What I’ll Tell the G20 Cybersecurity Dialogue Meeting in Riyadh Today

February 3, 2020

By Larry Clinton

I’m honored to be one of about 15 outside speakers who have been asked to address the G20 Cybersecurity Dialogue — part of the G20 Digital Economy Task Force at their invitation-only meeting in Riyadh. I’m delighted that the world’s largest economies are launching an effort to look at our cybersecurity problems from an economic, as opposed to primarily technical/operations, perspective. This is what I intend to tell them, and I’m curious as to what the rest of you think.

First, we are losing the fight to secure cyberspace — and losing big. I’m pretty sure I’ll hear a series of reports on various programs people have undertaken to address the cyber problem — I might have a few of my own from ISA. That’s all great, but there is a dark side to all these lists of programs. When people hear these lists of programs — especially if they don’t follow cybersecurity everyday — they come away thinking we are solving the problem, or at least making good progress.

Nothing could be further from the truth.

According to RSA/HP, annual revenues from cybercrime are about $1.5 trillion. That means the cybercrime “nation” has revenues larger than several of the G20 member countries. According to the 2018 McAfee study, cybercrime is increasing at about 100% a year and the cyber criminals are as good technically as the best IT companies and employ the cloud, AI, and cybercrime as a service. Our legal and economic systems are much further behind in the cybersecurity field than are our technical systems.

Second, a major reason why we are losing the battle to secure cyberspace is that we have been thinking about cybersecurity in too narrow a context. Most people still think cybersecurity is essentially a technical issue and the problem is that there are too many vulnerabilities.

Obviously, there is a technical component to cybersecurity, and the technology certainly is vulnerable (last week, Oracle noted in a WSJ story that they had 150 million vulnerabilities just in their systems). But the vulnerabilities only speak to how cyber attacks occur, not why they occur. After all, our transportation systems are exceedingly vulnerable, as are our water infrastructure and our food infrastructure, yet we rarely hear of attacks on these systems. Cyber systems are attacked literally millions of times a day world-wide. Why?

The answer to why cyber systems are uniquely attacked so often lies in the incentive structure of the digital economy. Put simply, all the economic incentives in cybersecurity favor the attacker. Cyber attacks are cheap and easy to acquire; you can purchase them for a couple of hundred bucks on the dark net. They are enormously profitable, as noted above. The business model is terrific – you can use the same methods repeatedly on a world-wide target base, and there is virtually no law enforcement; we successfully prosecute maybe 1% of cyber criminals.

This is a perfect issue for the G20, the world’s largest economies, to address because cybersecurity is at its heart an economic issue. No list of ISO standards or NIST frameworks is going to solve this problem. We must realize that we are not in the industrial age anymore and industrial age policies will not work on 21st century problems. We are in the digital age. We need to rethink the economic structures and incentives to address the cybersecurity problem. For the most part we have not truly begun to analyze, let alone remediate, the cybersecurity issue from this perspective.

Third, we need to stop pointing fingers at each other and realize we are all on the same side. The cyber criminals are stealing personal data, corporate intellectual property, and national security secrets. Consumers, companies, and government are all on the same side.

While there has been constant rhetoric around the need for public-private partnerships, there has been precious little actual partnership development beyond rudimentary technical information sharing programs — which have largely not been independently assessed to determine their effectiveness.

While the criminals work extremely well together, we “good guys” are still operating our defenses in a reactive, sporadic, uncoordinated and vastly underfunded fashion. No wonder we are losing.

It will take serious thought, followed by real work, to design a cyber system that can compete with the criminals and nation states. To begin with, while we are all using basically the same internet, the public sector and (far larger) private sector address security risk management from fundamentally different perspectives.

For the private sector, security investment is primarily an economic issue. Everyone knows 5% of inventory is “walking out the back door” each month. Why doesn’t the private company hire more guards and put in more cameras? Because it would cost 6%. The private sector invests in security at a commercial level. The public sector has economic issues but also a range of non-economic issues (national security, public services, elections) and so the government has a lower risk tolerance than the private sector.

To make matters worse, it is the private sector that is often on the front lines of cyber-attacks. The attacks — even from nation states — are not confined to government or military targets. The attackers target hospitals, banks, utilities, etc. We need to devise a system wherein the commercial sector can fund cyber defense at a national security level. This cannot be done through unfunded government mandates as that kind of uneconomic investment would drive away capital and undermine the economy with enormous losses in jobs, innovation, services, and culture. On the other hand, we have real issues with government spending.

However, it is possible to develop market incentives at low governmental cost but high value to the commercial sector and thus begin to alleviate the cyber incentive discrepancy. In fact, there are models for doing this in other industry sectors which might be adapted to the cybersecurity space.

Rethinking the economic structure of our cyber systems seems to be a good job for the G-20 and we begin in Riyadh today.

What do you all think?