Why Market-Making is Needed for Cyber

What must be realized at all levels, public and private sectors, is that in cyber: national and economic security imperatives must be coupled with market forces.

As Co-Leads on a government-funded project for about the past year, my colleagues and I engaged in a research and design effort to address cyber market failures, specifically focused on the lack of appetite down-market. Our departure point, outlined in the original proposal to the US Department of Homeland Security (DHS), was to view business disregard for calamitous cyber risk as a market failure. After studying the demand-side malaise for cyber offerings, even confusion and exhaustion in certain market segments, the team arrived upon a solution for this failure in the market: “making the market” for cyber.

Market-Making is not a term exclusive to security trading and financial exchanges. Rather, it is increasingly used to describe the functions and environment needed to create a market. Increasingly, the Internet has come to be known as a Market-Making platform, with new industries being made through its unique ability and efficiency of coupling supply and demand. The social media industry, and the explosion of Facebook and Twitter, would not exist but for the Internet!

And yet in the cyber market, no calamitous event has changed behavior, even though cyberattacks occur through the Internet. Not the statistically high percentage of small businesses that go under after experiencing a data breach. Not the state actor attack on Sony. Not massive data breaches. Not even attacks on elections and Western democracies. There remains very little appetite down-market to incur costs to address cyber risks. We are not alone in observing the need to “Fix Cyber”.

In an important, concise piece, former Director of National Intelligence, Michael McConnell and co-author Patrick Gorman outlined several practical steps for improving the approach to cyber. In it, they pointed to creating market incentives, and to reducing the costs and inefficiencies associated with compliance systems.

Warren Buffett called the cyber predicament a bigger threat to humanity than nuclear weapons! The former CEO of Yahoo!, in testimony before Congress, seemed to imply that it is the role of government to help companies when it comes to sophisticated state-actor cyberattacks, a view expressed by others. Conversely, the private sector seems to widely believe that it is the private sector which should be leading, not the government; and even that government should be supporting the private sector’s leading efforts.

All this dialogue about HOW to fix cyber is good – perhaps it reflects the recognition necessary to institute change. Resistance to institutional change is a dynamic explored by Thomas Kuhn in The Structure of Scientific Revolutions. And change we must! Kuhn’s observations could be a revelation today for addressing cyber. Our team certainly adopted parts of his thinking. For us, the lack of a market reaction to calamitous risk caused our project to consider the impediments to a properly functioning market. And we arrived at a model that would deliver structural change, as well as promote market forces. The structural change part is definitely Kuhnian.

Our research revealed that to make the market in cyber, there are several elements or dynamics:

1.      Market-Making is best achieved at community levels (“Community Cyber”). This would promote information sharing among trusted local stakeholders, and we view information sharing as an imperative for starting cyber markets. The other major advantage of localized Market-Making in cyber is that it would spur innovation and invention; and, a by-product of an institutionalization of Community Cyber Market-Making would be a return of wealth generation to Main Street through that localized innovation and invention. This dynamic also has an attractive populist advantage.

2.      Market-Making entails active market formation. That is, if markets were functioning properly, assistive measures would not be needed.

3.      Start where demand exists and grow it. Community Cyber needs quick wins to grow traction and awareness. Our efforts include the introduction of quick win value propositions and programs.

4.      Community support, stakeholder engagement, and political advocacy is needed for Community Cyber. This requirement reflects structural and normative changes. That is, adopters of Community Cyber must understand and advance an approach to reducing risk that entails collective measures. This approach runs contrary to the usual practice of one-to-one vendor-customer relationships, instead of a pooled delivery of services.

5.      The cost of achieving satisfactory cyber hygiene must be driven down! Increasingly sophisticated, one-to-one vendor-customer engagements are driving costs higher. Moreover, governments at all levels have generally retained these service providers rather than promoting ISAOs which would push for universal adoption of information sharing and drive costs down. In other words, governments should be supporting the ecosystem rather than solely addressing their needs.

6.      Community Cyber necessitates a sustainable business model for partners to have a business incentive to pursue Market-Making in cyber. Whereas enterprise vendors profit from their services, our model drives opportunities down-market through mutually beneficial business arrangements. Our team expressly took on the tough business model question of community partners of “How do we make money doing this?”  And, we answered it.

7.      Markets create incentives for entry and increase efficiencies, whereas compliance regimes drive costs higher.

8.      The pooled services model creates cost-sharing incentives, which again drive costs lower.

Presently, the net effect of current business practices in cyber indicates No Change. That means that the market remains dysfunctional in cyber at down-market levels. Companies have no Community Cyber option yet, which is why our project will soon start to rollout c-Market. Until that rollout begins, the costs to achieve cyber hygiene will rise, causing more down-market companies to exit. At a macro level, this dynamic makes the country less competitive and less secure.  And concomitantly, it also makes up-market security-conscious companies less secure via their supply chain to those down-market.

What must be realized at all levels, public and private sectors, is that in cyber: national and economic security imperatives must be coupled with market forces. We cannot win with a government funded model. Government-funded efforts cannot compete with the power of market forces. The two models offer different outcomes: one is zero-sum and the other is synergistic.

The golden nugget in a 2012 tongue-in-cheek article by this writer that observed the advantage totalitarian regimes had over open democracies in the Internet Age was that the West won the Cold War by leveraging market forces. We should revisit that lesson in our approach to the cyber challenge.

Get involved with Community Cyber!

By Doug DePeppe, Founder
Cyber Resilience Institute
First published:  January 8, 2018 on LinkedIn

Geopolitics and Sports: A Fiery Mix

Geopolitical uncertainties in regional relations threaten the long-term planning efforts of major sporting events.

2018 Winter Olympics

There are currently growing concerns about the heated rhetoric between the U.S. and North Korea about the impact on the upcoming Winter Olympics in Pyeongchang, South Korea.  As of Nov. 16, organizers say they’ve hit just 41% of their sales target of 1.06 million tickets, with sales in South Korea even weaker than those by international tourists, according to a USA Today article.

In addition to the concerns about the uncertainties surrounding the actions of North Korea, Olympics spectators are balking at the long travel times from Seoul to Pyeongchang, the lack of accommodations at the various venues, and the fact that insurance companies have been unwilling to issue cancellations in the event of a disruption by North Korea.

The prospect of a nuclear confrontation has suppressed both sales and enthusiasm for the event that is aimed at bringing the world together.

2022 World Cup

Similarly, the upcoming 2022 FIFA-sponsored event to be held in Qatar is now subject of some consternation due to the recent blockade of Qatar by five Arab countries. Saudi Arabia, the United Arab Emirates and Bahrain, as well as Egypt and the Maldives severed all political and economic relations with Qatar on June 5, 2017. They accused the country of backing extremist groups, a charge Qatar strongly denies.

Quoting from FIFA president Gianni Infantino at the kick-off ceremony of the mini-stadium project of the Thai Football Association.  President Infantino noted that “2022 FIFA World Cup, which will be held in Qatar after five years, will be a very important event for the Asian continent.” “The Asian continent is very important for the FIFA, especially after the continent has presented impressive examples both at the organisational level and at the results level,” said Infantino.

But a more sinister motive appears to be behind the blockade and recent allegations towards Qatar of supporting the Muslim Brotherhood (believed by Saudi Arabia and the UAE to be a terrorist organization) and the popular Arab world news organization Al Jazeera. A November 9th story from the Gulf Timespublished the news of a plot to manipulate currency and bond markets to cripple the Qatar economy and steal the 2022 World Cup by the UAE.

As noted by the authors Ryan Grim and Ben Walsh of the Intercept,  “Targeting a nation’s economy using financial manipulation would be a dramatic break from traditional norms of diplomacy and even warfare.”

They further note:

“One of the plan’s stated aims is forcing Qatar to share soccer’s 2022 World Cup, according to the outline. The strategy laid out in the document calls for using a public relations campaign to point the international soccer body FIFA to Qatar’s dwindling cash reserves, making a case that the small Gulf country can’t afford to build the necessary infrastructure.”

The Elixir of Sports for Easing Geopolitical Tensions

Sporting events are important for peace and can be useful touchstones for resolving regional geopolitical conflicts.

They can also reveal the worst in humanity.