How To Change the Economics of Cyber

Chris Inglis, the current National Cyber Director, recently commented that the cost of entry for cyber aggressors is far too low and that he does not see it changing any time soon (https://www.meritalk.com/articles/ncd-inglis-cost-of-entry-for-cyber-criminals-still-far-too-low/). Those who have read my past articles know that I have frequently argued that the primary way to change the cyber landscape is to change its economics. That argument started with my first article in 2018 on why the White House Cyber Czar should be an economist (https://www.dhirubhai.net/pulse/why-next-white-house-cyber-czar-should-economist-chip-block/) and has continued in several other articles and posts since.

A key point in changing the economics of cyber is that it involves more than the techie crowd in the back room. It involves changes across all sectors, from finance to legal to business operations. It also means working both sides of the ledger: increasing the cost to the attackers and decreasing the cost to the defenders. The solution cannot simply be to spend more money on defense; that hits the bottom line of every organization and eventually becomes unsustainable.

Although there is a long list of items that could change the economics of cyber, a few are achievable in the near term and sit at Mr. Inglis' level to address.

Devalue the Data

Devaluing data always gets an odd look when I say it, but I believe it is the most critical item that needs to be addressed. The concept is also viewed warily because it conflicts with many of the objectives of the artificial intelligence and machine learning (AI and ML) community. The objective is to reduce the value of a successful attack while increasing the cost to the attacker, by changing how data is stored and accessed.

Right now, the dominant architecture across most enterprises is the consolidation of data into large data stores and data lakes, so that new knowledge and features can be mined from massive data sets. These giant stores never go away and are central to almost all applications, which is great for the AI and ML worlds. Though this is good for application development and knowledge discovery, it is the perfect economic driver for attackers. If the aggressor reaches the data store, they get enormous value, and they can also lock down an entire enterprise with a single ransomware attack.

The primary method for protecting these giant data stores is network driven. Access to the data lakes is granted through standard identity management techniques. If the data store is encrypted at all, the entire store is usually encrypted under a single key, so it can be compromised if one credential is hacked or stolen. Network controls and store-wide encryption slow the attacker down, but if the attacker succeeds, it is party time with tons of value.

Devaluing the data means changing the architecture so that if the attacker is successful, their return is limited. Cracking one identity, or getting access to one data location, returns limited value. This applies not only to data stores but also to email, chat, and every other piece of data. To achieve this, the security has to be built into the data, not just the network. Michael Conlin, the first Chief Data Officer of the Department of Defense, and I wrote a paper on this a while back, which can be found here (https://evolverinc.com/evolving-cybersecurity-moving-toward-a-data-aware-model/). This approach embeds security into the data itself, instead of relying purely on network security.

Since writing the paper with Michael in 2020, several things have progressed that make our approach much more achievable, including technologies such as Galaxkey from the United Kingdom. Furthermore, the move to Zero Trust Architectures (ZTAs) directly aligns with the data-driven cyber approach. In fact, I strongly suggest a "data pillar first" approach to ZTA for this very reason. Capabilities such as data microservices are now possible and can also move this concept forward. So, the first recommended step in changing the economics of cybersecurity is to devalue the data.
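To make the economics concrete, here is an added illustration (not code from the article, from the Evolver paper, or from any vendor named above) of the difference between a store encrypted under one key and a store where every record carries its own data key. It assumes a stolen credential hands the attacker whatever keys that credential was authorized for, and it keeps the per-record keys in a dictionary as a stand-in for a key service that would normally hold them wrapped and authorize each one separately. The cipher is an HMAC-SHA256 keystream with an HMAC tag, used only because it needs nothing outside the Python standard library; a production design would use a vetted AEAD such as AES-GCM.

```python
"""Blast radius of one leaked credential: store-wide key versus per-record keys.

Added example, not the article's own code. Crypto below is a standard-library
stand-in (HMAC-SHA256 in counter mode plus an HMAC tag), not a production cipher.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream using HMAC-SHA256 as the PRF."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Layout: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; wrong key -> ValueError."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class SingleKeyStore:
    """The pattern the article warns about: the whole store under one key."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)
        self.records: dict[str, bytes] = {}

    def put(self, record_id: str, data: bytes) -> None:
        self.records[record_id] = seal(self.key, data)

    def keys_for(self, record_id: str) -> dict[str, bytes]:
        # Any grant, for any record, hands over the one key that opens everything.
        return {"store": self.key}


class PerRecordKeyStore:
    """Security built into the data: each record sealed under its own key."""

    def __init__(self) -> None:
        self.records: dict[str, bytes] = {}
        self.data_keys: dict[str, bytes] = {}  # assumption: stands in for a key service

    def put(self, record_id: str, data: bytes) -> None:
        data_key = secrets.token_bytes(32)
        self.data_keys[record_id] = data_key
        self.records[record_id] = seal(data_key, data)

    def keys_for(self, record_id: str) -> dict[str, bytes]:
        # A grant exposes only the key for the record that was authorized.
        return {record_id: self.data_keys[record_id]}


def blast_radius(store, leaked_keys: list[bytes]) -> int:
    """Number of records an attacker can decrypt holding only leaked_keys."""
    opened = 0
    for blob in store.records.values():
        for key in leaked_keys:
            try:
                unseal(key, blob)
                opened += 1
                break
            except ValueError:
                continue
    return opened


def demo() -> dict[str, int]:
    """Constructed sample records; one stolen credential authorized for one record."""
    records = {f"patient-{i:03d}": f"constructed record {i}".encode() for i in range(10)}
    results = {}
    for name, store in (("single-key", SingleKeyStore()), ("per-record", PerRecordKeyStore())):
        for record_id, data in records.items():
            store.put(record_id, data)
        stolen = list(store.keys_for("patient-003").values())
        results[name] = blast_radius(store, stolen)
    return results


if __name__ == "__main__":
    print(demo())  # expected: {'single-key': 10, 'per-record': 1}
```

The same stolen credential opens ten records out of ten in the single-key store and one out of ten in the per-record store; that ratio is the "return on attack" the section is talking about. The caveat a practitioner should keep in mind is that per-record keys only move the problem if every data key is wrapped under one master key that the same credential can also fetch, so the key service, not the data lake, becomes the place where least-privilege authorization has to be enforced.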

Government Empowerment of the Insurance Industry

Now, I want to discuss another part of the economic equation. Cybersecurity is well recognized as a risk factor, but we have not leveraged a major economic engine for addressing risk: insurance. Cyber insurance exists, but it is fragmented and unstructured, with little commonality from one insurer to the next. Every underwriter calculates risk differently, and premiums are based on almost random criteria. Over the past year, premiums have skyrocketed, and many companies cannot even qualify for a policy.

There is, however, one group that can address the issues in the cyber insurance industry: the federal government. I am not proposing a new, large standards program, but I do believe the federal government can leverage its buying power to drive standardization and economic reality into the insurance market. Bottom line: the federal government should require all federal contractors to carry cyber insurance and should dictate the terms of those policies. If you want to do work with the federal government, you have to have a policy that meets minimum requirements.

The United States has used insurance to change behavior and improve safety for over a hundred and fifty years. From protecting buildings to manufacturing safer cars, insurance changes people's behavior, defines how products are built, and mandates processes for the institutions that protect almost everything. Insurance has this influence because it reaches the core economic structure of every organization. This same economic power needs to be applied to cybersecurity. If you want to make the software in medical devices more secure, tell the manufacturers they cannot get insurance unless the device passes the equivalent of a UL test. Likewise, hospitals cannot get insurance if they buy a device that has not passed that test.

Making every federal supplier have an insurance policy, defining those policies, and putting some form of standardization into place, will obviously be a major undertaking. This is the type of undertaking that seems fit for the National Cyber Director.

Polymorphism’s Time Has Come

I discussed a data change in the first recommendation and a business change in the second; the third recommendation gets really technical. The objective of changing the economics is to increase the cost to the attackers while reducing the cost to the defenders. There is a class of fairly mature technologies that speaks directly to these economics: polymorphism. Polymorphism, by definition, means "many forms." From a computing perspective, it refers to making computing devices different from one another so that success on one device cannot be reused against others. Years ago, this was achieved at a low level with address space layout randomization (ASLR). Today, the technology exists to apply it across an entire computing device, or even a network, so that the encoding and operation of software differ from one machine to the next.

The value of this approach is that even if an attacker succeeds in landing malware on one machine, the malware would have to be encoded differently to move to the next. Polyverse, a company in Bellevue, WA, has made significant strides in this area. I also believe similar concepts can be applied to networks through deception technologies and dynamic routing, so that the targets an attacker sees are constantly changing. This minimizes the value of a successful attack and changes the economic calculus.

In many ways, this may seem contrary to the current thinking that every device should be exactly the same in order to facilitate patching, upgrades, and monitoring. There has been a major push to standardize devices and make response and management more streamlined. The problem with that approach is that it also facilitates the attacker: one working exploit or payload fits every identical machine. Applying technologies that achieve polymorphism while still supporting maintenance and management needs to be the next major objective of the cybersecurity market.

These are just three recommendations for changing the economics of the cybersecurity landscape. A key element in all of them is moving to a quantified, monetary risk structure through models such as the Factor Analysis of Information Risk (FAIR). Beyond that, moving economics to the forefront of the discussion is essential to changing our approach to cyber going forward. As Mr. Inglis pointed out, changing the economics is the key.

Jason Tibbetts

Chief Operations Officer

2 years ago

Lots of great points on changing the economics of cybersecurity. The insurance aspect is a great idea for larger cyber companies, but the extra cost could have a huge impact on smaller businesses. Insurance companies alongside large companies could monopolize the industry, making it hard for small companies to even compete. Also, getting a product UL approved can be a time-consuming and costly endeavor, which could also lead to a product monopoly driving costs up. I am saddened to say some of the worst cyber hacks and intelligence sharing are by our own insider threat. Bottom line is, if you don't have a dedicated fiber or copper network and are holding information in the cloud, or have VPN access, you are subject to being hacked. Spend the money on scaling up the infrastructure, i.e., dedicated fiber backbones (not leased) for each of our federal government agencies. It is extremely hard to hack a system that you cannot connect to. Once this is in place it will be pretty easy to see which federal agencies are not following the cybersecurity periodicals set in place and which are. Thank you for sharing, Chip.


Chip Block This is an excellent discussion of specific, potential ways to change the current state of cybersecurity. A few questions. Are they broadly scalable? Can they be employed at a reasonable cost? Would any of them provide other business value, so that they reduce the overall implementation costs? Do they work in hyperscaler cloud environments?
