Despite 20 years of awareness programs, we are making little progress in securing cyberspace. The Internet is now more technologically vulnerable than ever – and getting weaker all the time. The cost of cyber-crime now runs into the trillions of dollars annually – enough to qualify the cybercriminal “nation” for the G-20 group of the world’s top economies. These facts beg the question: why are we not making more progress on cybersecurity? US cybersecurity policy has focused overwhelmingly on the vulnerabilities in the operational technology. However, technical exploitation only explains HOW cyber-attacks occur. To appreciate the essence of the cybersecurity problem, and to begin to manage it effectively, it is also important to address WHY cyber-attacks occur. The “why” of cyber-attacks is almost always economic. Specifically, virtually all the economic incentives in cybersecurity favor the attackers over the defenders. Cyber-attacks are cheap and easy to acquire. The “business model” for attackers (including nation states) is compelling. Profits are enormous. On the other side of the issue, defenders are faced with protecting an inherently vulnerable system, attackers have the first-mover advantage, and there is almost no help from law enforcement – we successfully prosecute less than 1% of cyber criminals. Attempting to design technology policy without factoring in economics is as misguided as attempting to design economic policy without factoring in technology. A new model is required that can rebalance the economic incentives in the digital age. This new model can be understood as an updated version of the social contract model as it was applied to the formation of US critical infrastructure a century ago. This cyber social contract would redefine aspects of the public-private partnership so as to integrate advanced technology with economics and public policy in an effort to create a sustainably secure cyber system.
Combining Technology, Public Policy and Economics to Create a Sustainable System of Cybersecurity
Larry Clinton is President of the Internet Security Alliance. He advises industry and government on cyber policy. He has briefed NATO, the OAS, the G-20 and the US Congress. He has twice been named to the Corporate 100 list of the most influential individuals in corporate governance. He has written cybersecurity best practices books used in the US, Europe, Latin America and Asia.