At DEFCON, DHS Gets it Right on Cyber – We Need to Rethink Incentives

August 14, 2018

When DHS Assistant Secretary for Cyber Security Jeanette Manfra addressed the hackers at the annual Las Vegas showcase for modern wizardry, she didn’t focus on standards and bots. She talked about how digitization changes everything and the need to look at cybersecurity through an economic lens. She got it exactly right.

“For the first time in the national security space,” Manfra said, “the government is not on the front lines…this challenges everything you think about. This means we have to get past our traditional incentives.”

Manfra’s insight that digitization changes everything is key to finally attacking the cybersecurity problem on a systemic basis. Digitization has changed everything. It literally is altering our brain chemistry. It obviously is changing the way we think about core ideals like privacy, and it fundamentally is changing – or needs to change – our basic assumptions about national defense. Historically, America’s most important elements of national defense have been the Atlantic and Pacific oceans. These assets are largely irrelevant in the age of digital warfare.

Manfra’s comments fit well into the notion of “collective defense” that was touted at the Administration’s recent cybersecurity summit in New York City. In his luncheon address at the Summit, DHS Undersecretary for Infrastructure Protection Chris Krebs noted that in cybersecurity the private sector may be on the front lines against nation state attacks on the electric grid, hospitals, or the telecommunications systems.

However, Krebs also noted that the public and private sectors have legitimately different perspectives when doing risk assessment. The private sector is driven by economic concerns – every retailer knows 10% of the inventory is “walking out the back door.” Why not hire more guards? Because it costs 11%.

The government doesn’t have this luxury. It has economic issues of course, but it also has non-economic issues like national security and privacy to be concerned about. As a result, there is a gap – a delta – between legitimate commercial-level security and necessary government-level security. The problem is that in the digital world we are all using the same systems.

So, how do we fill the delta? How do we encourage the private sector to make the necessary – government-level, not commercially justified – investments in cybersecurity needed to deal with nation state attacks?

This is where Manfra’s notion of thinking beyond traditional incentives comes in. You simply can’t mandate non-commercially justified security spending on a private sector you are expecting to provide innovation, productivity, and jobs.

A century ago, policymakers faced a similar conundrum with respect to building our electric and telecommunications infrastructure. Originally these services were provided only where the economics accommodated them – high-density and affluent areas. The policymakers saw that these services – just like cybersecurity – needed to be provided to everyone. So, they made an economic deal – a “social contract” – with the infrastructure owners: if the providers would provide universal service, the policymakers would guarantee the return on the corporate bonds.

And it worked. Thus were born the ironically titled privately owned public utilities, and the nation was electrified and communicating. We now need a similar – not identical – cybersecurity social contract that will provide for the privately owned public defense of our cyber infrastructure: a collective defense model.