NATO leaders have made resourcing cyber defence a top priority. They adopted a Cyber Defence Pledge at the NATO Summit in Warsaw in July 2016 and underlined their commitment to enhance and strengthen the cyber defences of national infrastructures and networks as a matter of priority.
The Cyber Defence Pledge comes against the background of the evolving complexity and impact of cyber attacks. In the past few years, attacks against critical energy infrastructures, telecommunications companies, government authorities and, most recently, political parties have demonstrated the societal and economic impact of cyber attacks.
Closer to home the 2016 Secretary General’s Annual Report notes that last year NATO’s own cyber defenders dealt with 500 incidents per month, a rise of approximately 60% compared to 2015.
Cyber attacks serve to undermine the trust and confidence in cyberspace – a fundamental issue given how much we rely upon interconnected technologies, not only for our communications but also for our future economic growth and social model.
How do we allocate resources to best effect?
The Alliance has recognised at the highest levels that to address these challenges, advanced capabilities, education and training need to be resourced.
To achieve this, policy makers in capitals will need to grapple with a number of important questions. These include: how much should we spend? What is a minimal level of investment? What should we spend it on to achieve a basic level of cyber security, particularly given the dynamic nature of the threat landscape?
From publicly available information, we can see that some Allies have already made progress in answering these questions. For example, the French Pacte Défense Cyber from 2014 included €1 billion dedicated to cyber defence and, in 2016, the UK announced a £1.9 billion investment to underpin its national cyber security programme.
Spending on defence is a complex area which does not lend itself to a simple cost/benefit analysis. However, it is worthwhile to bear in mind that the costs of cyber (in)security may be significant. For example, a 2015 study by the Atlantic Council and University of Denver suggested that, under a worst case scenario, by 2030 the costs of cyber insecurity have the potential to knock US$ 90 trillion off global Gross Domestic Product. More worryingly, their study highlights the possibility that in the future, the costs of cyber insecurity could well outweigh the benefits that cyberspace offers. So the spending reported above appears small, when compared against the potential total costs of insecurity.
What can a cyber defence budget be spent on?
Prior to answering this question, a few considerations are worth noting.
Firstly, what nations spend on cyber defence may well be driven in part by their dependency on secure and unfettered access to cyberspace and by their exposure to cyber risks. Conversely, only if a nation does not use communications and information technology at all is there an argument that nothing needs to be spent. Furthermore, the dynamic nature of the threat landscape and the specific exposure to cyber risks in any given situation – what the experts call the ‘attack surface’ – make it complex to decide what to spend. This points to the need for an approach to cyber defence based on assessment and management of risks, so that resources can be prioritised against those threats likely to cause the most damage.
Secondly, from a theoretical perspective, a given amount of cyber defence budget may well buy more defence than the same amount spent on other forms of defence capability. Budget spent on a firewall or on user awareness helps protect against a range of cyber attacks, including those which aim to steal money or disrupt infrastructure. The implication is that in cyber defence spending a little can go a long way.
Lastly, those budgeting for cyber defence need to appreciate that effective cyber defence stems not only from the right technology, but also from getting the right people, trained to the right level, and from the enforcement of good policies. In general, unlike the acquisition of traditional forms of defence capability, which places an emphasis on tangible equipment, effectiveness in cyber defence may be determined more by information sharing, cooperation and coordination. These are all things which are somewhat intangible.
In addition to accounting for the nebulous nature of these types of activities, it is very challenging to understand the costs of other parts of the cyber defence puzzle: for example, the additional cost of the time users spend on basic cyber hygiene, or the additional development effort needed to build cyber defences into the software of military hardware.
Finally, the cycle of upgrades may be more frequent in cyber defence than in other forms of defence capability. Anti-virus software is a good illustrative example: the increasing ubiquity of cyberspace means that the lists of the digital fingerprints of different viruses used by anti-virus software can be updated in real-time. By comparison, major pieces of defence equipment are intended to last years – the Hercules C-130, for example, first flew in 1954 and in its different variants is still going strong.
The tangible and intangible costs of cyber defence
With this in mind, cyber defence spending can be spread across a number of different things. These can be both tangible and intangible and may be one-off investments or may recur monthly, annually or irregularly.
People are perhaps the most obvious recipient of spending. This can be in terms of salaries and indirect costs such as pensions, but also the time spent on their training, courses and exercises. Given that recruitment and retention of cyber specialists by government is challenging (due to the attractive salaries that can be offered by the private sector), these costs may be significant: indeed, expert views suggest that they may be the biggest driver of spending in cyber defence.
The cost of labour also needs to be taken into account: this might include time spent on designing, implementing and maintaining cyber defences, including performing upgrades to security systems, decompiling malicious code or performing certification exercises.
A final type of intangible cost driven by the nature of cyber defence is the time and labour spent on coordination, information sharing and establishing cooperation. It is often said that cyber defence is a ‘team sport’ and that ‘trust is key’. The importance of these principles is obvious once we appreciate the amount of time that goes into creating and establishing a trusted network and exchanging information. Even in the age of video teleconferencing, there is no replacement for a face-to-face meeting to build trust.
The tangible types of cost are often the most obvious, but relative to the activities above they may be a small proportion of the total spent on cyber defence. These costs could go to hardware and software, software licences (which can often run into thousands or even millions of dollars or euros) and the customisation and integration necessary for them to work in their intended environment. Increasingly, recurring costs are associated with services offered by Managed Security Service Providers, who offer a form of outsourced cyber defence by, for example, conducting threat analysis on behalf of their customers. Other costs that might also be labelled under technology include the purchase of as yet undiscovered software vulnerabilities (known as ‘zero-days’) as a way to avoid them being bought and used by others.
Finally, spending might go toward stimulating innovation – an increasingly important theme which can take advantage of early stage research and development for improving cyber defence. This might be through grants to industry or research and development activities.
The cost of doing nothing
Understanding the imperceptible budgetary implications of cyber defence can be just as challenging as investigating the seemingly ghostly attacks that come from the virtual world.
Nonetheless, when we look at some estimates regarding the costs of cyber insecurity and the relative importance that many countries have afforded cyber risks, it is obvious that spending on cyber defence may well be good defence value for money. For example, the cyber attack against the Bangladeshi central bank involving the Swift network cost approximately US$81 million – a significant sum for that country.
In the private sector, following the cyber attack in 2015, UK communications provider TalkTalk reportedly suffered exceptional costs of £40–45 million, with £15 million damage to its trading revenue, in addition to the loss of over a hundred thousand customers.
Spending priorities
To avoid incurring these sorts of economic damage it is important to pay attention to what spending goes on, as well as how much.
Spending on human capital – recruitment, retention, training and education – appears to be key to getting results. Therefore, targeting of spending is necessary, especially now that the global hunt for talent means that the private sector can easily lure away highly skilled and knowledgeable experts. Spending considerations also need to take into account that, like an iceberg, much of cyber defence spending lies ‘below the waterline’, with time (and therefore budget) needed for sustainable coordination, cooperation and information exchange to build trust.
The value of the Cyber Defence Pledge
Within NATO these aspects will need to be resolved in the context of wider political discussions about defence spending among the Allies. The Cyber Defence Pledge can provide a platform to stimulate discussion in the Alliance about cyber defence spending and prioritisation. Through the insights that Allies learn from the reporting on implementation of the Cyber Defence Pledge, it will be possible to share experiences and best practices regarding cyber defence spending, thereby contributing to more effective and efficient cyber defence for the Alliance as a whole.