Cybersecurity was a prime topic at this year’s Munich Security Conference. If, for instance, the cloud service provider AWS with its 42% market share was successfully attacked, it would take down large parts of the Internet, with impacts worse than kinetic warfare by some measures.
Overall economic losses from cyberattacks are estimated at 600bn $, or 1% of global GDP, with sharp growth rates as all parts of the economy are moving online. Still, these figures reflect just the tip of the iceberg. Many potentials for digital value creation cannot be realized due to lack of trust. Germans, for instance, feel queasy about online banking: Only half of Germans trust the security of digital transactions, stifling uptake of new fintech business models.
Cybersecurity, unlike conventional warfare, is all about mitigating vulnerabilities. Every line of code in a software program, and every new device connected to the Internet, could potentially harbor an entry point for attackers. The complexity of today’s IT systems requires significant additional efforts to be secured, while only few companies show the willingness for additional investments.
The market fails to secure the Internet
Consumer choices, unfortunately, hardly ever reward responsible companies for their efforts of developing secure products. This is exacerbated with the advent of the Internet of Things (IoT). Take for example a customer of a new smart TV. He or she will typically be concerned about screen size, new interactive functions, and price bargains, with little room to consider IT security. Consequently, there have been various successful attacks to smart TVs, turning them into remote controlled domestic surveillance devices. Besides being able to peek into other people’s kitchens, living rooms and bedrooms, those hacked TVs have become part of a global network of so-called „bot nets“, remote controlled armies of Internet-connected devices, that can be used to run a distributed attack flooding their target with huge amounts of data packets, so-called “DDOS” attacks, temporarily taking their victims offline.
This example illustrates why cybersecurity is a global challenge. The owner of a smart TV may not even notice that their device is being used for attacks that cause harm elsewhere on the globe. The congestion of DDOS-attacks can be so severe to sometimes cut off entire countries like Liberia from the Internet.
Where markets fail to keep the Internet reasonably secure, governmental intervention seems justified. The challenge here is to incentivize investment in secure IT, while avoiding regulations that stifle innovation. Consumer information, such as a label certifying IT security attached to an IoT-Device, can be one element; German cyber authority Bundesamt für Sicherheit in der Informationstechnik (BSI) introduced an auditing standard to certify a basic cybersecurity standard of Internet routers. Yet other approaches aim to shift legal responsibility away from the consumer and towards producers. Such shifts in product liability need a good sense of proportion, as too much product liability would eventually lead IT companies to hire many lawyers and fewer software developers, and correspondingly slowing down the pace of innovation.
Instead, I would like to suggest a market-oriented and innovation-friendly approaches towards addressing the market failure of cybersecurity. Some companies are role models for creating a secure and trustable digital world. They adopt methods of security by design in their products, and even hire external hackers to test for and report security flaws. San Francisco-based company HackerOne is leading the market in “bug bounties”. These are external security audits in the form of open competitions. If you find a serious bug inside Apple’s iOS Operating System, for example, you can expect a reward, or bounty, of up to 200,000 US Dollar for reporting the security flaw.
The black market however pays better. The controversial marketplace Zerodium offers up to 1.5 million US Dollar for the same bug. This leaves IT security experts in a moral and financial conundrum. While white hat hacker groups like the Chaos Computer Club (CCC) work hard to keep moral standards high, some security experts are tempted by the lure of money, and sell vulnerabilities on the profitable black market instead. As vulnerabilities on the black market tend to end up in the hands of criminal organizations and governmental spies instead of getting fixed, this market force further deteriorates trust and security on the Internet.
The way forward
The only way to keep the Internet secure and trustable in the long run is to pull enough IT security experts to use their expertise for securing the Internet rather than undermining security. This is determined mainly by four forces: Education, moral grounds, private sector spending and governmental spending on IT security.
Unfortunately, the latter one, governmental spending, does not automatically lead to a more secure Internet, as many of the discovered vulnerabilities are left open, in order to be used as espionage tools or even weapons. Can we imagine governments committing equal amounts of funding towards securing vulnerabilities as they are spending towards vulnerabilities left open? Free and Open Software Auditing (FOSSA), a EU-funded initiative, is a good example how governments can allocate funds towards more trust and security on the Internet.
Regarding the private sector, can we imagine that bug bounties, such as those carried out by organizations like HackerOne, covered not just a few IT products, but in fact all commercial software, by legal obligation? The bounty would be paid from a fund that the manufacturer would be obliged to pay in accordance with the seriousness of the vulnerability, and in proportion to the revenues generated by the product. Compared to far-reaching legal liabilities, such a bounty may be a cost-efficient and path towards more private sector investment in a secure Internet. As a borderless solution on a global network, we can imagine this fund being managed on a Blockchain solution like Hackenproof, and paying out anonymously to whoever submits a vulnerability.
At the same time, we must not underestimate the pulling forces of good moral standards within white hat hacker communities working towards securing the Internet. Governments should welcome these efforts, and protect benevolent hacking from legal persecution, and adopt responsible disclosure policies that encourage reporting of vulnerabilities.
Lastly, education is a key enabler. This includes computer science, electrical engineering, as well as programming courses, complemented with more specific IT security online training, and most importantly, curiosity and hands-on experience with a computer connected to the Internet.
