Today Howard Schmidt meets with Secretary of Commerce Gary Locke and Department of Homeland Security Secretary Janet Napolitano to discuss ideas for changing the economics of cybersecurity. Howard knows his stuff, and recognizes that this isn’t a technology problem, nor something that can be improved with some new security standard or checklist. Crime is a function of economics, and electronic crime is no exception.
I spend a lot of time thinking about these issues, and here are a few simple suggestions to get us started:
- Eliminate the use of Social Security Numbers as the primary identifier for our credit history and for access to financial accounts. Phase the change in over time. When the banks all scream, ask them how they do it in Europe and other regions.
- Enforce a shared-costs model for credit card brands. Right now, banks and merchants carry nearly all the financial costs associated with credit card fraud. Although PCI is helping, it doesn’t address the fundamental weaknesses of the current magnetic stripe based system. Having the card brands share in losses will increase their motivation to increase the pace of innovation for card security.
- Require banks to extend the window of protection for fraudulent transactions on consumer and business bank accounts. Rather than forcing some series of fraud detection or verification requirements, extending the window during which consumers and businesses aren’t liable for losses will motivate the banks to make the structural changes themselves, for example by requiring transaction confirmation for ACH transfers over a certain amount.
- Within the government, require agencies to pay for incident response costs associated with cybercrime at the business unit level, instead of allowing it to be a shared cost borne by IT and security. This will motivate individual units to better prioritize security, since the money will come out of their own budgets instead of being funded by IT, which doesn’t have operational control of business decisions.
Just a few quick ideas to get us started. All of them are focused on changing the economics, leaving the technical and process details to work themselves out.
There are two big gaps that aren’t addressed here:
- Critical infrastructure/SCADA: I think this is an area where we will need to require prescriptive controls (air gaps & virtual air gaps) in regulation, with penalties. Since that isn’t a pure economic incentive, I didn’t include it above.
- Corporate intellectual property: There isn’t much the government can do here, although companies can adopt the practice of having business units pay for incident response costs (no, I don’t think I’ll live to see that day).
Any other ideas?
17 Replies to “Simple Ideas to Start Improving the Economics of Cybersecurity”
Your theory depends on the losses being incurred by the target company, but that’s only a small part of the problem.
Most of the problems regulations are needed to address are those where the successful target of the attack is not the one that suffers the most losses. For example, losing a credit card or SSN. The real losses are borne by the person with the SSN, or various banking entities with the CC#, not the exploited company.
The economics thus tell the company to not worry about security, and keep all breaches secret to avoid any reputation damage. The good of the company is not aligned with the good of society.
Thus we use regulations to balance out the economics and make it in the interest of the company to protect the assets.
Without regulations we’d have BP-like spills on a regular basis and the companies would just spend a lot on PR to pretend it wasn’t their fault. Same with the financial system and a host of other areas.
I’ll take my big government. It’s either that, or I let a series of for-profit private businesses obsessed with keeping their stock price up control everything from the environment to our health care.
But putting the politics aside, from a purely economic perspective I can’t see how a complete hands-off from the government will result in protections for customers.
As for IP loss, I’m with you. Let any company lose what they want, unless it’s classified information or critical infrastructure; in those cases *the company* actually does bear the losses and the economics work themselves out.
In response to Ivan and Rich. What I think should be done: We continue to speak and consult as security professionals and point out the cost offsets that are had by defending data and ensuring CIA. Companies understand this when the concepts, as you so eloquently state them, are focused sharply on risk avoidance. The process works, albeit slowly as you know, as we all know.
I think getting behind government legislation that grants them more and more control over how private business operate just to speed up the implementation of security measures we’d like to see is the wrong thing to do.
Ivan says: “More security inevitably means more cost and a reduction in return on capital mostly because risk-adjusted RoC is rarely used and even if used generally it does not account for infosec risk.
The question then is, who is supposed to pay for the improvement of the overall security posture?”
You may be right, Ivan, but if the US government changes its current course and begins to use policies that promote private sector economic growth, eases up on taxes so companies can retain more of their profits, and exerts less actual control on the companies, then we’ll see those businesses with more cash on hand to spend on security and other things they deem necessary. On the other hand, if government continues to tighten its grip, companies will continue to shrink, the economy will continue to contract, and you and I will feel the pain as consumers and consultants and employees. It is very, very simple.
Again I say, we should all vote for smaller and less intrusive government, let the wonderful thing called Capitalism work the way it is supposed to, the way it did before government started fiddling with the controls, and we’ll all have plenty of work, plenty of money and companies will – will – do what they have to do to stay competitive, and sometimes that means spending more on security innovation.
Dear hspcd,
I hope you realize that your comment does not provide any contribution to the topic. It is chock full of ideological bias but devoid of any actual proposal for solutions. You are just talking about the things that should not be done and the people that should not be proposing solutions, but you do not actually propose anything.
What do you think should be done? (As opposed to what shouldn’t.)
More security inevitably means more cost and a reduction in return on capital mostly because risk-adjusted RoC is rarely used and even if used generally it does not account for infosec risk.
The question then is, who is supposed to pay for the improvement of the overall security posture?
Not all SCADA systems are online, and many of the ones that are can be more isolated without material impact on the business. There are plenty of better options to virtually air gap these systems in ways that still support critical business functions, but don’t have the darn engineer responding to phishing attacks from the same system they use to control their bit of the power grid.
Great ideas, and I think we are starting to see the earliest edges of this appear as more companies are reporting IT security risks in their filings.
Not many, but there is clearly precedent for what you are proposing.
Respectfully, your response appears based on pure ideology that “all of x is bad and y is good”, which is something, as a skeptic, that doesn’t work for me.
Separating the role of governments from society on these issues is impossible. Not all regulation is “socialism”, a word that is rarely used in accordance with its actual meaning.
In the real world, when talking about cybersecurity, it is impossible to ignore issues of policy and the role of government. Especially when evaluating the economics. And let’s be honest, it is economics, not technical controls, that can really impact our security.
After reading this I felt the need to address your comments on Critical Infrastructure/SCADA. First, air gapping is not really possible in today’s environment. Too much information is passed between entities to keep things running for this to be possible. As someone who has to live under the current level of controls (read compliance here), I will tell you that the implementation is not about security, but about compliance. I have seen many cases (including my own) where the compliance department is larger than the security department (or the implementers). Unfortunately, we spend tons of time in my corporation being compliant, NOT secure (and we are not alone).
So, if we are more prescriptive then compliance costs and time will rise, but given what I’m seeing today the benefit to actual security will be flat or diminished (and the benefit to auditors and compliance would be significant). Granted, compliance compels companies to spend money, but only to be compliant (not secure).
Maybe the government should take a page from their own playbook (FISMA), and instead of generating reams of information regarding compliance and still having significant intrusions, hold people accountable for the intrusions. Then when an intrusion occurs, look at their program to determine if and how much they should be fined (and the potential fines would be much, much higher). If companies had a model like that regulating them, then more money would be spent on REAL security and not paper-pushing activities.
I agree with Ivan, “All stick and no carrot will not work.”