Altering the Economics of Cybersecurity

Tuesday, August 31, 2010

Anthony M. Freed

I recently had the opportunity to discuss information security issues with Larry Clinton, Internet Security Alliance (ISA) President and CEO.

ISA is a multi-sector trade association established in collaboration with Carnegie Mellon University in 2000. ISA represents an array of organizations concerned with information security from the aviation, banking, communications, defense, education, financial services, insurance, manufacturing, security and technology sectors.

ISA advocates a modernized social contract between industry and government, creating market-based incentives to motivate enhanced security of cyber systems, and provides its members with a range of technical, business and public policy services to assist them in fulfilling their mission.

The ISA mission is to combine advanced technology with the economic realities and help create effective public policy leading to a sustainable system of world-wide cyber security.

Mr. Clinton has led ISA since 2007, and is frequently called upon to offer expert testimony and guidance to the White House, Congress and numerous Federal Agencies on policy and legislative efforts.

We are extremely fortunate that Mr. Clinton has set aside some time from his very busy schedule to offer some insight into the critical role ISA plays in shaping the future of cybersecurity.

Q:  The Internet Security Alliance (ISA) and American National Standards Institute (ANSI) recently released The Financial Management of Cyber Risk: An Implementation Framework for CFOs (sponsored by Symantec) - what is the crux of the message your organizations are presenting in this report?

That many enterprises are not fully appreciating the financial risks created by poor cyber security, and therefore not making the needed investments to protect themselves.

Too many organizations simply view cyber security as an operational/technical issue when in reality it is much more. It's an enterprise wide risk management issue that needs to be tackled in a comprehensive fashion and not just outsourced to the "techies" in hopes that they will find a magical solution.

The fact is that virtually every department in a modern organization owns data---the finance guys have data, the HR people have data, the legal compliance people have data---but they generally don't think it's their job to secure their own data---that's the job of the IT guy at the end of the hall.

Unfortunately most IT shops are viewed as cost centers, which especially in tough economic times are already underfunded. These departments are carrying more responsibility and getting fewer resources, and many organizations are blind to the risk that creates for the enterprise as a whole.

Q:  How would you characterize the current state of cyber security and the effect it has on our economy?

It's very difficult to precisely assess the impact of poor cyber security on our economy but it is almost certainly enormous.  In 2004 the Congressional Research Service estimated that American businesses had lost $46 billion dollars due to poor cyber security.  When President Obama released his Cyber Space Policy Review in spring of 2009 it cited a study claiming US businesses had lost $1 trillion dollars just in the value of stolen intellectual property from cyber attacks in the previous year.

Even if we assume for the sake of argument that the study the President cited is off by $500 billion dollars that still means that American businesses lost hundreds of billions of dollars in intellectual property theft.  And that would not even take into account economic losses from downtime, inefficiency, customer dissatisfaction, or shareholder discontent following publicized breaches---which have been documented in the literature.

In addition, we know that many organizations have been subject to successful attacks but may not yet be aware that malware is residing on their systems.

We have to realize that virtually every aspect of our economic structure is now linked to and reliant on these modern electronic information systems. So by any measure the lack of cyber security is an enormous economic problem.

Q:  The ISA has long advocated market incentives as the best approach to security innovation - what role do you see the private sector playing in overall security efforts?

The ISA was founded on the assumption that since the private sector owns and operates the vast majority of the cyber systems it is their responsibility to take a leadership role in protecting it.

The private sector needs to continue to develop the technologies, standards and practices not only to drive innovation and digital service, but to protect it as well.

Probably the single most under-reported fact in the cyber security field is how well the private sector has done this job.  There are a range of studies going back years that show that if we would simply implement the standards, practices and technologies we have already developed we could prevent or mitigate the vast majority of cyber breaches.

Earlier this month the US Secret Service in conjunction with Verizon published a study showing that adopting existing best practices could have stopped 94% of the 900 actual cyber breaches they studied.

Q:  Free Market solutions to many security vulnerabilities are readily available, but how can we guarantee moving forward that the best products become the most widely utilized?

There are a range of issues that need to be addressed, ranging from the outdated corporate structures we discussed above, which inhibit the proper risk management of cyber security, to the seductive trade-off that exists between operating secure systems and operating ones that are completely user friendly.

But several studies have shown the biggest barrier to adopting effective cyber security practices in the corporate space is cost.

This problem is compounded by the fact that cyber security economics is not well understood---mostly due to the fact that people make simplistic assumptions that do not fit with the facts.

Perhaps the most common of these is the assumption that if enterprises are losing money from cyber attacks they will naturally make the investments to stop the cyber losses.

The evidence clearly indicates that is not correct.  All the evidence demonstrates that the number of cyber vulnerabilities, attacks and losses is increasing dramatically.  However, several large recent studies have also documented that between half and two-thirds of American companies are actually deferring or reducing their investments in cyber security.

We now know that many enterprises are mis-analyzing the effect of cyber security on the bottom line, and that's part of the problem.  We also know that many organizations tolerate a degree of insecurity, cyber or otherwise, after making a cost-benefit analysis and determining that although there are economic losses due to poor security, if the cost of becoming secure is greater they will tolerate the insecurity.

While this may be fine, even appropriate, for a corporation legally obligated to maximize shareholder value, it is clearly not in the public interest, and poor cyber security may even create---does create---significant national security issues.

So government does need to have a role.  It's just that government can't just try to impose 20th century (actually 19th century) models like regulatory mandates to a 21st century technology like the Internet.

ISA advocates a modern Social Contract wherein government assists in determining what practices work (much like they do with drugs at the FDA) and then provides the market incentives to bridge the gap between the corporate interest in security and the public interest.

Q:  SMB's, healthcare, legal, financial and in the education sector have all experienced an increased demand for information security, while their organizations are requiring budget cuts across the board - can smaller entities really expect they can afford to keep pace with hardware, software and the required expertise?

There was a time when some smaller companies assumed that they were too small to attract the attention of attackers.  However attacks are now often automated so size doesn't matter.  Indeed the recent research shows that smaller firms are every bit as likely to be attacked as larger ones.

And of course every small business in the world has the same goal---to become a big business.  So even if smaller firms could free up capital to bolster their cyber security, my guess is that most of these companies are far more likely to use extra capital for additional sales and marketing than for improved cyber security.

In addition, most of the cyber security apparatus that have been developed through things like ISACs are generally too sophisticated and require too great of a time commitment to be attractive to smaller companies.

The good news is that there is progress being made. For example the ISA has proposed an alternative information sharing model designed to provide smaller firms with easily usable data to protect themselves.  We were pleased when Melissa Hathaway cited our proposal in the Cyber Space Policy Review Obama published a year ago, but we have had a very hard time getting our friends at DHS to provide the government side of the assistance we need to make things work.  However, I'm happy to report that we now seem to have some traction on this proposal and I'm optimistic we can get something done.

However, in the end I think at least for smaller firms the best way to get them to enhance their cyber security is by integrating cyber requirements into government programs like SBA loans or even as tax credits.

Q:  This latest report is addressed to CFO's - is it difficult to effectively translate the vernacular of IT and network management into the language of enterprise-wide risk abatement?

Well, let's not just blame the IT guys for "geek-speak"---although they certainly do have a language of their own---and assuming everyone will learn that language is probably not going to work.  But so do the lawyers. And so do the finance guys.  In fact jargon is pretty endemic to most professions.

What we are really saying in our report is that all the entities involved in corporate cyber security---IT, legal, compliance, HR, finance, communications, operations---need to be taking responsibility for cyber security on an enterprise-wide basis.

We do specifically reference the CFO because s/he usually has cross departmental responsibility, but we note the job of leading the group could be given to another cross-departmental person such as the Chief Risk Officer.

The core of our approach is that everyone gets involved in an enterprise-wide cyber risk group with an enterprise wide cyber security budget and that they meet regularly to discuss and resolve their common problem. When they are talking together regularly they will learn how to communicate and the enterprise itself will be the better for it.

If one reads the chapters of our most recent publication, one of the things that jumps out at you is that each of these various departments has its own unique issues with respect to cyber security.  These need to be, and we think can be, melded together into a functional system that receives the necessary support from the entire organization.

Q:  How do financial regulations such as SarbOx and some SEC mandates relate to IT and network security decisions, and should they be reported as presenting a material risk to shareholders?

This is an area the ISA Board is very interested in, which is how can we elevate this discussion to the Board level or the shareholders.

We are currently looking into this topic as a potential "phase III" of our financial management of cyber risk project. Frankly we are looking for entities that might help us with this analysis.

As to the preliminary question of how SOX is affecting cyber security, we think there are mixed results. Clearly there was some low-hanging fruit that SOX may have initially helped harvest and thus created some improvements.  However, we are also hearing that the complexities of the regulatory and auditing systems are now having a counter-productive effect on cyber security.

In short, many organizations are now devoting their "cyber security" resources primarily to audit compliance, which does not necessarily correspond to improved security.  Indeed, by drawing resources away from actual security to focus on regulatory compliance we may well be weakening our security.

ISA is very interested in analyzing this area more fully and I expect we will have more to report on it in the future.

Q:  There seems to be little legal precedent established regarding liability in the electronic data access chain - what effect on security best practices will the courts have when they do finally weigh in?

This really depends on how the courts weigh in, and my own guess is that it may take quite a while to get a clear picture on the liability question.

The partisan divide in the cyber security field is between the consumers who say the vendors ought to be liable because they sell vulnerable systems and the vendors who say that no one wants to pay the cost of fully secured systems and the consumers typically ignore the vendors' suggestions about security.

So when a breach occurs who is liable?

I can see thousands of lawyers' children getting their higher educations financed as this question moves through the court system.

ISA believes a better answer is to develop a system wherein we use the market to motivate improved cyber security.  As I said above, we already know what works, we just have to implement it.  We also know that the main barrier is cost---and not that much cost at that.  Finally, we have a well-developed system of using market incentives, including procurement, awards, SBA loans, insurance etc., to successfully motivate pro-social behavior throughout our economy---in agriculture, aviation, environment, ground transport etc.  We simply need to apply these incentives to the cyber security space and motivate the practices and standards that we know will work.

Q: What's next on the ISA's agenda?

ISA's mission is to integrate advanced technology with business economics and public policy to create a sustainable system of cyber security.

Core to this notion is that we need to mature our understanding of this issue to appreciate that cyber security is as much an economic and strategic issue as it is an operational technical one.

So we are focused on altering the economics of cyber security.

The main reason we have so many attacks is all the economic incentives currently favor the attackers---attacks are easy, cheap, you can steal billions and your chances of getting caught are slim.

If we can increase the cost to the attackers and simultaneously increase the profitability of good cyber defense, we believe we can create the sustainable system of cyber security which will make our nation and our economy the envy of the world in the 21st century, just as we were in the 20th century.

Mister Reiner: This is a really good discussion Anthony. Probably the most intelligent and grounded perspective I've read in a long time. Thank you.
Neelabh Rai: Thanks for such an informative interview / discussion.
Prasanna Venkatesh CB: Nice read, thanks for sharing!
Rob Lewis: Indeed, a very thoughtful discussion.

However, one would be wrong to assume that adopting best practices would have stopped 94% of the breaches in the Verizon Report.

Attacks may still have been successfully executed by using more advanced exploits. Attackers simply have no need to pull out the elephant guns when pea shooters will currently do, but that does not mean that they are not available, especially if attacks are targeted.
Danny Lieberman: First of all, kudos on an excellent article.

One of the best I've read in a long time.

I do have several comments, if I may.

1) The costs, the reality and who actually pays

".. US businesses had lost $1 trillion dollars just in the value of stolen intellectual property from cyber attacks in the previous year."

"... that would not even take into account economic losses from downtime, inefficiency, customer dissatisfaction, or shareholder discontent"

First of all - where does the $1 trillion number come from? Is it a top-down multiple (like the BSA calculations of software piracy damage or the OEC calculations of economic damage from product counterfeiting)? If so - the number could be off not by 50% but by a few orders of magnitude. It's a lot like a guy with an idea for a startup going to a VC and saying he'll take 1% of a $10BN market which will give them a revenue of $10M/year after 3 years. In reality - they sell 0 the first year, they sell 1,000 units at $100/unit the second year and by year 3 they may have $500k revenue not $10M. These top-down calculations are problematic. See my articles - http://www.software.co.il/wordpress/2010/06/2010-fifa-world-cup-game-and-software-piracy/ and http://www.software.co.il/wordpress/2009/07/drug-counterfeiting-hype-or-health/

Second of all - what does "US businesses" mean? Does that imply that the Russians/Israelis/Italians/Iraqis have stolen US IP? Because if some of this IP theft is one global business attacking another - it's a zero-sum game. Perhaps the IP theft is not a net loss but a net gain - if the people who steal the IP do a better job monetizing. So I think that is also problematic as a general statement.

Third - who pays the bill? Downtime for the company and customer dissatisfaction are paid by two separate people, aren't they? I could probably make a reasonable case that security breaches don't cost US BUSINESSES anything while they are indeed costly for the customers they are supposed to serve.

2) Practical measures are best

I totally agree that practical measures aka "best practices" are the best and most cost-effective - like walking to the supermarket every day to get the milk instead of driving would reduce US rates of heart attacks by 50% (courtesy of Prof Jan Bruckner, Widener).

3) Not doing the analysis

Again - you're right on the mark. Here - most businesses, neither large nor small, do the calculation of how much value at risk they actually have on the table.

Finally - a recommendation.

In my experience with clients the past few years, doing risk assessments and data security projects - I have discovered that the CFOs, IT and security people can easily find a common language - a common language of threats.

I've written an article that Anthony published - https://www.infosecisland.com/blogview/3441-The-Tao-of-GRC-for-CISOs-and-CSOs.html

Thanks for a thought-provoking and insightful article.

Danny Lieberman
Theresa Payton: Great article & not much to add between the article itself and the great comments.

Some food for thought:

Due to the economics of asset protection / cybersecurity, many organizations find it challenging to build a solid business case that shows if you spend $1 on security, how it positively impacts the bottom line. Unfortunately, many times the business case looks more like you are paying for an event you hope never happens so the $1 looks like there is zero return. That leaves the business executive with the decision to spend that dollar knowing they have to make up that much more revenue on other initiatives. It is tough to build the business case so it can compete fairly with expense reduction and revenue producing initiatives. However, it can be done.

In addition, there are often low and no cost options that businesses can do that can add to their layers of defense. The low and no cost solutions typically focus on employee education, employee awareness, and well-defined, easy to follow data handling guidelines.
Anthony M. Freed: Great points Theresa and Danny - cost and return on investment always seems to be the ultimate factor in security decisions. Infosec Island is specifically designed to help channel the low- and no-cost solutions to those organizations that need it most.