February 07, 2013

Time to Change the Rules of the Cyber-Security Game

Cyber criminals and spies are breaking into companies and government agencies on a daily basis.

The last few days have highlighted yet another series of such cyber-crimes, this time against the New York Times, Wall Street Journal and the Washington Post.

Such incidents are going to continue until something fundamentally changes.

Cyber security incentives are badly misaligned. Ultimately, cyber security is about people. We cannot hope to improve the current situation without some consideration of the factors that underlie human behavior.

Cyber criminals can make millions of dollars with little effort, while defenders can spend millions of dollars and have little to show for it. As a result, criminals are highly motivated and dynamic, while defenders are often frustrated or resigned to following checklists of industry best practices that have limited value against sophisticated adversaries.

Reversing these incentives requires changing the cost-benefit calculations for both parties — by raising the costs for attackers, and increasing the benefits for defenders.

Progress in three key areas can help change that calculus and realign incentives: technical solutions, legal frameworks and international relations.

Technical solutions can help change the cost-benefit equation.

Current trends favor the attacker: new technologies roll out to meet market demand without good security built in, and even well-designed products carry inherent vulnerabilities. The iPhone 5 was hacked within eight hours of its release.

This makes it all too easy for criminals to exploit the latest gadget or piece of software. However, technology can also help solve this problem. Software can be made more secure if it is in companies’ interest to make it so. Innovative companies are developing new solutions to help secure our data and networks—such innovation should be encouraged by all means necessary.

The federal government can play an important role by incentivizing desired innovations and by funding basic research and development that is often absent in industry. A great example can be found in DARPA’s Fast Track program, which focuses on distributing funds within days (record time in government circles) to companies that do not normally do business with the federal government.

Technology is important, but it operates within a legal framework that controls which actions are permissible and which are not. Many of the key laws in place today are decades old and are not well suited to the current technological landscape.

Because the pace of technological innovation outpaces the rate of legal maturation, the gap we face today will only grow worse as the next generation of technologies—including cloud computing, social media and mobility—becomes even more pervasive and interconnected.

This divergence creates an uncertain legal climate that hinders defenders from sharing information and taking proactive steps to protect their networks. Policymakers must update the key laws pertaining to cyber-security to provide more clarity on what is allowed and, where appropriate, to strengthen the ability of defenders to take effective action against an increasingly sophisticated set of aggressors.

It is also important to utilize the rule of law to punish those who harm the economic and national security interests of our country. The Justice Department recently announced that it is creating a program to train cyber-security specialists and deploy them to U.S. Attorneys’ offices across the country. It has also worked closely with companies like Microsoft to take down networks of computers that enable cyber-crime. These are positive moves, and the government should take more steps that hold aggressors—be they individuals, groups, or nation states—accountable for their actions.

Finally, changing the cost-benefit equation must include international efforts.

Changing incentives within the United States will have little impact if criminals can operate with impunity in other countries. Unfortunately, current diplomatic efforts to establish norms are not faring well due to fundamental disagreements about the nature of cyber-security and the role of governments in controlling Internet access and content.

The U.S. needs to consider taking more aggressive action to hold foreign organizations and nations accountable for cyber activities that cause serious economic harm to our country. Such actions could include sanctions, visa restrictions, criminal charges, and a range of other options.

The bottom line is clear: managing cyber-security risks is an inherently difficult task, but progress can be made if technical, legal, and policy aspects of the problem are aligned and focused on changing incentives.

Irving Lachow is a Senior Fellow and Director of the Program on Technology and U.S. National Security at the Center for a New American Security.