PART 2: Fix the Cyber Market Dysfunction
In Part 1, I asserted that the reverse market forces at play in the cyber landscape (i.e., unchecked monetization of cybercrime) would lead to a destabilized world unless structural changes were pursued. The biggest loser in this ongoing destabilization would be Western economies.
There are two fundamental challenges faced in the cyber landscape: legal structures and virtually nonexistent market forces. The legal challenge will be discussed in a later part of this series. For Part 2, the focus is on the marketplace.
Supply and Demand
The main problem is the demand side, but first, a few observations about the supply side:
a) simply attend an RSA conference and it is extremely evident that there is no shortage of supply of cybersecurity products;
b) products alone do not solve the risk of cyberattack, however;
c) integrating different products offering different features is complex, has manpower implications, and is costly;
d) the market is shifting toward services, including risk assessments, due diligence and cyberlaw, cyber threat intelligence, and information sharing (to name just a few areas);
e) services help customers develop a more mature defensive posture, but similarly carry manpower and cost burdens.
Turning to demand, there are plenty of service providers: consultants, technicians, strategists, and other specialists (albeit not many cyberlaw attorneys). What is lacking, however, is demand. Just over a week ago, Robert Hannigan, Director of the UK’s intelligence agency GCHQ, declared:
“The global cyber security market is not developing as it needs to: demand is patchy…”
He called upon the UK government to intervene:
“It is time to take a hard look at whether the international market for cyber security is working sufficiently well … something is not quite right here. What is also clear is that we cannot as a country allow this situation to continue.
“Standards are not yet as high as they need to be. The normal drivers of change, from regulation and incentivization through to insurance cover and legal liability, are still immature.”
Here in the US, government attempts to spur demand have included engagement with the insurance industry, research and collaboration projects to spur innovation, and flow-down provisions through federal contracting mechanisms. To date, none has served to truly catalyze a marketplace for cybersecurity.
The markets that show the most demand for cyber solutions are the sectors where business operations are most at risk and cannot afford a catastrophic attack: large retailers, financials, defense and government contractors, and a few other sectors. Even within these market segments, the big enterprises are the ones spending money on cybersecurity. There is little appetite for increasing capital expenditure for cybersecurity among the vast majority of businesses in America.
An executive once opined to me that he did not see the business case (for a cybersecurity engagement). Others I know, reading reports of recovery costs ranging from $25 – $50k from the loss of just one unencrypted laptop, fear sharing any cyber data with anyone. Even confidential cyber due diligence discussions under attorney-client privilege are not a palatable endeavor when cyber is not in the budget. In many businesses, demand for cyber services is virtually nonexistent, likely caused by several factors: lack of awareness of risk, recalcitrance, lack of budget, lack of leadership, risk transfer, or risk acceptance.
Hence, Mr. Hannigan’s observation is largely true in the US, and indeed is likely true throughout the world. Based on this assessment, and doubling down on the need for structural change to address an existential risk, we are at a pivotal point where something has to change! Sony and Saudi Aramco were warning signs that a calamitous cyberattack upon critical infrastructure is a very real threat.
When a senior government official takes a firm stand like Mr. Hannigan’s ‘government cannot allow this to continue’ remark, it is evident that regulations are coming (at least in the UK). For advocates of market forces over regulation, a Free Markets Cyber Movement must aggressively alter the current market dynamics. Otherwise, the argument for a baseline of security through compliance measures is likely to be advanced by governments everywhere.
An Environmentalist Comparison
A quick study of the evolution of environmentalism would be useful in this context. Like cyber risk, this movement originated from risk-based concerns. Activists mobilized society to take action to reduce pollution and other environmental harms to the planet, ultimately leading to systemic efforts at national and international levels. Over time, market forces emerged. Aspects of this movement could be adopted for cyber. For example, there is a Free Markets Environmentalism body of study.
However, we lack time, and an effort to kick-start a cyber mobilization should learn from the missteps of the environmental movement in order to leap ahead to the market-enabling dimensions of environmentalism.
For example, we should quickly determine whether a centralized carbon credit model is preferred over a true Free Market model. Yet, in either case, the focus has to be establishing the conditions for incentivizing the demand side of the market.
In my own experience, what can work is creating the conditions whereby companies find a competitive advantage in branding themselves as a secure enterprise. Competing on security creates an incentive for spending, which will help the demand side of the market. In my judgment, this can best be accomplished at the community level.
Focus on Communities
In my professional endeavors, which include national and international projects and span focus areas such as cyber intelligence, cyberlaw, information sharing, and community capacity building, I have found that large programs are slow to permeate the national landscape. That’s a top-down, government approach. While important for creating a systemic environment and for development of programs that can be imported by local activities, it is ultimately at the local levels where the market-building dynamics referenced in this piece must be implemented.
As the next Parts in this series will explore, there are structural changes needed to spur a cyber marketplace. The environmental movement provides a model that should be referenced in regard to developing market forces. Most importantly in the cyber context, implementation of structural changes must build cyber market forces at the community level, and it must address the needs among small businesses for improved cyber hygiene.