What must be realized at all levels, public and private sectors, is that in cyber: national and economic security imperatives must be coupled with market forces.
As Co-Leads on a government-funded project for about the past year, my colleagues and I engaged in a research and design effort to address cyber market failures, specifically focused on the lack of appetite down-market. Our departure point, outlined in the original proposal to the US Department of Homeland Security (DHS), was to view business disregard for calamitous cyber risk as a market failure. After studying the demand-side malaise for cyber offerings, even confusion and exhaustion in certain market segments, the team arrived upon a solution for this failure in the market: “making the market” for cyber.
Market-Making is not a term exclusive to security trading and financial exchanges. Rather, it is increasingly used to describe the functions and environment needed to create a market. Increasingly, the Internet has come to be known as a Market-Making platform, with new industries being made through its unique ability and efficiency of coupling supply and demand. The social media industry, and the explosion of Facebook and Twitter, would not exist but for the Internet!
And yet in the cyber market, no calamitous event has changed behavior, even though cyberattacks occur through the Internet. Not the statistically high percentage of small businesses that go under after experiencing a data breach. Not the state actor attack on Sony. Not massive data breaches. Not even attacks on elections and Western democracies. There remains very little appetite down-market to incur costs to address cyber risks. We are not alone in observing the need to “Fix Cyber”.
In an important, concise piece, former Director of National Intelligence, Michael McConnell and co-author Patrick Gorman outlined several practical steps for improving the approach to cyber. In it, they pointed to creating market incentives, and to reducing the costs and inefficiencies associated with compliance systems.
Warren Buffett called the cyber predicament a bigger threat to humanity than nuclear weapons! The former CEO of Yahoo!, in testimony before Congress, seemed to imply that it is the role of government to help companies when it comes to sophisticated state-actor cyberattacks, a view expressed by others. Conversely, the private sector seems to widely believe that it is the private sector which should be leading, not the government; and even that government should be supporting the private sector’s leading efforts.
All this dialogue about HOW to fix cyber is good – perhaps it reflects the recognition necessary to institute change. Resistance to institutional change is a dynamic explored by Thomas Kuhn in The Structure of Scientific Revolutions. And change we must! Kuhn’s observations could be a revelation today for addressing cyber. Our team certainly adopted parts of his thinking. For us, the lack of a market reaction to calamitous risk caused our project to consider the impediments to a properly functioning market. And we arrived at a model that would deliver structural change, as well as promote market forces. The structural change part is definitely Kuhnian.
Our research revealed that to make the market in cyber, there are several elements or dynamics:
1. Market-Making is best achieved at community levels (“Community Cyber”). This would promote information sharing among trusted local stakeholders, and we view information sharing as an imperative for starting cyber markets. The other major advantage of localized Market-Making in cyber is that it would spur innovation and invention; and, a by-product of an institutionalization of Community Cyber Market-Making would be a return of wealth generation to Main Street through that localized innovation and invention. This dynamic also has an attractive populist advantage.
2. Market-Making entails active market formation. That is, if markets were functioning properly, assistive measures would not be needed.
3. Start where demand exists and grow it. Community Cyber needs quick wins to grow traction and awareness. Our efforts include the introduction of quick win value propositions and programs.
4. Community support, stakeholder engagement, and political advocacy is needed for Community Cyber. This requirement reflects structural and normative changes. That is, adopters of Community Cyber must understand and advance an approach to reducing risk that entails collective measures. This approach runs contrary to the usual practice of one-to-one vendor-customer relationships, instead of a pooled delivery of services.
5. The cost of achieving satisfactory cyber hygiene must be driven down! Increasingly sophisticated, one-to-one vendor-customer engagements are driving costs higher. Moreover, governments at all levels have generally retained these service providers rather than promoting ISAOs which would push for universal adoption of information sharing and drive costs down. In other words, governments should be supporting the ecosystem rather than solely addressing their needs.
6. Community Cyber necessitates a sustainable business model for partners to have a business incentive to pursue Market-Making in cyber. Whereas enterprise vendors profit from their services, our model drives opportunities down-market through mutually beneficial business arrangements. Our team expressly took on the tough business model question of community partners of “How do we make money doing this?” And, we answered it.
7. Markets create incentives for entry and increase efficiencies, whereas compliance regimes drive costs higher.
8. The pooled services model creates cost-sharing incentives, which again drive costs lower.
Presently, the net effect of current business practices in cyber indicates No Change. That means that the market remains dysfunctional in cyber at down-market levels. Companies have no Community Cyber option yet, which is why our project will soon start to rollout c-Market. Until that rollout begins, the costs to achieve cyber hygiene will rise, causing more down-market companies to exit. At a macro level, this dynamic makes the country less competitive and less secure. And concomitantly, it also makes up-market security-conscious companies less secure via their supply chain to those down-market.
What must be realized at all levels, public and private sectors, is that in cyber: national and economic security imperatives must be coupled with market forces. We cannot win with a government funded model. Government-funded efforts cannot compete with the power of market forces. The two models offer different outcomes: one is zero-sum and the other is synergistic.
The golden nugget in a 2012 tongue-in-cheek article by this writer that observed the advantage totalitarian regimes had over open democracies in the Internet Age was that the West won the Cold War by leveraging market forces. We should revisit that lesson in our approach to the cyber challenge.