I remember buying my first home (the one I still live in today) back in 2003. I remember the mortgage broker cajoling me to take advantage of the no money down loans that were being handed out like candy, and watching a world where everyone I knew was jumping on the gravy train. I took on a primary and secondary loan. One at a crazy high interest rate, and the other was interest only. Everyone was doing it, and there seemed to be no risk involved. Homes were skyrocketing in value (mine rose a WHOPPING 60% in value before the crash of 2008), and everyone was making money.
It made no financial sense whatsoever to me, and it certainly did not make financial sense to Peter Schiff. He was the guy that people laughed at on FOX News interviews for claiming that the market was going to collapse. Nassim Nicholas Taleb also felt it was all going to end in a bad way, and said so in his book "The Black Swan". I would recommend everyone alive today read this book.
So, this morning I read an article on Infosecurity.com titled "Cybersecurity threat rhetoric not supported by evidence, researchers argue", which references a paper written by Jerry Brito and Tate Watkins of George Mason University. It is a well written paper. It is well cited and referenced, and I am sure Brito and Watkins are a couple of smart guys. The paper refers to another paper "Securing Cyberspace for the 44th Presidency: A Report of the CSIS Commission on Cybersecurity for the 44th Presidency", which was a product of a project directed by James A. Lewis, who is the senior fellow and director of the Technology and Public Policy Program at the Center for Strategic and International Studies (CSIS). Brito and Watkins are critical of some of the assertions in the CSIS paper, and I can certainly follow their logic. For example, here is a quote from the Brito and Watkins paper:
"Nevertheless, the Commission report and the cybersecurity bills it inspired prescribe regulation of the Internet. The report asserts plainly: “It is undeniable that an appropriate level of cybersecurity cannot be achieved without regulation, as market forces alone will never provide the level of security necessary to achieve national security objectives.” But without any verifiable evidence of a threat, how is one to know what exactly is the “appropriate level of cybersecurity” and whether market forces are providing it? How is one to judge whether the recommendations that make up the bulk of the Commission’s report are necessary or appropriate?"
I cannot argue against the point that without empirical evidence, one cannot determine what is an appropriate level of security, IF an appropriate level of security is predicated on empirical evidence bound by a narrowly defined context.
So what the heck am I trying to say here? Let's go back to the financial collapse of 2008. Despite the assertions made by Schiff and Taleb that the financial situation was headed for disaster (and they were not the only ones predicting this), the "geniuses" in the high towers and in the hallowed halls of our government sponsored institutions decided that there simply was not enough evidence to get them to change their ways. This was despite the fact that we had lived through a Great Depression, and despite the fact that financial analysts interviewed after the collapse claimed that they had indeed told those in charge that things were not going to end well (and in some cases were terminated for saying so). This was a new way of doing business, as some claimed, and the old rules did not apply. Everyone is making money, so shut up and don't rock the boat.
So the market did collapse after all. We now have LOTS of empirical evidence that our privately run financial system gave us the shaft, and yet some of the very instruments that led to the financial demise of millions of people worldwide remain unregulated.
So this leads me to the conclusion of the Brito and Watkins paper:
"Cybersecurity is an important policy issue, but the alarmist rhetoric coming out of Washington that focuses on worst-case scenarios is unhelpful and dangerous. Aspects of current cyber policy discourse parallel the run-up to the Iraq War and pose the same dangers. Pre-war threat inflation and conflation of threats led us into war on shaky evidence. By focusing on doomsday scenarios and conflating cyber threats, government officials threaten to legislate, regulate, or spend in the name of cybersecurity based largely on fear, misplaced rhetoric, conflated threats, and credulous reporting. The public should have access to classified evidence of cyber threats, and further examination of the risks posed by those threats, before sound policies can be proposed, let alone enacted.
Furthermore, we cannot ignore parallels between the military-industrial complex and the burgeoning cybersecurity industry. As President Eisenhower noted, we must have checks and balances on the close relationships between parties in government, defense, and industry. Relationships between these parties and their potential conflicts of interest must be considered when weighing cybersecurity policy recommendations and proposals.
Before enacting policy in response to cyber threats, policymakers should consider a few things. First, they should end the cyber rhetoric. The alarmist rhetoric currently dominating the policy discourse is unhelpful and potentially dangerous. Next, they should declassify evidence relating to cyber threats. Overclassification is a widely acknowledged problem, and declassification would allow the public to verify before trusting blindly. They must also disentangle the disparate cyber threats so that they can determine who is best suited to address which threats. In cases of cyber crime and cyber espionage, for instance, private network owners may be best suited and may have the best incentive to protect their own valuable data, information, and reputations. After disentangling threats, policymakers can then assess whether a market failure or systemic problem exists when it comes to addressing each threat. Finally, they can estimate the costs and benefits of regulation and its alternatives and determine the most effective and efficient way to address disparate cyber threats.
No one wants a “cyber Katrina” or a “digital Pearl Harbor.” But honestly assessing cyber threats and appropriate responses does not mean that we have to learn to stop worrying and love the cyber bomb."
While I have to agree that being alarmist tends to turn some people off, I cannot help but think of the tongue-in-cheek saying "Just because I'm paranoid doesn't mean they're not watching me." I wholeheartedly agree that our government is not good at spending our money in a reasonable manner, and I feel they do not spend our money wisely even when given correct and verifiable information. In fact, I currently have very little evidence to support that our government does anything based on a well thought out assessment of facts. While Mason and Brito point out a plausible and seemingly correct way to go about this, perhaps they should consider that Mr. Lewis does indeed live in a world where he faces policy makers regularly, and there seems to be no hurry to address the issues at hand. Furthermore, in January of 2011 (this year) CSIS published a followup to the previous paper titled "Cybersecurity Two Years Later" where some specific significant attacks are cited:
"2010 should have been the year of cybersecurity. It began with a major penetration of Google and other Fortune 500 companies, saw the Department of Defense describe how its classified networks had been compromised, watched the Stuxnet worm cut through industrial control systems, and ended with annoying denial of service attacks over Wikileaks. These public incidents were accompanied by many other exploits against government agencies, companies, and consumers. They show how the United States is reliant on, but cannot secure, the networks of digital devices that make up cyberspace. As a nation, we must do more to reduce risk, and we must do it soon."
The report also points to a document titled "Significant Cyber Incidents Since 2006", which (as of the date this blog was posted) lists 70 significant incidents (not only in the US).
So how do we solve this problem? Making claims that "the sky is falling" tends to lead to public ridicule (Schiff and Taleb know that well). Theoretical attacks tend to become marginalized or ignored due to a critical flaw in risk-based formulas that tends to zero out risk for attacks that have never occurred (which is what I am presenting on at the ICSJWG conference on May 3rd, 2011 in Dallas). Finally, empirical evidence only seems to lead to some policy changes as long as it is accompanied by an alarmist outcry (e.g. Congress made some minor changes to our financial system while the world was screaming about the collapse of our economy, but seemed to wind down when the crying stopped, and the risks still exist despite plenty of empirical evidence).
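To make the "zero out" flaw concrete, here is an added example (not from the original post, and not the author's conference material) using a simple annualized-loss-expectancy model, ALE = ARO × SLE, where the annualized rate of occurrence (ARO) is estimated from historical incident counts. The smoothed estimator (Laplace's rule of succession) and the dollar figures are assumptions of this example, chosen only to show how a never-observed attack drops to the bottom of a purely history-driven ranking.

```python
"""Frequency-based risk scoring zeroes out attacks that have never occurred.

Added example, not from the original post. Model: ALE = ARO * SLE, with ARO
estimated from history. The smoothed variant uses Laplace's rule of
succession, (k + 1) / (n + 2), as one illustrative alternative estimator.
"""
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    incidents_observed: int   # historical count over the observation window
    years_observed: int       # length of the observation window in years
    sle: float                # single-loss expectancy in dollars (constructed)


def naive_aro(s: Scenario) -> float:
    """ARO straight from history: exactly zero if the attack was never seen."""
    return s.incidents_observed / s.years_observed


def smoothed_aro(s: Scenario) -> float:
    """Rule-of-succession estimate: never assigns zero just because k == 0."""
    return (s.incidents_observed + 1) / (s.years_observed + 2)


def ale(s: Scenario, aro_fn) -> float:
    """Annualized loss expectancy under the chosen ARO estimator."""
    return aro_fn(s) * s.sle


def rank(scenarios, aro_fn):
    """Scenario names ordered by descending ALE under the given estimator."""
    return [s.name for s in sorted(scenarios, key=lambda s: ale(s, aro_fn), reverse=True)]


# Constructed sample scenarios; the numbers are illustrative, not data from the post.
SCENARIOS = [
    Scenario("phishing-driven credential theft", 12, 4, 50_000.0),
    Scenario("ICS safety-system compromise", 0, 4, 250_000_000.0),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.name}: naive ALE=${ale(s, naive_aro):,.0f}  "
              f"smoothed ALE=${ale(s, smoothed_aro):,.0f}")
    print("naive ranking:   ", rank(SCENARIOS, naive_aro))
    print("smoothed ranking:", rank(SCENARIOS, smoothed_aro))
```

Under the naive estimator the high-impact, never-observed scenario scores an ALE of zero and ranks last; with any estimator that refuses to assign zero likelihood it moves to the top, which is the difference the author is pointing at.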
The reality is this: We are not going to do much about cybersecurity until we all feel it in a major way, and then maybe we will get better at dealing with the issues, but maybe not.
One thing is certain, however: Mr. Lewis and the CSIS team will suddenly seem a lot smarter.
By the way, I got into a less risky loan a year after buying my house. The alarmist rhetoric hit home with me.