CYBERSECURITY PUBLIC-PRIVATE PARTNERSHIP STRATEGY
Lyle Brecht
Draft 4.6
Saturday, January 2, 2010 CAPITAL MARKETS RESEARCH
America's economic prosperity in the 21st century will depend on cybersecurity.1 United we stand, divided we fall.2 No one can be secure alone.
THE DECISION SPACE FOR SECURING CYBERSPACE: If one developed a graph of relative influence based on budget, purview, and existing infrastructure (capabilities) among the various federal-level agencies presently charged with some aspect of cybersecurity, the weightings might look something like the following (with 10 being the most influence, 0 being no influence at all): National Security Agency (NSA) 10; Department of Defense (DOD) 8; Department of Homeland Security (DHS) 0.8; Department of Justice (DOJ) 0.1; Securities & Exchange Commission (SEC) 0.03. The National Security Council (NSC), the government entity charged
with coordinating the various missions among competing agencies and departments for the good of the nation, to prioritize and coordinate efforts related to cybersecurity has a difficult, if not insurmountable, task. This is due to the present situation of: (a) huge discrepancies of relative influence; (b) large entrenched bureaucratic capacities; (c) existing momentum of these bureaucracies, and (d) because the NSC has little ability to reallocate budget in real-time. Thus, each ‘policy-coordinating’ meeting conducted by NSC is neither a meeting among equals, nor a forum for real policy coordination beyond verbal head nodding and then when the meeting is over, continuing with business-as-usual. What is particularly toxic with this arrangement of decision space and often unstated is that there are philosophical conflicts over what the objectives for securing cyberspace should be and even what constitutes cyberspace from the perspective of these different agencies and departments of the federal government.3 This leads to very real consequences in addressing (or not) the systemic risk associated with maintaining and operating the national cyber ecosystem. Oftentimes, policies of one agency or department may directly interfere with or even counteract specific cybersecurity initiatives of another agency or department, or those of the private sector, collectively. The mission of NSA, more so than eliminating certain vulnerabilities of the existing cyber ecosystem may, instead, be to exploit such vulnerabilities for purported National Security purposes (i.e. for the intelligence value of the data flow). However, this is a particularly narrow view of national security when maintaining certain existing vulnerabilities in order to achieve intelligence objectives creates or sustains systemic risk in the cyber ecosystem that may have significant (e.g. $5,000 billion or more consequential risk) cost to the national and/or global economy. 
To date, the question of whether or not the present NSA mission is worth it, or is properly focused, given the economic need to close off certain existing vulnerabilities to reduce systemic risks in cyberspace has not yet been sufficiently answered.4 For example, while NSA was busy intercepting communications traffic from offshore and domestic ‘enemies of the state’, as defined as those set on a violent overthrow of the existing order, the actual existential threat to the nation may have been from Wall Street’s activities regarding collateralized debt obligations (CDOs). The collapse of the CDO market ultimately led to a near-meltdown of the global financial system and the shoring up of this system with ~ $17,489 billion in loans, pledges, and guarantees backed by future taxes of the American citizens (see footnote #10 for further explanation of this assertion). At variance with publicly-acknowledged rhetoric to fix cyber ecosystem vulnerabilities are the military’s present programs to develop offensive cyber weapons and to defend cyberspace
attacks through existing nuclear deterrence doctrine. Cyberspace is a networked ecosystem comprised of many parts that are interconnected globally, and complexly. The notion that one portion of this ecosystem (or even individual nodes of the cyber ecosystem) can be blithely attacked, or defended (especially with nuclear weaponry), is so outlandish and puerile as to bring into question whether the military actually understands even the basics concerning the cyber ecosystem upon which even they are ultimately, like air or water, dependent upon for their survival.5 DHS activities to address malicious threats to the nation’s cyber ecosystem are laudable and on the right track. Yet, as I argue below, malicious threats may constitute the minority of real, systemic threats to the nation’s cyber ecosystem. Thus, even if malicious threats were able to be completely eliminated from the system, very large consequential systemic risk still remains.6 Below, I discuss the very serious consequences of no one, literally, minding and attending to the cyber ecosystem as a whole. It is almost like everyone has their own store in the mall, may be doing a responsible and upright job of selling their ‘product’ and minding their own store, even as the entire mall falls into disrepair and abuse around each storefront. My argument is that to really achieve cybersecurity (of the entire cyber ecosystem), at least cybersecurity that matters in the long-run, we must address the consequential systemic risks that are structurally embedded in the existing system. Thus, I argue for adequate budget to develop the cyber ecosystem, not just allocating budget to protect the cyber ecosystem as it exists today. The object is NOT to pave the cow paths.7 Each of the aforementioned federal agencies has an important role to play. 
A role that may be somewhat different than today’s mission in a well-coordinated approach to cybersecurity that sufficiently addresses known and potential consequential systemic risks. And, the private sector must be enlisted to play a role, a somewhat different role than it has been playing presently, to develop the cyber ecosystem in ways that mitigate existing known vulnerabilities in a timely fashion. I argue below that such a new approach to a private-public partnership for cyberspace security is ultimately the most profitable for the national economy, as well as produces the best value in increasing national security for cyberspace-related initiatives. As the vast majority of the cyber ecosystem exists solely within the purview of the private sector, it is the private sector that requires the economic incentives to ensure development and protection of the national cyber ecosystem. I contend that this new partnership with the private sector has the potential to provide more real national security than the present NSA use of cyberspace as an intelligence platform and DOD use of cyberspace as just another war-fighting terrain using offensive cyber weapons. My deep concern is that some of the ongoing NSA and
DOD cyber programs are presently antithetical to a productive public-private partnership arrangement to develop a secure national cyber ecosystem.8 DEVELOPING & PROTECTING THE CYBER ECOSYSTEM: Cybersecurity, in its present constellation and embodiment in publicly-acknowledged (as opposed to what happens behind trusted conversations with security-cleared participants) government regulatory zeal is primarily concerned with protection. The assumption is that a more secure cyber ecosystem will ensue through regulatory protection of cyberspace. This regulatory protectionism, by fiat, assumes that government requires 1,000’s of government employees to oversee this protection, a cyber czar to oversee the government’s cyber activities, and significant budgets spread over many departments and agencies to assure that the protection of cyberspace comes to fruition. All this focus and activity is rationalized through two apparently indisputable facts: (1) malicious attacks on the national cybersystem are growing each year; and (2) the national cybersystem is understood as a critical infrastructure that demands protection for the economic well-being of the nation. But is protecting cyberspace the best or the only means to secure the nation’s cyber ecosystem? Can development also play a role in assuring a secure cybersystem? Also, if we wish to secure the national cybersystem, have we defined what level of risk we are willing to face and the security we want to achieve? And, at what cost? Without having clear objectives for cybersecurity and knowledge of budget, is it reasonable to establish public-sector organizational structure, to imagine inherited structure and regulations are adequate, or to rush to pass new regulatory initiatives? What I see is a pre-Katrina-like situation. We may be busy solving the more trivial, but highly visible risks, while potentially neglecting the larger, more systemic risks right in plain view. 
Post-9/11, terrorism was identified as the number one risk. Large amounts of manpower and capital were allocated to address the risk of this type of event not occurring again. But almost nothing was done, no capital was allocated, no manpower was applied, to address the more likely systemic risk of a natural (not man-made) Katrina-like event and its impact on the City of New Orleans. One thing that we should have learned from Katrina is that addressing systemic risk often has a timeliness. Fixing the levees of the city before Katrina hit would have been a fraction of the cost of cleaning up the mess from the flooding afterwards. The analogy to securing cyberspace is that the cyber ecosystem may be more threatened from systemic risk of structural weaknesses than from malicious acts. Rushing to erect secure
barriers to protect cyberspace through regulatory zeal, public sector budgets and dedicated manpower may leave us with a false sense of security, if development of cyberspace is not also considered. Ultimately, managing cybersecurity must support the freedom and creativity of ideas that are necessary to preserve the capitalism and free markets that have produced the economic growth of this nation. This does not mean regulations are not necessary. More profits can always be made in a well-regulated market that adequately addresses systemic risk. CYBERSECURITY IS, AFTER ALL, A SYSTEMS PROBLEM: Present federal government focus on cybersecurity is absolutely needed to ensure sustainable economic growth for the nation now and in the future. However, due to the networked systems nature of the cyber ecosystem and the timeliness of the cybersecurity problems the nation presently faces, traditional ways of promulgating standards, managing initiatives to secure cyberspace, and setting metrics for success leave many gaps. This is often due to the stovepipe approach to cybersecurity where one department or agency’s initiatives collide with another agency’s and neither agency’s methods constitute best practices from the perspective of private industry.9 The process whereby budgets are decided and funds employed to implement policy across multiple, often competing jurisdictional boundaries is often not well coordinated. The policy coordinating function may have difficulty against agency budgeting by the politically powerful for ideas that are topical (or popular), the private sector may be left to its own devices to sort out highly-compromised regulatory initiatives, and the nation, as a whole, oftentimes reverts to reactive mode as crises (real or perceived) materialize. 
Most importantly, the systemic risk of the failure of cybersecurity initiatives may be neglected due to this inadequately coordinated, stovepipe approach to cybersecurity.10 We recommend that today is a perspicuous time to build a new-model public-private sector partnership decision-making framework for investing in cybersecurity.11 We propose that creating economic incentives for speeding-up new technology adoption to develop cyberspace may offer one of the best and, to date, overlooked approaches to risk management of the cyber ecosystem. That is, developing the cyber ecosystem may be a cost-effective means to both achieving risk reduction for identified cybersecurity vulnerabilities, protecting national security, and growing the national economy, while creating a significant number of new jobs. THE CYBERSPACE ECOSYSTEM: The advent of advanced computational resources, large-scale data storage, embedded smart controllers in many industrial processes and consumer goods, and cyber networks (collectively, “cyberspace”) and the resultant networked information economy may be the most significant economic change since the start of the
industrial age. Cyberspace presently serves as the substrate for the evolution of the postindustrial economy of the twenty-first century in advanced countries of the world: Cyberspace is a human-engineered complex, dynamical system described most accurately as a system comprised of a large network of components operating with simple rules (programs and protocols) with no central control (i.e. the system is self-organizing) that results in sophisticated information processing (computational processes), adaptation, and complex collective behavior. Additionally, this complex, dynamical system is non-linear in its exhibition of emergent behavior (i.e. the behavior of the system cannot be fully predicted from a knowledge of all its parts) and probably exhibits features of a chaotic system (i.e. there is a sensitive dependence on initial conditions).12 More than ninety-percent of cybersecurity needs/requirements reside in the private sector portion of the cyber ecosystem;13 Cyberspace vulnerabilities are believed to generally result in events that fall into two categories: (a) LOSE (loss of service event), and (b) LODE (loss of data event). Cybersecurity consists in addressing vulnerabilities that result in these two events;14 Choosing what not to do to protect and defend cyberspace may be as important as what we collectively decide to invest capital in to achieve cybersecurity; Today, both the public and private sectors tend to establish priorities to address cybersecurity issues primarily by two methods: (a) the windshield method (what is most visible and immediate), and (b) the normative risk assessment method (choose the most probable vulnerability with the largest consequent);15 Presently, widely-agreed metrics for what constitutes a reasonable level of system vulnerability (how secure must cyberspace be, given the costs for achieving this level of security?) 
for critical sub-systems of cyberspace, across the national cyber ecosystem, or the international cyberspace do not exist; Practicable EROIC (economic return on invested capital) metrics based on a standard risk assessment methodology 16 to schedule investments for cyberspace security have not yet been established and promulgated across all the actors engaged in cybersecurity;17 If cyberspace is the foundation for a large portion of the annual GDP growth of the national economy, it has taken on a mantle of critical infrastructure with national security implications; thus, cyberspace and its security has become a necessary component for
sustainable economic growth, comparable to ecosystem services inputs like air and freshwater in the natural realm; 18 Cyberspace resilience to vulnerabilities risk may be lower than it should be given its critical infrastructure importance.19 For example, some critical cyberspace infrastructure is outdated, highly vulnerable to threats, inefficient, and unsuitable for sustained future economic growth. Using the Federal Interstate Highway System20 as an analogue, it is as though we have both high powered sports cars and model T Fords traveling down the road together 24 hours a day every day, going not more than 30 MPH because the road is in such disrepair. Additionally, there are bandits all along the road who may hijack our car at any moment;21 As critical infrastructure, cyberspace has also become a potential environment for novel strategic, offensive cyber warfare initiatives and the development of both defensive and offensive cyber weaponry. Both cybersecurity22 and cyberwarfare,23 although interlinked and enmeshed, are proceeding apace rapidly and, for the most part, independently; Many of the technologies underlying weapons of mass destruction (WMD) i.e. chemical, biological, radiological, and nuclear weapons (CBRN) require access to hard-to-acquire and often large scale, sophisticated weapons programs. 
What is different about cyber warfare is that, along with other networked technologies such as genetics, nanotechnology, and robotics, knowledge-enabled weapons of mass destruction (KMD) are widely within the reach of individuals or small groups;24 Offensive cyberweapons are potentially so powerful25 and cybersecurity vulnerabilities potentially so catastrophic if they occur at scale that accidents, abuses, and deliberate malicious attacks that cause the collapse of cyberspace may be capable of producing circumstances whereby, for example, instead of global GDP going from $60 to $240 trillion (in $2005 purchasing power parity) by 2050, it declines to $6 trillion;26 Annual cyberspace-dependent revenues from the various uses of cyberspace amount to a significant portion of the annual GDP of the world’s economy. If cyberspace infrastructure was compromised, crippled, and/or disabled for an extended period, do we have an estimate of the reduction in global economic production (GDP) that might ensue;27 Do we have a good handle on the estimated ongoing operating and maintenance (O&M) costs and repair and replacement (R&R) costs for the nation’s cyber infrastructure? Could they be $248 billion annually or is this too high; too low? On an annual basis, depending on
what the optimal O&M and R&R requirements are for the nation’s cyber ecosystem, what is the magnitude of the deferred investment that is not being made each year? Are both private and public sectors presently underinvesting in the necessary O&M and R&R to obviate consequential cybersecurity vulnerabilities, or is everything just fine? Could the nation be underinvesting by about $126 billion annually (that is a ten-year underinvestment of $1,260 billion)? Is this estimate too low or too high for underinvestment in the cyber ecosystem; The size and ongoing nature of the deferred investments in adequate O&M and R&R for the nation’s cyber ecosystem results in a highly vulnerable cyber ecosystem (from a probabilistic risk assessment perspective that assesses consequential vulnerabilities) that is prone to compromise and partial system collapse; Even with adequate O&M for some portions of the national cyberspace ecosystem, some portions of the cyber ecosystem are so vulnerable due to lack of timely R&R, that adequate security of the national cyber ecosystem cannot be assured. That these outdated portions of the cyber ecosystem comprise portions of the national cyber ecosystem creates a situation of heightened vulnerability for all cyberspace users; There may be a statistically higher probability for catastrophic damage to sectors of the nation’s economy from cyberspace vulnerabilities due to inadvertent system failures than in deliberate malicious attacks against the national cyber ecosystem; Have we developed good estimates of the probabilistic risk from different threats across the cyber ecosystem? For example, do we know if estimates of the probabilistic annualized threat estimates of cyberspace disruptions or collapse from system-related problems (e.g. 
cascading failures) due to lack of O&M and R&R = 40%;28 deliberate malicious attack of the national cyber ecosystem exacerbated by insecure, outdated infrastructure = 30%; emergent causes (black swans) = 20%;29 and faults due to natural causes = 10% (earthquakes, tornados, hurricanes, floods, asteroid collision with earth, etc.) are reasonable or off the mark, for depending on the type of risks we face, different policies may be appropriate and/or differing amounts of investment to close off certain risks may be reasonable; Threats to existing cyberspace environment vulnerabilities follow a Cauchy-Lorentz distribution in number and severity of system related threats over time (i.e. only a few low-probability threats will be severe and large scale, but potentially of very large consequential or catastrophic results). The majority of threats from cyber ecosystem vulnerabilities are
merely noisome, although, collectively, they may add up to many billions of dollars in lost revenue;30 The inherent vulnerabilities of the national cyber ecosystem to withstand powerful solar storms31 and EMP (electromagnetic pulse) attack32 disruptions or shutdowns due to inherent system design limitations, as well as from human error, introduce another significant level of risk.33 For example, there is an economic cost ripple effect for inadequate O&M and R&R to the nation’s electricity grid. For example, the entire national cyber ecosystem infrastructure relies on clean, dependable electricity sources to function; Practically speaking, the cyber ecosystem’s vulnerability is often determined by the lowest common denominator of present technical capabilities. It is unlikely from a probabilistic perspective, or from a game theory perspective, that the cyber ecosystem can ever achieve 100% security. That is, there will always be some level of probabilistic risk from known and unknown vulnerabilities in cyberspace that we are not able to adequately ‘manage’ or that can be engineered out; Regularly upgrading cyber ecosystem technology may be one potential economically-advantageous means for managing the risk assessment curve. That is, with each successive introduction of cyberspace technology, there is a high probability that glaring structural and functional security issues will have been addressed. Thus, only unknown operational and structural security issues will remain until security flaws in the new cyber ecosystem technologies become known;34 Additional cybersecurity may be established if normative technology adoption cycles were reduced by 50%-80%. The most cost-effective means to accomplish a speeding-up of technology adoption cycles may be to assess the probabilistic cost of maintaining out-of-date cyber technology with vulnerabilities in market transactions (e.g. 
establish economic disincentives for using insecure, out-dated cyber technology), and to provide economic incentives and subsidies to encourage markets to rapidly adopt newer, less vulnerable cyberspace technologies;35 Opportunity costs for not making the necessary investments to re-engineer and improve the probabilistic forecasts for cyber infrastructure disruption or collapse may be very large. If one calculated this opportunity cost, the result may be an Incremental Capital Output Ratio (ICOR) that equates to a loss of about $500 billion in national annual GDP, on average;36
Cybersecurity is by nature cross jurisdictional, multifaceted, multi-level, international and its capabilities and citizens’ freedom to access these capabilities have moral and ethical implications.37 In order for a reasonable level of cybersecurity for the national cyber ecosystem to be attained and maintained, only a heretofore exceptional new-model collaborative public-private partnership that reaches out to the entire cyberspace community may be necessary and sufficient. Threat vulnerabilities that, if exploited or due to consequential failure, might limit the continued rational use of the cyber ecosystem, distort the reliability of valid data storage or transfer, and/or result in catastrophic risks to the nation ultimately could profoundly affect personal freedoms. The objective of any cybersecurity initiatives must be first and foremost to preserve individual freedoms for all citizens, while protecting cyberspace for the good of the nation.38
OBJECTIVES FOR A NEW-MODEL PUBLIC-PRIVATE PARTNERSHIP TO SECURE CYBERSPACE: Engage government agencies/departments charged with overseeing cybersecurity in a new-model public-private partnership for investing in cybersecurity and developing economic incentives to speed-up new technology adoption cycles to reduce cyberspace vulnerabilities; Develop the decision framework methodologies and analytics that will assist public sector and private sector cyberspace actors to: establish public-private partnership policy development priorities, scale capital allocation budgets (how much capital must be allocated to adequately address the cyber vulnerability identified as a priority); establish EROIC (economic return on invested capital) target metrics for national cybersecurity and cyberspace development efforts; Pilot this innovative public-private sector partnership for allocating development capital, establishing well-defined cybersecurity metrics, and building economic incentives to speed-up new technology adoption cycles;
Introduce this capital allocation approach for investing in cybersecurity and building economic incentives for developing cyberspace security to other global partners in the international community. PLAN OF ACTION - TO BE COMPLETED BY _______________. Establish cybersecurity as a national priority. For example, what is the economic cost in GDP loss from not adequately addressing cyber ecosystem security; Establish that the critical infrastructure portfolio for cybersecurity risk management extends beyond manmade deliberate malicious actions. Quantify and create a narrative that reads understandably to help the uninitiated understand this; Establish that manmade deliberate malicious actions may actually constitute a minority of consequential and catastrophic risks to cyberspace security. This proposition needs to be substantiated through additional research and quantification of the systemic risks to the cyber ecosystem by source; Establish that the single greatest improvement in overall system security of cyberspace may be to reallocate private sector capital to adequate O&M & R&R to achieve an as yet unspecified level of cybersecurity. This proposition needs to be further substantiated through case studies and analytical work; Concurrently, additional investment in private-sector R&D may speed-up technological innovation that dramatically improves cybersecurity if adequate O&M and R&R investments are being made in an ongoing manner, over time. This proposition requires additional study in light of potential technological breakthroughs that may improve cybersecurity if such technology innovations were employed at scale more quickly with additional investment; This is because >90% of cybersecurity is in the hands of private sector actors. 
This proposition needs to be validated; An immediate benefit of increased O&M, R&R, and R&D by the private sector may result in significant jobs creation that directly benefits sustainable economic growth in GDP by improving cybersecurity and eliminating losses from cyber ecosystem disruptions. This potential jobs creation effect needs to be quantified and estimated as to timeframe for hundreds of thousands or millions of new jobs created through this approach to cybersecurity;
To accomplish this reallocation of capital to technological innovation and new jobs creation by the private sector to secure the cyber ecosystem, the federal government may wish to consider implementing strong economic incentives to make this investment. This may, based on analysis that is yet to be completed, accomplish more cybersecurity faster, at lower economic cost than a primarily regulatory approach. Prove this; Consider drafting a new-model public-private partnership economic incentives cybersecurity package to Congress. The economic incentives are in the form of tax credits for cybersecurity O&M, R&R, and R&D investments. They are available to all businesses. For example, the program might grant up to $200 billion of tax credits a year beginning in 2010. The program could run for ten years through 2019. Thus, over the ten-year life of the program, businesses in the U.S., overall, could potentially be eligible for up to $2,000 billion in tax relief for investments to secure the cyber ecosystem of the nation. Draft legislation is needed; Look into the feasibility and mechanics of paying for the tax credit program by pricing systemic risk of cyberspace and assessing a network access and use fee for all users of the cyberspace ecosystem. This access and use fee will be analytically determined based on pricing the economic systemic risk associated with specific users. Collectively, the result in the cybersecurity investment tax credits will be revenue and deficit neutral, adding only a small $100 million annual administration cost to the federal budget. The mechanism and the analytics for such an access and use fee need to be worked out; Develop the framework and proposed mechanisms for establishing cybersecurity insurance and/or cyberspace assurance to protect capital investments in developing the nation’s cyber ecosystem and improvements in cybersecurity.
ENDNOTES:
1. “And this is also a matter of public safety and national security. We count on computer networks to deliver our oil and gas, our power and our water. We rely on them for public transportation and air traffic control. Yet we know that cyber intruders have probed our electrical grid and that in other countries cyber attacks have plunged entire cities into darkness.” See presidential speech, President Barack Obama, “Remarks by the President on Securing our Nation’s Cyber Infrastructure” (May 29, 2009: 11:08 A.M. EDT).
2. Aesop, in his fable The Four Oxen and the Lion.
3. I define cyberspace provisionally as the medium(s) involved with the deliberate exchange of electrons for the purpose of conveying and/or storing data.
4. For a discussion of consequential risk and the value of Intelligence see http://www.pdfcoke.com/doc/23598062/National-Security-Managing-Systemic-Risk?secret_password=4rbhutz5wiu9581pmis. If NSA continues to take the lead for national cybersecurity from DHS, what constitutes a secure cyber ecosystem may be radically different than the private sector’s vision of cybersecurity. Despite rhetoric and protestations to the contrary, it may be in NSA’s interests to maintain certain system vulnerabilities rather than to encourage the closure of these vulnerabilities through cybersystem development initiatives. There are two problems with this approach that enables NSA to remain lead for cybersecurity:
(a) from a probabilistic risk assessment (PRA) perspective this may be extremely expensive in that capital needed from the private sector to address key aspects of consequential systemic risk in the existing system may not be as readily forthcoming or timely applied. As far as we suspect, no economic analysis has been conducted to determine if maintaining certain vulnerabilities to assist NSA data collection for national security purposes is of greater value than mitigating these vulnerabilities to avoid the consequential risk to the economy;
(b) NSA’s continuing interest in moving from passive listening to communication signals (analogue and digital) and data mining to an active gathering of data in cyberspace through the use of digital agents released into the wild is potentially destructive of private sector needs for data integrity. There is a potential problem with the use of such digital agents to collect data across all of cyberspace. The potential for a serious problem is in the capture of the digital agent by a hostile force and the alteration of the code to infect NSA data stores (or other unanticipated ‘natural’ epidemic infection problems), as well as other government and/or private sector data stores. With the potential for self-replication, and modification of basic code sets, once these sophisticated agents are released in the wild, it may be neither affordable nor feasible to turn them off easily. Again, an economic PRA should be required to assess whether the value of such active digital agent data collection by NSA for ‘national security’ purposes is reasonable, given the economic cost to the economy from the risk of using this technology.
There are two features of the national cyber ecosystem that may be being neglected: (1) the cyber ecosystem is a complex system with emergent behavior. It is radically different than other landscapes with which the military and IC are familiar; and (2) cyberspace has become critical infrastructure for all. Just like the air we breathe or freshwater we drink, we need to be careful not to pollute it. However, unlike the earth’s natural environment that has been able to recover from tremendous assaults on its integrity, cyberspace is a human engineered complex system that does not possess the resilience of the earth’s natural systems. That is, polluting cyberspace even a little beyond present conditions may have rapid, profound and potentially catastrophic consequences.
5. See Memo to Melissa Hathaway after Comments for 60-Day Review at http://www.pdfcoke.com/doc/12659947/.
6. A discussion of consequential and catastrophic risk is at http://www.pdfcoke.com/doc/22163392/.
7. A discussion of a proposed National Risk Integration Center is at http://www.pdfcoke.com/doc/9746884/National-Risk-Integration-Center.
8. A discussion of one mechanism to more effectively coordinate cybersecurity policy across all sectors of the economy and across the various agencies and departments of government is at http://www.pdfcoke.com/doc/21517975/brecht-cyberspace-center-for-policy-integration?secret_password=94iefj2cvwq5w0jw95a.
9. “[T]here is an urgent need to move beyond the informal, DC centered partnerships of the past. While these inside the beltway structures have an important place in the system, government must frankly address industry at a business plan level. Government needs to provide incentives for industry to invest in security items that may not be justified by their corporate business plans. Industry and government must construct a mutually beneficial social contract which addresses, creatively and pragmatically, the security of our cyber infrastructure.” See “A Twenty-First Century Model for Protecting and Defending Critical Technology Systems and Information,” Internet Security Alliance (2008).
10. One of the most recent examples of the cost for not adequately assessing systemic risk and planning for the rare event-failure of systems, in this case the market for collateralized debt obligations (CDOs) derivatives, was the collapse of the CDO market in 2008. For example, premiums for individual tranches of CDOs were priced at a risk-adjusted price that assumed no systemic risk. As the CDO market collapsed, U.S. taxpayers were required to put up approximately $17,489 billion in reserves (potential future taxes to make good on underpriced CDO insurance) during 2008.
11. This chart is from Nomi Prins & Christopher Hayes, “Meet the Hazzards,” The Nation (October 12, 2009) at http://www.thenation.com/doc/20091012/prins_hayes based on the analytical work published in Nomi Prins, It Takes a Pillage: Behind the Bailouts, Bonuses, and Backroom Deals from Washington to Wall Street (New York: Wiley, 2009). Potentially one of the important hopes for such a new-model public-private partnership is to rethink present risk management initiatives for cyberspace to counter the present situation where sometimes “Ineffective risk management methods, often touted as ‘best practices,’ are passed from company to company [and throughout the public sector] like a bad virus with a long incubation period: there are no early indicators of ill effects until it's too late and catastrophe strikes.” That is certainly what occurred on Wall Street with respect to the market transactions surrounding CDOs, which, due to their systemic risk being neglected, almost overnight became trillions of dollars of toxic assets. See Douglas W. Hubbard, The Failure of Risk Management: Why it is Broken and How to Fix It (New York: Wiley, 2009).
12. The “presence of chaos in a system implies that perfect prediction... is impossible not only in practice but in principle.” See Melanie Mitchell, Complexity: A Guided Tour (Oxford & New York: Oxford University Press, 2009), 13, 15, 20, 23, 33.
13. In investing to close cyberspace vulnerabilities, who should pay, what economic incentives are available, who decides best practices, and how is accountability accomplished? For example, “With tens of billions of dollars in investment on the line.... [participants] want to know that the investments aren’t going to introduce new and unmanaged risks.” See “Testimony of the Hon. Gary Brown, Chmn., NY State Public Service Commission, before the U.S. House of Representatives, Committee on Energy and Commerce, Subcommittee on Energy and the Environment on behalf of the National Association of Regulatory Utility Commissioners” (October 29, 2009).
14. Although there has been undue focus on malicious threats to the nation’s cyberspace, what may be a more serious and likely reason for LOSE (Loss of Service Event) and LODE (Loss of Data Event) incidents are risks from cascading failures where the failure of one node causes the failure of other nodes. E.g. the consequences of a future solar storm like the Carrington Event of August-September 1859 are extensive and involve a range of potential economic impacts not unlike a major Force 5 hurricane or tsunami that could cripple the present cyberspace ecosystem for an extended period. See National Research Council, “Severe Space Weather Events--Understanding Societal and Economic Impacts Workshop Report” (NASA, 2008).
15. Might a risk methodology that uses a Cauchy-Lorentz distribution rather than a normal (Gaussian) distribution be more appropriate? E.g. instead of prioritizing investments to address highest probability, highest consequence cyber vulnerabilities, is it more productive (on an EROIC basis) to address vulnerabilities on the fat tail of the Cauchy that represent unlikely, but potentially catastrophic consequences? An underlying issue is: if cyber is a complex system, what risk methodologies are appropriate to use?
16. E.g. Probabilistic Risk Assessment (PRA) is an analytical process that begins with two system counterfactuals: (1) the magnitude (severity) of the potential adverse consequences of system failures; and (2) the likelihood (probability) of the occurrence of each potential consequence. The objective is not a predictive exercise, but a disciplined descriptive process that may identify and highlight budget requirements for a secure national cyberspace environment.
17. The issue is that even as high probability/high consequence vulnerabilities are decided on as priorities, the capital necessary to address these vulnerabilities to a specified level of system assurance is not analyzed on an NPV basis, but left as an ‘open’ investment. Even if the vulnerabilities are patched, there are often few means to determine on a relative basis whether this allocation of capital produced a better return on invested capital than another project, given that there is always a limited supply of capital to complete work in any defined period.
18. Traditional regulatory approaches to mandate investments in cybersecurity may be a nonstarter. Old-style regulations often relied on two forms: Thou Shalt Not and If....Then regulatory forms that are unlikely to be useful in a systems environment like cyberspace. Additionally, these regulations are often promulgated in a piecemeal, disjunctive fashion and collectively may be dis-economic, producing results that are as or more harmful to the economy than the good the regulation was intended to achieve.
19. Resilience is understood here as the “ability of networks to maintain short average path lengths in spite of the failure of random nodes” (Mitchell, 257).
20. Developed as a national critical infrastructure initiative in 1956 during the Dwight D. Eisenhower administration.
21. “In 2007, there were almost 44,000 reported incidents of malicious cyberactivity -- one-third more than the previous year and more than ten times as many as in 2001. Every day, millions of automated scans originating from foreign sources search U.S. computers for unprotected communications ports -- the built-in channels found in even the most inexpensive personal computers. For electronically advanced adversaries, the United States' information technology (IT) infrastructure is an easy target.” See Wesley K. Clark and Peter L. Levin, “Securing the Information Highway: How to Enhance the United States’ Electronic Defenses,” Foreign Affairs Vol. 88, No. 6 (November/December 2009).
22. “In January 2008, President George Bush signed National Security Presidential Directive 54/Homeland Security Presidential Directive 23 — more commonly known as the Comprehensive National Cybersecurity Initiative (CNCI). This estimated $30 billion secret program recognizes that cyber security must be elevated to a level of importance on par with an organization’s core functions and missions. It emphasizes that cyber security is a leadership responsibility, not just a function of the Chief Information Officer and information technology staff. And it acknowledges that effective cyber security is multidimensional, multifaceted, and actively involves the entire organization.” Unfortunately, “because many of the best-trained and most creative experts work in the private sector, blanket secrecy will limit the government's ability to attract new innovations that could serve the public interest. Washington would be better off following a more ‘open-source’ approach to information sharing” (Clark and Levin, “Securing the Information Highway”).
23. Either force or counter-force measures applied with the frame that cyberspace is just another ‘warfighting environment.’ The subtext typically assumes that National Defense means force projection and is based on Deterrence Doctrine, which today relies fundamentally on U.S. Nuclear Posture. Protecting cyberspace is now a national defense objective, but is force projection the best means for protecting cyberspace or to deter attackers?
24. The development and deployment of offensive weapons in cyberspace have a higher probability of mimicking HIV, i.e. the release into the environment of a wild-strain retrovirus that cannot be effectively inoculated against, than of deterring attacks or ‘punishing’ supposed attackers.
25. We now have the possibility of threats not just of weapons of mass destruction, but of knowledge-enabled mass destruction (KMD) weapons; KMD weapons will most likely use the power of self-replication to amplify their destructiveness by many orders of magnitude. Knowledge alone will enable the use of and destructiveness of these weapons. See Bill Joy, “Why the future doesn't need us,” Wired (June 2008) at http://www.wired.com/wired/archive/8.04/joy_pr.html.
26. Present global GDP estimate is from U.S. Central Intelligence Agency. See http://www.cia.gov/cia/publications/factbook/rankorder/2001rank.html.
27. Would $3,000 billion be a reasonable guess; $5,000 billion; more or less; in loss of GDP growth if the cyberspace services, presently taken for granted, were disabled or destroyed and could not be up and running again in a reasonable time frame? Some portion of the present productivity of the national economy of $14,290 billion in GDP (2008) would be lost.
28. Although there has been undue focus on malicious threats to the nation’s cyberspace, what may be a more serious and likely reason for LOSE (Loss of Service Event) and LODE (Loss of Data Event) incidents are risks from cascading failures where the failure of one node causes the failure of other nodes (Mitchell, 257).
29. Emergent behavior is difficult to predict from an analysis of the system and its components.
30. Many real life systems do not exhibit finite distributions and no expected precise estimate of probability may be attached to a decision about this system with any degree of confidence. This does not indicate that certain outcomes will not occur (are uncertain), only that their occurrence is unpredictable. It also suggests that a set of possible outcomes for a system may never be fully complete. That is, the system may exhibit results that are unknowable to some degree with any amount of analysis, no matter how much money is spent to gather evidence.
31. The consequences of a future solar storm like the Carrington Event of August-September 1859 are extensive and involve a range of potential economic impacts not unlike a major Force 5 hurricane or tsunami that could cripple the present national electricity grid for an extended period. See National Research Council, “Severe Space Weather Events--Understanding Societal and Economic Impacts Workshop Report” (NASA, 2008).
32. See Dr. William R. Graham, et al., “Report of the Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack, Volume 1: Executive Report” (2004).
33. The national electricity grid, 164,000 miles of high-voltage transmission lines and 5,000 local distribution networks, is outdated, highly vulnerable, inefficient, and unsuitable for fluctuating renewable power sources. The PV of annual transmission losses may be as much as $150 billion (at 3% discount rate). A smart-grid could potentially reduce electricity consumption by 6 percent and peak demand by 27 percent and enable renewables to comprise 20% of electricity production.
34. Cybersecurity is an ongoing, never-ending process. Technical panaceas are unlikely.
35. Recent work in behavioral economics and risk management theory may be helpful in arriving at better policy regarding economic incentives to address cybersecurity. In the realm of behavioral economics, for example, issues of decision-making in light of: prospect theory (generalized expected utility of decision-making under uncertainty), bounded rationality (satisfaction vs. maximized utility), overconfidence, projection bias, effects of limited attention, time-inconsistent choice (behavior not based on expected utility, but on previous historical reinforcement experiences), hyperbolic discounting (changing discount rates based on length of forecasting period), fairness, reciprocal altruism, etc. may suggest insightful approaches. In risk management, issues of cognitive biases, observation selection effects, and systems-based risk analyses may offer new insights. See Eliezer Yudkowsky, “Cognitive biases...”; Milan M. Cirkovic, “Observation selection...”; Yacov Y. Haimes, “Systems-based Risk Analysis” in Nick Bostrom and Milan M. Cirkovic, eds., Global Catastrophic Risks (Oxford: Oxford University Press, 2008).
36. A metric that measures the marginal amount of investment capital necessary for an improvement in the national economy’s level of production efficiency.
37. Sometimes the foundational and important aspects for why we wish to secure cyberspace are left unarticulated. For those reasons are not just to ensure commerce proceeds unimpeded. E.g. if that commerce was to support the Third Reich in pre-WW II Germany build-up to WWII. Also, the objective is not just so that data and information flow smoothly from source to receiver. E.g. if that data was to plan another 9/11 attack on the homeland or that information was designed to convince citizens of some deleterious belief through the promulgation of bald-faced lies that have national security implications (I am thinking, for example, of global warming deniers’ attempts to establish climate change as a figment of imagination and global warming as ‘not scientifically proven’).
38. Often these ethical and moral issues devolve into self-serving arguments and lobbied decisions regarding ‘privacy’ or ‘free-speech’ or economically-driven choices over market (proprietary rights) versus non-market (commons) control of the cyber ecosystem. What I am suggesting is that many of these discussions are merely symptoms of a lack of a theory of justice, not only what is fair in a transcendental Rawlsian frame (see John Rawls, A Theory of Justice, 1971) of idealized justice, but what steps might we take to move towards a more just world in terms of the behavior of citizens transacting their everyday activities interacting, with ever increasing frequency, with the cyber ecosystem? That may be, I believe, the real point of securing cyberspace - to use this technological medium of cyberspace for establishing a more just society. If that is even remotely a reasonable objective, of many other objectives such as to keep the economy going, prevent or, at minimum, reduce consequential and/or catastrophic risks from occurring, etc., then we may need to start with a theory of justice that assists our decision-making for allocating capital to cybersecurity. A starting place, for example, may be that we wish to secure cyberspace so as to promote democracy through the support of reasoned civil discourse and reciprocal personal freedoms, to improve the efficiency of free markets, and to preserve the commons for posterity. See Amartya Sen, The Idea of Justice (Cambridge, MA: The Belknap Press of Harvard University Press, 2009). A set of principles to protect individual freedoms has been proposed within the context of Islam (its reform to contemporary understandings of human industry), but may be equally applicable for other belief systems e.g. Christianity, Judaism, capitalism, humanism, scientism, atheism, etc. The foundational proposition is that all personal freedoms rely on a set of tolerant beliefs that recognize that “freedom is the only form in which man’s worship of God can be embodied.” This is true whether beliefs are centered on the God of Scripture, as in Judaism, Christianity and Islam, or in more secular gods such as a belief in science, capitalism, etc. as determining what is ultimately rational and Real in the world. Following from this principle:
no religious coercion is allowed, as this transgresses individual freedom and “is too fundamental to be subject to elections or debate;”
no persecution of other religions is allowed as distinctions do “not justify enmity, hatred, and killing;”
democracy is necessary for personal freedom as it “is so far the best relative standard man has achieved;” and
religiously motivated violence is rejected.
From the perspective of utility, maybe the most important reason to protect personal freedoms “is the intangible but critically important power of ideas.... it can be argued they are as important as economic or military might” in shepherding the entrepreneurial success of a great nation. Ideas are the engine that drives capitalism. Developing ideas requires personal freedom. See Muhammad Shahrur, Proposal for an Islamic Covenant, trans. D.F. Eickelman and I.S. Abu Shehadeh, (Damascus: al-Ahali, 2000) quoted in Vaclav Smil, Global Catastrophes and Trends: The Next 50 Years (London & Cambridge: The MIT Press, 2008), 114 and 140.