Tag Archives: cyber security

Incentivizing Responsible Cybersecurity in the Private Sector


By Joshua McGee, Center for Technology and National Security Policy

“Businesses care more about protecting their public image during an intrusive cyber incident than avoiding the loss of the intellectual property itself.”  This was the comment by a panelist at a July 18th Bipartisan Policy Center event.  His experience with companies in Silicon Valley was that they seemed more concerned with headline-grabbing cyber incidents by hacktivists than with the discreet loss of intellectual property[1] that is said to cost the U.S. economy billions of dollars every year.[2]

Why might a private company have these priorities?  One would imagine that the loss of intellectual property is something that a company would take seriously, just as seriously as protecting its public image.  Recent publicized cyber intrusions show that many companies have lax security protecting vital intellectual property and consumer data.[3]  It seems as if current free market forces are not directing companies to implement up-to-date cybersecurity strategies.  Instead, these forces may simply be directing companies to create public relations contingency plans to reassure the public and shareholders after the fact.  Ultimately, intellectual property is important to national security and to the resiliency of the United States’ high-tech, information and services-based economy.  The following is a thought experiment intended to discuss and explore a few of the conundrums and issues that surround the loss of intellectual property in the private sector via cyber intrusions, the incentives for companies to prevent and react to these cyber intrusions, and how the government may play a role in preventing the loss of vital intellectual information held by the private sector.

For the most part, detected private sector[4] cyber intrusions can be placed in two categories:  cyber intrusions that are publicly known, and those that are not.[5]  In each of these situations, there are different company assets at stake:

  • Publicly Known Breach – Loss of intellectual property (content) and bad PR (thus tarnishing the corporate brand and consumer confidence).
  • Undisclosed Breach – Loss of intellectual property (content)

In both situations, content is being stolen, but the difference is that the corporate brand of the company is severely jeopardized by a “headline-grabbing event.”  Recent studies show that corporate executives are extremely protective of their corporate brands, and that many times a corporate brand may be more important than the intellectual property that they produce.[6]  For this reason, there is a lot at stake when a company is the victim of a cyber intrusion conducted by groups like Anonymous or LulzSec, who purposely publicize such intrusions.[7]  This fear of a tarnished brand thus could lead companies to prioritize public relations campaigns and not necessarily focus on the cause of these intrusions (both public and undisclosed):  poor security.  It is also difficult for companies to quantify losses associated with the disclosure of intellectual property and consumer data.  This further complicates a company’s cost-benefit analysis on whether it should invest in increased security or in public damage control.

While a tarnished brand could greatly affect the company’s profits, the theft of intellectual property and consumer data is not only a concern for the company, but also for national security, particularly when it involves government contractors.  Such loss of intellectual property also affects the overall resiliency of the U.S. economy (which is largely based on innovation in high technology, information and services).  As discussed above, it seems as if companies may not be properly incentivized to protect themselves from cyber intrusions, but are more prone to address the public relations fallout that arises from the small number of intrusions that become publicly known.

Should the government create the incentives for companies to make securing their networks, rather than engaging in public relations campaigns, their first priority?  There is much at stake for the (security and economic) well-being of the U.S.  Legislation to that end may include cybersecurity requirements for industries critical to national security, or may create a safe space for the private sector and government to collaborate on information sharing and best practices for cybersecurity.  Many companies are also hesitant to fully disclose their cybersecurity intrusions because they are unsure whether or not they will be held legally and financially liable for lost information.  Regardless, it is important to understand this problem as an issue of the incentives that current government legislation and the free market provide to private companies.  Through such a lens, stakeholders can better discuss the issues at hand.


[1] Bipartisan Policy Center, “Improving Cybersecurity Information Sharing,” Washington DC, July 18, 2012.

[4] For the purposes of this article, “private sector” excludes owners of critical infrastructure, whose situation is unique compared to other businesses.

[5] Private disclosure to the government is another possibility, but the legal ramifications of a private company admitting to a security breach are unclear, and there are currently no known legal benefits for private companies to voluntarily disclose such information to the government.

[6] http://www.iwu.edu/economics/PPE17/lewis.pdf – “The Coca-Cola Brand is far more valuable than the ingredients that go into a can of Coca-Cola” (p. 47)


South Korean Cybersecurity: Three Questions

By Brett Young, Research Assistant, American University, DC
Center for Technology and National Security Policy


The mid-April paralysis of the National Agricultural Cooperatives Federation (Nonghyup), South Korea’s fourth-largest retail bank, seemed to be another routine cyber incident in the same vein as recent, high-profile intrusions carried out against Sony (where attacks resulted in the breach of 100 million customers’ personal information) and Hyundai Capital (where hackers demanded a ransom for not releasing stolen information). Preliminary investigations, however, showed that this was not the work of ordinary hackers. In early May, the Seoul Central District Prosecutor’s Office announced that the culprit was North Korea.

A network breach of the financial systems that underpin a vibrant modern economy, particularly one conducted not by a group of profit-seeking hacker-criminals, but by a sovereign nation-state with hostile intentions, raises a number of questions.

How should this alleged incident impact diplomatic relations with North Korea? After a bloody 2010, this year has seen a North Korean “charm offensive” with an emphasis on improving relations between the two Koreas. The North may be seeking food aid to stave off famine conditions, or may want a more stable situation for the 100th anniversary of Kim Il-Sung’s birthday in 2012. At the negotiating table, President Lee Myung-bak’s default position has been to seek apologies for the deaths of 50 citizens at the hands of the North in 2010. Yet any discussion of the Cheonan corvette sinking or the shelling of Yeonpyeong Island is met with vigorous denials and can lead to immediate termination of any talks by the North.

Nonghyup’s security breach was considerably more than a nuisance; since April 12, the bank has spent over $400 million on measures to prevent the loss of customer confidence. When the South sits down at the table with the North, should Nonghyup be on the agenda? Or is silence (or covert retaliation) best?

The North has shown the ability to change its diplomatic posture overnight; its “charm offensive” posture may not last. When dealing with a regime that specializes in provocation, South Korea needs to define what manner of cyber incidents will be permitted to derail ongoing negotiations.

At the national level, how should South Korea pursue cybersecurity down the road? The security team at Nonghyup ignored financial sector regulations regarding strength of passwords, and internally permitted use of passwords that were deemed too weak to be used by their own customers.

Previous cyber intrusions in the ROK were enabled by the malware spread through popular peer-to-peer (P2P) file-sharing websites. In the past, South Korea has tried to combat cyber intrusions by increasing public awareness through mass and social media. But the economic motivation to use P2P websites—and get goods for free—will remain, despite government campaigns. South Korea can create more vigorous laws regarding network protection, but must do so in a fashion that will not create a counterproductive environment where reluctance to cooperate is the preferred corporate response to a network breach.

Internationally, the Nonghyup case will never end up before the United Nations. Last year’s sinking of the Cheonan resulted in a UN Presidential Statement condemning the attack. But in cyberspace, attribution—being able to directly attribute an intrusion to a source—remains the thorniest in a thicket of issues. North Korea’s involvement has been alleged, not proven—as with two other previous cyber incidents in the South. Some experts and media outlets disagreed, noting that the technical evidence cited by the National Police Agency can be manipulated by competent hackers. As a state with one of the highest broadband connectivity rates in the world, South Korea is better off continuing to bolster its defenses: it has both a Cyber Warfare Command and a Cyber Terror Response Center, and roughly doubled funding for the former in April.

Finally, there is the broader question of the gradual increase in cyber intrusions against states, and what states are to do about them. Recent years have seen increasingly brazen network intrusions that threaten state secrets and cost time and money. Intelligence agencies, military planners, and policymakers are grappling with the question of how exactly to respond to certain types of intrusions—and what, if any, level of cyber incident would require the answer of a real-world, kinetic response.

An event which broke as this went to press will certainly have the attention of Seoul. The Wall Street Journal reported that the U.S. Department of Defense is soon to release its cybersecurity strategy, possibly containing precedent-setting answers to the question posed above.

All three questions bear close scrutiny not only by South Korean policymakers, but by those interested in shaping policy for effective cybersecurity around the world.

Brett Young is a graduate student at American University’s School of International Service, where he focuses on security studies in East Asia. He is currently researching aspects of cybersecurity for NDU’s Center for Technology and National Security Policy. He previously interned at the Korea Economic Institute in Washington, DC.
