DHS Incentives Study: Analysis, Recommendations, and Areas Identified for Further Research

Transcription

1 DHS Incentives Study: Analysis, Recommendations, and Areas Identified for Further Research Executive Order on Improving Critical Infrastructure Cybersecurity Tony Cheesebrough Chief Economist National Protection and Programs Directorate March 13, 2014

2 Cybersecurity Incentives Study Requirements Executive Order (EO) requires the Secretary, within 120 days (by June 13), to make recommendations to the President on: a set of incentives designed to promote participation in the [cybersecurity] Program, including an analysis of the benefits and relative effectiveness of such incentives, and whether the incentives would require legislation or can be provided under existing law and authorities to participants in the Program. Though the EO requires separate studies from DHS, Treasury, and Commerce, the DHS Integrated Task Force (ITF) has been working collaboratively with these partners to share data, research, and analysis to produce its study The White House Council of Economic Advisors, Treasury Tax Policy and Insurance Policy Offices, and Homeland Security Institute each provided focused secondary research support For its report, Commerce is reviewing the feasibility of recommendations made in response to its Notice of Inquiry (NOI) 2

3 Research Methodology Definition. For the purpose of this study, DHS will use the following definition of incentive: a cost or benefit that motivates a decision or action by critical infrastructure asset owners/operators to adopt the cybersecurity framework under development by NIST. Central Researchable Question. To what extent would each of the incentives under consideration affect the probability that critical infrastructure asset owners/operators will adopt the cybersecurity framework under development by NIST? Basic Methodology. Without better data, a basis for quantitative estimates of the benefits of cybersecurity incentives is lacking, and until the EO-required framework is developed by NIST, the same is largely true of the costs of implementing the framework. As a result, the methodology for analyzing the effectiveness of the cybersecurity incentives under evaluation for the EO relied on evaluations of voluntary non-cybersecurity programs and largely qualitative methods. Evaluations of incentives applied to voluntary non-cybersecurity programs are assumed to be relevant to the study of voluntary cybersecurity programs, though identical results were not assumed. Information Sources. Literature review completed with research support from the Council of Economic Advisers, Treasury Tax Policy and Insurance Policy Offices, and Homeland Security Institute, yielding 138 peer-reviewed journal articles, law review articles, conference papers, working papers, government reports, dissertations, and book chapters. DHS/ITF Incentives Workshop: completed April 19, 2013 U.S. Department of Commerce Notice of Inquiry (NOI): completed review of 43 comments 3

4 Microeconomic Framework 4

5 Economic Criteria for Analysis Effectiveness: does it work? Effectiveness is the probability of framework adoption and is principally driven by framework cost sharing, though expected loss avoidance, marginal revenue increase, and ancillary benefits also contribute to a lesser extent. Efficiency: is there waste? Efficiency applies to cost sharing incentives, and consists of both: Moral hazard, which in this context exists because of differences in the degree to which techniques for adopting the framework are cost-effective, and can be thought of as allowing owners/operators to choose techniques that are not cost-effective; and Adverse selection, which in this context exists due to differences in the cost of adoption among owners/operators within and across sectors, and can be thought of as over-paying lost cost owners/operators which are already near the frontier of sophistication. Equity: who pays and how much? Government, industry, or consumers; all/most, moderate, or none/least. 5

6 Recommendations DHS recommended that the Administration continue analysis of the menu of six incentive categories highlighted in green. While DHS was not able to offer specific recommendations on implementing these incentives categories due to time constraints, the Department has conducted an initial analysis regarding legal feasibility and recommended that such analysis continue and lead to specific policy and implementation proposals. In addition to recommending further study on each of the incentives categories above, in its report to the President, DHS also supported the call from the National Science and Technology Council s Subcommittee on Networking and Information Technology Research and Development (NITRD) for additional research to Explore models of cybersecurity investment and markets; Develop data models, ontologies, and automatic means of anonymizing or sanitizing data; Define meaningful cybersecurity metrics and actuarial tables; Improve the economic viability of assured software development methods; provide methods to support personal data ownership; and Provide knowledge in support of laws, regulations and international agreements. 6

7 Proposed Procedure for Awarding Incentives In practice, it might difficult for DHS to determine whether the framework has been adopted, particularly when incentive awards are based on that determination. A more practical solution might be for DHS to follow procedures whereby applicants are evaluated on the extent to which they have adopted a standard. This is also consistent with the administration s Pay for Success model of payment for performance in the context of social services. In this way, either the size of the incentive would be made contingent on the evaluation, or a penalty would be assessed for a low evaluation. Owners/operators would be awarded with higher levels of incentives for improving their evaluations, and since it is not tied to cost, moral hazard is eliminated. Adverse selection is also addressed, because even a high cost owner/operator with a low level of cybersecurity sophistication can be motivated to improve. Low cost owners/operators, already near the frontier of sophistication, stop receiving incentives once they reach the highest level of evaluation, though penalties may be assessed for regression. 7

8 Areas Identified for Further Research As noted, the DHS Incentives Study conducted under EO lacked information about the consequences and likelihood associated with a range of cyber events. The Gordon-Loeb model shows that it is uneconomical to spend more than 37% of the expected loss that would occur from a security breach. However, we don t know enough about either the likelihood or consequences of such events to estimate what the expected loss that would occur from a security breach is, and so we cannot quantify the marginal benefit or the appropriate level of investment in Framework adoption. As noted by observers of the estimates of cybercrime costs: Relying on inaccurate or unverifiable estimates is perilous because it can tilt the country s spending priorities and its relations with foreign nations. The costs could be worse than the most dire estimates but they could be less, too, ProPublica, Aug. 1,

9 Estimating Cyber Consequences Types of economic consequences include reputational impacts, lost revenue from down-time and stolen property (intellectual and financial), and remediation costs associated with cybersecurity incidents. Estimates by security vendors of the losses associated with cybercrime ranging from $250 billion for the theft of intellectual property costs to U.S. companies to $1 trillion for the global cost of cybercrime have been criticized as unsupportable and below abysmal, even by the researchers and experts listed as contributors. Yet in the absence of alternatives, the highest levels of leadership in both the executive and legislative branches of the federal government have each cited these estimates. Research questions: To what extent does reputational impact lead to loss in revenue? To what extent does stolen intellectual property contribute to lost revenue? What is the distribution of operational down-time associated with the range of cybersecurity incidents, and to what extent do they lead to a loss in revenue? What is the distribution of remediation costs for the range of cybersecurity incidents? 9

10 Estimating the Likelihood of Cyber Incidents Similar to the estimates of consequence provided by security vendors, estimates derived from methodologies for estimating the frequency and distribution of cyber crimes, such as surveys commissioned by security vendors, have been criticized as so compromised and biased that no faith whatever can be placed in their findings, and worthless, scientifically worthless, with estimates of the number of incidents as much as 50 times higher than estimates derived from government data from the FTC. Research Questions: What data and methods should be applied to estimate the frequency and distribution of incidents among the various categories? While currently unknown, is it unknowable? Can we resolve questions relating to measuring unknowns and unobservables in a security context? Where known and observed, how can we create incentives to report incidents? 10

11 The Role of Behavioral Economics Finally, layered on the challenge of estimating the consequences and likelihood of cyber incidents is the perception of those estimates by individuals and organizations that rely on such perceptions to make decisions about, for example, adopting the forthcoming Cybersecurity Framework. Understanding perception is important because information about the likelihood and impact of cybersecurity incidents is interpreted and characterized by individuals and organizations in ways that are not simply based on fact, but is also related to the degree to which it the risk is observable, or known, and uncontrollable, or dreaded. The perceived expected loss, or perceived risk, avoided by Framework adoption is composed of two elements: the perceived extent to which a cybersecurity incident that exceeds security capabilities would impact revenue or cost; and the perceived likelihood that a cybersecurity incident will impact an individual owner or operator. 11

12