the regulatory model doesn’t improve security, but it actually impairs our efforts to enhance security. Cyber regulation is excessively complicated. It tends to be process-oriented rather than outcome-oriented, and it is massively duplicative. Multiple studies have shown that, depending on which sector is being analyzed, between 40% and 70% of cybersecurity budgets are being spent on redundant regulatory compliance regimes rather than on actual security measures.

IF WE CAN’T RELY ON GOVERNMENT – THE PRIVATE SECTOR NEEDS TO DEFINE AN EFFECTIVE PATH FORWARD

Rather than trying to placate governments in hopes that they will hit us with a smaller stick, the private sector needs to offer our government partners – and we need to enlist them as true partners – a set of concrete proposals that will enable us to create a pathway to cybersecurity success. This needs to begin by making effectiveness the essential element of all cyber regulation. We, possibly through the Forum, need to push for a principle of cost-benefit analysis (CBA) to be applied to all cyber regulations. If a regulation cannot be shown to be cost-effective, it needs to be reformed or eliminated.

Cost-benefit analysis is a hallmark of regulation in most sectors already, but it is not applied to cyber regulation. CBA is a widely used and empirical model that can and needs to be a core principle and requirement of all cyber regulations. Cost-benefit analysis would also offer a pathway to quickly identifying and eliminating the enormous problem of duplicative regulation, as duplication is likely to be the first victim of a CBA test. CBA can be used as the needed next step in the discussion of the need to “harmonize” cyber regulations. Harmonization is a vague term. It could take years simply to arrive at a consensus definition, and we don’t have that kind of time given the current cyber threat. However, CBA as the core principle around which various states would converge their disparate regulatory methods could vastly enhance the efficiency of cyber regulations and move the core goal from “harmonization” to effectiveness.

In the United States, we have already begun this process. Last month, a coalition of five major trade groups petitioned the Trump Administration to use advanced technology to identify duplicative cyber regulations and work with industry to eliminate them by a date certain. In addition, the Chairs of both the House Committee on Homeland Security and the House Oversight and Government Reform Committee wrote to the Trump Administration’s Office of Management and Budget (OMB) instructing them to “act now” to eliminate duplicative regulation as this would be the “fastest and most cost-effective way to materially improve the nation’s cybersecurity.”

INCENTIVES ARE A BETTER FIT FOR THE DYNAMISM OF THE DIGITAL AGE

Cybersecurity, while a critical goal, needs to be addressed from an ecosystem perspective. It is not enough to make critical infrastructure secure. We need to provide that security while also enabling our critical infrastructures to provide the core services they were designed for in an economically viable model. For such a task, market incentives that enable industry to defend against 21st-century attacks – including from nation states – are required.

Industry can work together to analyze what various sectors have already done to provide market incentives to achieve pro-social goals. The environmental industry, the energy industry, the pharmaceutical industry, and the transportation industry are all examples of sectors that have worked with government to develop ways to provide pro-social services while maintaining the economics required to provide service in a market economy. There are very few examples of governments initiating work to create similar market incentives in cybersecurity. The private sector can lead the way in that direction, and perhaps the Forum could serve as a center for this process.

Thank you.