The Economics Of Cybersecurity

There’s a lesson Tyler Moore learned quite early in his career.

“[Tyler] I’m Tyler Moore. I’m the Tandy Professor of Cybersecurity and Chair of the School of Cyber Studies at the University of Tulsa.”

As a young computer scientist, Tyler investigated vulnerabilities in SS7, a telephone signaling protocol. Being a rather old protocol without any authentication to speak of, it wasn’t a very difficult job.

“[Tyler] We wrote these attacks, wrote papers. We got audiences with important people at the big telcos and in the government. They all listened very politely and did absolutely nothing about it. In fact, the SS7 vulnerabilities continue to this day.”

Tyler and his colleagues tried, but didn’t get anywhere. Why? Simple economics.

“[Tyler] It was a misalignment of incentives. And so you look at the incentives of the telcos and the manufacturers of telecommunication equipment, they had high fixed cost investments in these protocols that were designed for a closed telephone system. And deregulation came in the 1990s, introduced lots of new players. And so a system that was designed without authentication might have worked in an entirely closed system, but as it opened up, it no longer made sense. But the cost of actually overhauling the protocol and adding in these security features was high, and the return on that was very, very low to none, right? […] And so it was just easier to sweep the concerns under the rug. And that’s what has happened.”

You can think of money as the thing which connects the virtual world of bits and bytes – with the physical world. You might think that your code or research is excellent and valuable – but it is only when that work meets the real world, via the exchange of Dollars and Euros, that its true value is revealed. This value is what determines the incentives of different parties that participate in the economic playing field – and these incentives, in turn, determine the actions that these players will take.

“In conventional warfare you have tanks and a whole lot of other people with you to back you up – planes over your head and all that kind of stuff. But a guerrilla is on his own. All you have is a rifle, some sneakers and a bowl of rice, and that’s all you need – and a lot of heart.”

This quote from Malcolm X reveals a basic economic reality well-known to almost every American general since World War II. In the past 80 years, the US has fielded what is probably the most powerful military in history – yet this mighty army has continuously struggled against much weaker opponents such as in Vietnam and Afghanistan. And not only America: the Russians faced the same problem against the Mujahideen in Afghanistan, as does the Israeli Defence Forces against Hamas and Hezbollah. With cheap, almost dispensable weapons, the Guerrilla Warfare tactics employed by these weaker adversaries go a long way towards nullifying their opponent’s superiority, making the expensive tanks, fighter planes and aircraft carriers much less effective, relative to their cost.

The same dynamic exists in cyberspace: a gross asymmetry between the cost of an attack – and the cost of defending against it. The numbers can’t be any clearer: a DDoS attack costs less than a hundred dollars, while the price tag for mitigating it might reach tens if not hundreds of thousands of dollars. A single well crafted phishing email can easily circumvent cyber defenses which cost millions of dollars to set up.

This asymmetry incentives the attackers to constantly comb the internet for more and more targets, because when launching an attack is so cheap – they can afford to invest the time and effort required to find the vulnerabilities they can exploit, or try again and again and again against different potential victims, until they succeed.

“[Tyler] They find a particular type of victim that’s successful and then they will go to the next one and the next one. That’s why initially, six years ago, an early spate of ransomware was often targeting hospitals. So they found one hospital where they get that to work, then they move to the next and the next. Three or four years ago, it was the municipal governments. And they stumbled on a formula there where you had public sector organizations often have worse cybersecurity practices. So they were an easier target. They also happened to, were more likely to have insurance that would pay a ransom. And so they would find one unsuspecting town, target it, go to the next one and the next one, the next one. And so I think this sort of pattern of moving across different targets is a nice illustration of this asymmetry in action.”

It’s almost blindly obvious that while this extreme asymmetry between attackers and defenders persists – cybercrime will continue to be a huge problem. As one commentator put it –

“It is hard to understand how anyone can imagine the continuing engagement in these battles under these conditions, let alone prevailing in the overall war when the economies are so dramatically tilted in favor of the aggressor.”

One obvious solution for the problem of attacker-defender asymmetry is for organizations to harden their defenses – in other words, invest more funds in tightening their security posture. Sure, this will increase defense spending in the short term, thus exaggerating the cost imbalance even more – but in the long run, better defense will surely make the assailants’ lives so much harder, that cyber crime will no longer be a viable venture. Right?

Except that’s exactly what we’ve all been doing for the past 40 years or so. According to a Microsoft report, cybersecurity spending has increased by 58% between 2015 and 2020 – yet in the same period, breaches have increased by 67%. In 2017, 12% of the responders to Microsoft’s survey said they are not at all confident in their organization’s ability to prevent or mitigate a cyber-attack – and two years later, in 2019, that number not only did not decline – it actually rose to 19%.

Why is that? Why aren’t security solutions getting better fast enough to curb cybercrime? One reason is that as new technologies emerge over time, new vulnerabilities and attack vectors expose organizations to a greater risk from cyber attacks. The shift to working from home, for example, has created a larger attack surface that is harder to defend.

But there’s another possible reason why spending more on security products isn’t getting us closer to nufflying the attacker-defender asymmetry: a reason that’s hardly discussed by cybersecurity experts, who naturally tend to be more technology oriented in their way of thinking – but one that economists have been talking about for years.

“[Tyler] So, George Akerlof actually won a Nobel Prize for describing this lemons market, Nobel Prize in economics. So, what is it? It’s actually pretty easy to understand. If you’ve ever tried to buy a used car, you’ll find that that market behaves strangely. And one of the ways in which it operates oddly is that it can be often very hard to find a high quality used car. You go to a used car lot and, you know, most of the cars on the lot are actually of quite low quality. And so, the question is why does that happen? […]

So, let’s say you’ve got a town in Tulsa and we have some used car lots, you know, down the street from the campus. And you go to one of those lots, there’s, you say, 10 cars, five of which are high quality, five of which are low quality, the same make, mileage, and model. And so, on paper, they should all be worth the same. But five of them are cherries, they’re great quality, their owners maintain them well, you know, they washed them every weekend, they did all the proper maintenance. The other five are lemons, they, you know, were not well taken care of, and they’re gonna, you know, leak oil as soon as you drive them off a lot, they’re not nice.

And so, the question is, in this market, what’s the price that people are willing to pay for this car? And, you know, if the true value of the lemon, the low quality car, say $5,000, and the true quality of the cherry is $15,000, what’s the price people actually pay? And naively, you might think it’s, oh, it’s the average, it’s $10,000, and people are just gonna kind of take their chances, flip a coin. But that’s not right. The equilibrium outcome is actually to pay $5,000, which is the price for the low quality car.

And the reason for that is that there’s this information asymmetry that exists between the buyer and the seller. The buyers can’t tell if car is high quality or low quality. So, they’re not gonna pay any premium for what could be a high quality car when it could very well be low quality. And so, they don’t wanna pay more than $5,000. And the sellers know this. And so, the only people who are willing to actually sell their car are the people who own the lemons. Because if you have a car that’s not great and the lemon, you’ll take $5,000 for it. But if you’ve got the nice car that’s worth $15,000, you’re just gonna keep driving it.

And so, the only people who are willing to actually sell their car are the people who own the lemons. Because if you have a car that’s not great and a lemon, you’ll take $5,000 for it. But if you’ve got the nice car that’s worth $15,000, you’re just gonna keep driving it. And so, what you end up with is this market that’s flooded with just the lemons. The only thing you can buy is the lemon.”

And it turns out that the same information asymmetry between buyers and sellers exists in cybersecurity as well.

Say that you’re a CISO, who needs to decide on which security solution to buy for your company. How would you go about making that decision? You’d probably ask your colleagues for recommendations or browse potential vendors’ websites – but there are tens, if not hundreds of options to choose from. How can you tell if a specific product meets your organization’s needs? Sure, it might have a nice looking dashboard or an impressive list of features – but these say nothing about the actual efficacy of the product: how well it is able to detect malware or stop hackers from infiltrating the company’s network. When it comes to choosing a security solution, one has almost zero knowledge about what’s really going on inside a product. To get a real sense of how effective a certain product is in the context of your specific organization, your specific business environment and so on, you’d need to run extensive tests… but, really, who has the time for that?

This information asymmetry, says the economic theory, skews security vendors’ incentives: they have every reason to make their product’s user interface pretty and sleek, and cram as many features, bells and whistles as they possibly can into it – but almost no incentive to invest in making their product better in actually stopping cyber attacks because – as George Akerlof noted – it’s not something that their prospective clients can actually see, and so no one is going to pay them extra for that effort.

“[Tyler] And so, what we end up with is this lemons market where only the things only the characteristics that can be observed are developed and things like security, which cannot be, are not emphasized. And so, that’s, I think, one powerful explanation for why despite all this increased attention on cybersecurity and all this new spending, we are still left with largely insecure software and largely ineffective security products, because we just can’t observe their quality reliably. And so, the market can’t function properly by rewarding the actual best performers.”

There are potential solutions to the Lemons market failure – a topic worthy of its own episode in the future – but the bottom line is that with things being as they are today, spending more money on security products does nothing to alleviate the basic cost asymmetry between attacker and defenders in cybersecurity. If so, what else can we do?

Well, one option is to turn the equation on its head and strike back at the attackers: that is, launch a counter or even a preemptive attack. This will force the bad guys to invest more on their defensive capabilities, lessening the asymmetry. But as we showed in episode 19 of our podcast, titled ‘HackBack’ – such counter attacks are almost impossible from a legal point of view.

Another interesting solution – a technological one, this time – is what’s known as Moving Target Defense (MTD). The basic idea is to increase the complexity and subsequent cost of an attack by constantly changing the target system. You can think of it as the cyber equivalent of the old ‘Three Shells and a Pea’ game, where the player needs to guess which of the three shuffled containers holds the ball: if we constantly change the architecture of a system and its network configuration – such as IP addresses, for example – attackers will have a very hard time acquiring and maintaining the required system privileges.

In all honesty, as a technological geek I find this concept thrilling in a Science Fiction-y kind of way – but as an engineer, just thinking about designing, debugging and maintaining such an unstable system makes me want to throttle the wise-ass who came up with this idea.

Insurance is yet another potential solution: having cyber insurance can help companies deal with the costs due to an attack, thus alleviating at least part of the asymmetry. Prof. Moore agrees that cyber insurance can go a long way towards minimizing the damage caused by cyberattacks. However –

“[Tyler] Ultimately, a challenge for the insurance industry is that they are kind of at the mercy of their insurers sharing information with them, right? And so it’s only certain categories of cyber risks that are insurable and that lead to claims and that a business thinks is in its interest to file such a claim. So we have pretty robust cyber insurance markets as it relates to data breach and as it relates to ransomware and a couple of other limited areas like in payment fraud.

So what’s the common aspect there? One is that the knowledge about the breach happening is already coming forward, right? So we have data breach notification laws starting back in 2002 in California and now spreading all over the world. Those laws are, in fact, policies to mitigate information asymmetries. If we go back to a world before there was mandatory data breach, data breaches were happening, but no one was talking about it and no one was doing anything about it. Suddenly, the law says you have to disclose when you have a breach. Very light touch. There’s not even necessarily a penalty for the breach associated with, you just have to tell people it happened. That one intervention created a huge shift in boardrooms. […] This notification obligation actually made cyber insurance viable because now the companies had, the dirty laundry was going to get aired anyway, and so they may as well file a claim for it and involve the insurers to help fix the problem.”

In other words, insurance is mostly useful when businesses are forced, for one reason or another, to disclose the fact that they were hit by a cyber attack – but less useful otherwise.

Which actually brings us to another possible solution, which is increased transparency – because one of the underlying reasons for the attacker-defender asymmetry is the lack of knowledge sharing amongst the defenders.

“[Tyler] So if you are a company who’s been attacked by ransomware or other kinds of threats, you typically don’t like to talk about that, right? And so you’re not just going to go out and tell the public or your competitors what an attacker has been able to get away with within your system. And so this creates its own information asymmetry where one defender doesn’t know what the other is facing. And we have incomplete knowledge of what the different kinds of attacks are, their impact, what defenses worked or didn’t work, right? And so it becomes very hard to learn from our mistakes if we don’t talk about them. And that is fundamentally the most important information asymmetry that exists between attackers and defenders. The attackers exploit this fact quite regularly. They will use the same playbook often repeatedly, and they can get away with using the same sort of techniques and tactics from one defender to the next because there isn’t a lot of awareness to what was being done and how it worked.”

Yet with business incentives being what they are in a competitive market environment, it’s hard to imagine a future where organizations are willing to adopt a policy of full transparency with regards to cybersecurity.

It seems, then, that we are left with no real options to oppose the harmful outcomes of the attacker-defender asymmetry: increased spending doesn’t work, we can’t launch counter attacks against our assailants, a Moving Target Defense strategy isn’t very practical with our current technology, and insurance will at best alleviate only part of the problem.

However, there is a silver lining.

Much like how the Lemons market failure has its roots in a phenomena that has nothing to do with cybersecurity – we can find interesting parallels for the attacker-defender asymmetry in other areas. Take, for example, viruses. No, not our viruses – I’m talking about biological viruses, and also bacteria, fungi and other microbes. Much like hackers, these tiny creatures constantly try to exploit vulnerabilities – such as an open wound, for instance, in order to infiltrate our bodies and make us sick. And much like most modern organizations, our bodies have their own defense systems – and amazingly effective ones at that – but as history clearly shows, our individual immune systems can only protect us up to a point: before science and modern medicine, frequent plagues used to devastate human societies, emptying cities and decimating whole armies.

Yet in the past 150 years or so, we managed to curb many of the plagues that used to cause so much stuffing. How come? We certainly didn’t improve our immune systems: it’s only in recent years that scientists are able to start thinking seriously about such ideas. What we did manipulate, however, is our environment: by executing relatively simple actions such as making sure that our water sources are clean and disposing sewage outside of cities instead of dumping it out the window, we made it much harder for dangerous pathogens to take advantage of our inherent weaknesses.

Prof. Moore thinks we can do the same in cyberspace – by yet again changing the environment.

“[Tyler] Sure, an attacker can succeed. But, we can make lives difficult for cyber criminals, right? And for the people who are carrying out the attacks, right? So, that’s one advantage, they’re breaking the law. So, to the extent that you have a law enforcement response that’s robust, you can actually have a strong deterring effect, right? […] Fundamentally, what you need is you need a society that has laws and norms that protect against, you know, protect defenders against attackers. And I think, ultimately, that is the only viable long-term solution.”

In other words, the attacker-defender asymmetry is such a big problem mostly because right now, cyberspace is like the Wild West: a place where laws, if they even exist, can’t really be enforced. If we could enforce the law effectively in cyberspace, that would potentially create the same sort of deterrence that helps curb crime in the real world.

It took Humans thousands of years before we were smart enough to modify our environment so that plagues are not the terrible threats they once were. How long will it take until we’re smart enough to make cyberspace a lawful environment that will, hopefully, break the unhealthy asymmetry that makes our digital lives so miserable?…

Latest episodes

The Economics Of Cybersecurity

Hosted By

Ran Levi

Co-Founder @ PI Media

Special Guest

Prof. Tyler Moore

Tandy Professor of Cyber Security and Information Assurance at the University of Tulsa