Peter Dixon, Global Equities Economist

As we engage ever more in online activity, we leave a bigger digital footprint which leaves a trail for the less scrupulous to follow. According to recent figures, more than a quarter of all recorded malware appeared in 2015 alone. Cyber threats are clearly on the rise, but for all the concerns about the rise of malware and foreign hackers, the biggest threat is quite simply carelessness on the part of users. As a result, it is possible to reduce some of the obvious threats by adopting cheap security measures. But bigger problems require more expensive solutions, which raises two key questions: (i) At what point do the economic costs of protection outweigh the benefits and (ii) How much privacy is society willing to trade off in favour of greater online security?

The threat

The internet routinely makes it into the list of the top ten most influential inventions of all time (although this might be somewhat questionable as it represents a scientific evolution rather than a revolution). Nonetheless, it has enabled an economic and social revolution as a result of the way it has affected how people are able to interact with each other. Thanks to the internet, the dictionary definition of community (“a group of people living in the same place or having a particular characteristic in common”) has changed because people no longer have to live in close proximity to be part of a community. But some things never change: Communities have historically attracted less savoury elements intent on exploiting other members of the group. And cyberspace is no exception.

Every individual or organisation which links to the internet leaves some form of digital footprint which advertises their existence and alerts the unscrupulous. Just as in the real world, cybercrime can be classified under the broad headings of fraud, terrorism, extortion and, in its most extreme form, warfare. The purposes of cybercrime differ. It may simply be theft – whether of financial resources or non-financial resources, such as identity, with a view to committing some other crime. Other motives could be extortion, which might entail repeated attacks on a website which desist upon payment of a fee, or more seriously the denial of services which threaten national security.

All forms of cybercrime involve gaining initial access to a network. At its least sophisticated, but nonetheless often effective, fraudsters try to entice individuals to click on a link which then enables the release of a computer virus which either sends back information or takes control of the host system. More sophisticated hacking attempts repeatedly bombard networks in an attempt to find a vulnerability which can subsequently be exploited. However, carelessness, rather than gullibility, is seen by corporate executives as one of the major cybersecurity threats. A survey conducted by IBM suggested that more than 40% of executives see negligence on the part of insiders as the single most important threat to the integrity of their network (chart 1). The second most important threat is posed by the loss of devices, with web attacks and malware rather lower down the worry list.

Obtaining decent data on the extent of the threat posed by cybercrime is difficult. For one thing, companies do not report all data breaches for reasons of confidentiality and credibility. Moreover, not all companies are aware they have been hacked (the recent hacking of the US Democratic Party’s computer network by a group code-named Cozy Bear only came to light after another group, known as Fancy Bear, was exposed). However, according to the security company CyberArk, cybersecurity incidents surged 38% during the course of 2015; malicious cyberattacks are estimated to cost between USD300bn and USD1 trillion per year; data breaches average $154 per record whilst the cost per breach is estimated at USD3.8 million. Perhaps even more worrying is that hackers often have up to 200 days before they are discovered.

The economics of cybersecurity

The problem which network users and providers face is how much security to provide. We can think of this problem in terms of the demand and supply sides of the cybercrime market. Hackers have to balance the costs of their actions (for example, in terms of detection) against the benefit. Defenders have to balance the cost of protection against the losses from cybercrime. It should be evident that even if it were technically possible to completely eliminate cybersecurity threats, the cost of doing so would far outweigh the benefit. From an economic perspective, the optimal degree of cybersecurity across society as a whole is one where the marginal social benefits are exactly equal to the marginal social costs (chart 2).

Note that this does not simply measure the sum of costs and benefits of all parties in the economy: There are, for example, significant network effects associated with investment in cybersecurity measures, because enhancing security to deal with a particular issue encourages network participants to engage in other activity. However, a market in which private actions determine the level of protection is also one prone to failure. For example, it may lead to under-investment in protection in cases where agents are slow to adopt the latest technology (perhaps for reasons of cost). In order to minimise these problems, there is a role for government to set minimum standards and perhaps to give incentives to encourage R&D spending on cyber protection measures. In the sections which follow, we need to keep these simple economic concepts in mind when assessing the impacts of cybersecurity.

Managing the threats

As noted above, carelessness is one of the key reasons why hackers are able to access systems. Such lapses tend to happen because systems users are subject to information overload. In this environment it is all too easy to click on a button you should not, which then allows unauthorised users onto a system. Another problem is that entry points into systems have grown exponentially as mobile devices become cheaper and their functionality improves. The problems are set to multiply in the years ahead. According to McAfee Labs, between 2015 and 2019 the number of internet users will rise by around one-third, with half the world’s population projected to have online access. The amount of network traffic is projected to more than double, whilst the amount of data carried across the net could increase by a factor of five (chart 3).

IT managers around the world are all too aware of the risks and the exponential increase in threat potential is sure to give them plenty of sleepless nights. Companies have a series of basic protocols designed to minimise threats, although the problem increasingly resembles an arms race between potential attackers and defenders. The first line of defence is a secure firewall. This has been made much more difficult than used to be the case by the fact that the workforce is increasingly mobile, with the result that the location of the network perimeter is much less well defined than a decade ago.

There are some other basic precautions that should be followed to minimise the threats. One is to ensure that passwords, which are the single biggest failure point of any network, are not easy to crack. Changing them away from the system default is always a good start: apparently the two most popular passwords are “123456” and “password.” A more draconian approach is simply restricting access to applications. Around 50% of third-party apps assessed by CloudLock Inc were subject to an outright ban by IT security professionals, with one third of them blocked because the vendor was deemed untrustworthy (charts 4 and 5).

The second requirement of any system is that network devices are configured only to provide the required services, which requires the removal of redundant applications and access to superfluous networks, and users should be given the minimum level of access to ensure that they can operate efficiently. Finally (and it should go without saying), all systems require protection against malware and it is important that software patches are implemented as quickly as possible in order to prevent known system weaknesses from being exploited. All of this comes at a cost, of course, and the US federal government spends proportionately twice as much on cybersecurity measures as it did a decade ago (chart 6).

Increasingly, cloud-based security services are seen as relatively cost effective for small and medium-sized enterprises which cannot afford to invest in state-of-the-art solutions. Such systems offer high levels of protection but because the costs tend to be spread across a number of users, the unit costs are lower than in the case of individual company solutions. Security experts do caution, however, that companies should conduct their due diligence on off-base storage sites, for it would defeat the purpose if the cloud-based supplier turned out to be less than reliable.

Bigger problems require scaled-up solutions

Governments are increasingly looking at cybersecurity problems in the context of national security. Attacks on military computer systems have been occurring in various forms since the 1980s, with NATO dating the first cyberattack to 1988. Although the perpetrator of that attack was quickly traced to one individual, subsequent efforts have proven to be more sophisticated. Attacks on US computer systems, which began in 2003, were attributed to Chinese-based hackers whilst the targeted attacks on Estonia in 2007 were blamed on Russia. Not that western powers are blameless, with the Stuxnet virus, which came to light in 2010, rumoured to have been a joint American-Israeli attempt to sabotage the Iranian nuclear programme. In all cases, despite the suspicions, there was never any direct proof that the attacks were state sponsored, and obviously the alleged perpetrators denied any involvement.

It is not only denial of service attacks which are a cause for concern. The theft of intellectual property is an increasing problem which could have significant financial implications for those affected. Many companies note that cyberattacks originating from China are a particular issue for concern. The cybersecurity consultancy CrowdStrike noted in a report in 2015 that attacks against US technology and pharmaceuticals companies were “clearly aligned to facilitate theft of intellectual property and trade secrets.” Such actions are believed to be less the result of deliberate government policy than a lax regime for prosecuting those companies which benefit from intellectual property theft. In order to combat such activities, the US and China signed an agreement in 2015 designed to limit the extent of such theft, although the jury is still out as to whether it is having much impact.

All of these examples illustrate that there are clear risks to infrastructure which increasingly relies on digital control systems. Transport and power grids, for example, are known to be vulnerable to hacking. In a similar vein, a significant amount of corporate intellectual property resides in the computers which act as companies’ memory banks. Governments are thus increasingly aware of the need to put in place national security systems. The UK recently announced the creation of a National Cyber Security Centre which in effect proposes the creation of a national firewall. This comes after various government efforts to persuade companies to tighten their security procedures have not produced the desired results. It is, of course, ironic that a generally pro-market government should have to step in to correct such a market failure. After all, it is the companies themselves which will suffer. But the government has decided that if it is possible to filter out spam mails, a similar principle can be applied to malicious online threats.

The trade-off between data security and privacy

One of the issues raised by efforts to tackle cybercrime is how to deal with questions of privacy. That there is a trade-off between privacy and security is not in doubt. The question is where do we draw the line? Not surprisingly, there are no clear-cut answers in a debate which has existed almost as long as the internet itself. Going back to the mid-1990s, concern began to mount regarding the use of HTTP cookies which were originally designed as a means of checking whether users had already visited a particular website. But they evolved as a means of tracking a host of data specific to an individual user, and it became possible to collect data across a range of websites which allowed companies to build web profiles of their customers. This raised a number of questions about how much information companies were able to hold. In response, the EU introduced a directive in 2011 which required consumers to give their consent before accepting cookies on their device – a law which was subsequently adopted around the world.

But the limits of data privacy are forever being extended. British plans to introduce a national identity card database in the mid-2000s were abandoned, partly due to opposition arising from fears over online security. The issue of state-sponsored attempts to gather private information came back onto the agenda – albeit in a different way – earlier this year when the FBI approached Apple Inc. for help in breaking into the encoded iPhone belonging to a terrorist. Apple refused, on the grounds that to do so would undermine the security of its systems which in turn would damage its reputation in the eyes of its customers. As it happens, the FBI did not need Apple’s help: It was a pretty straightforward job to break the phone in the first place. Security experts believe that the case was chosen to set a precedent requiring IT companies to provide help when needed. What these examples illustrate is that there is a trade-off between efforts to maintain the safety of online customers and the information which they need to give out in order to maintain that security. And the greater the potential threat, the more information customers will be required to give.

Last Word

It is evident that the more we engage in online activity, the more information we have to give to vendors who cannot guarantee with 100% certainty that it will be kept safe. We must accept that total protection is impossible. But companies have an incentive to encourage consumers to go online in order to reduce costs. As a result, they also have an incentive to enhance their cybersecurity systems – their long-term reputations may depend on it. But how much privacy is society willing to trade off in return?