The recent cyberattack on the Ukrainian power grid coupled with a ransomware attack targeted at the Israeli Electric Authority have cast increased attention on the security of North America’s power infrastructure. The electrical grid is essentially a life support system for our society, and the consequences of its failure in a worst-case scenario could be catastrophic – major loss of life and over $1 trillion in economic damage, according to the Department of Homeland Security. It’s imperative that the grid be secured against attack, though there are some significant challenges to accomplishing this:
- First, diverse private ownership makes coordination of cybersecurity for the entire system – any component of which could make the entire system vulnerable – a challenge.
- Second, the introduction of new IoT technologies such as smart metering and distributed sensing and control expands potential attack vectors and makes the implementation of countermeasures both more complex and more expensive.
- Third, the increasing sophistication of attacks and attackers can make them extremely difficult to defend against. Stuxnet, an extraordinarily sophisticated computer worm with a three-phase, multi-vector attack cycle, is one example of what we can expect moving forward.
- And finally, the asymmetry of economic incentives such as potential damages among stakeholders makes optimization of security spending more difficult – I’ll explore this in further detail below.
Asymmetries of Stakeholder Economics
In the case of the electrical grid, is it reasonable to expect private owners to make the major investment required to manage risk? On the one hand, it does make economic sense for a private owner to invest in security up to the point of their own risk-weighted losses – mainly the expected loss of electricity revenue. On the other, the cost to society and the economy of a major electrical outage are two to three orders of magnitude more expensive, and therefore justify much greater security spending to manage the risk of sophisticated attacks.
In other words, it is quite possible that private investment will be insufficient. With this in mind, it’s no surprise that the government wants to institute some form of security oversight on critical infrastructure. To ignore these asymmetries of cost puts too much faith that free market economics will optimize outcomes.
The issue of cost asymmetry is itself part of a larger field known as security economics. A newer economic discipline, security economics is focused on an understanding of security incentives and cost misalignments (more commonly known as cost externalities)– making its study worthwhile for stakeholders concerned with optimizing security outcomes. Today, I’d like to explore a few other elements of this field.
The Absence of Software Liability
In the software industry, the use of ‘non-adhesion contracts’ with software licensing is unfortunately widespread. These contracts completely absolve vendors from all liability, including security vulnerabilities that are at the heart of the cybersecurity problem. This is truly a poor security incentive – any economist will tell you that you cannot expect good security outcomes if a key stakeholder has no financial skin in the game.
The recent case where home routers have been impacted by decade-old vulnerabilities is something we don’t want happening with our connected devices – especially essential infrastructure. If we want better security outcomes, such behavior must have some sort of liability attached.
That said, it’s unreasonable to demand that vendors shoulder the full cost of every security failure. With existing technology, no software product can ever be 100% secure – it’s the nature of software. That’s no excuse, of course: there are many best practices for secure code development that significantly reduce vulnerabilities. At the same time, it’s also true that security can slow down software development, and that vendors run the risk of impairing the speed of innovation with expensive security.
We must therefore seek an economic middle ground between non-adhesion contracts and full liability that will optimize outcomes for the entire system, not just the share price of software companies.
The automotive industry’s approach to IoT provides one example of how we might do so. As self-driving car technology finds its way into the mainstream (bringing with it a host of questions pertaining to liability), automotive manufacturers – who traditionally have been held to a higher standard of liability than software developers – are working side-by-side with regulators and security companies like BlackBerry to ensure that in-vehicle systems are sufficiently secure. The regulations and industry practices that result from this partnership could prove useful in establishing liability guidelines for other IoT-connected devices.
The Security Impact of Time-To-Market Incentives
In burgeoning markets where there are large economic networking effects – where the growth of goods or services increases their value – there are significant advantages to being a first-mover. The first organizations to gain a foothold in such markets, for example, often experience exponential customer growth, leaving them in a dominant position from a competitive perspective. Time-to-market is therefore critical to business success.
Due to a lack of liability as well as the opaque nature of security during the buying process – it’s difficult to effectively assess the security of a vendor’s product – this has historically meant shipping products with required features first and seeing to security later. In a sense, this meant that organizations which delayed time-to-market for security’s sake were competitively penalized for doing so. In the IoT market, this dynamic need not exist.
Many security concerns arise from operating system defects and design issues. Traditionally, these operating systems were consumer-facing, but with many new IoT devices, they are mostly invisible to the user. It is therefore advantageous for IoT vendors to leverage third-party embedded system platforms as a starting point for product development: this not only makes their products more secure and scalable, but also ensures a faster time-to-market.
The Internet of Things has paved the way for secure, manageable, and developer-friendly embedded operating systems like QNX. I’d even argue that it’s outright counterproductive to try to manage IoT security on your own, as you’re likely to fall prey to a cognitive bias known as the IKEA Effect (you can find a list of other biases here, it’s a great read for the security-minded). You might place a disproportionately high value on an incomplete, poor-quality security solution simply because you had a hand in its creation.
At least some of the battles that will be fought for the future of IoT security won’t be about technology at all. Rather, they’ll be about the economics of security incentives in the heart of the market. It’s therefore imperative that stakeholders – whether they be regulators, owners/operators, vendors, or consumers – understand the intrinsic role that security economics plays in determining outcomes.
There are many more security incentives than those we discussed above. Keep an eye out for them, and plan accordingly. By doing so, you’ll equip yourself with both a better understanding of other stakeholders’ actions and a better capacity to ensure positive security outcomes.
For more about today’s IT security challenges and solutions, join us for our free Executive Panel: Security, Productivity, and the Cloud webcast April 27 at 11 a.m. EDT. You’ll gain key insight from David Kleidermacher, Chief Security Officer at BlackBerry, and John Hewie, National Security Officer at Microsoft Canada, on how to balance security with productivity, take more control over your data security and more. Reserve your place by registering today.