Policy Analysis Exercise, Harvard Kennedy School
Executive Summary
Cyberattacks have become an increasingly common occurrence with profound and damaging effects for the public and the private sectors. Much of the resulting attention has naturally focused on how to prevent such attacks. However, the people and organizations held accountable for preventing an attack—by a court of law or the court of public opinion—are not necessarily the same as those that have the most robust capability to do so. We hypothesize that properly matching accountability with capability can help internalize the growing externality that cybersecurity incidents represent in an increasingly networked world.
Our goal in conducting this research was to help policymakers determine where to assign accountability: not necessarily to the party most proximate to the target of the attack (as has traditionally been the case) but rather to whoever is structurally empowered and sufficiently resourced to prevent the attack. We analyzed three cases—the attack on Sony Pictures by North Korea in 2014, the theft of Target customer credit card data in 2013, and the WannaCry ransomware attack on the U.K. National Health Service (NHS) in 2017—to explore who in the networked environment had the capability to prevent these cyberattacks, who was held accountable, who could have been held accountable and, finally, who should be held accountable.
We conclude that an incentive structure that motivates action and encourages not just potential victims but also their service providers and partners to address cyber risk is required. All parties in the networked environment have an important role to play, from corporate boards to insurance underwriters to government regulators. Only when all organizations begin to work together towards common short-, medium- and long-term solutions to address cyber risk will meaningful impact be made.
Key Learnings from Cases:
- Sony Pictures: In the Sony case, neither Sony nor any of its service providers or partners appeared to recognize or believe that they were either liable for a potential breach or empowered to act to reduce cyber risk. The resulting collective inaction led to millions of dollars in IT costs and damages for Sony. A well-resourced and persistent hacker does not excuse unsophisticated defenses or poor post-attack actions. Incentives must encourage companies to implement existing (and future) standards and best practices. Product liability law, clarifying the duty of care standard and SEC or industry-led reporting requirements may help to hold companies accountable.
- Target: Poor contracting and monitoring practices allowed attackers to use a third party as a backdoor to Target’s corporate network. Companies must structure contracts with cybersecurity in mind, clearly assigning cyber responsibilities, risks and liabilities.
- NHS: Far too many computers are running unsupported and vulnerable operating systems. Each of these systems is an endpoint that can potentially spread risk quickly to other computers in the same network. Software providers must utilize secure coding practices, consider ways to automate updates where not already automated and incentivize users to upgrade to the most secure software where appropriate. Baseline standards must be enforced through product liability laws and government or industry oversight.
Policy Proposals:
The challenge of addressing cyber risk is rarely about determining what to do but rather how to incentivize the implementation of existing strategies, best practices and guidelines. There are a host of proven strategies, known best practices and published guidelines (e.g. cyber hygiene, red teaming and penetration testing and the National Institute of Standards and Technology (NIST) framework) that can help companies and governments address the vast majority of cyber risk.
These strategies, practices and guidelines are discussed at length in this report and the authors consider them to be vital components of any plan to address cyber risk. However, the lack of a strong incentives framework has limited the adoption of these mechanisms and methods to address cyber risk. The authors consider the following policy proposals to be the most powerful means of incentivizing widespread adoption:
- Establish Cybersecurity Product Liability Law: A framework for cybersecurity product liability law must be firmly and clearly established by legal precedent or legislation so that companies can internalize cyber risks and potential future damages in their decision-making processes.
- Expand Corporate Fiduciary Duty and Duty of Care to Include Cybersecurity Risk: Corporate fiduciary duty and duty of care need to be expanded and clarified by legal precedent or legislation to include accountability for cyber risk mitigation strategies and actions.
- Create Comparable Public Signaling Devices for Assessing Cybersecurity Quality: The market needs more information about company efforts to address cyber risk in order to reward excellence or, alternatively, exert pressure on poor performers to improve. Public signaling devices that disclose cyber risks and allow companies to be compared against one another can help educate the market. These devices could take multiple forms, including ranking systems (e.g. JD Power), product disclosures and company assessments (e.g. Better Business Bureau ratings), and cyber risk audit requirements and public filings (akin to current 10-Q and 10-K filings).
Mott, Kevin and Olivia Volkoff. “Incentivizing Comprehensive Cybersecurity Solutions by Matching Accountability to Capability.” May 2018