The Carrot or the Stick? Incentivizing Safe Cyber
“In the United States especially, politics and economics don’t mix well. Politicians have all sorts of reasons to pass all sorts of laws that, as well-meaning as they may be, fail to account for the way real people respond to real-world incentives.”
― Steven D. Levitt, SuperFreakonomics
It’s a simple fact that incentives often drive change. Some of the best examples are found in everyday life. The best way to encourage safer driving? Insurance discounts. The best way to convince your kid to take out the trash? An allowance.
The U.S. government recognizes that incentives could also be used to combat one of the nation’s greatest vulnerabilities: cybersecurity. According to President Obama’s Executive Order 13636 issued in early 2013, the government recognizes that incentives are necessary to convince private sector companies to invest in this area. However, in spite of years of discussion and coordination, no solution has yet been achieved.
Why does the government want to be involved in private sector cybersecurity?
Because privately owned infrastructure is at risk and much of that infrastructure enables U.S. government missions. Most importantly, around 85 percent of “critical infrastructure” nationwide is owned and operated by private companies. As defined by the Department of Homeland Security in Presidential Policy Directive 21, U.S. critical infrastructure encompasses the 16 infrastructure sectors “considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety.” These sectors include energy, water, finance, and emergency services. Both private industry and U.S. government operations could be seriously affected in the event of a major cyberattack.
According to several press reports, multiple cyber intrusions into U.S. critical infrastructure sectors have occurred over the last five years. Iranian actors hacked into the command and control system of a New York dam in 2013 using a cellular modem. In late 2011, unknown hackers hijacked and destroyed the control system of an Illinois water utility company. In the financial sector, unidentified actors hacked at least five major U.S. banks in 2014, stealing bank account information and user credentials.
Attacks elsewhere in the world over the past year are further proof that cyber-attacks on critical infrastructure have the potential for significant impact. Last December, presumed Russian actors hacked into the Ukrainian power grid which affected the quality of life of hundreds of thousands of people. This February, hackers used stolen credentials to send fraudulent money transfer requests and steal $81 million from the Bank of Bangladesh. What’s scarier is only a typo prevented them from stealing the full $1 billion they were after.
Why isn’t the U.S. private sector already investing?
Some groups certainly are but, overall, cybersecurity is poorly understood and is (still) quite expensive. Many critical infrastructure companies “see little incentive in paying real money to secure facilities against a risk that can’t be stated at the bottom of a monthly business report.” While security-minded employees can point to the fines and settlements paid by other breached corporations, the direct return on investment for preventative cybersecurity spending is exceedingly difficult to calculate. Many executives still see, “every dollar or man-hour spent on security [as one] not spent on the organization’s actual goal.” For many companies, the known (often high) cost of cybersecurity technology or best-practice measures that mitigate vulnerabilities outweigh the unknown costs of a cyber incident. It is a risk many are willing to take.
For those who are genuinely interested in protecting their technology infrastructure and assets, not only is there no practical and digestible guide for daily cyber hygiene (a topic important enough to describe in a separate article), but government guidance about recommended cybersecurity technology and standards is also cumbersome and contradictory. Industry is forced to detangle “best practices” published by working groups, legislation passed by Congress, standards promoted by National Institute of Standards & Technology, and compliance thresholds set by industry-specific groups such as the North American Electric Reliability Corporation.
If incentives have been deemed necessary, why haven’t any been offered?
There are several reasons:
- Private institutions that could offer incentives (i.e., insurance companies) do not yet have the data they need to offer robust and relevant cyber insurance policies that could promote “safe cyber,” mostly because cyber incident data sharing is still a tricky issue.
- Multiple government entities have studied the issue (e.g. the Departments of Homeland Security, Treasury, and Commerce), but have done so by treating all critical infrastructure industries as if they were one monolithic entity with identical challenges, priorities, and applicable incentives. Challenges, priorities and motivations often change depending on region, industry, and company size.
- No government group has taken the lead on the rollout of a cyber incentive program. So even if there were a well-researched program ready to go, it is unclear who in government would lead the effort.
- It is a daunting task to bring parties together to agree on cybersecurity “best practice” standards necessary to award incentives. For example, in order to receive theoretical incentive x, a company must prove it meets certain security requirements such as encrypting networks with AES- 256 encryption and using both inbound and outbound firewalls. Currently, too many entities publish contradicting standards.
- Many people in government and in industry remain intimidated by the term “cyber” and instinctively envision scenes from The Matrix when they hear it. They hope that if they continue about their business, cyber threats will eventually disappear. They won’t.
So what’s the way forward?
To quote the incentive theory of motivation, “incentives only become powerful if the individual places importance on the reward.” If the U.S. government wants to truly motivate the private sector, it must incentivize with an approach tailored to industry needs. Incentive programs must take into account industry and company-specific motivators to be attractive.
To understand these motivators, significant field research would have to occur involving government analysts and executives from each distinct critical infrastructure industry. Meetings would need to focus on the cyber-related challenges, priorities and motivators of each company, rather than on incentives directly. As Steve Jobs proved, people often think they know what they want, but don’t realize until later that they were wrong. Understanding a company’s underlying priorities and its unique challenges is the only way to tailor incentive programs appropriately.
In aggregating and studying the resulting data, the government must differentiate between industries, sectors, and companies — and between companies of different size. Initial research into applicable incentives for the electricity subsector of the energy sector indicates cyber priority trends only begin to form at this extremely granular level.
Once comprehensive and industry-specific research is complete, the best incentive options for each sector will become clearer. The government will then be able to tackle some of the aforementioned obstacles such as designating a government organization to lead the program. More than anything, what is needed is action, not working groups.
Eventual cybersecurity incentives might consist of grants, tax incentives, expedited security clearances, government-provided IT assistance, or similar offerings. Regardless, expecting every industry to be motivated to action by the same carrot will lead nowhere. And without carrots, the only motivator left is the stick — a catastrophic cyber-attack.
Maria-Kristina Hayden is a 2016 alumnus of the National Intelligence University, and recently joined Bank of New York Mellon’s Cyber Threat Intelligence Group as Vice President and Senior Information Security Analyst. She is also a founding team member of the Cyber Intelligence Initiative at the Institute of World Politics. Dr. Michael David and Dr. Brian Holmes are faculty members at the National Intelligence University in Washington, DC. The views expressed in this article are theirs alone and do not imply endorsement by the Defense Intelligence Agency, the Department of Defense, or the U.S. government.