This post is a one in the “Rethink Cybersecurity” series. Additional posts in this series are available here
By now anyone who is reading this sort of blog is aware that the ransomware epidemic is totally out of control. Colonial just paid $5 million in Bitcoin to get their data (and our gas) released. But this is by no means an isolated event. Ransomware attacks have been proliferating both in number and size of ransom for a while. Earlier in May, former CISA Director Chris Krebs told the House Cybersecurity Subcommittee that we are on the cusp of a world-wide ransomware pandemic fueled by greed.
It’s that last part of Chris’ comments that really needs to be understood by our policy makers.
Follow the money! It’s the economy, stupid. It’s all about the Benjamins. Show me the money!
Cybersecurity has never been just about the existence of technical vulnerabilities. The reason ransomware, and other cybercrimes, are going through the roof is they are so dam profitable.
For Congress and the Administration to finally get a handle on cybersecurity they need to consider the issue in this broader sense and get at not just shoring up the systems but to mitigating the motivation for cyber-attacks – the money.
Notably, this week that was a significant epiphany on the part of Congressional leadership – bipartisan leadership –regarding the very nature of the cyber threat.
On Wednesday the Chairs and Ranking Members of the five major committees that deal with cybersecurity in the House of Representatives wrote a joint letter to the President’s National Security Advisor, Jake Sullivan, requesting more information on the Colonel Pipeline attacks. While that request is unsurprising, what the Committees are asking for is revealing. Their letter noted prominently that”
“As we have repeatedly stressed, cybersecurity is no longer just an ‘IT’ issue but instead an economic and national security challenge that can have real-world impacts on our security.”
If we may be allowed a couple of slight quibbles – cybersecurity has never been just an IT issue, it’s always been a strategic risk management issue with just as many economic aspects as technical. It’s just that most in Congress have not understood that, until now.
And the claim “we have repeatedly stressed” is a bit surprising, I must have missed all that cybersecurity legislation that folded in economics as much as technology. But OK, we are all on the same page now.
The real question now becomes, what does a cybersecurity policy (or strategy) that appreciates the essential economics of the issue, look like?
Most discussions of cybersecurity economics focus on the economic impacts of cyber events. This is obviously important although precise measurement, such as assessing the true cost of the loss of valuable intellectual property, can be difficult. However, there are a few things we know about the economic impacts of cyber-attacks. We know they are massive, enormous, gargantuan – and growing. These, of course, are technical terms.
We know we are losing somewhere between hundreds of billions to a few trillion dollars annually due to cyber-attacks. Determining the exact impact is a job for psychometricians and economists. The issue for policy makers is how can public policy restructure the economics of the cybersecurity equation so that we can integrate advanced technology with economics and create a sustainably secure cyber system?
The economic cybersecurity equation that must be solved if we are ever to achieve a sustainably secure cyber ecosystem is this: Cyber-attacks are comparatively cheap and easy to acquire, the attackers ‘business model ‘is highly effective, and extremely profitable. On the other side of the equation defenders are defending an inherently vulnerable system, we are virtually always in a reactive mode, it hard to demonstrate ROI on things you prevent plus we get virtually no help from law enforcement – we prosecute less than 1% of cyber criminals.
Hopefully, based on the letter the congressional cyber leadership sent to National Security Advisor Sullivan, they are now willing to address rebalancing the cybersecurity equation so that it works for governments as well as industry working in a liberal democratic capitalistic system.
Fortunately, there is a very wide range of economic options that are available for us to begin to rebalance that economic equation for cybersecurity and they range from comparatively simple and direct steps to a range of more complicated issue that will require extensive collaboration between government and the private sector.
Let’s start with the simple and direct steps. First, is getting the existing cyber regulatory system in order. Multiple studies – by both government and industry – have found that the existing and extensive regulatory process for cybersecurity, such as in finical services, health care and even state and local governments, contains large redundancies and conflicts eating up 40-70% of cybersecurity budgets. A joint DHS-industry white paper defining a collective cyber defense model found that “government can substantially increase the effectiveness of available cybersecurity resources by streamlining duplicative regulations to deconflict provisions between competing agencies.”
Fortunately addressing this issue may not even require legislation. This is exactly the sort of thing the Office of Management and Budget was designed for. Freeing up 40-70% of functional cybersecurity resources is a significant boost to overall security and can be done with the stroke of a pen. Considering incidents like Solar Winds, Microsoft Exchange Server, and Colonial Pipeline there will likely be new regulations promulgated. OMB can take a quick first step by simply requiring that any new cyber regulations include certification by the regulating authority that the new regs are not redundant or in conflict with any current regulations or requirements. This is a little extra work for the regulating agencies, but that is what they are there for.
A second, comparatively easy and direct step toward building economics into cybersecurity would be require that cyber regulations be regularly assessed for cost effectiveness. Without even getting to the issue of cost, there is little to no evidence that the existing model of cyber regulation (typically a long list of technical requirements) is effective at all. In his book How to Measure Anything in Cybersecurity Dug Hubbard reports on an extensive review of literature on the ordinal methods typically used for cybersecurity and finds there is no evidence that any of them actually improve security. If Congress is going to pass new cybersecurity regulations, they ought to at least be assessed to see if they are working. Simply adding that line to any bill requiring new regulations is an important step. It will also lead to the important and serious step of getting serious about defining what is security. A harder, but necessary step.
Cost effectiveness is still another matter. It is certainly plausible that regulations, for example in truly critical infrastructures like the power grid, may be effective from a pure security perspective, but also be cost prohibitive from a commercial perspective. One of the important subtleties of cyber economics is that private industry assesses security at a commercial level which is more risk tolerant than the government. Everyone knows 10% of inventory “walks out the back door” of a retailer operation. They don’t hire the guards to police this pilferage because costs 11%– it’s a simple commercial/economic calculation.
Government naturally has concerns beyond commercial viability – such as national security.
It is simply unsustainable to ask the shareholder to hold the burden of government required security investments that are not cost justified. The reason such a model is unsustainable is because the shareholders can simply take their money and invest it elsewhere, and we need people investing in our critical infrastructure.
The first step in creating a truly functional and economically sustainable cybersecurity model for critical infrastructure, such as utilities, is to verify the effectiveness and cost effectiveness of the security requirements. If they are, empirically, cost effective we will have no problem. If there are, as I suspect there will be, requirements of private industry that are not cost justified then government will need to step in and find economic incentives to implement when they implement the new regulations.
We will return to the discussion of market incentives in future posts.
Join the Rethink Cybersecurity Community click here