Treating Cybersecurity as an Economic Issue: Three Levels of Policy Action

June 4, 2021

This post is a one in the “Rethink Cybersecurity” series. Additional posts in this series are available here

On May 11, the chairs and ranking members of seven congressional committees that have jurisdiction over cybersecurity wrote a joint letter to National Security Advisor Jake Sullivan stressing that “cybersecurity is no longer just an ‘IT issue’ but instead an economic and national security challenge.”

This is a potentially seminal moment in U.S. cybersecurity policy development.  One of the major reasons we have not made more progress in creating a secure cyberspace – and we are arguably not making any real progress, as things are just getting worse and worse – is that most public policy has considered the issue through an excessively narrow a lens as simply an operational/technical issue. While obviously cybersecurity has important technical and operational components, tech is not the entirety of the issue.  In their classic work “The Economics of Security,” Anderson and Moore determined: “We find breakdowns in information security is caused at least as often by poor economic incentives as by bad technological design”

As the old saying goes: To a hammer, everything looks like a nail. If we are only looking to technologies to address the problem, we are only going to get technology answers.  What the leaders of the seven congressional committees are now saying is that we need to be looking at the cyber issues in a much broader context.

All this, however, begs the next question. What exactly would it mean to infuse cyber policy with more economic analysis? 

As a starting point, we are presenting three different (albeit interrelated) levels for infusing economics into cybersecurity policy. These efforts range from programs that would be comparatively quick (although not necessarily easy) to implement to more sophisticated projects that will take more time and some research. However, all three implementation levels can be initiated in the current Congress and offer hope for finally turning the advantage more to the defenders in both government and industry.

The first, and the easiest, fastest, and least expensive, level for injecting economics into cyber policy is by addressing government administrative issues. This would begin by injecting modern management systems, which are already being adopted in leading corporations, into government agencies. For example, most leading companies have now taken cybersecurity out of the control of the technical operations units and elevated it to a strategic management team including, but not dominated by, IT – often at the board level. In addition, agile management techniques including early and systematic evaluation of programs for effectiveness and cost effectiveness need to be implemented. Ironically, these sensible steps are often skipped in government – ostensibly for efficiency – when the lack of systematic evaluation and modification lead to inefficacy and waste. We can’t afford this waste in cybersecurity because of the criticality of the threat and the lack of adequate resources. Yet, due largely to government’s unwillingness to address its own “turf” issues, these problems persist.

Beyond the need for early and systematic program evaluation, there are also structural reforms to cyber programs to eliminate legacy silos.  Again, government can take a page from the private sector in this regard. For example, several major financial organizations have instituted structural reforms in their own cybercrime operations that have yielded cost savings and improved effectiveness.  Many of these can be adapted to the government’s cyber law enforcement efforts. This may include developing a more integrated budget for fighting cybercrime and by breaking down outdated bureaucratic lines, such as between military and civilian law enforcement that make little sense in the digital age and inhibit efforts to prevent attacks. 

Additional efficiencies can be generated by reforming cybersecurity regulation. Government studies have shown for example that as much as 70 percent of cyber regulation applied to states and localities, which already have strained cyber budgets, are redundant or conflicting.  Studies in the private sector demonstrate a similar degree of waste of scarce cybersecurity resources. Government can put a stop to this practice by the Office of Management and Budget simply demanding all new regulation be certified as not being redundant to existing regulations and then funding research to find and eliminate the current redundancies and conflicts.  In addition, the method of cyber regulation – typically a long list of technical requirements – is neither economically nor risk based.  In recent years, more sophisticated cyber risk assessment methods such as FAIR and X-Analytics have been developed, which can far more accurately determine the appropriate cybersecurity action a specific enterprise ought to be taking.  These methods should replace the antiquated checklists.

A second, more complicated level implementing economics into cyber policy would come from realistically addressing the gap between commercial and national security risk assessment and spending. This gap is highlighted and discussed as appropriate in the National Infrastructure Protection Plan. Simply put, private entities assess security, as they should, on a commercial basis, in part to attract capital.  This commercial basis is more risk tolerant than government assessments. This is because government has needs beyond economics such as national security. The problem is that in the digital age government and industry are both using the same systems including for critical infrastructure. As a result, private institutions are on the front lines of cyber-attacks from nation states and criminals who are often nearly as sophisticated as the nation-states. These attacks will typically overwhelm a reasonable commercial-level security system. It is simply unsustainable to expect, or require, these private firms to continually make uneconomically justified security investments. Uneconomic security investments would drive capital away from investing in U.S. critical infrastructure.

Government agents, including members of the House and Senate, blithely asserting that industry is not being appropriately “accountable” because they are making their security investments based on commercial needs are literally “passing the buck” and shirking their own governmental responsibilities to provide for the common defense. It also bears noting that the private sector spends far more on cybersecurity than does government and is increasing their spending at a far faster rate than government. Making cheap political points by pointing the finger at industry is not only wrong but counterproductive, as what needs to happen is the development of a far more fulsome government-industry partnership. This begins with candidly appreciating that government and industry have legitimately different basis for cyber risk assessment and developing a model that works for both.

This more fulsome public-private partnership should not base on the traditional and adversarial regulatory model. Industry will have to accept its new responsibilities and government will need to accept that national security cannot be simply shifted to the shareholder. For smaller players involved in the critical infrastructure supply chain, perhaps a form of direct funding or tax credit might work. However, for the larger entities government and industry will likely need develop incentive-based systems that create economic benefit to good actors without excess expenditure by government. Fortunately, there are incentive models like this in various elements of the economy that may be studied and adapted based on the work of the proposed new partnership model. Unfortunately, government has done virtually no work on developing a realistic digitally sensitive economic model for industry-government collaboration.

A third level of economic analysis is needed to assess systemic cyber risk.  Systemic cyber-attacks, such as SolarWinds, is an attack that targets an entire system, not a specific entity. The overwhelming majority of research and government activity on cybersecurity has been heretofore focused on entity security, not systemic security. Obviously, these systemic attacks can be catastrophic. In addition, the economics, and hence the appropriate government policies, involved in systemic attacks is entirely different than those for entities. Moreover, the ability for the government to access the data to properly analyze and address these risks is far more limited than it is in various elements of the private sector – such as the insurance industry.  Unique public-private partnerships – quite different from the traditional forms – may well be required to address this issue. However, industry is ready and willing to engage in these efforts, which would address government and industry’s needs in a collective defense model. Happily, some efforts at the Cybersecurity and Infrastructure Security Agency have been initiated.

Join the Rethink Cybersecurity Community click here