Solarium Chairs are Right: We Need a Cyber Social Contract

May 12, 2021

Cyberspace Solarium Commission co-chairs Sen. Angus King (I-ME) and Rep. Mike Gallagher (R-WI) said Monday that the Colonial Pipeline attack “underscores the vulnerability of our national critical infrastructure in cyberspace” and “the disruption is a clear example of the need to create a new social contract between the Federal government and systemically important critical infrastructure.”

“Cyber social contract” is an amazingly pertinent and useful phrase that describes one of the basic philosophical premises of liberal democracy. It also carries interesting political/economic history, as the social contract was adapted by early 20th century policymakers as the basis for creating the very critical infrastructures – privately owned public utilities – that are the subject of this week’s cyber catastrophe: the Colonial Pipeline.

However interesting the history is, the truly important question is: If we are going to create a cybersecurity social contract, what are the terms of that contract?

Fortunately, several years ago the Internet Security Alliance published a book that just happened to be titled The Cybersecurity Social Contract, which very specifically lays out what the terms of a cyber social contract might be. We will describe some of the key terms below (the book itself is 260 pages), but the fundamental notion modern policymakers need to understand is that you don’t create a social contract via mandates. A social contract is, by definition, an exchange of value. Without a viable exchange, the contract will fail, and we really can’t afford that.

The genius of the original adaptation of the social contract, which created the privately owned public utilities, was an economic deal between the private sector and government to find a way to provide universal service of modern 20th century technology (distributed energy and telephone service) even to areas of the nation for which these services were economically prohibitive, such as low income and rural areas.

Without going into excruciating detail, the deal was this: The private companies agreed to build the infrastructure to provide universal service of these critical services. In return, government essentially guaranteed generous rates of return on their private investment. And it worked.  The model spurred a rapid expansion of 20th century technology much faster than the alternative government-mandated system in Europe, and that had a great deal to do with turning the United States from a second-rate world player into a legitimate world power by World War I and the world’s superpower by World War II. The economy grew, people got services, and the world was secure.

As times have changed and the internet is clearly a different entity than traditional utilities, the terms of the new cyber social contract need to be updated. In The Cybersecurity Social Contract, ISA lays out a 10-step program that government and industry might start with.

  1. We need to attack the cybersecurity problem with greater urgency. Of course, ISA said this in 2016, and we pretty much have been plodding along since then.  However, maybe in the year of SolarWinds, Microsoft Exchange Service, Colonial Pipeline and ransomware in general – totally out of control – maybe we will get that urgency – maybe.
  2. Government needs to recognize the importance of economics in cybersecurity. We don’t mean just the economic impact of cyber-attacks – we need to understand the economic causes of cyber-attacks. As Chris Krebs told the House Cyber subcommittee last week: “We are on the cusp of a global ransomware pandemic driven by greed.”  Analyzing technology without factoring in economics is as foolhardy as analyzing the economy without factoring in technology.  But there has been virtually no work on addressing the economic causes of the cybersecurity problem.
  3. Government must dramatically increase funding for cybersecurity. We don’t just mean increasing funding for government technical systems (although that need too has been longstanding). Government is charged with providing for the common defense. We are being vastly under-resourced compared to our major adversaries by factors of hundreds – some say thousands – to one. Cyber education needs more funding, cyber law enforcement needs more funding, and we must close the gap between commercial security expenditures and national security needs, and that gap needs to be filled by government.
  4. Government needs to be reorganized to reflect current digital realities. In the private sector (and government could learn a lot from the private sector – not just about tech but about organization), financial institutions have broken down silos to better address cybercrime. Modern techniques like agile management and speedy evaluation and use of metrics to gauge organizational effectiveness need to be brought to government – of course that will go up against the strongest force on Capitol Hill – turf.
  5. Focus more on cybersecurity from a law enforcement perspective. Colonial Pipeline is a criminal protection racket – Capone would be proud. The FBI’s budget is about the size of one of our larger financial institutions’ – about a half billion dollars.  Cybercrime grosses about $2.2 trillion.  Our valiant law enforcement personnel are literally outgunned and lacking the support they need.  For all the talk about the need for deterrence in cybersecurity – how about putting some of the criminals in jail?  We currently successfully prosecute 1 percent of cyber criminals, and it’s been that way for decades.
  6. Test government programs for success. One of the hallmarks of agile management is speedy evaluation of programs so modifications (or cancellations) can be made. There is virtually no systematic evaluation of any industry-facing government programs – including the vast regulatory apparatus that exists around cyber in most critical infrastructures – including utilities. In his excellent book, How to Measure Anything in Cybersecurity, Doug Hubbard reviewed the literature on major regulatory measures and found “there is no evidence any of them have actually improved security.”
  7. Government needs to prioritize working with smaller companies. DHS Secretary Alejandro Mayorkas said this week that we have seen a 300 percent increase over last year’s victimization of companies, and there’s no company too small to suffer a ransomware attack. Small companies lack the economies of scope and scale to withstand cyber-attacks and recent research shows the core reason is economic.  Yet the new infrastructure bill contains no money for enhancing cyber infrastructure for smaller companies.
  8. We need to modernize and streamline cyber regulation. Research, including a Government Accountability Office study put out just last year, shows that redundant and conflicting regulation – depending on sector – takes up between 40-70 percent of cybersecurity budgets. While many cyber problems – like securing emerging technologies and supply lines or competing with China – are overwhelmingly hard, streamlining existing regulation is just a matter of paperwork – tedious but very doable – much more doable than most cybersecurity tasks. Imagine if we could improve our use of scarce cyber resources by 40-70 percent. Also, this is a problem created by government and government can solve it – it just takes a little work.
  9. Develop market incentives to promote sound cybersecurity behavior. At DHS’s 2018 Cybersecurity Summit, Chris Krebs pointed out the core problem with securing critical infrastructure owned by the private sector. The private sector assesses security, appropriately, on a commercial basis, which is inherently more risk-tolerant than the government, which has needs such as national security. The question is how to fill the gap between commercial-level security and national-level security. This is where market incentives need to be deployed. Despite multiple commissions ranging from the House GOP Task Force on Cybersecurity to President Obama’s EO 13636 that have called for developing the appropriate menu of incentives, Congress has done virtually nothing to address this issue.
  10. Clarify the role of government in defending the private sector from nation-state attacks. Colonial proves not all sophisticated attacks are literally nation-state attacks but many, like Microsoft Server and SolarWinds and many others, are. For years, the cybersecurity community has noted that in terms of damage, cyber-attacks are indistinguishable from physical attacks, but whereas government would clearly pursue physical attackers on our soil, the same is not true in the cyber realm. This clearly makes no sense and needs to be resolved if a true – and much needed – partnership between government and the private sector is ever to be established. Answering that question is core to creating a cybersecurity social contract.

If the Solarium Commission, or government writ large, wants to create a Cyber Social Contract, here is a template they can start with.