It's difficult to get precise numbers on our non-defense cybersecurity spend (which is a problem in itself), but most estimates place the number between $65 and $70 billion annually.
It’s debatable that even this number is adequate. China’s Digital Silk Road strategy is officially funded at $1.4 trillion over 5 years, or roughly 6 times the USA’s estimated cyber spend – and that’s just China. Add to that number the investments of our other major adversaries – Russia, Iran, North Korea, and a vast integrated cyber-criminal network – and it's clear the USA is being vastly outspent by our adversaries. This is one explanation for why the World Economic Foundation estimates the annual economic loss from cyber-attacks is roughly $10 trillion.
As we move into an era where government spending will be scrutinized more than ever, the need to have a sophisticated way of assessing the worth of our spending, including that in cyber defense, is paramount.
Unfortunately, notwithstanding the massive current cyber budget, we do not have a sophisticated macroeconomic model that we can use to assess the utility and effectiveness of current – let alone future needed – cybersecurity spending.
Ironically, cybersecurity routinely ranks as one of our nation’s largest areas of risk, yet it is virtually the only area of risk for which we do not have a sophisticated model to assess our spending’s impact and cost effectiveness.
In virtually every other area of risk analysis – financial risk, geopolitical risk, environmental risk, even weather, there is not only a sophisticated model to guide policy analysis and spending effectiveness but there are typically multiple models.
Cybersecurity is the only major area of risk for which we have no such models, meaning we really don’t know if the $70 billion we are spending annually on cybersecurity is worth it or if our traditional programs need to be rethought and reformed.
As devastating as natural events like fires are, we actually have models that can tell us how best to fight and manage them. They are, in the grand scheme of things, fairly predictable given proper variable (e.g. wind) analysis. Analyzing cyber risk is far more complex. In cyber we are dealing with conscious, well-funded, and intentional actors. The attack community uses sophisticated tools, including AI, to analyze our vulnerabilities and create multi-stage and often intentionally stealthy attack methods.
Rather than relying on a well-thought-out analysis of technical, economic, and strategic variables to empirically analyze cyber risks and develop cost-effective solutions, our approach – for over 20 years – has been to bring in a group of individual “experts” (often vendors with products to sell) and ask their opinions. The bottom line of this remarkably unsophisticated method of assessing sophisticated cyber risk has been a constant retread of outdated prescriptions, such as the use of unverified – indeed untested – regulations and frameworks coupled with reporting requirements.
Einstein probably never said it, but it is no doubt true. Doing the same thing over and over again and expecting different results is the definition of insanity.
Moreover, as the recent CrowdStrike incident has taught us, our cyber risk is not limited to managing cyber-attacks. We now know that unintentional accidents, like CrowdStrike, can create massive systemic impacts on our cyber systems. There is virtually no substantial research on the growing issue of systemic cyber events which are an entirely different species of risk as compared to the traditional attacks.
Several years ago, Oliver Hart, who won the Nobel Prize in Economics, and his colleagues -- the Prysm Group -- proposed to CISA that it fund the creation of the first macroeconomic model for cybersecurity. The estimated cost would be $1 million to develop the model – so we can begin to properly analyze our $70 billion spend. CISA never acted on the request.
Of course, you need to develop the model and run it before you can definitively determine the effectiveness of policies being tested. However, the Prysm proposal identified several areas where a sophisticated analysis could alter and improve cybersecurity policy.
For example, the National Infrastructure Protection Plan (NIPP), supported by both the first Trump and then the Biden Administration, recognizes that most critical infrastructure is held by private companies, but in the digital age these companies are taking on traditional national defense obligations as they defend against nation-state cyber-attacks.
Typical government policy has been to encourage these private firms to increase their own cybersecurity spending. While in the short term this solution may seem appealing (at least to government), the Prysm proposal would analyze the broader impacts. At what point would the increased security spend by private firms impact their ability to provide critical services? At what point would the increased obligations create investor flight from utilities, thus endangering their long-term viability? Are there incentive programs (and if so, what programs) that can accomplish our mutual security interests more effectively?
Similarly, having a sophisticated macroeconomic model to assess cyber risk – developed by Prysm or others – could offer novel approaches to difficult cyber issues such as ransomware, protecting small businesses, and addressing systemic risk.
Now, more than a quarter century into the digital age, it is finally time for government to invest a million dollars to create a sophisticated methodology to assess the effectiveness of the tens of billions we are spending on cybersecurity. To do so is both good economics for the government and good security practice for the nation.