The threats emanating from cyberspace are becoming consistent features in the news. Earlier this year, Google revealed that it and dozens of other companies had come under cyber attack. Cyber criminals have stolen millions of dollars, and the intellectual property of America’s leading corporations is at risk. Scott Borg, director and CEO of the nonprofit U.S. Cyber Consequences Unit, is a leading expert on the economic impact of cyber attacks. The New New Internet recently had the opportunity to ask Borg about the economic impact of cyber attacks, increasing cooperation and his advice for IT professionals.
TNNI: Tell us a bit about your background.
Borg: Security was not something with which I was intending to get involved. I was doing work as a business consultant on how much value could be created using information systems. Shortly after the 9/11 attacks, someone asked me how much value could be destroyed using information systems. When I started looking at the problem, I got results that were very frightening. They were frightening for two reasons. One reason was that, according to my calculations, information systems could be used to destroy enormous amounts of value. The other reason was that the way this could be done wasn’t what people at that time were worried about. People at that time were focused almost exclusively on cyber attacks that would shut down information systems. I said that really serious cyber attacks would hijack information systems to do much worse damage. When I tried to warn people in the government about this and provided a detailed economic analysis to back up my claims, I found myself suddenly being regarded as a cybersecurity expert. I decided then that I had better actually become a cybersecurity expert, so that people wouldn’t be disappointed.
TNNI: You serve as the director and CEO of the US Cyber Consequences Unit. What is the goal of the US-CCU and what do your duties entail?
Borg: Our job at the US-CCU is essentially to figure out how to destroy America and its allies using computers and then to figure out what’s the cheapest thing we could do to make it harder. To do this well, we need to investigate what kinds of cyber attacks are possible, what their economic and strategic consequences would be, what knock-on effects could be expected, how likely the attacks would be to succeed, what counter-measures are available, what policies and market conditions might promote those counter-measures, and what the costs and benefits would be at every level. Investigating these things conscientiously requires an enormous amount of interdisciplinary research and lots of on-site visits to critical infrastructure facilities. Fortunately, I have the help of brilliant, nationally known experts, such as John Bumgarner, Warren Axelrod, Joel Gordes, and several others who are similarly talented. They do their own investigations and are passionate about getting to the bottom of things. I have already done most of the relevant theoretical work and developed the necessary analytic models. So when we are adequately funded (which is not always the case!), the main things I need to do are to arrange periodic brain-storming sessions, to turn our associates loose for a while, and then to help synthesize their results. The US-CCU team are extraordinarily creative and a joy to work with. It would be hard to stop them from doing innovative and insightful work!
TNNI: One of the purposes of the US-CCU is to examine the economic consequences of a cyber attack. What are some of the more damaging attacks in terms of their economic impact?
Borg: The worst cyber attacks would be ones that would physically destroy critical infrastructures: wrecking large numbers of big electric generators, blowing up oil refineries and pipelines, crashing trains in tunnels and on bridges, causing leakages of toxic substances from chemical plants, and so on. In addition to killing some people immediately, these sorts of attacks could deprive large populations of essential goods and services for extended periods of time. Some of them would cause most of the economic activity in the affected region to shut down. The total economic destruction caused by an intense campaign of such attacks could be greater than the damage done to Germany and Japan by strategic bombing during World War II. Fortunately, these kinds of attacks are very difficult to carry out and are currently only within the capabilities of high-tech nation states. These nation states have no desire to do such things. My biggest worry is that less responsible groups will acquire such capabilities in the future.
TNNI: There have been a number of recent media reports about the attacks on Google and the oil industry. How prevalent is the threat to private industry and what are the economic consequences for industry and the U.S. economy?
Borg: The biggest cyber crime being carried out today is the theft of business information. The total losses from this activity are much greater than the total amounts being stolen by false credit card charges, even though that amount is itself huge. People often say that we operate in an information economy. Actually, it would be more accurate to say we operate in an information differential economy. The amount of value a business can create is often proportionate to the amount of information that it can put into play that its competitors can’t. The theft of business information can eliminate most of this information differential. This means that information thefts could cause entire businesses and even entire national industries to lose the ability to survive in the global economy.
TNNI: In your experience, how cognizant are corporate leaders of the impact appropriating intellectual property has on their organization, particularly when the data isn’t actually disappearing?
Borg: This is still a new issue for most executives, and they are only now beginning to appreciate its importance. Addressing the issue, however, is complicated. If the specifics of the massive thefts of business information were to become publicly known, the executives who let it happen could be sued by their shareholders. What’s more, the companies who were victimized would need to sue the companies who benefited, and those companies would countersue, claiming libel, and anyone else who got involved would probably be sued as well. It’s such a nightmare scenario from a legal standpoint that some executives would prefer not to know. They cross their fingers and hope that warnings like this one in this interview are exaggerated—or, if not exaggerated, that the full effects won’t be felt until after they’ve retired. Many other executives who are more courageous and conscientious are tackling the problem right now. But it will take them a while to get a handle on it.
TNNI: Cybersecurity professionals are often forced, like most managers, to justify their budgets to keep them from being trimmed, yet cybersecurity is proven by what does not happen as opposed to more positive based indicators. What advice would you give to cybersecurity managers when seeking to justify or increase their budgets?
Borg: The most important thing a security professional can do is learn how their company creates value. This especially means understanding how any given information system contributes to the company’s bottom line. It means knowing what will substitute if that information system can’t function properly. It means knowing roughly how much value is created by the things the information system supports, such as customer relationships. It means knowing how much value would be lost by damage to these systems. These are things a cyber security professional actually needs to know, because they are necessary for determining the priorities and strategies for responding to cyber attacks. But few cyber security professionals have sufficient knowledge of these matters. Without making a greater effort to understand these things, security professionals won’t know what value their own efforts are contributing.
TNNI: How should the U.S. look to increase cooperation between the private and public sectors, and what should that cooperation look like?
Borg: It’s all about costs and benefits. The key to fostering public-private cooperation is to look at the costs and benefits to each participant that result from participating in a given cooperative activity. Cooperative efforts fostered by the government generally founder, because no one in the government has thought through the opportunity costs properly. If the government wants an executive with any power to show up for a meeting, then the government officials need to think about what other management activity that executive will need to skip in order to be there. If the government wants information from a corporation, then the government officials need to think about the costs and liabilities a company incurs in supplying that information. If there are adequate benefits to private sector corporations—even indirect benefits—they will usually cooperate; if there aren’t, they won’t. I am very optimistic about the prospect for future public-private cooperation, but it needs to be thought through better.
By the way, I will have a long-promised book coming out soon that will address all of the issues raised in your questions. It’s called Cyber Attacks: A Handbook for Understanding the Economic and Strategic Risks.