Why Market-Making is Needed for Cyber

What must be realized at all levels, public and private sectors, is that in cyber: national and economic security imperatives must be coupled with market forces.

As Co-Leads on a government-funded project for about the past year, my colleagues and I engaged in a research and design effort to address cyber market failures, specifically focused on the lack of appetite down-market. Our departure point, outlined in the original proposal to the US Department of Homeland Security (DHS), was to view business disregard for calamitous cyber risk as a market failure. After studying the demand-side malaise for cyber offerings, even confusion and exhaustion in certain market segments, the team arrived upon a solution for this failure in the market: “making the market” for cyber.

Market-Making is not a term exclusive to securities trading and financial exchanges. Rather, it is increasingly used to describe the functions and environment needed to create a market. Increasingly, the Internet has come to be known as a Market-Making platform, with new industries being made through its unique ability and efficiency in coupling supply and demand. The social media industry, and the explosion of Facebook and Twitter, would not exist but for the Internet!

And yet in the cyber market, no calamitous event has changed behavior, even though cyberattacks occur through the Internet. Not the statistically high percentage of small businesses that go under after experiencing a data breach. Not the state actor attack on Sony. Not massive data breaches. Not even attacks on elections and Western democracies. There remains very little appetite down-market to incur costs to address cyber risks. We are not alone in observing the need to “Fix Cyber”.

In an important, concise piece, former Director of National Intelligence Michael McConnell and co-author Patrick Gorman outlined several practical steps for improving the approach to cyber. In it, they pointed to creating market incentives, and to reducing the costs and inefficiencies associated with compliance systems.

Warren Buffett called the cyber predicament a bigger threat to humanity than nuclear weapons! The former CEO of Yahoo!, in testimony before Congress, seemed to imply that it is the role of government to help companies when it comes to sophisticated state-actor cyberattacks, a view expressed by others. Conversely, the private sector seems to widely believe that it is the private sector which should be leading, not the government; and even that government should be supporting the private sector’s leading efforts.

All this dialogue about HOW to fix cyber is good – perhaps it reflects the recognition necessary to institute change. Resistance to institutional change is a dynamic explored by Thomas Kuhn in The Structure of Scientific Revolutions. And change we must! Kuhn’s observations could be a revelation today for addressing cyber. Our team certainly adopted parts of his thinking. For us, the lack of a market reaction to calamitous risk caused our project to consider the impediments to a properly functioning market. And we arrived at a model that would deliver structural change, as well as promote market forces. The structural change part is definitely Kuhnian.

Our research revealed that to make the market in cyber, there are several elements or dynamics:

1. Market-Making is best achieved at community levels (“Community Cyber”). This would promote information sharing among trusted local stakeholders, and we view information sharing as an imperative for starting cyber markets. The other major advantage of localized Market-Making in cyber is that it would spur innovation and invention; and a by-product of institutionalizing Community Cyber Market-Making would be a return of wealth generation to Main Street through that localized innovation and invention. This dynamic also has an attractive populist advantage.

2. Market-Making entails active market formation. That is, if markets were functioning properly, assistive measures would not be needed.

3. Start where demand exists and grow it. Community Cyber needs quick wins to grow traction and awareness. Our efforts include the introduction of quick-win value propositions and programs.

4. Community support, stakeholder engagement, and political advocacy are needed for Community Cyber. This requirement reflects structural and normative changes. That is, adopters of Community Cyber must understand and advance an approach to reducing risk that entails collective measures. This approach runs contrary to the usual practice of one-to-one vendor-customer relationships, favoring instead a pooled delivery of services.

5. The cost of achieving satisfactory cyber hygiene must be driven down! Increasingly sophisticated, one-to-one vendor-customer engagements are driving costs higher. Moreover, governments at all levels have generally retained these service providers rather than promoting ISAOs, which would push for universal adoption of information sharing and drive costs down. In other words, governments should be supporting the ecosystem rather than solely addressing their own needs.

6. Community Cyber necessitates a sustainable business model so that partners have a business incentive to pursue Market-Making in cyber. Whereas enterprise vendors profit from their services, our model drives opportunities down-market through mutually beneficial business arrangements. Our team expressly took on the tough business-model question of community partners: “How do we make money doing this?” And we answered it.

7. Markets create incentives for entry and increase efficiencies, whereas compliance regimes drive costs higher.

8. The pooled services model creates cost-sharing incentives, which again drive costs lower.

Presently, the net effect of current business practices in cyber indicates No Change. That means that the market remains dysfunctional in cyber at down-market levels. Companies have no Community Cyber option yet, which is why our project will soon start to roll out c-Market. Until that rollout begins, the costs to achieve cyber hygiene will rise, causing more down-market companies to exit. At a macro level, this dynamic makes the country less competitive and less secure. And concomitantly, it also makes up-market, security-conscious companies less secure via their supply chain to those down-market.

What must be realized at all levels, public and private sectors, is that in cyber: national and economic security imperatives must be coupled with market forces. We cannot win with a government funded model. Government-funded efforts cannot compete with the power of market forces. The two models offer different outcomes: one is zero-sum and the other is synergistic.

The golden nugget in a 2012 tongue-in-cheek article by this writer that observed the advantage totalitarian regimes had over open democracies in the Internet Age was that the West won the Cold War by leveraging market forces. We should revisit that lesson in our approach to the cyber challenge.

Get involved with Community Cyber!


By Doug DePeppe, Founder
Cyber Resilience Institute
First published: January 8, 2018 on LinkedIn

Tactical Cyber: The Case for Community Cyber ISAOs

An army of bots, hackers and social media trolls has fundamentally altered and intensified the risks from cyberspace.

A prior piece here redirected the national debate about certifications for ISAOs onto a broader view — that ISAOs represented industry formation of cyber capacity and innovation centers at community levels. In that article, the concepts of Community Cyber and Market-Making were introduced. And, it was outlined how an innovative DHS contract vehicle had spawned the Cyber Market Development Project. The views expressed previously, informed from project research, showed how the question about certification was too narrowly scoped; and the piece described how this predicament of issue definition had come about from the genesis of information sharing and its early structures. It’s time to further explore how this project research can inform a deeper understanding of the ISAO movement.

What the White House got right in the Executive Order on Information Sharing, and which DHS further implemented in proper fashion through contractual establishment of the ISAO Standards Organization, was to establish information sharing as a national policy to further national security interests in resilience and cyber capacity building. Yet, in practical terms, what is resilience and cyber capacity building? And how are we to go about it? Are ISAOs supposed to suddenly spring up? What is their mission? What are the use cases?

Let’s look at why it was proper to cast ISAOs in the national security mission space. And how to introduce that mission at community levels.

A NEED TO BETTER UNDERSTAND THE ATTACK LANDSCAPE

What has been revealed in the past two years is that an army of bots, hackers and social media trolls has fundamentally altered and intensified the risks from cyberspace. No longer are we fighting JUST identity thieves, DDoS botnets, or black-market enterprises; we are now combating state actor networks and a complex, anonymous web of deceit and manipulation. The trustworthiness of news and information is being undermined.

When we look to define what’s needed to build resilience and cyber capacity, we have to factor the changed game plan of the adversary. Deploying a better firewall and calling it a day won’t work. We have entered the era of cyber intelligence, where businesses need to be better equipped with information to fight the modern cyber battle.

We must also countenance that, with all the wizardry of the intelligence community, the requisite Need to Know criteria severely limit its utility outside the national security environment. Yet businesses also need to know the nature, sophistication, motives and game plan of the attackers.

BUILDING A CYBER ORDER OF BATTLE WITH COMMUNITY RESOURCES

What is now universally needed is a private-public Order of Battle build. An Order of Battle derives from military lexicon and practice, and it refers to profiling the adversary to identify command and control, malicious architecture and domains, TTPs, campaign correlations, and even attribution to attacker networks and identities. Commercial vendors offer sophisticated intelligence, yet the tailored services offered to enterprise customers need to come down-market. That’s the role of Community Cyber and public-private ISAOs.

An Order of Battle build is tactical intelligence. And ISAOs are the perfect structures to offer tactical intelligence across localities, tied to state Fusion Centers, and supporting member needs. Tactical intelligence is the province of bottom-up, organic generation, rather than of top-down structures. Hence, building local capacity to conduct tactical intelligence is well-suited to ISAOs.

With this in mind, the Cyber Market Development Project – which is commercially prototyped as the c-Market™ – developed the CrowdForce. The first university club is being formed with a partner university, and will grow across our other partner universities. This cadre of cyber threat analysts is formed with the dual purposes of workforce laboratory and tactical collection network.

With the benefit of this description and a concrete example now in hand, consider the value of ISAOs, located in communities across the Nation’s footprint, for creating a tactical cyber intelligence capability that elevates cyber defenses from the ground up. This is resilience and cyber capacity building! This is a use case for ISAOs at community levels: to engage in tactical intelligence, Order of Battle building, and training the workforce in ISAO operations and cyber threat analytics.

ISAO Conceptualization: Expanding the Narrative

When there’s talk of ISAOs, and whether certifications are advisable, it is important to question the premise: with ISAOs, are we considering all their use cases?

Establishment of a network of cyber intelligence entities engaged in tactical intelligence in support of their communities seems a more substantive debate than the narrow question about certifications.


By: Doug DePeppe, Founder
Cyber Resilience Institute
First Published: January 4, 2018 on LinkedIn