ARCHIVED 9/1/10

September 1, 2010


ALTERING THE ECONOMICS OF CYBERSECURITY

Anthony Freed, InfoSec Island, 09/01/2010

I recently had the opportunity to discuss information security issues with Larry Clinton, Internet Security Alliance (ISA) President and CEO.

ISA is a multi-sector trade association established in collaboration with Carnegie Mellon University in 2000. ISA represents an array of organizations concerned with information security from the aviation, banking, communications, defense, education, financial services, insurance, manufacturing, security and technology sectors.

ISA advocates a modernized social contract between industry and government creating market based incentives to motivate enhanced security of cyber systems, and provides its members with a range of technical, business and public policy services to assist them in fulfilling their mission.

The ISA mission is to combine advanced technology with the economic realities and help create effective public policy leading to a sustainable system of world-wide cyber security.

Mr. Clinton has led ISA since 2007, and is frequently called upon to offer expert testimony and guidance to the White House, Congress and numerous Federal Agencies on policy and legislative efforts.

We are extremely fortunate Mr. Clinton has set aside some time from his very busy schedule to offer some insight into the critical role ISA plays in shaping the future of cybersecurity.

Q:  The Internet Security Alliance (ISA) and American National Standards Institute (ANSI) recently released The Financial Management of Cyber Risk: An Implementation Framework for CFOs (sponsored by Symantec) – what is the crux of the message your organizations are presenting in this report?

That many enterprises are not fully appreciating the financial risks created by poor cyber security, and therefore not making the needed investments to protect themselves.

Too many organizations simply view cyber security as an operational/technical issue when in reality it is much more. It’s an enterprise-wide risk management issue that needs to be tackled in a comprehensive fashion and not just outsourced to the “techies” in hopes that they will find a magical solution.

The fact is that virtually every department in a modern organization owns data—the finance guys have data, the HR people have data, the legal compliance people have data—but they generally don’t think it’s their job to secure their own data—that’s the job of the IT guy at the end of the hall.

Unfortunately, most IT shops are viewed as cost centers, which especially in tough economic times are already underfunded. These departments are carrying more responsibility and getting fewer resources, and many organizations are blind to the risk that creates for the enterprise as a whole.

Q:  How would you characterize the current state of cyber security and the effect it has on our economy?

It’s very difficult to precisely assess the impact of poor cyber security on our economy, but it is almost certainly enormous. In 2004 the Congressional Research Service estimated that American businesses had lost $46 billion due to poor cyber security. When President Obama released his Cyber Space Policy Review in spring of 2009, it cited a study claiming US businesses had lost $1 trillion just in the value of stolen intellectual property from cyber attacks in the previous year.

Even if we assume for the sake of argument that the study the President cited is off by $500 billion, that still means that American businesses lost hundreds of billions of dollars in intellectual property theft. And that would not even take into account economic losses from downtime, inefficiency, customer dissatisfaction, or shareholder discontent following publicized breaches, which have been documented in the literature.

In addition, we know that many organizations have been subject to successful attacks but may not yet be aware that malware is residing on their systems.

We have to realize that virtually every aspect of our economic structure is now linked to and reliant on these modern electronic information systems. So by any measure the lack of cyber security is an enormous economic problem.

Q:  The ISA has long advocated market incentives as the best approach to security innovation – what role do you see the private sector playing in overall security efforts?

The ISA was founded on the assumption that since the private sector owns and operates the vast majority of the cyber systems, it is their responsibility to take a leadership role in protecting them.

The private sector needs to continue to develop the technologies, standards and practices not only to drive innovation and digital service, but to protect it as well.

Probably the single most under-reported fact in the cyber security field is how well the private sector has done this job. There are a range of studies going back years that show that if we would simply implement the standards, practices and technologies we have already developed, we could prevent or mitigate the vast majority of cyber breaches.

Earlier this month the US Secret Service in conjunction with Verizon published a study showing that adopting existing best practices could have stopped 94% of the 900 actual cyber breaches they studied.

Q:  Free Market solutions to many security vulnerabilities are readily available, but how can we guarantee moving forward that the best products become the most widely utilized?

There are a range of issues that need to be addressed, ranging from the outdated corporate structures we discussed above, which inhibit the proper risk management of cyber security, to the seductive trade-off that exists between operating secure systems and operating ones that are completely user friendly.

But several studies have shown that the biggest barrier to adopting effective cyber security practices in the corporate space is cost.

This problem is compounded by the fact that cyber security economics is not well understood—mostly due to the fact that people make simplistic assumptions that do not fit with the facts.

Perhaps the most common of these is the assumption that if enterprises are losing money from cyber attacks they will naturally make the investments to stop the cyber losses.

The evidence clearly indicates that is not correct. All the evidence demonstrates that the number of cyber vulnerabilities, attacks and losses is increasing dramatically. However, several large recent studies have also documented that between half and two-thirds of American companies are actually deferring or reducing their investments in cyber security.

We now know that many enterprises are mis-analyzing the effect of cyber security on the bottom line, and that’s part of the problem. We also know that many organizations tolerate a degree of insecurity, cyber or otherwise, after making a cost-benefit analysis and determining that although there are economic losses due to poor security, if the cost of becoming secure is greater, they will tolerate the insecurity.

While this may be fine, even appropriate, for a corporation legally obligated to maximize shareholder value, it is clearly not in the public interest, and poor cyber security may even create, indeed does create, significant national security issues.

So government does need to have a role. It’s just that government can’t just try to impose 20th century (actually 19th century) models like regulatory mandates on a 21st century technology like the Internet.

ISA advocates a modern Social Contract wherein government assists in determining what practices work (much like they do with drugs at the FDA) and then provides the market incentives to bridge the gap between the corporate interest in security and the public interest.

Q:  SMBs and the healthcare, legal, financial and education sectors have all experienced an increased demand for information security, while their organizations are requiring budget cuts across the board – can smaller entities really expect they can afford to keep pace with hardware, software and the required expertise?

There was a time when some smaller companies assumed that they were too small to attract the attention of attackers. However, attacks are now often automated, so size doesn’t matter. Indeed, the recent research shows that smaller firms are every bit as likely to be attacked as larger ones.

And of course every small business in the world has the same goal: to become a big business. So even if smaller firms could free up capital to bolster their cyber security, my guess is that most of these companies are much more likely to use extra capital for additional sales and marketing than for improved cyber security.

In addition, most of the cyber security apparatus that has been developed through things like ISACs is generally too sophisticated and requires too great a time commitment to be attractive to smaller companies.

The good news is that there is progress being made. For example, the ISA has proposed an alternative information sharing model designed to provide smaller firms with easily usable data to protect themselves. We were pleased when Melissa Hathaway cited our proposal in the Cyber Space Policy Review that Obama published a year ago, but we have had a very hard time getting our friends at DHS to provide the government side of the assistance we need to make things work. However, I’m happy to report that we now seem to have some traction on this proposal, and I’m optimistic we can get something done.

However, in the end I think at least for smaller firms the best way to get them to enhance their cyber security is by integrating cyber requirements into government programs like SBA loans or even as tax credits.

Q:  This latest report is addressed to CFOs – is it difficult to effectively translate the vernacular of IT and network management into the language of enterprise-wide risk abatement?

Well, let’s not just blame the IT guys for “geek-speak” (although they certainly do have a language of their own, and assuming everyone will learn that language is probably not going to work). But so do the lawyers. And so do the finance guys. In fact, jargon is pretty endemic to most professions.

What we are really saying in our report is that all the entities involved in corporate cyber security (IT, legal, compliance, HR, finance, communications, operations) need to be taking responsibility for cyber security on an enterprise-wide basis.

We do specifically reference the CFO because s/he usually has cross departmental responsibility, but we note the job of leading the group could be given to another cross-departmental person such as the Chief Risk Officer.

The core of our approach is that everyone gets involved in an enterprise-wide cyber risk group with an enterprise wide cyber security budget and that they meet regularly to discuss and resolve their common problem. When they are talking together regularly they will learn how to communicate and the enterprise itself will be the better for it.

If one reads the chapters of our most recent publication, one of the things that jumps out at you is that each of these various departments has its own unique issues with respect to cyber security. These need to be, and we think can be, melded together into a functional system that receives the necessary support from the entire organization.

Q:  How do financial regulations such as SarbOx and some SEC mandates relate to IT and network security decisions, and should they be reported as presenting a material risk to shareholders?

This is an area the ISA Board is very interested in, namely how we can elevate this discussion to the Board level or to the shareholders.

We are currently looking into this topic as a potential “phase III” of our financial management of cyber risk project. Frankly we are looking for entities that might help us with this analysis.

As to the preliminary question of how SOX is affecting cyber security, we think there are mixed results. Clearly there was some low-hanging fruit that SOX may have initially helped harvest and thus created some improvements. However, we are also hearing that the complexities of the regulatory and auditing systems are now having a counter-productive effect on cyber security.

In short, many organizations are now devoting their “cyber security” resources primarily to audit compliance, which does not necessarily correspond to improved security. Indeed, by drawing resources away from actual security to focus on regulatory compliance we may well be weakening our security.

ISA is very interested in analyzing this area more fully and I expect we will have more to report on it in the future.

Q:  There seems to be little legal precedent established regarding liability in the electronic data access chain – what effect on security best practices will the courts have when they do finally weigh in?

This really depends on how the courts weigh in, and my own guess is that it may take quite a while to get a clear picture on the liability question.

The partisan divide in the cyber security field is between the consumers who say the vendors ought to be liable because they sell vulnerable systems and the vendors who say that no one wants to pay the cost of fully secured systems and the consumers typically ignore the vendors’ suggestions about security.

So when a breach occurs who is liable?

I can see thousands of lawyers’ children getting their higher educations financed as this question moves through the court system.

ISA believes a better answer is to develop a system wherein we use the market to motivate improved cyber security. As I said above, we already know what works; we just have to implement it. We also know that the main barrier is cost, and not that much cost at that. Finally, we have a well developed system of using market incentives including procurement, awards, SBA loans, insurance etc. to successfully motivate pro-social behavior throughout our economy, in agriculture, aviation, environment, ground transport etc. We simply need to apply these incentives to the cyber security space and motivate the practices and standards that we know will work.

Q: What’s next on the ISA’s agenda?

ISA’s mission is to integrate advanced technology with business economics and public policy to create a sustainable system of cyber security.

Core to this notion is that we need to mature our understanding of this issue to appreciate that cyber security is as much an economic and strategic issue as it is an operational technical one.

So we are focused on altering the economics of cyber security.

The main reason we have so many attacks is all the economic incentives currently favor the attackers—attacks are easy, cheap, you can steal billions and your chances of getting caught are slim.

If we can increase the cost to the attackers and simultaneously increase the profitability of good cyber defense, we believe we can create the sustainable system of cyber security which will make our nation and our economy the envy of the world in the 21st century, just as we were in the 20th century.