The Internet Security Alliance held a luncheon at the National Press Club today to unveil their much anticipated recommendations to Congress and the Obama Administration regarding the future course of national cybersecurity policy.
The landmark report, entitled Implementing the Obama Cyber Security Strategy via the ISA Social Contract Model, is the culmination of nearly a decade of ISAlliance advocacy for market-incentive-based security reforms, and echoes their previous cautions against pursuing costly regulatory constraints.
As stated in an ISA press release earlier this week, the analysis provided describes:
“frameworks for creating a new, practical model for information sharing; addressing the international nature of cybersecurity issues; developing a market for adopting good security standards and practices; building a highly educated digital workforce; and managing the global IT supply chain, among other things.”
As the title of the document implies, the report is meant both as a response to the Obama Administration’s Cyberspace Policy Review and also as a followup to the ISA’s 2008 Cybersecurity Social Contract, which outlined several crucial areas of alignment as the logical jumping-off point for private industry and government initiatives.
From today’s report:
“A major focus of agreement between these two texts is the appreciation of the economics of cyber security and the need to properly deploy incentives to generate enhanced security within the private sector to serve the broader national interest.”
Central to the ISA's thesis is the rejection of the widely held notion that cybersecurity is an isolated technical issue that lies somewhere outside the scope of the broader economic picture.
The sobering evidence offered in the report thoroughly contradicts this pretense, noting that worldwide losses due to information security events are in the neighborhood of one trillion dollars annually.
Simultaneously, nearly half of the companies surveyed in another study reported plans to reduce security related expenditures in 2010, the report noted.
“Rewriting the economic equations currently governing cyber security issues is essential to creating the sustainable and evolving system of security that we will need to protect our nation against the emerging threats we are facing in the 21st century.”
How best to accomplish this herculean task is at the crux of the ISA’s recommendations.
The report likens the advent and importance of the Internet to that of the telephone and the national electrical grid in the early 1900s.
The efficacy of government policies at the time provided the necessary impetus for the private sector to invest resources to develop the national infrastructure beyond the scope of their own narrow corporate interests.
The ISA argues this approach by government and private industry was the catalyst for the rapid development and availability of these technologies that are so central to the nation’s economic engine, and should be mirrored by cyber policy today.
Also provided in the ISA report are stark warnings against the temptation to overly regulate an entity that knows no national borders, has no central administrative control, and obeys no government.
Complicated regulatory legislation discourages capital investment in new technologies, as investors fear subsequent government interventions may render their investments worthless.
Regulation also creates an expensive compliance component that typically does little in the way of solving the underlying problem, as exemplified by Sarbanes-Oxley (SOX): passed in the wake of the Enron scandal, it did nothing to prevent the Bernie Madoff Ponzi scheme revealed years later.
“The process of developing effective regulations is inherently time consuming; there is virtually unanimous agreement that any regulations specific enough to assure improved cyber security would become outdated soon after their enactment. Even more troubling than the low prospect a regulatory mandate model has for success is the fact that such a model would generate seriously negative economic and security consequences.”
The report proceeds to underscore the global nature of the Internet and the related threats to information security, emphasizing the economic disadvantage American companies would suffer if subjected to a system of monolithic statutes, contrived through vague legislation and applied across a broad spectrum of business sectors.
THE FINANCIAL NATURE OF CYBER SECURITY
One of the most difficult issues to relay effectively to the Boardroom is that of security, particularly because a great deal of the security battle is won preemptively, before the fight even begins.
And no one can say with any certainty whether or not that battle will ever be fought; nor can they guarantee a victory, regardless of the depth and breadth of their preparations.
While this uncertainty puts security professionals in a cold sweat as they contemplate the thought of unmitigated exposure, it also puts the bottom-line budget wranglers in the position of deciding how much security is enough security, seeing IT only as a cost center to be managed.
“Typically, the economics of cyber security are not readily transparent and they are poorly appreciated. When defensive investment is compromised by factors beyond an organization’s control, the motivation for continued investment is reduced substantially. Effective and sustainable improvements in our collective cyber security posture will stem from a comprehensive understanding of how to effectively motivate all players across our economic landscape to actively engage in proven best-practices in both their business and individual cyber activities.”
The report also notes the disconnect consumers suffer when presented with high interest rates and fees on their credit and debit cards, and news of major data breach incidents in the payment card industry.
Many do not realize those “hassle-free” dispute resolutions that absolve them of responsibility for fraudulent charges made on their accounts are actually hidden in the cost of the items they purchase, and can be as much as or even exceed the sales tax levied in many states.
“Consumers [have a] false sense of security due to the belief that personal losses will be fully covered by corporate entities (such as the banks), when, in fact, much of these losses are transferred back to consumers in the form of higher interest rates and consumer fees.”
The report from the ISA also makes it clear that the path to better information security is at best uphill, and echoes a sentiment common in national defense strategies: the bad guys only have to get it right once, while the good guys have to get it right every single time.
For the hackers and cyber spies it is literally a numbers game, with the bulk of their illicit scores coming from simple exploits applied across a large array of networks, just looking for that one weak spot, as opposed to more sophisticated attacks focused on any one particular target.
Either way though, the advantage definitely belongs to the criminals.
“Ultimately, with respect to cyber security economics, the dispiriting realization is that all of the current economic incentives favor cyber attackers:
- Cyber attacks are comparatively cheap and easy to execute.
- The profits that can be generated from cyber attacks are enormous.
- Because of the typically long distance physical proximity, there is very little risk of being caught or suffering retaliation.
- The cyber defensive perimeter is nearly limitless.
- Losses are difficult to assess.
- Defense is costly and often does not generate perceived adequate return on investment.”
A SUSTAINABLE MODEL OF CYBER SECURITY
The ISA report is far more than a cautionary device meant to highlight red flags and vulnerabilities.
The bulk of the seventy-four page report is dedicated to forward thinking strategies that align the multitude of singular efforts that currently characterize the infosec realm, while maintaining the free market independence and innovation that already provides protection from the majority of threats.
As noted in the report, numerous authorities agree that more than 80% of data loss incidents could have been prevented by following existing protocols and best practices.
The ISA maintains that the key to increased adherence to infosec best practices is the creation of an environment where security innovation will be rewarded by existing market forces.
This is readily evidenced by the success with which viruses and rogue malware are regularly neutralized by the private sector.
An argument could be made that the success of the likes of McAfee (MFE) and Symantec (SYMC) at protecting consumers' computers cannot be attributed to some cottage industry that arose out of regulatory compliance mandates.
The private sector works well in this virtual medium, where solutions can be applied to problems in a measure of minutes not months, and so the private sector should be employed to its fullest.
“While all of the frameworks described are already in some degree of implementation, they are, naturally, at varying stages, and each could benefit from further collective work. The issue areas are:
- Creating a new, practical model for information sharing
- Using incentives to develop a market for good security standards and practices
- Creating an enterprise education program to properly structure industry
- Addressing the technical and legal disconnect created by digital systems
- Managing the global IT supply chain
- Addressing the international nature of cyber security issues”
The overall tone of the report was very optimistic, but it made no effort to whitewash the very serious issues facing every industry from healthcare to energy, education to aeronautics.
Security problems pervade every aspect of the economy and our national security.
“An effective method of stimulating security would be to create a competitive market for the development and adoption of sound security practices, standards, and technologies. By creating a competitive market, the power of the market can be harnessed to motivate improved cyber security and, since many of the organizations targeted are international, improvements on a worldwide basis are quite possible.”
With a lagging economy, healthcare on the national docket, the need for new energy policies, and other looming national security issues such as war in two theaters and the emergence of new global threats, it remains to be seen whether cybersecurity can push itself further into the national spotlight on its own merits, without a catastrophic security event to propel it.
This report is undoubtedly an important step in the right direction.
The full text of the ISA report is provided in PDF: