Either way though, the advantage definitely belongs to the criminals.
"Ultimately, with respect to cyber security economics, the dispiriting realization is that all of the current economic incentives favor cyber attackers:
- Cyber attacks are comparatively cheap and easy to execute.
- The profits that can be generated from cyber attacks are enormous.
- Because of the typically long distance physical proximity, there is very little risk of being caught or suffering retaliation.
- The cyber defensive perimeter is nearly limitless.
- Losses are difficult to assess.
- Defense is costly and often does not generate perceived adequate return on investment."
A SUSTAINABLE MODEL OF CYBER SECURITY
The very essence of the ISA report supersedes that of merely a cautionary device meant to highlight red flags and vulnerabilities.
The bulk of the seventy-four page report is dedicated to forward thinking strategies that align the multitude of singular efforts that currently characterize the infosec realm, while maintaining the free market independence and innovation that already provides protection from the majority of threats.
As noted in the report, numerous authorities agree that more than 80% of data loss incidents could have been prevented by following existing protocols and best practices.
The ISA maintains that the key to increased adherence to infosec best practices is the creation of an environment where security innovation will be rewarded by existing market forces.
This is readily evidenced by the success with which viruses and rogue malware are regularly neutralized by the private sector.
An argument could be made that the success of the likes of McAfee (MFE) and Symantec (SYMC) at protecting consumers' computers is not attributed to some cottage industry that arose out of regulatory compliance mandates.
The private sector works well in this virtual medium, where solutions can be applied to problems in a measure of minutes not months, and so the private sector should be employed to its fullest.
"While all of the frameworks described are already in some degree of implementation, they are, naturally, at varying stages, and each could benefit from further collective work. The issue areas are:
- Creating a new, practical model for information sharing
- Using incentives to develop a market for good security standards and practices
- Creating an enterprise education program to properly structure industry
- Addressing the technical and legal disconnect created by digital systems
- Managing the global IT supply chain
- Addressing the international nature of cyber security issues"
- The overall tone of the report was very optimistic, but it made no effort to whitewash the very serious issues facing every industry from healthcare to energy, education to aeronautics.
Security problems pervade every aspect of the economy and our national security.
"An effective method of stimulating security would be to create a competitive market for the development and adoption of sound security practices, standards, and technologies. By creating a competitive market, the power of the market can be harnessed to motivate improved cyber security and, since many of the organizations targeted are international, improvements on a worldwide basis are quite possible."
With a lagging economy, healthcare on the national docket, the need for new energy policies and other looming national security issues like war in two theaters and the emergence of new global threats, it remains to be seen whether cybersecurity can push itself further into the national spotlight on its own merits without a catastrophic security event to propel it.
This report is undoubtedly an important step in the right direction.
