Buying Down Risk

May 3, 2022

Buying down risk: Cyber poverty line

By Trey Herr, Robert Morgus, Stewart Scott, and Tianjiu Zuo

The cybersecurity poverty line (CPL), also known simply as the security poverty line, divides organizations into two categories: those that can achieve a mature security posture and those that cannot. Originally coined in 2011 by Wendy Nather, Head of Advisory CISOs at Cisco, the concept principally refers to organizations that struggle with security, usually because of insufficient IT budget, expertise, capability, or influence. These entities might include startups struggling to get a product to market, schools, small-to-medium enterprises (SMEs) without the resources for dedicated security staff, or the information technology (IT) departments of state, local, tribal, and territorial governments (SLTTs) doggedly competing for scarce taxpayer funding. There are other, less intuitive examples too: large enterprises with low margins; organizations where considerations for safety far outweigh those for security, as in aviation and healthcare; and any entities that cannot influence their own supply chains to improve security. Cyber poverty exhibits dynamics very similar to real-world poverty: simply providing money or free expertise does not necessarily address poor technological designs, poor market incentives, misaligned sociocultural attitudes towards security, or other barriers.

The CPL is a challenge of considerable scope, impacting security throughout the digital ecosystem. A survey conducted in the United Kingdom by Duo Security revealed that 36 percent of SMEs considered themselves below the CPL in 2019, and Kaiser Permanente found that up to 75 percent of the healthcare industry was below the CPL in 2017. Similarly, a Verizon study found that attacks targeting SMEs comprised 43 percent of all attacks in 2019, and 46 percent in 2021, while an Accenture study found incidents in 2018 affecting 67 percent of surveyed SMEs. Other studies found that cyberattacks on SMEs cost an average of $200,000 per firm, and within six months, 60 percent of victims had gone out of business.

Cyber poverty poses threats to the entire cyber ecosystem, not just to organizations below the CPL. The increase in software supply-chain attacks in recent years—discussed in depth by the Cyber Statecraft Initiative’s Breaking Trust series—illustrates the dangers of leaving any part of the development process unsecured, as attackers focus on the supply chain’s most insecure link to reach their victims. For example, a breach into the systems of a small heating, ventilation, and air conditioning company contracted by Target resulted in an escalation into Target’s cash register systems, compromising millions of customers’ credit card information while bypassing Target’s own security. In the public sector, entities hardly considered on the frontlines of cybersecurity can still be targets owing to their proximity to critical networks or access to valuable information. For instance, in 2019, a ransomware attack cost the city of Baltimore more than $18 million; IBM’s security division report on SLTT cybersecurity describes dozens of similar, costly attacks on systemically unprepared IT infrastructure.

Cybersecurity poverty affects more than just organizations with low cash flow. A lack of technical and security capabilities can hobble entities with significant revenue and mature workforces as much as cash-poor organizations. For example, a 2019 US Senate report found that eight entire federal agencies were systemically and catastrophically underinvesting in cybersecurity. In the public sector, where good stewardship of taxpayer funds calls for using infrastructure until it functionally fails, the conventional cybersecurity wisdom around constant updates and maintenance is fundamentally at odds with budgeting practices. Moreover, escaping cyber poverty is more complicated than just securing funding. The required system transitions can be prohibitively complex—even with assured resources—and knowing how to deploy funding is not straightforward. On top of this, larger firms continually hire away the most talented security practitioners, creating significant labor and skill shortages in SME and SLTT security divisions.

Recent legislation is promising for state and local governments. The infrastructure bill recently signed into law allocates some $1 billion in grant funding over four years as matching funds for state and local cybersecurity investments. The House also passed HR 4515, which tasks the Small Business Administration (SBA) with funding significant cyber strategy training programs in small-business development centers given SBA grants. Meanwhile, grants and tax credit programs for SMEs at the state level exist too, and industry has joined the fray, with Microsoft and Google committing to massive IT workforce development campaigns.

Recommendations

  1. Secure products as the default: Core technology vendors like Cisco, Microsoft, IBM, Google, AWS, and companies offering similar products should publicly commit to providing the most secure versions of their products either at no additional cost or with costs for SMEs covered. Outsourced cybersecurity, including the increasing reliance on cloud services, will not improve ecosystem security if important security tools and functionality are unaffordable. In addition, the same industry players should, in coordination with CISA and NIST, determine, publish, and commit to best practices for automated configuration guidance provided to customers to ensure the usability of their secure technologies.
  2. Send training, tools, and money: The federal government and industry should collaborate to improve access by SLTTs and SMEs to basic cybersecurity tooling, services, funding, and training resources, including the following measures:
    • The Senate should pass HR 4515, as well as the cybersecurity provisions of HR 5376 and additional legislation making permanent the cybersecurity grant program under the recently passed infrastructure bill (Public Law 117-58) and adding guidance from CISA. Further legislation should focus on federal subsidies for SME and SLTT access to basic, managed cybersecurity services like email filtering, secure file transfers, and identity and access management services.
    • CISA should coordinate with the other federal agencies and departments providing SME cybersecurity offerings to first consolidate and centralize all their resources—currently spanning many agencies and entities, including the Federal Trade Commission (FTC), Department of Justice, Department of Homeland Security (DHS), SBA, NIST, and more—under a single CISA SME cybersecurity program that centralizes tooling, training, and guidance.
    • CISA, in cooperation with the SBA and the National Association of State Chief Information Officers (NASCIO), should also expand the existing President’s Cup Cybersecurity Competition to include dedicated sections for teams from state governments and SMEs and funding dedicated to covering competition costs.
    • Large corporations with extensive cybersecurity resources—including large technology vendors such as Google, Microsoft, and AWS, as well as entities from the financial sector such as Bank of America and Capital One—should offer direct matching funds for SME cybersecurity spending (possibly for SME customers) and expand funding for training programs. The same entities should also offer open-source security tooling for, and contribute development and financial resources to, the CISA-endorsed free security tool list and similar kits offered by entities like the Global Cyber Alliance, as well as provide training to IT employees at SMEs.
  3. Lessons on making do: NIST, starting with its Small Business Cybersecurity Center, should research and develop a minimum viable security-posture framework spanning organizations of different sizes and sitting at different points in the cyber ecosystem (for example, providing stricter recommendations to a small medical device developer than to a mobile gaming app developer). NIST should also develop, throughout its special publications, sections detailing advice specific to SMEs and SLTTs within different industry sectors, providing lower-cost paths to compliance and clarifying which corners are absolutely uncuttable. Finally, NIST should gather input from SMEs and SLTTs, coordinated by CISA and the SBA, to generate general recommendations and priorities for achieving a workable cybersecurity posture in a resource-constrained environment and to outline the most needed common services. The experts assembled by CISA and the SBA should regularly convene to discuss the state of SME cybersecurity both holistically and as practitioners, generating updated recommendations. Narrowing down a combination of cybersecurity tooling and practices that is both workable and effective will be necessary, just as giving members of impoverished households a sample budget does not necessarily solve all their problems.