Cybersecurity as a public good

The highest level of professionalism, it can be said, is when you make the profession redundant.

Cybersecurity domain is witnessing increasing mind space this decade, not least due to some high profile cyber attacks like the Sony in 2011, Target in 2013, Code Spaces in 2014, Bangladesh Bank in 2016, evolving ransomware attacks in the last few years and the threats from nation-state actors. Recently I heard of a professional cameraman in Nashik — a small town 200 kms north-west of Mumbai — whose full body of work, including photographs and videos of events he was still processing, got impacted by a ransomware attack. As the above examples show, the attacks in the cyber space has impacted entities across the spectrum — from public institutions of significant national importance to large private organisations that had pockets to invest heavily in cybersecurity (and many of them did invest heavily in cybersecurity) to small start-ups that had to shutdown due to the cyber attack to individuals whose simple life was disrupted due to unseen, unheard rogues probably thousands of miles away.

No one today is secure in the cyber space.

Image courtesy https://www.personofinterestdiscussion.com/content/literary-references-episode-matsya-nyaya

Mahabharata is famous for the Kurukshetra battle where the Pandavas fought the Kauravas. However it is interesting to note that of the 18 parvas (books) that make the epic, the longest parva is the Shanti Parva that comes after the battle — in which the Pandavas emerged victorious — is over.

In Shanti Parva of Mahabharata, Bheeshma, lying on a bed of arrows, does an Ask-Me-Anything with the Pandavas. Pandavas ask questions on morality, virtues and statecraft, and Bheeshma counsels Yudhishthira and other Pandavas on governance and duties of a king.

In one instance (chapter 67), Bheeshma explains the advent of state and government as a progression from the state of matsyanyaya (law of the fish, indicating big fish eating the small fish) that prevailed in society. This state of anarchy was not conducive for growth with people feeling insecure of their wealth, family and life. Hence people got together and decided to formulate certain rules — dharma — for the society. Whilst this brought in a semblance of peace for some time, it could not be sustained. People then appealed to Brahma for a solution. Brahma anointed Manu as the king to ensure dharma thrives. In turn, the citizens decided to give up a part of their income and wealth to the king as taxes to provide him the resources to run the government. This rule of law enabled people to feel secure and provide them the confidence to pursue higher purposes.

Rule of law facilitates people to work hard, improve productivity and innovate, and hence resulting in society achieving higher states of progress.

The state of anarchy in cyber space is neither conducive for productivity improvement nor for innovation.

The two key characteristics of a public good are — it should be non-rivalrous and it should be non-excludable. Security in the physical world is by and large a public good. The military provides protection from external threats, and the law enforcement agencies provide protection from internal threats. Of course there are certain people or organisations who need enhanced level of security and who then buy enhanced protection as a private good.

However common citizen do not live in nuclear bunkers because of the fear of someone dropping a bomb. They trust the military to take care of this threat. Neither do they walk around with bodyguards since they trust the police to ensure appropriate level of internal security. Nor do they need to secure from all conceivable vulnerabilities — chain snatchers, pick-pockets, robbers, underworld criminals or spies. Of course, people need to follow basic security hygeine, for example — lock house doors. But this limited investment in security provides the strength, the resources and the peace of mind to pursue higher purposes without living in fear of criminals.

It may however be noted that not all countries provide the same level of assurance of security to their citizens. Developed countries provide their citizens a higher level of security than the not-so-developed countries. It is invariably the case that the countries where the rule of law exists and the citizenry are provided high level of security as a public good are able to move along the path of development faster than the countries with weak security.

The need for private provisioning of security is hence an inverse indicator of the evolution of the society.

Door security in a developing country vs door security in a developed country

The diagram shows two doors — one typical of a country where security as a public good is of inferior quality, and another typical where security is a well provisioned public good. As the above example shows, where security is not a well provisioned public good, the individuals would need to deploy more security controls — and hence need to invest higher on security — to secure themselves.

Gartner in 2016 said organisations spend around 5.6% of their IT spend on cyber security. Government of India in 2017 recommended their departments to spend 10% of their IT spend on cyber security. In a conference some months ago, we had a CISO saying organisations may need not spend upwards of 30% on cyber security.

The necessity to privately provision cyber security has resulted in a significant gap between the demand for cyber security professionals and the supply of professionals with appropriate skills. Multiple studies have identified cyber security as the domain with one of the highest skills gap.

When a significant skills gap occurs in the market, it results in two things.

1. The remuneration demanded by the professionals will sky rocket since there are many chasing the scarce resources.
2. Professionals who are not so skilled will also survive — rather thrive — since lack of alternatives means they will continue to be in demand.

Warren Buffet famously said “Only when the tide goes out do you discover who’s been swimming naked”. The tide is still high in the profession of Cybersecurity.

Security as a public good involves trade-offs with privacy. Whether it is police patrols, or CCTV cameras — a trade-off with privacy is imperative to make security a public good. The privacy trade-off risks will be higher in the cyber world because technology would provide the capability to conduct surveillance at larger scale and also larger depth. It is crucial , delicate — and hence difficult — to strike the right balance between security and privacy such that the extent of privacy sacrificed meets the test of proportionality. However, the complexity of the task, or the associated risks with it, should not prevent us from getting out of the path down a rabbit hole.

Consider the process involved in obtaining a SIM card. In one end of the spectrum, you have countries where obtaining a SIM card is easy, quick and painless. You walk in to a shop, pay the money and you are provided a new SIM card. On the other end of the spectrum, you need strong KYC to be conducted to purchase a new SIM card.

In India, Ministry of Communications issued a circular in March 2017 that made Aadhaar-based verification mandatory for issuance of all SIM card owners. Whilst this would have made the KYC process more robust, this also raised concerns on compromise of privacy. The Supreme Court, in the landmark Puttaswamy case judgement found this directive failing the test of proportionality and ordered a stop to Aadhaar-based verifications.

The flip side of this judgement was that it made it easier for criminals to obtain SIM cards with fake KYC. Equally significantly, this deprived Indian fintech and several other tech platforms of a robust and cost effective way of carrying out authentication of users. This “cheap authentication” had the potential to usher trust at scale in the cyber world, and hence reduce cyber crimes.

There is probably a case for a middle ground between the two extremes of making Aadhaar based verification mandatory and completely doing away with Aadhaar based verifications. This can be done as follows.

1. Make Aadhaar based verifications optional.
2. Display a green-tick when incoming calls from those numbers with Aadhaar based KYC.

This has the potential to usher trust in the society. Then, if one gets a call from a green-tick number, one can be assured to a good extent of the genuiness of the caller. This also allows for those who value privacy more to lead their daily lives without being forced to divulge personal information to private or government entities.

What technology taketh, technology giveth. Technology now also provides ability to run confidential computing that allows for processing of sensitive data while preserving the privacy aspects.

A right combination of policy and technology can provide strong privacy protection whilst providing protection from cyber criminals as a public good.

It is important that we make life simpler for common netizens, as well as enterprises. Whilst awareness of cyber risks and cyber best practices are important to be dissiminated, it is equally important to improve the capacity of law enforcement and crime prevention in the cyber space. It is not fair to leave everyone to the wolves and blame them when they become the victim of an attack. Of course individuals and enterprises need to take sufficient safety measures to protect themselves from cyber attacks. However they should not be burdened with an overload of such measures either.

It is time we come out of the uneasy and unsustainable state of matsya nyaya in the cyber world.