February 23, 2022

By Larry Clinton

In the latest edition of Foreign Affairs, the US National Cyber Director, Chris Inglis, and Harry Krejsa propose that the government and industry forge a new paradigm – a cybersecurity social contract.

Naturally, the Internet Security Alliance applauds this move toward a new paradigm.

We do so for two reasons. First and foremost, because at this point it is obvious that the current paradigm isn’t working. Cyber-attacks continue to grow in size, sophistication, and damage. Despite two decades of awareness programs and information sharing, the situation is only getting worse. Systemic attacks like SolarWinds and the Microsoft Exchange server compromise are becoming more common. At the same time, ransomware (and other criminal attacks) like Colonial Pipeline are escalating to affect thousands of victims, and the ransoms are moving to the six- and seven-figure levels. Meanwhile, government sanctions have no perceptible effect (they weren’t even tried in response to China’s attack on the Microsoft Exchange servers), and we successfully prosecute less than one percent of cyber criminals – a ratio that hasn’t changed in 20 years. Obviously, we need a new approach.

The second reason ISA supports Director Inglis’ call for a cyber social contract is that ISA has been calling for one for nearly 15 years. In fact, the very first, and most often cited, source in President Obama’s signature policy paper on cybersecurity, the 2009 Cyberspace Policy Review, was the ISA’s 2008 publication The Cybersecurity Social Contract.

The notion, as Director Inglis put it, that “the United States needs a new social contract for the digital age – one that meaningfully alters the relationship between public and private sectors” is insightful and progressive. However, as with any contract, it is the terms of the deal that need to be agreed upon.

In the Inglis-Krejsa article, they suggest the “contours are already clear: the private sector must prioritize long-term investments in a digital ecosystem that equally distributes the burden of cyber defense. Government, in turn, must provide more timely and comprehensive threat information while simultaneously treating industry as a vital partner.”

While these terms may well be Mr. Inglis’ proposal, to say these are the “clear contours” of the contract is perhaps overstated. To have an operative contract, both sides need to agree, and it is at the very least unclear that the private sector embraces the terms Inglis proposes.

In fact, to many the construction proposed seems rather odd. It seems to suggest that the private sector is to be the main instrument for cyber defense against nation-state attack, including investment not justified by companies’ fiduciary responsibility to their shareholders. Meanwhile, government’s role “in turn” is limited to providing comparatively minor assistance in the form of “more timely information sharing” and the undefined concept of treating industry as a vital partner. This construction would seem to be inconsistent with the mandate outlined in the Constitution, which makes it the role of government, under our existing social contract, to “provide for the common defense.”

Inglis-Krejsa are quite correct in noting that the American system has undergone a variety of “shifts” which “alter the relationship between the public and private sectors” in the past. However, they miss probably the best historic analogy for creating an expanded cyber social contract: the shift in relationships that enabled the US to actually build much of what we today term our critical infrastructure.

About a hundred years or so ago, the hot technologies of the day were distributed electricity and telephones. Initially, these services were provided by private companies who deployed them where it made economic sense – in high-density and affluent areas. The wise and visionary policy makers of the day realized these services needed to be provided universally, and so made an economics-based deal – a social contract – with the private companies who were providing the services. The companies agreed to provide universal telephone and electricity service at reasonable rates, and in return government guaranteed the rate of return on their investments. This was a sophisticated and creative answer to a novel problem.

Thus were born the privately owned public utilities, rate-of-return regulation and public utility commissions, many of which we still have today. Most importantly, the new social contract worked. The assured economics of these new “utilities” enabled speedy expansion and increased sophistication. These developments were fundamental (along with other shifts like immigration and the railroads) in helping the USA move from a marginal international power at the start of the 20th century into the decisive force in World War I and the world’s dominant superpower by the middle of the 20th century.

The reason the public utility social contract worked was that both contractual parties were rewarded on their own terms. The utilities received economic assurance, which enabled them to innovate and expand, and the nation prospered. A win-win. The US got broad-based universal service and the companies made money; the policy makers included the companies’ economic needs in developing the social contract because they saw it was in the nation’s long-term best interests. This is the sort of structure Director Inglis needs to use his new office to help create as the contours of the cyber social contract. If such a contract is to be successful and sustainable, it must be similarly economically equitable.

It is this principle of economic equity that seems to be missing in the Inglis-Krejsa article. This is a major omission. Crafting 21st century technology policy without integrating the economics is as misbegotten as it would be to discuss economic policy without considering technology.

The reality is that in the digital age private entities, which own and operate the vast majority of US critical infrastructure, are being forced to inherit traditionally government responsibilities to defend – not just themselves – but the entire nation against nation-state and state-affiliated cyber-attacks.

Here is another reality – they can’t do it. Even large companies can’t ward off attacks from the Russian government (e.g., SolarWinds) or the Chinese government (e.g., the Microsoft Exchange servers) on a perennial basis. Their economic models – many of them blessed by state PUCs – are not built for that. To suggest that private companies should simply take on this responsibility is the rough equivalent of the US, at the outbreak of WWII, telling the steel mills in Pennsylvania that they need to purchase anti-aircraft weapons and radar because the Germans may want to bomb their plants.

To develop a social contract that will generate a truly sustainable system of cybersecurity, we will need to rethink how the economics of our critical infrastructures operate. To be a true partner, government will need to up its game far beyond just providing more timely notices (a problem its own studies indicate it hasn’t solved in 20 years).

Fortunately, the broad contours of a sustainable cyber social contract are already suggested in the current National Infrastructure Protection Plan (NIPP), developed in the Obama-Biden Administration. The existing NIPP clearly states that the public sector and the private sector appropriately assess risk on different bases.

As outlined in the NIPP, the private sector sees risk “appropriately” as an economic issue. That’s why retailers allow a certain amount of inventory to “walk out the back door” every month – because it would cost them more to hire the guards to stop the pilfering. Government doesn’t have that luxury. In addition to having somewhat looser economic constraints (unlike the private sector, the government can simply print its own money), government has multiple non-economic concerns, such as providing services and national security, so it can’t afford to be as risk tolerant as the private sector.

The problem is that in the cyber world government and industry are using the same system, and it is being defended at a commercial level against national security threats. This creates what the former Director of the Cybersecurity and Infrastructure Security Agency (CISA), Chris Krebs, called the cybersecurity “gap” in critical infrastructure.

The facile answer from some is that industry should just bite the bullet and provide the security needed to stop nation-state attacks. To begin with, the private sector already spends far more than the government on cybersecurity. Moreover, aside from the fact that government itself doesn’t have a great record in preventing nation-state attacks, the larger problem with government outsourcing the major responsibility of national cyber defense to shareholders is that the almost assured result is that we get fewer shareholders.

Even if we would like investors to put cybersecurity above all their economic priorities – and that is a dubious proposition – in a market economy, investment is going to flow to where it can be maximized. Hoping for long-term security investment from private investors that is not economically justified is a shaky proposition. Moreover, we need private investment in our infrastructures, because this is where we get the money to actually run our critical infrastructure – maintain it, grow it, provide jobs, pay taxes, etc. If we disincentivize being a shareholder in critical infrastructure, we are going to systematically disable our own infrastructure.

If government is going to truly “commit to moving toward true collaboration” – and I agree with Inglis and Krejsa that this needs to be done – we need to realistically address the economics of cybersecurity. This is no easy task. The economics of cybersecurity are in many ways upside down. Cyber-attack methods are comparatively cheap and easy to acquire, attacks are enormously profitable, and the business model for criminals is great – and becoming ever more sophisticated. Meanwhile, on the defender side, we are defending an inherently vulnerable system (the Internet was built as an open system), the attackers usually have first-mover advantage, and assistance from law enforcement is almost non-existent – we successfully prosecute less than one percent of cyber criminals.

The bottom line is that the terms of the new cyber social contract cannot be that the private sector invests enough to stop nation state attacks and government provides some information. There are a wide range of much more impactful things government can and should be doing to better engage with industry.

This can begin by working with industry – as partners, not “stakeholders” – to design market incentive programs that promote private investment in cybersecurity. Hoping, or demanding, that the private sector fund national defense is not a realistic strategy. We need to seriously get into how to fund our national defense while simultaneously assuring the economic vitality of our private-sector providers. After all, we are partners. This can be started by researching and adapting the multiple incentive programs government already uses in many industry sectors.

Government can also become serious about updating cyber law enforcement. If the FBI can recover half of the Colonial Pipeline ransom, why don’t the thousands of ransomware victims receive equivalent assistance?

Government can become serious about promoting a cybersecurity workforce. Recognizing that the shortage is a national security threat, government should create an online cybersecurity service academy that provides free education to those willing to provide three years of cybersecurity service in our national cyber defense, just as we do for traditional physical defense.

Government can get serious about streamlining its own cybersecurity regulations. Studies (including government studies) show that we currently waste 40-70% of cybersecurity budgets on conflicting and duplicative cyber regulations.

With due respect to Inglis and Krejsa, the terms of the cybersecurity social contract are not laid out, but they can be. Such a paradigm shift is possible and probably the only path to creating a sustainably secure cyber system. The private sector is willing to engage – as true partners.