One of the common themes across IT security, investment banking and finance is how to reduce risk. Now that President Obama has named cybersecurity a national defense issue, it’s important to review our nation’s security framework in a holistic manner. How can we reduce risk? What types of policies work? And what doesn’t work? Interestingly, we can examine our nation’s financial regulation, and the policies put in place to reduce monetary and investment risk, for some valid insights about what makes a good cybersecurity policy.
Why Is this so Hard?
Creating a cybersecurity policy is hard, largely because it’s so difficult to define success. The fact that you didn’t get hacked today means nothing. You could still be insecure and not even know it. Plus, there are many different parties and parts woven into our cybersecurity fabric – applications designed by one party, coded by another, using platforms from many software and hardware vendors and sitting on a network managed by another cadre of architects and vendors. In this labyrinth of players and layers, who is responsible for security?
The US has already tried a number of approaches to reduce risk, including:
Litigation and other forms of punishment
Testing and simulation
Examining the pros and cons of each can help define the best path forward.
Any business is familiar with regulation. The government hires people to write and enforce rules that, in theory, cause entities to amend their behavior in order to reduce risk. In the US, The Privacy Act, Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley (SOX), all contain regulations to support IT security and reduce risk.
Government regulation would seem to be a simple affair – bureaucrats design the rules and then enforce them across the public and private sector. Because they are technically employed by the taxpayer, they would appear to be unbiased in their efforts to minimize cyber-risk. But just in the financial sector alone, the regulatory space has become convoluted and sometimes corrupted.
Influential lobbying groups try to sway the rules in favor of their constituents. This can result in financial scandals like the Keating Five, when wealthy businessman Charles Keating leveraged five US senators to reduce regulatory pressure on his faulty savings and loan, eventually costing American taxpayers $3.4 billion to cover his losses.
Sometimes regulators become overly sympathetic to the entities they regulate and lose perspective. This can occur when regulators are lured to lucrative jobs in the private sector where their regulatory expertise and inside knowledge is highly valued. The back and forth between public and private domains tends to blunt regulatory zeal and impartiality.
Having a comprehensive, rigid set of rules to govern cybersecurity policy is one way to prevent lobbyists and other influential parties from getting around regulations or swaying them to their benefit. However, the fast-moving, ever-evolving nature of cybersecurity nullifies this approach. The financial sector is similar. Even with substantial and stringent regulations to fall back on, US financial regulators have continually remained behind market innovations such as basic derivatives, collateralized mortgage obligations (CMOs), highly leveraged transactions (HLTs), bond insurance and subprime mortgages. The lag time between new IT initiatives, technological and cybersecurity innovations and appropriate regulatory oversight could leave major loopholes.
Current IT security regulations have created incentives to address security issues, and some fines are tied to non-compliance. But they remain mostly ineffective at reducing risk in a meaningful way. Companies comply with the letter of the mandates, but rapid changes and complexity mean that cybersecurity regulations are incomplete and outdated almost as soon as they are introduced. As a result, a regulation-based strategy will not substantially contribute to improving a nation’s cybersecurity posture.
Litigation and Punishment
Civil litigation and other forms of punishment for not meeting regulatory standards can help encourage compliance – and ultimately contribute to reduced risk. But this is a slippery slope. It is far easier to outline punishment than it is to define and identify the crime.
Litigation also costs a lot of money. Corporate defendants ultimately pass those costs onto their consumers, while indirect costs for judges, jurors and courts are generally borne by society.
Little actual litigation followed the recent financial crisis because many of the problems were caused by stupidity, which isn’t against the law. The law also gives financial firms a fair amount of latitude in doing things that are not in the interest of their customers (buyer beware). The same could hold true for companies and their cybersecurity decisions. Although litigation and fines play some role in incentivizing organizations to maintain sound cybersecurity practices, they are not the sole means to reducing overall risk.
Insurance is an interesting concept for the cybersecurity space. Organizations engaged in a particular activity would purchase insurance from a highly rated, diversified insurer. For example, a power company’s cyber-insurance policy might cover compensatory payments to customers whose service is interrupted due to a cyber-attack.
An insurance-based approach enables the actuaries and insurance companies to judge the risk each company bears, and to set their premiums accordingly. It also pools risk across a diversified group. What’s more, consumers could choose to do business with firms that carry insurance (or not) at their discretion, making sound security practices more of a positive market differentiator.
The downside of an insurance model is that the perception of risk can swing wildly for insurance companies, depending on recent loss histories. Pricing can be volatile as a result. Plus, if a particular industry was hit with a string of cyber-attacks, it could wipe out insurance firms without enough diversification.
Risk-mitigating contracts are another idea borrowed from the financial services space. In this model, the federal government would contract with private entities to lessen their risk of being hacked. For example, the government would pay someone $100,000 a year for creating and hosting an application if it does not get hacked, and only $50,000 if it does.
In the financial space, rates on deposit insurance vary. Higher-risk firms pay higher rates and riskier non-bank pays even higher rates to borrow (if they can borrow at all). This approach does not work without the ability to accurately assess risk, which brings us to cybersecurity testing and attack simulation.
Testing and Simulation
Financial regulators have relied on testing in recent years, forcing large financial institutions to project their ability to survive losses based on varying assumptions. The same concept could be applied to cyber security, causing large and/or critical infrastructure-based entities to make projections about the ability to withstand a cyber-attack.
Penetration testing is already widely accepted. A formal cyber-testing and simulation model would take it to the next level, with government-funded or independent pen-testers probing systems for weaknesses and evaluating the risk of attack.
However, testing was a spectacular failure in the financial industry based on inaccurate assumptions and inability to predict the future. In cybersecurity, it’s difficult to create a true representation of a production system, so the dangers of testing must be considered. Pen-testers can accidentally damage production systems and cause the very harm that they are trying to avoid.
The idea of testing and simulation retains some merit. Combined with cybersecurity insurance and risk-mitigating contracts, it could ensure more dollars and attention are allocated for sound security practices.
The Best Path Forward
Viewed through the lens of the financial regulatory environment, a nation’s cybersecurity policy cannot depend on organizations to act in good faith, or for regulations to account for every cybersecurity loophole. In financial services and cybersecurity, the game changes too quickly for the rules to keep up.
The US has a strong record of coming up with new, innovative solutions, and American capitalism fosters creative destruction. A national cybersecurity initiative should harness these skills to define the goals we want to achieve and the incentives for the private and public sector to cooperate.
In the end, the Federal government may have to take the lead to create a successful, innovative security program. With funds at its disposal and no board of directors or earnings per share to meet, the government may have more freedom to experiment with different components of a cybersecurity policy. If some of the experiments do work, the private sector would certainly replicate them.