February 27, 2023

Spoiler alert: It’s both.  However, virtually all of our efforts to address our cybersecurity problems have focused on the tech side and virtually none on the underlying economics of cybersecurity.  This has led to an unbalanced and ineffective government response in “providing for the common defense” in the cyber infrastructure.

In their classic work, The Economics of Information Security, Anderson and Moore observed,

“Security failure is caused at least as often by bad economic incentives as by bad technological design. Economists have long known that liability should be assigned to the entity that can manage risk. Yet everywhere we look we see online risk allocated poorly… people who connect their machines to risky places do not bear full consequences of their actions. And developers are not compensated for costly efforts to strengthen their code.”

If we think about it, we all know this. We all know that if someone uses the same password – say, 123456– and goes to sketchy websites, their credit card is likely going to be hacked. A hacker may run up $100,000 in false claims on their card, but our sketchy citizen only owes $50. The banks pick up the rest of the cost, then charge it back to all of us in higher fees and interest rates. As a result, we good citizens are subsidizing the sloppy cyber risk-takers.

A major reason more secure products are not developed is because there is very little market value for them. We – people, industry and, government — are generally not interested in paying for security in our tech. We want – i.e., will pay for –functionality, ease, low cost. As a result, secure coding is not valued as a profession – and most universities do not teach it – because consumers do not want to pay more for secure devices without seeing highly visible and immediate benefits.

Of course, our cyber systems are vulnerable – incredibly vulnerable and getting more vulnerable all the time.  The internet itself was built to be an open, i.e., vulnerable system.  But most of our critical infrastructures are terribly vulnerable.  Our surface transport system is vulnerable. Our agricultural system was vulnerable – there were recent stories about how electric utilities were taken off-line by people shooting transformers through the wire fences around them.  However, we very rarely hear about this kind of attack while we know cyber systems are under attack all day everyday thousands of times a day. 

The reason cyber infrastructure is attacked more frequently than other types of critical infrastructure is that cybercrime (including attacks from nation-states) is immensely profitable.

We have an inherently vulnerable system housing incredibly valuable data. The vulnerable tech is the “how” of cybersecurity, but the upside-down economics is the “why” of cybersecurity and to design an effective public policy solution we need to address both.

The real issue is not that the technology is weak or flawed, but that the technology is under constant, insidious attack. If the economic realities of the cyber issue remain as they are, attackers will continue to attempt to steal, disrupt, or corrupt as much of our valuable data as they can.  The challenges to security in cyberspace are not just a matter of technical vulnerabilities, but also the result of economic decisions where there are too few financial disincentives for criminals and malevolent state actors, and too high a security cost for defenders particularly private companies who in the current environment are being asked to fend off sophisticated nation-state and state affiliated attackers.  To make things worse, the non-state criminal community is becoming, in many instances, as sophisticated as the state actors.

The 2022 edition of the “Verizon Data Breach Investigation Report” found that more than 95% of all cyber breaches are financially motivated. Even in non-financial acts of aggression (e.g., Russian attempts to disrupt the US electoral system, nation-state theft of national intelligence data, or hacktivist disruption) there is a profit and loss equation that the attacker uses to decide if and how to launch the attack.

For example, the Russian attack on the US electoral system was designed to generate a geopolitical profit for the Russians. Understanding that type of economic equation is critical to properly confronting the aggressor. Approaching cybersecurity from this economic perspective is crucial to developing an integrated cybersecurity strategy.

One of the greatest challenges for the modern economy is to balance the economic necessity of digital transformation against the risks of large-scale cyber insecurity and its attendant threats to personal data, intellectual property, and national security.

However, public policy discussions have been largely confined to the direct monetary cost of cyberattacks and fixing the immediate technical vulnerabilities.  While this calculation is important – and government needs to invest more in fighting cybercrime – it is not enough. We need a more comprehensive and effective strategy.

We need a strategy that not only considers the real technical issues of cybersecurity but also and equivalently the economic underpinnings of our cybersecurity problem.   Un-fun fact: cybersecurity is a matter of national defense and defense costs money. Moreover, government can’t simply shift the burden on its industry, especially when US industry is facing unfair competition from nation states like China who are massively cross subsidizing their tech industry as we have previously documented.  – that is not where the buck stops.

A national cybersecurity strategy worthy of this great nation needs to directly face and design a practical and sustainable digital strategy that both assures our national defense and our long-term economic viability.

How do we do that? Well, we have a few ideas we will provide (already in Fixing American Cybersecurity if you can’t wait for the blogs), but next up is an analysis of why our current approach is destined to fail. Stay tuned.

(Adapted from Fixing American Cybersecurity: Creating a Strategic Public-Private Partnership.)