Cybersecurity is tough, and not just because it’s technical.
Despite the hue and cry over the growing threat of cyber attacks, it is difficult to get the various players to invest the time, money and other resources it takes to create hard and layered defenses; everyone sees the various costs as more properly borne by another party. A management consultant might say the incentives are misaligned; an economist might blame externalities. The more plainspoken might just call it the “someone else’s problem” problem.
In an era when clicking on a malevolent email can cause havoc, network security ostensibly begins with user training. And yet security guru Bruce Schneier recently wondered whether it’s worth even trying to get users to follow good “network hygiene.” He compares it to telling people to eat right and exercise. It’s tough to convince people that the long-term benefits of constant vigilance outweigh the immediate desire to do something else — eat a cheeseburger, say, or get work done.
Moreover, today’s computers are sufficiently complex that the typical user can inadvertently screw something up — that is, perform an action that opens a vulnerability — no matter how much training has been conducted. Schneier suggests security-training resources are generally better spent teaching developers to build systems that make it simpler for users to do the right thing and harder to do the wrong thing.
At the other end of the spectrum, NIST — the federal government’s technical standards body — is working hard to answer President Obama’s order to come up with cybersecurity standards by the end of the year. And as law professor Peter Margulies notes, much of the work so far is focused on the problem of externalities — issues of the various expenses of security. On the one hand, defense contractors and other companies are reluctant to spend their own money to protect national networks; on the other, regulators must be persuaded not to write rigid rules that prescribe costly Maginot Lines.
Security consultant Paul Rosenzweig doubts that government is capable of creating a sufficiently flexible regulatory regime. Instead, he proposes that the U.S. create a “cyber insurance and liability system” under which developers of network-related goods and services are liable for damages when their products can be reasonably held at fault for allowing an attack, intrusion or theft. These developers, in turn, would seek insurance covering them for such damages, a product the insurance industry would no doubt be happy to create.
Whatever NIST leaders come up with, they’ll have to do it quickly. The deadline is less than eight months away.