THOUGHTS ON SECURITY BY DESIGN/DEFAULT FOR WORLD ECONOMIC FORUM 

November 20, 2023

Larry Clinton’s opening statement

Last week I was honored to attend the World Economic Forum’s annual cybersecurity conference and lead a session on demystifying the economics of secure by design/default (watch the introduction above). I want to thank, and congratulate, the Forum for creating this session. This topic lies at the very essence of the new direction in cybersecurity policy embodied not only in the new US National Cybersecurity Strategy, but also internationally. An abstract of my opening remarks is pasted below. The Forum operates on a clear Chatham House Rule basis, so the text below reflects just my opening comments and does not necessarily reflect anyone else’s views.

I’m Larry Clinton, President and CEO of the Internet Security Alliance. For those of you who don’t know the ISA, it’s sort of an international, multi-sector trade association/think tank. Our mission statement is to integrate advanced technology with economics and public policy to create a sustainable system of cybersecurity.

And we have our own theory about cybersecurity. It’s called the Cybersecurity Social Contract Theory. One of its major tenets concerns why we aren’t making adequate progress on cybersecurity – and we are not making adequate progress; actually, things are getting worse. I think we all know that. But we need to know why. We believe a major reason is that we have been thinking about the cybersecurity issue in too narrow a context. The vast majority of focus has been on technical operations. Of course, there is a major technical operational component to cybersecurity – but it’s not the entire issue.

After all, the technology is just HOW the attacks occur. To really make adequate progress we need to also address WHY the attacks occur. The WHY behind virtually all cyber-attacks is economics. From a security perspective the economics of the digital age are upside down. All the incentives favor the attackers. Attack methods are cheap and easy to acquire. The profits are enormous. The criminals have a great business plan – and they tend to be pretty smart businesspeople too. Formidable adversaries.

On the defender side we are defending a massive system that holds an even more massive set of vulnerabilities. It’s hard to demonstrate ROI on things that have been prevented, and we get extremely little deterrence from law enforcement – we successfully prosecute less than 1% of cyber criminals every year.

The core economics of the IT economy are also misaligned. The core philosophy of the IT industry for 30 years has been to get the product to market quickly and fix things later with patches and updates. That’s one of the reasons we have that truly massive system of vulnerabilities I just mentioned.

Fortunately, earlier this year a group of 10 international agencies – including in the US government – began advocating for a substantially different approach, noting that only the largest enterprises, with substantial economies of scope and scale, are capable of defending themselves adequately from modern, sophisticated cyber-attacks. As a result, the new approaches suggest we ought to reorient our strategy away from the traditional blame-the-victim approach and instead focus on the providers of the products – which I feel is a manifestation of sophisticated risk management theory.

They propose we upend the core approach to IT development and business practice, which focuses on speed to market, and insist that IT products be made already secure by design and default.

Now THAT’S a big idea. 

I like big ideas. 

But someone once said every big idea eventually devolves into actual work. 

And that is the focus of today’s panel. How do we take that big idea of secure by design and default and make it actually work?

Do we need to change the market? 

Do we need a government mandate?  

What kind of mandate might work in the intensely competitive international IT market? 

Would market incentives be better?

What incentives? 

How are the costs balanced? 

And we need to be mindful this is no small thing. Virtually all the progress we have made in the last 30 years is in one way or another tied into the revolution created by these self-same information technologies. Our economy, our national defense, our culture – for better or worse – have all been changed by it.

We need to find a way to secure by design and default that doesn’t topple the whole apple cart (no pun intended). We need to design a system that enhances security but does not excessively impede innovation, job creation, and America’s role on the world stage.

If the result of secure by design and default is $10,000 laptops that are really slow and that no one wants to buy, we may not only have shot ourselves in the foot, but we could run the risk of crippling ourselves in the competitive world order.

ISA has been working with our government partners to define a set of principles for a secure by design/default policy (LINK) and a set of best practices for implementing secure by design (LINK).

We have taken these principles and practices and broken them down into a series of questions for our panel. When we have concluded the panel, we will then go to the audience, and we invite not just questions but statements.