April 26, 2023

One of the many activities at RSA this week has been a series of meetings on how exactly CISA can implement the big idea in the Biden Administration’s new national cybersecurity strategy, shifting the focus on cyber from the user to the providers of cyber technology.

Much of the talk around the new strategy has suggested that implementing this idea would require new regulations on hardware and software providers. However, the listening sessions at RSA have suggested that the traditional regulatory model may not be practical in this space. An alternative, such as using a procurement model instead of a compliance model, might be a better fit for the challenges and dynamism of cyberspace.

Developing a procurement model that could be applied in both the public and private sectors might generate the economic incentives for providers to enhance security without the truncating effects on innovation and utility that are almost guaranteed by trying to apply old-style regulations to the fast-paced, international, and highly differentiated nature of modern technology.

Of course, direct financial incentives such as those in the CHIPS Act or tax incentives come to mind quickly. However, these sorts of federal budget busters need to be used sparingly and in a very targeted fashion. Instead, the model should be the HOV lane. High Occupancy Vehicle lanes are an incentive that benefits both the consumer (getting home faster in traffic) and society (cutting down on auto-induced air pollution) without great direct government expense. Fortunately, there are a range of similarly clever ideas for market incentives in pharmaceuticals, the environment, and even physical security that need to be studied and adapted to make the secure by design concept a sustainably effective model.

The secure by design and default construct is a truly elegant idea capturing a major shift not only in liability for cyber events but in the core economic model for creating software and hardware. It is absolutely critical that, while attempting to enhance security, we do not impair this innovation and divert investment away from cyber technology. It has been these cyber systems that have been the basis of most of the economic, military, and social changes that are characteristic of the digital age. Cybersecurity is an important value, but it is not the only value, and it must be addressed in the context of the rest of our economy.

Although the packaging is unique, that core question — why can’t technology be shipped in a secure fashion like we demand of cars? — has been around for 20 years. While the messaging has elegant simplicity, the issue is extremely complex. The essence of the CISA sessions at RSA is that perhaps, finally, the idea has met its time.

One indication of the maturation of this debate is that we seem to have moved past the simplistic proclamations of earlier discussions. No one seems to be blithely declaring that if IT products were made more securely the market would reward the provider with growth and profitability. That is simply not true. It stretches credibility to suggest that all the IT providers — worldwide — have somehow missed this pathway to prosperity. It seems we may finally have come to the unhappy realization that consumers — including, by the way, the federal government — generally don’t want to pay for increased security.

Also pleasantly absent from the CISA meetings is the suggestion that creating secure products is really cheap and easy. Fortunately, there now seems to be recognition that there will be costs — both in terms of price and functionality — and that these inconvenient truths need to be addressed directly. There has never been much concern that products couldn’t be made more secure. Producers have always known that, for example, laptops could be made much more secure. The problem is that the result would be a $20,000 laptop that is really slow and that no one would want to buy.

The good news is that, this time around, CISA seems to appreciate that the economics of the issue need to be addressed equally and simultaneously with the technical issues.

The fast track to a secure by design/default model is to create HOV lanes. We need to develop incentive mechanisms that will reward providers for the costs of the pro-social effort to provide better security in their products. CISA is wise to reach out broadly to the community to develop economic models that will be compatible with the technology that will need to be deployed in a secure by design world.