“In the United States especially, politics and economics don’t mix well. Politicians have all sorts of reasons to pass all sorts of laws that, as well-meaning as they may be, fail to account for the way real people respond to real-world incentives.”
― Steven D. Levitt, SuperFreakonomics
It’s a simple fact that incentives often drive change. Some of the best examples are found in everyday life. The best way to encourage safer driving? Insurance discounts. The best way to convince your kid to take out the trash? An allowance.
The U.S. government recognizes that incentives could also be used to combat one of the nation’s greatest vulnerabilities: cybersecurity. According to President Obama’s Executive Order 13636 issued in early 2013, the government recognizes that incentives are necessary to convince private sector companies to invest in this area. However, in spite of years of discussion and coordination, no solution has yet been achieved.
Why does the government want to be involved in private sector cybersecurity?
Because privately owned infrastructure is at risk and much of that infrastructure enables U.S. government missions. Most importantly, around 85 percent of “critical infrastructure” nationwide is owned and operated by private companies. As defined by the Department of Homeland Security in Presidential Policy Directive 21, U.S. critical infrastructure encompasses the 16 infrastructure sectors “considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety.” These sectors include energy, water, finance, and emergency services. Both private industry and U.S. government operations could be seriously affected in the event of a major cyberattack.
According to several press reports, multiple cyber intrusions into U.S. critical infrastructure sectors have occurred over the last five years. Iranian actors hacked into the command and control system of a New York dam in 2013 using a cellular modem. In late 2011, unknown hackers hijacked and destroyed the control system of an Illinois water utility company. In the financial sector, unidentified actors hacked at least five major U.S. banks in 2014, stealing bank account information and user credentials.
Attacks elsewhere in the world over the past year are further proof that cyberattacks on critical infrastructure have the potential for significant impact. Last December, presumed Russian actors hacked into the Ukrainian power grid, which affected the quality of life of hundreds of thousands of people. This February, hackers used stolen credentials to send fraudulent money transfer requests and steal $81 million from the Bank of Bangladesh. What’s scarier is that only a typo prevented them from stealing the full $1 billion they were after.
Why isn’t the U.S. private sector already investing?
Some groups certainly are but, overall, cybersecurity is poorly understood and is (still) quite expensive. Many critical infrastructure companies “see little incentive in paying real money to secure facilities against a risk that can’t be stated at the bottom of a monthly business report.” While security-minded employees can point to the fines and settlements paid by other breached corporations, the direct return on investment for preventative cybersecurity spending is exceedingly difficult to calculate. Many executives still see “every dollar or man-hour spent on security [as one] not spent on the organization’s actual goal.” For many companies, the known (often high) cost of cybersecurity technology or best-practice measures that mitigate vulnerabilities outweighs the unknown costs of a cyber incident. It is a risk many are willing to take.
For those who are genuinely interested in protecting their technology infrastructure and assets, not only is there no practical and digestible guide for daily cyber hygiene (a topic important enough to describe in a separate article), but government guidance about recommended cybersecurity technology and standards is also cumbersome and contradictory. Industry is forced to detangle “best practices” published by working groups, legislation passed by Congress, standards promoted by the National Institute of Standards and Technology, and compliance thresholds set by industry-specific groups such as the North American Electric Reliability Corporation.
If incentives have been deemed necessary, why haven’t any been offered?
There are several reasons:
So what’s the way forward?
To quote the incentive theory of motivation, “incentives only become powerful if the individual places importance on the reward.” If the U.S. government wants to truly motivate the private sector, it must incentivize with an approach tailored to industry needs. Incentive programs must take into account industry and company-specific motivators to be attractive.
To understand these motivators, significant field research would have to occur involving government analysts and executives from each distinct critical infrastructure industry. Meetings would need to focus on the cyber-related challenges, priorities and motivators of each company, rather than on incentives directly. As Steve Jobs proved, people often think they know what they want, but don’t realize until later that they were wrong. Understanding a company’s underlying priorities and its unique challenges is the only way to tailor incentive programs appropriately.
In aggregating and studying the resulting data, the government must differentiate between industries, sectors, and companies — and between companies of different size. Initial research into applicable incentives for the electricity subsector of the energy sector indicates cyber priority trends only begin to form at this extremely granular level.
Once comprehensive and industry-specific research is complete, the best incentive options for each sector will become clearer. The government will then be able to tackle some of the aforementioned obstacles such as designating a government organization to lead the program. More than anything, what is needed is action, not working groups.
Eventual cybersecurity incentives might consist of grants, tax incentives, expedited security clearances, government-provided IT assistance, or similar offerings. Regardless, expecting every industry to be motivated to action by the same carrot will lead nowhere. And without carrots, the only motivator left is the stick — a catastrophic cyberattack.
Maria-Kristina Hayden is a 2016 alumnus of the National Intelligence University, and recently joined Bank of New York Mellon’s Cyber Threat Intelligence Group as Vice President and Senior Information Security Analyst. She is also a founding team member of the Cyber Intelligence Initiative at the Institute of World Politics. Dr. Michael David and Dr. Brian Holmes are faculty members at the National Intelligence University in Washington, DC. The views expressed in this article are theirs alone and do not imply endorsement by the Defense Intelligence Agency, the Department of Defense, or the U.S. government.