Recently, I had the opportunity to participate in The Atlantic Council’s Young Professionals in Cyber Policy discussion with thinkers from industry, academia, think tanks, and policy. After speaking with Karl Grindal of the Cyber Conflict Studies Association, I realized that part of the reason for the current insecurity and high criminality in cyberspace is game theory, not technology. Though a secure cyberspace requires more transparency, a combined paradigm and free-rider problem helps make crime easy and profitable.
Increasingly we see that most cyber crime is not conducted by wacky, idealistic teenagers in a basement but gangs of moderately tech-savvy criminals and con men, operating much like any other form of organized crime. They aren’t stealing information to send a message or to show their elite skills, they are doing it because it’s profitable and, with rudimentary hacking tools, easy. This, and not hacktivism, foreign governments, or whiz kids, is the bulk of the threat to most regular Internet users. Because criminals follow the money to cyberspace, so has law enforcement, intermittently doling out serious penalties to hackers and pirates. As with any legal or illegal venture, cyber crime has other costs as well, taking time and some initial investments in hardware and software. Because cyber crime is on the rise, as it has been for some years, we know that the expected returns currently outweigh the financial, social, and legal costs. Cybersecurity providers, law enforcement agencies, and researchers are constantly on the look out for ways to increase costs by making systems more difficult to break into and increasing the rate at which criminals get caught.
Another way to tip the balance in our favor is to increase transparency and therefore decrease rewards.
Because account details including personally identifying information are leaked by the thousands, we have become less concerned about privacy and more concerned with theft, either of money, identity, or intellectual property. The thought of strangers looking through my vacation pictures or even my health records may be somewhat unnerving, but unless somebody has a personal vendetta against me, it’s not a major concern for large-scale breaches where information on thousands and sometimes millions of users, clients, or accounts is leaked. More troublesome would be somebody obtaining my credit card number, which is so common place that PandaLabs reports the going rate of a stolen credit card number is as low as $2. Other account details can be used to make purchases or receive services on my behalf.
This information is only valuable, however, if it remains valid. If I find out relevant information has been leaked, say from my Amazon account or health insurance, I can quickly change my passwords and cancel my credit cards. It’s a pain, but it beats trying to get most of my money back from my bank after fraud. Not only does this save me time and money, but it also lowers the value of my information. If everyone knew within hours of a breach the details and extent of a leak, they could invalidate the stolen information, making it virtually worthless and greatly reducing the gains of cyber crime. If the value of a credit card number drops from $2 to $0.50 , for example, identity theft may no longer be worth the time, risk, and investment for many criminals. Unlike many security solutions, reducing the value of stolen information does not result in an arms race between new vulnerabilities and defenses where hackers continue to innovate faster than government and industry. There would likely be a push to profit off stolen information faster, but the potential there is limited.
To let users know they’ve been compromised immediately, however, takes a level of transparency, between users and providers as well as internally within government and industry networks, that we have not yet achieved. First, it requires a commitment to alert users immediately by breached companies despite the tremendous damage it does to a firm’s prestige. Old users may leave, new users may be hesitant to join, and investors may lose confidence. These factors have been somewhat mitigated, however, by the understanding that vulnerabilities and breaches are everywhere. As more companies come out and admit to successful attacks, how a firm or agency reacts to a breach will become as important as whether it was vulnerable in the first place. Furthermore, if a firm loses business due to poor security practices, this still benefits the market by creating a “survival of the fittest” atmosphere that leads to adaptation and evolution in cyberspace just like in the natural world. Yet self-interested firms are not thinking about the rewards to cyber crime or the systemic health of the industry, and still would like to employ various forms of denial and damage control. This created a free-rider problem where a firm still benefits from the increased transparency of other firms making cyber crime less lucrative while preserving its reputation if its been hacked. Legislation is in place to prevent this, and almost every state has laws in place dictating the prompt notification of users if their personal information has been leaked, but there are still delays and varying levels of disclosure. Recent scandals about late or incomplete notification by Sony and RSA are examples.
Still, between legal requirements and the outrage as users find out on their own, most firms do want to alert clients of leaks in a timely manner. The problem is that many cannot due to technical limitations. They may not immediately know what, if anything, was stolen, or that there was a breach at all. For some companies it takes years to realize that there was an intrusion, by which time massive amounts of information have been stolen. Part of the problem here is enterprises investing all of their time and resources into trying to prevent intrusions and making detecting them an afterthought. Lately, there has been a push for a “presumption of breach” paradigm that assumes, as is statistically likely, that your network has already been breached, and focuses on forensics and remediation. This involves a slightly different type of transparency, not between a company and its clients, but between the CIO or CISO, the IT department, and the networks, to see who has been there and what is going on. Catching an intrusion early has many benefits for a company, such as minimizing theft and damage, but systemically, it still creates another, smaller free-rider problem. If every other company manages to catch intrusions early on, stop them from advancing, and inform users immediately, cyber crime would still be reduced and no additional investment in intrusion detection or forensics would be necessary. This is less pronounced than the problem of trust mentioned earlier, however, as Intrusion Detection Systems tend to be good investments regardless of that everybody else does.
Lowering the expected return to cyber criminals is one of the most overlooked solutions to rampant criminality online and one that holds tremendous promise. The crux of this strategy, however, is transparency, which is currently lacking between users and service providers, as well as between security professionals and networks. The latter can be improved by “planning to fail” and incorporating “presumption of breach” into network defenses, but the former is somewhat more tricky. Laws help, but to really ensure trust and transparency online, norms of good internet citizenship need to develop to overcome the free-rider problem in cybersecurity.