Amid a tsunami of cyberattacks around the world, the private sector has dramatically ramped up spending on cybersecurity. According to one recent study, firms with more than 1,000 employees spent an average of over $13 million on cyberdefense in the year ending April 2021, up more than 200 percent from just two years prior. And the spending is clearly warranted: last summer, the attack on Colonial Pipeline caused lines at the pump reminiscent of the OPEC oil embargo. A cyberattack on Dr. Reddy’s, a COVID-19 vaccine manufacturer, forced it to shut down critical plants in five countries. And one cybercriminal was recently able to steal $600 million in cryptocurrency held on the Poly Network exchange.
Yet until now, the rapid growth in cybersecurity spending has done very little to avert the threat. Even as companies build out their cyberdefenses, Anne Neuberger, the deputy U.S. national security adviser for cyber and emerging technology, has noted that the “number and size” of ransomware incidents have “increased significantly.” And the FBI’s Internet Crime Report has found that the vast majority of cyberattacks are caused by basic errors, including phishing and slow patching of known vulnerabilities, allowing attackers to employ low-cost methods to penetrate expensive cyberdefense systems.
Driving this notably poor record are several related issues. Companies are responding too slowly to evolving cyberthreats, they are procuring vulnerable software products, and they are misallocating their security spending. Indeed, most businesses are neglecting sound security practices, even as they make significant investments in protections.
But underlying all of these shortcomings is a larger defect: the failure to get timely, comprehensive information on current cyberthreats to the industries most likely to be targeted. Instead, intelligence about specific attacks—and the efficacy of particular defenses—tends to be jealously guarded by cybersecurity firms and insurers, leaving companies and organizations in the dark about the vulnerabilities of the systems they are using or planning to use.
To address the current cybersecurity deficit, the U.S. government will need to facilitate far greater sharing of intelligence data about cyberthreats throughout the economy. Congress can do this by passing legislation to overhaul the Cybersecurity and Infrastructure Security Agency’s (CISA) information-sharing program, the Automated Indicator Sharing (AIS) initiative, and by establishing the Bureau of Cyber Statistics to regularly publish security data. But information alone will not solve the current cybersecurity crisis. A comprehensive cyberdefense strategy will also require new ways of getting companies themselves to act quickly on the most important threats and to put in place the best defenses.
Guarding the Wrong Secrets
Under prevailing market forces, there is a strong disincentive for cybersecurity firms to share information about threats. Although many of these firms have gathered rich data about the vulnerabilities and relative security of common software products, they do not share this intelligence with the end users of these products for fear it would erode their competitive advantage. As a result, most companies are ill-equipped to evaluate the security risks of the software they depend on. The Israeli firm Cybersixgill has estimated that 90 percent of company chief information security officers make cybersecurity decisions based on outdated intelligence data. And since there is very little information sharing, cyberattackers are often able to exploit the same vulnerability over and over again to inflict damage on thousands of enterprises around the world.
Since companies are not basing their purchase decisions on an accurate assessment of risks, there is little incentive for software providers to emphasize cybersecurity. Software products that are designed with enhanced security features are rarely able to command a premium, and many software companies have made the rational calculation that putting expensive resources into cybersecurity will not be rewarded by the market. Nor do they tend to suffer when their products are attacked. After all, as computer scientists Ross Anderson and Tyler Moore have pointed out, the clients of software companies—not the software companies themselves—are the ones that bear most of the costs of a cybersecurity failure.
Meanwhile, companies are often reluctant to disclose cyberattacks when they occur, for fear of damaging their reputations––or worse, subjecting themselves to litigation. That reticence allows malicious hackers to reuse the same methods elsewhere. And cyber insurers, firms who write insurance policies to cover financial losses sustained by data breaches and digital disruptions, are similarly unwilling to share information about the efficacy of particular security defenses, which they view as proprietary. As a result, many companies make critical cybersecurity investment decisions based on marketing or word of mouth rather than hard data.
Keeping the Skies Friendly
If information about threats were quickly shared around the world, cyberattacks would immediately lose much of their potency. Companies would be able to quickly prioritize and address urgent security flaws within their digital networks or operating systems and malign actors would no longer be able to exploit a single vulnerability to attack a large number of targets. But to date, the government has struggled to overcome built-in resistance in the private sector to information-sharing about cyberthreats.
The problem is not insurmountable. Two decades ago, the aviation industry encountered a similar difficulty in getting airlines to share information about crashes and near misses. But in 2007, the Federal Aviation Administration (FAA) came up with an innovative solution: a voluntary information-sharing body called the Aviation Safety Information Analysis and Sharing (ASIAS) program, in which airlines have an overwhelming incentive to participate. Run by an independent contractor, ASIAS has been able to attract near-universal participation in the industry, and currently receives safety data from 99 percent of U.S.-operated air carriers.
There are several explanations for this success. All safety data shared with ASIAS are kept secured and anonymous; in its 14 years of operation, there has never been a data breach or leak. Airlines are therefore confident that they can share safety data without harming their reputation. At the same time, airlines receive immunity from FAA scrutiny only if they proactively share data with ASIAS. This inducement is powerful enough to override the free rider problem, whereby companies may seek to benefit from information other companies have shared without sharing their own.
The aviation industry is a model of effective data-sharing about risks.
FAA regulators now consider ASIAS the industry’s most valuable source of safety information. Based on insights from ASIAS reports, the Commercial Aviation Safety Team—a partnership of regulators, manufacturers, aircraft operators, and unions—has developed an authoritative set of 22 safety enhancements that nearly all U.S.-based airlines have adopted. This has improved air safety: over the last decade, there have been two fatal U.S. airline accidents, compared with 16 fatal accidents in the first seven years of this century.
CISA has tried to emulate the FAA’s successful model through the AIS, which enables businesses and government agencies to share machine-readable threat data. But an inspector general report found that AIS has failed to live up to its promise because there is a “minimal” number of information providers; companies have no incentive to log threat data through the CISA program. The inspector general also averred that the program was understaffed and poorly managed. Congress should appropriate more money to CISA’s information-sharing efforts so that it can hire a full-time staff. And to ensure it receives more information, CISA should only make AIS data available to companies that actively share their own threat data. A bolstered AIS program would serve as a rapid-response mechanism, allowing many companies to quickly fortify specific defenses when one of their peers is attacked. This would significantly increase the difficulty and cost of launching malicious cyberattacks.
Safety in Numbers
Quick access to time-sensitive information about vulnerabilities is not the only crucial element in effective cybersecurity. Companies also need to receive more detailed data on a regular basis about broader cyberattack trends across industries, the safety record of current technologies, and the relative benefits of different security measures. Such longitudinal data about the resiliency of the IT system would go beyond the purview of the AIS program, which would be solely focused on fighting urgent threats.
Once again, on each of these questions, pertinent information has often been carefully guarded by cybersecurity firms and cyber insurers. Fortunately, there is potential for a breakthrough. Cybersecurity vendors and insurers themselves have come to realize that their datasets are incomplete: they may have blind spots in certain industries or regions that hinder their own performance and even threaten their bottom line. By combining data, they can gain insights that are beneficial to all of them.
One promising way to amalgamate this kind of data is through the establishment of a national Bureau of Cyber Statistics. Conceived by the bipartisan Cyberspace Solarium Commission, which concluded its work in December, the bureau would be operated by the Department of Homeland Security and serve as a clearinghouse for large-scale data about cyberattack trends and the safety record of current technologies. A bill now pending before Congress and sponsored by U.S. Senators Angus King, (I-Maine), Ben Sasse (R-Neb.), and Mike Rounds (R-S.Dak.) would create the bureau and mandate that it receives comprehensive data from cyber insurers and incident-response firms every 180 days. The bureau would then supplement these data with insights from intelligence agencies and create aggregated datasets that would be available to researchers, cyber insurers, and companies seeking to improve their cybersecurity.
Once the Bureau of Cyber Statistics has been established, its datasets will help the cybersecurity community identify software companies that have systemic or recurring security weaknesses and estimate which kinds of cybersecurity investments yield the best level of protection. While information from the revamped AIS initiative will be leveraged by the cyber equivalent of firefighters to fight conflagrations, Bureau of Cyber Statistics data will be employed by forest managers to reduce the likelihood of fires in the first place.
The Cost of Inaction
Through the AIS and the Bureau of Cyber Statistics, companies throughout the private sector would have access to information on both current cyberthreats and long-run cybersecurity trends. Still, if companies don’t act on the information they receive, then overall cybersecurity in the private sector will not improve. And many companies are unwilling to adopt proactive measures that increase short-term costs.
Consider the case of EternalBlue, an exploit affecting Microsoft Office. Developed by the National Security Agency, EternalBlue was stolen by malicious hackers, who weaponized it to take over and encrypt computers in thousands of large organizations. In 2017, 80 British hospitals were among the first victims, with many having to temporarily close and send patients elsewhere. Health-care IT teams around the world would have certainly heard about this debilitating attack. Yet a full two years later, many organizations had failed to patch the vulnerability. An astounding report by security research firm Armis revealed that 40 percent of health-care organizations worldwide suffered an EternalBlue attack in the last six months of 2019.
Rapid price signals can pressure companies to adopt better cybersecurity.
To force companies to be more responsive to cyberthreats like EternalBlue, some experts have called for greater government oversight. Chris Finan, a former Obama administration official, has suggested that the poor cybersecurity record of American companies is a “clear market failure that can only be remedied with regulation.” But regulatory standards and directives are often cumbersome to implement and may not be effective against a constantly mutating threat. New attack methods could render some standards obsolete overnight.
The government could, however, partner with the cyber insurance industry, which has a vested interest in getting companies to implement cost-effective security measures to reduce the size and frequency of claims for cyber breaches. (Full disclosure: one of us, Raj Shah, helps lead the cyber insurance firm Resilience.)
The insurance industry has a powerful incentive to act on the most current threat information, since it often bears a direct financial cost for security breaches at the companies it insures. Already, many cyber insurers are adopting dynamic pricing models to account for constantly changing risks. As ransomware attacks grew more frequent and disruptive, for example, cyber insurance premiums skyrocketed, rising by 96 percent over the course of last year.
These rapid price signals in turn put pressure on companies to patch vulnerabilities, purchase secure software, and efficiently allocate their cybersecurity budgets. Companies that continue insecure practices will be penalized; those who respond to changing threats with alacrity will see their premiums fall. Similar to how fire insurance companies help promulgate improved building code standards and increased numbers of fire stations, cyber insurance firms can induce companies to adopt the most efficacious and up-to-date security standards and practices. By mandating a minimum level of cyber insurance for businesses that sell goods and services to the public sector, the government could harness the power of the profit motive to rapidly spread effective cybersecurity.
Containing the Next Catastrophe
For the moment, significant barriers are hindering the widespread use of cyber insurance to transform cybersecurity practices in the private sector. Although McAfee has tabulated that the global economy suffers over $1 trillion in annual losses from cyberattacks, the entire cyber insurance market only collects $5.5 billion in annual premiums, according to Christian Mumenthaler, the CEO of Zurich-based reinsurance giant Swiss Re. And the growth of the industry has sputtered. With the surge in ransomware and supply chain attacks, many providers are retrenching from the market. A survey by Resilience found that 77 percent of companies wanted more cyber insurance coverage than they could obtain.
Many insurers have been reluctant to expand coverage because they lack robust data access, modeling, and underwriting tools that show how to diversify risk. The problem is that cyber risk is treated as a monolithic threat. In reality, it encompasses many different kinds of threats: MITRE, a government contractor, has identified 222 unique techniques that cyber adversaries employ. More recently, some cyber insurers have begun to model and price distinct perils, or forms of risk. They can then diversify the kinds of insurance they provide in order to limit losses. For instance, insurers have discovered that most operating system vulnerabilities only affect one operating system. Insurers can reduce potential losses by offering coverage to some companies that use Apple devices and others that use Windows devices. Through this perils-based approach, insurers can prudently increase their cyber risk exposure and help bring scale to the market through cyber catastrophic bonds, analogous to what the insurance industry did to address hurricane risk.
Still, even in an expanded and diversified industry, private sector insurers will be unable to cover the most severe cyberattacks, particularly attacks aimed at large-scale digital networks that might be perpetrated by nation-states. For example, a direct attack on the cloud infrastructure on which huge parts of the U.S. economy relies could cost close to $1 trillion, more than the combined annual revenues of the dominant cloud service providers––which are themselves some of the largest companies in the world. The insurance industry lacks the collective resources to absorb such losses.
One solution to this problem is to have the government become the insurer of last resort. Government assistance kept many businesses out of bankruptcy when the COVID-19 pandemic hit; similarly, the government may need to come to the aid of the private sector in the event of a truly catastrophic cyberattack. Without preconditions, however, such a backstop would do more harm than good. If enterprises know they will receive a bailout in the event of a large-scale cyberattack, they may have less incentive to invest in effective cybersecurity. Instead, the government should only offer backstops to companies that have already met exacting cybersecurity standards, obtained minimum amounts of private sector insurance, and are attacked by state-sponsored or supported groups.
The strengthening of the AIS program and the establishment of the Bureau of Cyber Statistics will do much to level the playing field between defenders and attackers by unlocking siloed information and allowing companies to harness it for their own defenses. But these initiatives will be effective only if they are complemented by new public-private partnerships to encourage better cybersecurity practices and allow for the accurate measurement and pricing of cyber risks. The right combination of tools—real-time information, robust standards, incentives for improved cyber practices by companies themselves, dynamically priced insurance coverage—will make cyberattacks much more costly for hackers to carry out and much easier for U.S. companies to defend against.