Incoming: Cybersecurity Economics Entails Flipping the Spend

Today, government and industry increasingly are on the wrong side of the cybersecurity spend.

Criminal groups, nation-states and individual hackers often force organizations to spend much more to defend against cyber attacks, or the threat of attacks, than attackers spend to carry them out. How do we slow down this trend and reverse the spend, forcing the attacker to pay a higher price?

Technology and a better-educated workforce will help, but these solutions may not really reduce the spend or increase the cost to the attacker.

The best way to do this is through significantly increased partnering as well as more timely and greater sharing of threat data and real-time attack information.

Government agencies and industry need to establish more robust cybersecurity partnership agreements. These agreements should include mutual cyber defense pacts, guarantee that partners protect exchanged information, have detailed disclosure rules and provide stiff penalties for partners breaking those rules.

The partner agreements should define trigger events that activate shared cyber defense teams, real-time connected cybersecurity operations centers, arrangements that allow immediate tasking of shared assets and plans that include network and other information technology asset-sharing arrangements.

Partners should build response templates that are routinely updated based on real-world cybersecurity attacks and successful practices.

Agreements should include sharing sensors, sensor data and analyses in real time. Partner teams must have agreed-upon strategies and responses that enable them to fight cyber attacks together as they happen, and private-sector partners should agree to mutually support business operations and not to exploit any business opportunity resulting from a cyber attack. Partners should train together and freely share both wise practices and lessons learned.

Partners must agree to establish and enforce basic cyber hygiene rules and practices and share methods both to improve compliance and to detect violations. The cost of development and implementation of improved cyber education practices and training would be shared. Partners should test and challenge each other, working to raise the overall cybersecurity readiness level and raising the cyber hygiene bar.

This may be a more controversial suggestion, but perhaps partners could work together to reveal the source of attacks and publicly identify attackers or websites and expose what amounts to bad cyber neighborhoods. Commercial partners might even work together to find ways to inflict economic penalties directly on attackers or entities supporting attackers.

Building real partnerships and robust, active cyber defense agreements can have a big payoff. The approach not only forces attackers to expend more resources to be successful but also lowers defense costs by permitting partners to freely share personnel, data and tactics, allowing them to rapidly expand their trained cybersecurity force when needed. It can raise overall standards for cybersecurity and eventually shine more light on bad cyber actors.

What do you think? How would you recommend flipping the spend? Contact me at signalnews@afcea.org.

Terry Halvorsen, the chief information officer (CIO) and an executive vice president with Samsung Electronics,i s the former U.S. Defense Department CIO. He also has served as the Department of the Navy CIO.