April 04, 2017
Shared Responsibility in Cybersecurity
What is the Private Sector’s Cybersecurity Role?
By George Platsis and Paul Ferrillo
The safety of the Internet is at stake. A relatively obvious comment, but one that is neither unfounded nor wrapped up in the hysteria that colours so many cybersecurity conversations today. Why do we say this? A simple reason really: the Internet is no longer used as it was originally designed, as a benign information-sharing tool, used primarily for knowledge and research by a select group of users. Today, and arguably for the last 15 or so years, the Internet has been a “wild west” with more and more actors entering it every day. The intent of these actors may be fairly obvious (we want to order something online and have it shipped to our door), or it may be shrouded in controversy and obfuscation, making attribution a seemingly impossible task.
Despite this environment, we still must go about our daily lives, unless of course we are willing to change them, which would almost certainly mean a lower standard of living.
The general rise in living standards over the last two centuries, especially in the West, is in large part connected to private industry’s success, and the success private industry enjoys is a function of a stable and secure environment. If we could for a moment remove ourselves from today’s realities and go back to the pre-Internet era, it is unreasonable to think that private industry would have been as successful had the security environment been one of constant unrest and instability.
If we limit our conversation to part of North America, the private sectors of both the United States and Canada have enjoyed much success because, outside of the War of 1812, the two countries have enjoyed peace and stability with each other. Similarly, England during the 18th and 19th centuries was able to become the global empire that it was because it was not connected to, and mired in, the constant strife of continental Europe, namely the long string of nation-state wars between the French, Prussians, Austrians, and other European powers.
We must qualify our comments: the United States, Canada, and England all suffered from their own internal social ills and were far from perfect (as can be said of every country today), but none of them, during their ascendency, was caught up in a constant state of battle against some external actor encroaching on its territory. This distinction matters, because if the reverse were true, as it was on continental Europe, state resources would necessarily have shifted toward defending the borders (taxes, manpower, innovation, you name it).
As a result, the private sector had a direct interest in maintaining peace and stability so that it could thrive. Implicitly or explicitly, the public and private sectors shared responsibility, which linked the security of the state to the well-being of the economy; the reciprocal also held, in that a well-functioning economy contributed to the security of the state.
Fast forward to today and the following question often gets asked: does private industry have an individual responsibility to protect national security interests, specifically by implementing good cybersecurity controls imposed by reasonable government regulation? This question is loaded with ideology, which we believe unfortunately drags a very legitimate question into the realm of political partisanship, hurting both the security of the state and the ability of the private sector to thrive.
Therefore, we reframe the question as follows: how can the private sector not have shared responsibility, given the government’s parallel responsibility to keep users safe from a cyberattack?
A Failure to Appreciate Asymmetry
Sober strategic thought suggests that if you cannot immediately defeat and subdue an adversary through overwhelming strength, using surprise, speed, and violence of action, your best course of action is to bleed your adversary over time and through asymmetry, by attacking their strengths. In the case of the West, our strengths are two: the economy and our democratic institutions (the latter of which we will not discuss in depth in this piece, as we are primarily focusing on the private sector).
Therefore, let us consider the realities of the last decade: a world increasingly experiencing asymmetric warfare on a variety of fronts. Both the literature and events on the ground have shown that terrorist organizations such as Al-Qaeda and ISIS recognize that asymmetric warfare works. In the cyber domain, most recently through the Yahoo account hacks, we see how just two identified individuals can unleash havoc on 500 million accounts. And we see the two problem sets merge where individuals are radicalized through the Internet and then carry out an asymmetric attack in the hope of striking our two core strengths.
We have paid the price for not addressing this relationship, and the interest on this unpaid debt is becoming suffocating. The result is diminished overall resilience and a reduced ability to project power.
Interestingly, those outside the West who employ these tactics may not fully appreciate that they are holding a double-edged sword. True, they are perhaps achieving success by weakening their external adversary, but even for authoritarian regimes, a single internal slip in their absolute control could very easily see these same tactics used against them within their own borders by their local population, and then amplified by external actors.
For All Our Analysis, We Still See Fog
What worries us immensely is the following: we may not have an accurate picture of how profound and pervasive the impacts of cybercrime are. In 2011 testimony, Gordon M. Snow, Assistant Director of the Cyber Division at the FBI, said:
“The potential economic consequences are severe. The sting of a cyber crime is not felt equally across the board. A small company may not be able to survive even one significant cyber attack. On the other hand, companies may not even realize that they have been victimized by cyber criminals until weeks, maybe even months later. Victim companies range in size and industry. Often, businesses are unable to recoup their losses, and it may be impossible to estimate their damage. Many companies prefer not to disclose that their systems have been compromised, so they absorb the loss, making it impossible to accurately calculate damages.
As a result of the inability to define and calculate losses, the best that the government and private sector can offer are estimates. Over the past five years, estimates of the costs of cyber crime to the U.S. economy have ranged from millions to hundreds of billions. A 2010 study conducted by the Ponemon Institute estimated that the median annual cost of cyber crime to an individual victim organization ranges from $1 million to $52 million.”
We believe that the inability, or at least the difficulty, of defining and calculating losses still exists today. Perhaps we have better metrics, but by no means are they good, particularly when so much still goes unidentified and unreported. To illustrate the point, in 2013 one study suggested that by 2017 the global economy would experience over $100 billion in cybercrime losses, with over 500 million users affected. But Steve Langan, chief executive at Hiscox Insurance, told CNBC in March 2017:
“In 2016 cybercrime cost the global economy over $450 billion, over 2 billion personal records were stolen and in the U.S. alone over 100 million Americans had their medical records stolen. This is an epidemic of cybercrime, and yet 53 percent of businesses in the U.S., U.K. and Germany were just ill-prepared.”
In both cases, money and persons affected, the estimates were off from the reported values by a factor of roughly four. How long would you keep your job if your estimates were off by a factor of four?
Face It: Cyber Criminals are Beating Us
Concurrently, as we continue to rely ever more heavily on the Internet for our daily lives, it is by no means unreasonable to assume that the losses are growing at an accelerating pace. The relative anonymity the Internet still affords allows sophisticated actors to launch their best and most devastating attacks without serious fear of consequence, given that identification, attribution, criminal responsibility, and the boundaries of jurisdiction are all hard, if not impossible, to define.
If these problems were not enough for us to handle, a compounding factor is that many arguments, both for and against government intervention, are ideological rather than factual, which is why we reframed the initial question. Keeping with our North American example, the US Congress and Canadian parliamentary standing committees have heard time and time again of the challenge we face, yet almost any legislative action seems to get bogged down by a history of ideological disputes.
From start-ups to major multinational firms, we still see too many that fail to recognize the financial and legal risk they are taking by operating on vulnerable networks, while cyber criminals have for years been forming private and trusted groups to conduct cybercrime.
Agreed, we suffer from a lack of qualified and educated personnel in the field, but this should not be an excuse. This comment was made years ago and it continues to be made today. Fine, we accept that the vast majority (over 80%) of those willing to take part in a study say that their organization has a cybersecurity skills gap, but this is truly broken-record (or MP3-stuck-on-repeat) talk.
Newsflash: given how fast this industry changes, especially as we try to make breakthroughs in artificial intelligence and machine learning, there will always be a skills gap. Private industry cannot keep using the skills gap as the reason it is behind.
Used in an entirely different context, Shimon Peres’ brilliant observation is applicable here: “If a problem has no solution, it may not be a problem, but a fact, not to be solved, but to be coped with over time.”
Our adaptation is not keeping pace with change, and it will not if we continue to employ the staffing methods we use today, such as hiring people with specific technical skills and professional certifications but little else, without the soft skills (communication, active listening, negotiation, and so on) and investigative minds the work demands. Therefore, some innovation in how we staff positions would be welcome, as indicated in this Senate testimony by Caleb Barlow in March 2017. This is one way to cope with the fact that we will always have a cybersecurity skills gap.
Furthermore, this fact, coupled with the macro issues identified earlier, is even more reason to work alongside government to ensure that truly joint public/private problems are addressed. Doing so gives us a better shot at meeting both short- and long-term challenges by having the right capabilities in place, and in the right place, to protect our public and private sector interests and needs.
A Shared Responsibility
So back to the original question posed: how can the private sector not have shared responsibility, given the government’s parallel responsibility to keep users safe from a cyberattack?
Let us present some obvious facts: our daily lives, economic vitality, and national security are interwoven through cyberspace. Nothing short of going back to a pre-WWII economy can decouple us from this reality.
Next fact: a country’s ability to project power is a function of its security and economy, and particularly of its continuity planning. Why include the continuity planning component? A simple reason: you could be the richest and most powerful entity in human history, but if you have no executable plan to respond to a potential death blow (say, your critical infrastructure going offline), projecting power and interests becomes a risky proposition.
Competent businesses have a plan to deal with disruption. For example, if a facility is hit by a natural disaster, in theory they should have a tested continuity plan that will minimize disruption (for example, cutting over to an off-site facility that can absorb the surge of traffic caused by the outage). Doing so is not only prudent, but good business (how long would you remain a customer of a bank whose services went down for days at a time whenever its basement flooded?).
But our interdependence has made this problem bigger than any one company can handle, and perhaps that is our Achilles’ heel: the thought that we, alone, can handle whatever cyber challenge is put in front of us. We feel this is a bit presumptuous; everybody, from elementary schools to the boardroom to the highest government offices, has a role to play. Back to Shimon Peres: this is not a problem we are solving, it is a fact we need to cope with over time.
In closing, we are not faced with a “whole-of-government” or “whole-of-industry” problem. Rather, we are faced with a “whole-of-nation” problem. Therefore, it is the responsibility not only of the public and private sectors, but of everyone, to take part in this undertaking: individuals, small businesses, NFPs, NGOs, and all their respective agencies. Our security and economy depend on our shared responsibility.