RSAC 2018 Blog Day One: Time to Invest

By Phil Reitinger

Earlier this year the Center for Strategic and International Studies and McAfee estimated the global cost of cybercrime may be up to $600 billion, or 0.8% of global GDP.  Let that sink in for a moment – 0.8% of global GDP already, not counting the additional benefits we could gain if the Internet were really trustworthy.

The trend is obvious.  I’ve been working in cybersecurity for over 20 years.  Each year, every year, I could make one prediction: next year, things will be worse.  I make it now for 2019.  I am confident in telling you that at the RSA Conference in 2019, I will make the same prediction for 2020.  At this rate, one day the entire world economy will be consumed by cybercrime!  While I am being facetious, the risk from and cost of cybercrime are soaring.

So how do we move forward?  At least in the U.S., trust that the government will fix privacy and cybersecurity is low.  On “Meet the Press” on Sunday morning (April 15, 2017), Chuck Todd presented a recent NBC poll on Americans’ concerns about online privacy: “66% of Democrats and 68% of Republicans say they want more control over the information companies have about them.”  But “neither party trusts the federal government on [the privacy] issue either although Republicans are even more skeptical than the Democrats.” (Only 21% of Democrats and 14% of Republicans trust the federal government on privacy.)  With regard to the cybersecurity of personal information, according to the Pew Research Center last year, “28% of Americans are not confident at all that the federal government can keep their personal information safe and secure from unauthorized users[.]”

While there is no simple answer, there are magical solutions aplenty.  Whether it is the market, innovation, public-private partnerships, regulation, the NIST Framework, artificial intelligence, or the latest whiz-bang gizmo, you can choose your preferred silver bullet.  All of these are valuable, but none will work standing alone.  The more mature view is that we will need hard work in all these areas – yes, even regulation – if we are to make headway.  That will require something different.

I am heartened by increasing calls for a Cyber Moonshot, including from both Accenture and the U.S. National Security Telecommunications Advisory Committee.  It is abundantly clear that our current approach is not working.  There are different technologies and tactics to be tried, but by far the most important thing we must do is invest.  The actual Apollo program cost about 2.5% of U.S. GDP over a 10-year period.  In contrast, Gartner predicts that worldwide enterprise security spending will be $96 billion in 2018.  While there are other elements of cybersecurity investment, including government spending and business investment in security services, $96 billion is about 0.1% of global GDP, or a gap of about $2 trillion.  Note also that at the current rate of growth, the cost of global cybercrime will reach $2 trillion shortly: the firm Cybersecurity Ventures estimated cybercrime would cost $6 trillion by 2021.

Closing this gap, even a little, will take extensive investment from both the public and private sectors.  Governments and companies need to spend up to the level required by the cybersecurity risk they face to solve their own problems.  And investment must be focused not only on making government and big companies more secure, but also on making the entire Internet community more secure.  It is possible to buy very good security, but the majority of companies and people are below the cybersecurity poverty line and can’t afford effective cybersecurity.  While moving these companies and people to cloud services will help significantly, it won’t solve the problem.  That will take a different type of investment, one in entities that make solutions available to anyone – nonprofits and NGOs.

The author, Phil Reitinger, is the President and CEO of the Global Cyber Alliance. You can follow him on Twitter @CarpeDiemCyber.