By Dr. Robert B. Cohen
A major focus of the upcoming Open Networking User Group meeting in November will be security. An important panel is focused on “Open Cloud Infrastructure Security Vulnerabilities and Mitigation.” In addition, a new working group has emerged to tackle the various issues with security and Software Defined Data Centers (SDDCs). The Working Group, titled Software-Defined Data Center Security Fabric, has been meeting regularly leading up to the ONUG Fall Conference. This blog provides background about this issue by identifying what cybercrime costs business.
According to one estimate, cybercrime’s annual cost is between $375 billion and $575 billion. This estimate may underreport the actual size because many intrusions in the financial or utilities industries are not reported in detail.
The most direct way to estimate the cost of security breaches is to use estimates that include the entire population of firms and to include as wide a range of incidents as possible. A comprehensive estimate would include incidents based upon the categories listed above, but focusing on nation-state attackers as well as organized crime. We know that the most common nation-state incidents involve the oil and gas, aerospace and defense industries, technology and telecommunications. Financial services have also been a major target, leading the U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations to provide the top 50 U.S. banks with a number of areas that it would like to see addressed. The Commissioner’s Office has told financial institutions that it will check progress in cybersecurity during upcoming inspections of these banks. Other countries, including Singapore, have set minimal requirements for cybersecurity in the financial sector and set large fines for non-compliance.
At the present time, several consulting studies have estimated the size of cybersecurity risks. In one of the largest studies, nearly 10,000 international executives were queried. Different studies have focused on medium-sized firms because they assert medium-sized intrusions are of greatest interest. This type of analysis has eliminated all intrusions involving 100,000 or more record breaches from its analysis. Nevertheless, this study estimated that the average cost in a breach was about $200 per record.
A more inclusive approach would focus on the main industries that are intrusion targets. In addition, it would be helpful to stratify the analysis of intrusions by firm size. While one large survey notes that incidents internationally increased by 66 percent compounded annually over the past few years, it is clear that larger firms have the biggest losses from intrusions and that the cost of security breaches has increased most among large firms, rising by 53 percent between 2014 and 2015, while medium-sized firms saw the cost of their incidents rise by only 25 percent and smaller firms saw the cost of incidents decline.
A better way to estimate the cost of intrusions would be to focus on the main industries that experience nation-state incidents and organized crime breaches, such as wealth management firms and retailers with extensive lists of customers in the financial services and retailing industries. If surveys were used to formulate a clearer picture of the likely cost of intrusions by sector and the amount required to bribe intruders not to disrupt crucial infrastructure and businesses, that would provide a more accurate picture of the cost of breaches than we have today.
What will cybersecurity cost in the future?
Using security spending by some of the largest financial institutions, we can make a rough estimate of the worldwide budget for cybersecurity. For large banks, about 8 percent of their total IT budget is for cybersecurity. Using this percentage, we can estimate that worldwide spending on cybersecurity is $165 billion to $300 billion annually. Of this total, U.S. spending would be between $66 billion and $120 billion; this assumes that the U.S. accounts for 40 percent of worldwide IT spending.
These estimates do not adjust for undercounting or under-reporting of IT expenditures. They also do not adjust for possible declines in spending when banks and other firms move to software-defined data centers and virtualize applications, both of which would make firms more secure as part of their transition to new, software-based IT architectures.
Given the recent surge in security incidents, estimated at 48 percent per year, it is more than likely that intruders will persist and even multiply their efforts to access valuable information such as intellectual property, blueprints, merger and acquisition information, and research and development efforts. If a roughly 50 percent growth rate in intrusions persisted over the next 5 years, the cost of intrusions would rise by 7.6 times. Using the estimates we employed earlier, this would mean raising worldwide spending on security to $1.3 trillion to $2.3 trillion.
To provide a more accurate assessment than previous studies, a number of additional factors would need to be taken into account. One factor would be changes in firms’ IT architectures that move security from the edge to the entire compute, storage, and networking infrastructure. If this happens, virtualizing firewalls and other security provisions, as well as attaching security to a VLAN and hypervisor, could result in a big increase in security.
Since a number of larger firms have already virtualized much of their infrastructure, it is likely that over the last 6-7 years they have avoided substantial costs from breaches just as virtualization has become widespread. This is an important trend among big financial firms, but it is increasingly the case for big retailers (Nordstrom, Gap, and Walmart) and possibly true of a growing number of pharmaceuticals.
A second factor would be whether providing every user or every application with its own network would add to protection from breaches. This has probably had an effect during 2010-2015, as firms put more applications in software-defined data centers. It is likely to be important after 2015 as more commercial products make it easier to provide apps and users with their own networks.
A related issue here is how effective new measures to prevent breaches are likely to be. Are there specific ways to evaluate the effectiveness of how firms plan to guard against security breaches? One approach would be to have experts appraise the effectiveness of the financial industry’s use of virtualization, SDDCs, and encryption. If finance effectively prevents 80-100 percent of breaches using these steps, one could use a similar approach, say interviewing Chief Information Security Officers (CISOs) and security experts to estimate how well major sectors are protecting themselves and what they might need to do during the next five years as the challenges to security multiply.
Some new approaches could include placing security and analytics applications on an SDN controller and/or analytics APIs on the path to the SDN controller. Such steps have helped improve security in recent years. In addition, if security initiatives leverage flow technologies, such as sFlow, or sampled flow, and an SDN controller with programming capabilities via extensible APIs, they could provide a single, centralized view of a network’s behavior. With such a view, firms would be able to react to any threats by pushing policy to the network in real time. The question is whether this approach will become important over the 2015-2020 time period and how it might be estimated. Over the next five years, would this approach complement efforts to simplify and remove layers of infrastructure? How effective would these initiatives be in terms of offering protection across different sectors?
Another key factor is the emergence of containers. Containers are likely to make a big difference during the 2015-2020 time period because security audits can be performed on everything inside a container. There are already open source security auditing tools available. In addition, Amazon is offering a managed registry for containers that will make them easier to launch on demand. Policies can also be established that will make containers a clear factor in improving security. Indeed, these controls should have a bigger impact once containers are in wider use. A well-designed survey of future expectations could help forecast what share of overall security protection initiatives might be based upon containers in the future relative to other efforts.
Another dimension that needs to be addressed is whether ActiveX controls can accelerate moving apps out onto mobile devices. This could also have an impact on security in the 2015-2020 period.
Overall, one issue that has not been framed well is the scale of improved cybersecurity capabilities that need to be put in place during the 2015-2020 period. A related question is whether new capabilities would enhance security for a number of key industries. If a well-structured survey assumed that the overall level of security in 2015 is 100 percent or somewhat short of 100 percent, it could formulate a better idea of what it will need to be by 2020 by querying what CISOs and security experts know about likely plans in a number of industries. For instance, if we assume that the overall level of security increases by two, three, or four times, this might effectively be several times what it is in 2015. It should be noted that the cost of preventing security breaches might only rise to two times or something less than the increase in security capabilities because the software needed to create improved security is likely to be part of new software and equipment deployed for computing and networking infrastructure. So security will not only be affected by changes in infrastructure, but also by the cost of new software and hardware for end-users.
Dr. Robert Cohen is an economist and fellow at the Economic Strategy Institute and the president of Cohen Communications Group. He has specialized in analyzing the economic impacts of new telecom and computing technologies. His recent work has focused on grid computing. In this area, he has analyzed the impact of grids on firms in North Carolina and in the United States. Dr. Cohen’s US study included sponsors such as IBM, AT&T, Intel, Juniper Networks, MCI, Corning, Applied Materials, Cadence and CommerceNet. He also was the co-director of a study of how Japan’s firms use grids, an effort that Japan’s AIST sponsored along with IBM, Cisco, NTT Data, and Intel. Dr. Cohen expects to do additional studies of grid adoption in Europe and China over the next year.