(Flickr Commons) Despite efforts by experienced and driven professionals, multiple cybersecurity challenges plague us today. Key indicators suggest that we are not making enough progress and, in fact, are possibly going backwards. Organizations of all types, including companies, governments, schools, and critical infrastructures, are experiencing increased data breaches,[i] criminal activity, essential e-services disruption, and property destruction.

This must change.

To make differences at scale, this paper outlines four actions, from two points of view: a view focused towards technology and practice, and a view towards policy and law.

The four actions proposed are:

  • Connected devices need minimum standards and enforcement;
  • Security practice must return to the basics;
  • The market needs additional influence; and
  • Executive accountability for cyber is required.

The paper discusses these actions and additional solutions to each, with associated key performance indicators (KPIs). These effectiveness and performance indicators should help decision makers take action and monitor their progress and success, should they adopt this advice.

 

Background and Observations:

Every year, more people connect online, companies use technology for more of their operations, and governments enable more citizen-facing services, using the Internet. Consumers, companies, and nations are all at risk, and data indicates the different types of risks are growing.

The first risk is a breach. The number of breached records rose by 350 percent in 2013,[ii] with approximately half of the U.S. population’s personal information exposed in a 12-month period.[iii] The average time it takes an organization to detect a breach is 32 days, an increase of 55 percent from last year.[iv] Most organizations experience two successful breaches per week where their core networks or enterprise system is infiltrated.[v]

The second risk is crime and financial, informational, and industrial espionage. By one estimate, cybercrime and economic espionage costs an estimated 445 billion U.S. dollars globally (this is an increase from last year).[vi] Theft of Intellectual Property (IP) in the United States is calculated as a loss to the tune of hundreds of billions of dollars.[vii] Organizations are increasing their operational expenditures to defend themselves from and attend to security issues caused by malicious software[viii] and pirated software. According to the IDC’s 2014 estimate, the global total for losses to enterprises will approach half a trillion dollars and continue climbing for 2014.[ix]

The third risk is disruption of e-services. For example, a Distributed Denial of Service (DDoS) campaign has been underway for the last year against the United States’ top financial institutions, including JPMorgan Chase, Bank of America, Citigroup, U.S. Bank, and PNC. The DDoS attacks are reaching levels that are disrupting citizens’ ability to conduct banking, and telecommunications providers can no longer guarantee quality of service or business continuity.[x]

The final risk is destruction. In August 2012, Saudi Aramco suffered a targeted attack that used malicious software to destroy data and damaged nearly 75 percent of the company’s IT infrastructure. Corporate officials declared it a targeted attack intended to affect oil production.[xi] A few months later, in March 2013, multiple financial institutions in South Korea, including Shinhan Bank—the country's fourth largest bank—suffered damages from malware similar to that used in the incident against Saudi Aramco. Their e-services were disrupted and data was destroyed.

Cyber breaches, crime, disruption, and destruction have significant implications for global trade and global business continuity. It is time to change course, and propose implementable solutions.

 

Connected Devices Need Minimum Standards and Enforcement:

When a true story is printed explaining how refrigerators were used to generate SPAM emails,[xii] it is both a humorous story and an alarming indicator.

Today, there are no standards—much less enforceable ones—for devices connecting to the Internet, aside from those inconsistently created by network operators. In addition, entire industries are now building connectable devices with little to no experience or history in building (secure, resilient, well-engineered) connectable devices. This combination of poor product testing and vendor inexperience is resulting in baby-monitors, cameras, and cars being exploitable.[xiii]

We face a crossroad. First, traditional systems such as PC’s, tablets, and smart phones already constitute a very significant cybersecurity challenge, as the data shows. Second, we have the addition of the Internet of Things (IoT) - defined here as all network/Internet-connected devices not including PCs, tablets, and smart phones. In 2014, it is estimated that an additional 6.8 billion IoT devices will be produced.[xiv] Both traditional and IoT devices have similar security requirements, albeit the IoT devices include both known and unknown vendors in the IT space, have different power, memory and CPU limitations, and are quickly redefining how much human traffic versus Machine to Machine (M2M) exists as a percentage of total network traffic.

Each traditional and IoT system has the components necessary to be a security threat. They have:

  • A network interface;
  • Software; and
  • A person who will seek to use the system in some way other than intended.

IoT devices are increasingly produced by known brands that did not grow up as IT companies (e.g., Samsung, Toyota, Epson, LG, Bosch, Coca-Cola, etc.). These next-generation devices will now have some or many network connections: Ethernet, wireless (cellular, 802.11x, ZigBee), Bluetooth, or proprietary wireless. These devices will be vulnerable, unable to have built in security protections sufficient to the task, if any at all.[xv]

Additionally, these previously standalone devices will now run software that uses a network or networks for some purpose and probably will not be built with a security development lifecycle and review.   Most large companies (e.g., Cisco, Microsoft, Oracle, etc.) that have produced Internet-connected systems to date have always had, or at least have now, a Security Development Lifecycle.[xvi] This assists in market differentiation, reduces flaws in fielded products, and assists in product certifications.[xvii] These new entrants are soon to discover how vulnerabilities in software will change their market. Unfortunately, society will also learn how these flaws change and challenge safety, resiliency, and personal privacy.

By 2020—just six years from now—over 20 billion devices[xviii] will be connected to the Internet and the number of connected people will at least double, which represents half the world’s projected population.[xix] How many new vendors will join the future Internet with their products? How many products will be innovated and built with security in mind in that same six-year period?

 

Proposed Solution(s):

Underwriters Laboratory for Connected Devices[xx]

In 1894, William Henry Merrill created the Underwriters Laboratory (UL) in Northbrook, Illinois. The electrical industry at the time suffered problems. Electricity could be dangerous, as poorly designed systems affected the power grid of the time, and needed both standards and testing labs for adherences. Today, UL is a worldwide operation addressing seven business areas, and ensuring, with its stamp of approval, that consumers are knowledgeable and testing is done.

In 2014, the Internet faces a similar problem. Anyone can build an Internet-connectable device, there are no standards, and these devices can in turn affect other devices on the Internet. There is no lab or certification process for Internet-connected devices to determine their readiness or level of security, nor any stamp of approval suggesting they were tested.

The creation of an Internet Underwriters Laboratory (IUL), which tests and has the manufacturer test their products against cybersecurity requirements, would assure a fault-tolerant range of some size. This, however, cannot be done independent of the insurance industry, as we learned from UL’s history.[xxi] Motivated by self-interest, the insurance companies helped create UL to lower the risk as products and services were created, so as to lower the cost of the insurance paid to compensate if this risk were to occur. Key to this process was the common interest that both insurance companies and consumers had to provide transparency on what the risk factors were to accurately account for the “cost” of the insurance.[xxii] Today, we do not have models to get at that type of data, as devices and systems are too often built without risk and mitigation in mind, and then not tested to verify efficacy.

An important second-order effect would be reviews and comparisons of products and services. These comparisons would be based on reporting and results from the testing, and could lead to a “Consumer Reports”-like initiative with independence and impartiality. This helps change markets, as it would ensure that the buyer understands how the products were built, and if the next refrigerator, baby monitor, or other connected device represents a lower threat for the environment, be it a business or a home.

In 1915, UL was issuing 50 million labels per year to be attached to certified products. By 1922, it was 50 million labels per month.[xxiii] A similar adoption rate should be possible in a “Connected Devices” IUL and, if created, this would be a key indicator of progress. In addition, existing industries would benefit from the testing data/empirical data (cyber insurance) to inform their future product and service lines of business. New industries (market entrants) could drive innovation using the testing results (consumer reports) to produce new products and services—displacing those that are less safe, secure, and resilient.

 

Internet Service Providers — Upstream Security for Downstream Devices:

The market for connected devices is growing quickly, as is the number of connected devices. This is enabled by some combination of low cost computing and data storage; inexpensive, portable consumer devices; and high-speed bandwidth that allows you to click, connect, and search data or provision e-services 24 hours a day, seven days a week.   More and more people bring-their-own-device (BYOD) to work or school and third party data storage or hosting facilities allow for low-latency access to that data globally. More and more organizations are installing IP cameras for protection, automated machinery that is IP connected, or building control software for heating and cooling. Even if we can get the devices to be more securely designed, tested, and provisioned, we should at the same time consider additional solutions in the network.

Connected devices require Internet connectivity and that is most-often provisioned through a single set of vendors—the Internet Service Providers (ISPs). ISPs come in many forms and sizes and go by many names: the phone company, the cable company, the wireless company, etc. Yet when you look at who is responsible for provisioning this access, you find that approximately twenty-five ISPs carry as much as 80 percent of all Internet traffic.[xxiv] That is a small number of organizations that could make a difference at scale.

ISPs have unparalleled access to global networks, giving them a unique view on network traffic. This enables them, with the proper tools and authorities, to detect cyber intrusions and attacks as they are forming and transiting towards their targets.[xxv] The bulk of Internet pollution (such as SPAM or DDoS attacks) could be stopped before it arrives at its destination using network traffic analysis and core and distributed control points. For example, some ISPs limit SPAM and partner with law enforcement to deny the distribution of child pornography.[xxvi]

ISPs, using more advanced technologies, could also stop a portion of malicious activity before it reaches an organization by invoking upstream security controls deployed at key choke points within the Internet traffic flows (established by an ISP). Bell Canada and CenturyLink are using these types of technologies to provide a safer Internet experience for their customers, and have proven that this type of service reduces overall corporate costs by reducing the rate of infections to its customers.[xxvii] As connected devices become infected with malicious software, ISPs could see that too if alerted that a device or entity is using excessive bandwidth, is trying to further spread the malicious software, or is communicating with a known command server.

ISPs in Europe, Australia, Japan, and even some in the United States have already assumed the duty to inform their customers when machines or devices appear to be participating in a botnet infection.[xxviii] They assist consumers and businesses in isolating the infected devices and, at the same time, work to eliminate or eradicate the infection.

We can no longer be one click away from an infection or worse yet, no service. Therefore, it is time to turn to the ISPs to provide upstream security for our downstream devices. To achieve this, the ISP’s concerns about consumer privacy and corporate liability may need to be addressed. Meeting tomorrow’s demands for network capacity, new applications, and an expanding base of users requires anticipating the next-generation security demands today. The ISPs can and should be a central component of the solution.

 

Security Practice Must Return to the Basics:

Common practice focuses on the protection of the physical asset and logical function of its components rather than the product or service that it is providing. We need to start focusing on critical services, not critical infrastructures, because it will likely change our views and investments regarding protection, resilience, recovery, and restoration of assets. It may also highlight the interdependencies among organizations and nations requiring different approaches to common defense and security.[xxix]

A major transition in the IT industry is the notion that servers, storage, and applications are not at all where IT builds value. It is in the identification, development (in some cases), and operations of the critical services that IT is so much more relevant. For example, the fact that an online map site has servers, storage, and applications is not the value added per se – it is the map, directions, visualization, and secondary information that generate value for the consumer.

Part and parcel in today’s day and age is where the service can be affected, and where the end consumer of that service is either denied access to the service, or the service is interdicted and so is delivered differently than expected. These are “new” threats: where what you think you are doing and the information you are getting is not the actual service or the information because it has been manipulated. Examples include malware in the browser (MITB) that manipulates bank web site surfing; a government creating a false website to lure foreign citizens into providing information or using a government intercepted communications service,[xxx] or a fake wireless access point to lure visitors and steal personal information.[xxxi]

 

Proposed Solution(s):

We need to start talking about everything in security terms, so that resiliency and integrity may be best addressed. A proper mapping for critical services would include:

  • Service’s name and purpose;
  • The critical functions that are dependent upon that service;
  • Each infrastructure element needed to deliver the service, some of which may not be operated by the corporation (e.g., the Internet being part of the way banks deliver service to their customers, although they do not control it);
  • The requirements for resiliency of the service; and
  • Continuous Independent Verification and Validation (IV&V), where possible.

 

Reduce the Threat Surface on Today’s Systems:[xxxii]

The hard work is rarely the most fun, and when talking about reducing risk, these words are highly applicable. In Germany, studies show that the average citizen is using over seventy applications from over two dozen vendors, and nearly one out of every seven people in Germany are using Operating Systems (OSs) that are not fully patched, with at least one out of every fifteen applications also not being fully patched.[xxxiii] This yields, for just that country, a significant amount of risk due to poorly maintained systems. Germany is by no means alone in this; poorly maintained systems are a global issue.

This data and others show that we are not taking proper care of the basics—patching, upgrading, and testing—and are leaving organizations and people vulnerable as a result. The Top Twenty Critical Security Controls[xxxiv] provide an easy checklist of the basic activities that ought to be done and have proven effective in increasing an overall defensive posture. Most penetrations occur against the top eight controls, suggesting that reducing the threat surface in today’s systems is possible if the eight controls are applied consistently.

“Back to basics” includes more than just patching. It also includes eliminating “dark space”—the areas where something about a system or a service is not known and needs to be in order to assure its proper operations. An example of dark space is “unknown devices,” such as a personally owned computer or unregistered data center system that is connected to a network where no one “knows” what the device is, what it does, or to whom it is related. A second dark space example is “unknown connections,” where an Internet or intra-network connection exists and is also unseen, creating an unmanaged side door to a datacenter, corporate network, or production service. Due to their unseen, unknown nature, these dark spaces provide a safe haven for illicit and illegal activity, and thus posit additional risk and fragility. Absent preventative measures, dark space is likely to only be discovered post-breach or post-failure, and dark space will likely grow with IoT.

 

The Market Needs Additional Influence:

Many governments have determined that normal market forces are insufficient for the development of effective cybersecurity. Therefore, governments are increasing their market interventions, primarily through regulation and law.   In Europe and the United States, this takes the form of defining protection requirements and demanding certain sectors to identify, assess, and correct deficiencies. These sectors include: electric utilities, financial services, transportation, and telecommunications. Other regulatory measures include mandating notification regarding breaches, the technique or method used, and outages or business disruptions (telecommunications), as well as imposing strict data protection controls.[xxxv]   Non-compliance may result in penalties, including financial ones. For example, in the United Kingdom, a breach could cost an organization £500,000 if the corporation did not have proper defenses in place.[xxxvi] These types of penalties get the attention of corporate leaders. Yet at the same time, if the necessary security preventative measures are costly, organizations may delay implementing them, quietly reflecting:“It will not happen to me.”

These interventions introduce new issues because data protection is often handled by a different part of the government than information security. Well-meaning government officials do not always consider how a new policy, sometimes localized by country or region, could conflict with other existing policies. In Europe, for example, data protection directives impose strict controls on protecting personally-identifiable information. This directly conflicts with the draft Directive on Network and Information Security, which requires organizations to notify authorities of a breach within twenty-four hours of the event. This directive would require network defenders to review log information containing personal, identifiable information. It is unclear which directive or standard takes precedence. More troubling is the fact that following one, if compelled by regulation, requires an organization or entity to break the law by not following the other. Finally, there are standards that are in conflict with one another and compete for adoption. This makes it difficult for the end user to judge which standards are the best choice for their particular requirements.[xxxvii]

 

Proposed Solution(s):

Few governments are considering incentives for rapid market adoption. Tax credits, subsidies, and rate recovery schemes provide faster paths to organizational participation and market adoption. For example, electric utilities are facing increased pressure to identify core cyber assets[xxxviii] and increase the security and resiliency thereof. This sector often has the ability to “pass” the cost on to its customers authorized by the government enabling them to “recover” cybersecurity investments. Of course, federal incentives like this only work for price-regulated industries when there is not further regulation at the state or municipal level.[xxxix]

If governments want industry to invest in developing more secure products and services to prepare for the IoT, then a research tax credit should be considered. The research and experimentation credit in the United States Internal Revenue Code is one such example. Originally enacted in 1986, the research credit is one of many temporary provisions in United States tax laws that are routinely renewed by Congress. Because the research credit is focused on basic research, it could serve as an incentive for companies to apply their research agendas (and more importantly their money) toward developing products and services that are well engineered, and therefore secure, resilient, and with few or no vulnerabilities.[xl]

Of course, the government could also choose to apply subsidies to change the market conditions. For example, many governments provide an agriculture subsidy to farmers: to supplement their income, the government influences the cost of products like milk and corn, while managing the supply of such commodities. A cybersecurity subsidy could be used to incentivize ISPs to provide particular types of security and managed security services to businesses and citizens, thereby providing upstream security for downstream devices (as discussed earlier). The reduction in price to consumers or perceived “free service” would enhance security for all. This type of economic intervention may be required.

There is at least one other form of market incentive that proves effective: the power of demand. Security requirements should be part of the procurement and acquisition process.[xli] For example, the government can use its purchasing power to influence the market toward better security. The United States has already initiated the Federal Risk and Authorization Management Program (FedRAMP), a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. It is driving market behavior by demanding security through its procurement process.

 

Executive Accountability for Cyber is Required:

It does not matter if you are a large retailer who has lost control of 100 million credit card numbers, or a large oil and gas company that has had 70 percent of its IT assets damaged, or an elementary school, or a farm. Cybersecurity constitutes a risk area for all organizations whether they acknowledge it or not. The challenge for each organization is at least two fold.

First, cybersecurity risk is a relatively new field. As a result, there is a lack of formal training, mutually agreed upon principles and measures, and actuarial tables to aid in appreciating its impact using empirical data. This is exacerbated when an organization delegates the responsibility for its cybersecurity down to the Chief Information Officer (CIO), whose main responsibility is to ensure the twenty-four/seven IT operations of the organization. Cybersecurity is an organization-wide risk area because it touches every Line of Business (LoB): the technology and fabric of the organization, its culture, brand and reputation, as well as legal and regulatory requirements. The only single place where accountability for all of the domains listed here is at the CEO level. Therefore, the only way to increase focus at scale across all industries is to shift to CEO level attestation and accountability.

Second, companies are coming under pressure from shareholders and governments to shore up their cyber defenses. In October 2011, the Securities and Exchange Commission (SEC) issued a notice to industry regarding cybersecurity. Public companies have existing obligations to disclose material risks and events on their public filings. A risk or event is considered a material one if it is important for the average investor to know before making an investment decision. Material risks can include cyber risks and material events can include cyber breaches, including the theft of intellectual property/trade secrets, penetrations that compromise operational integrity, etc. Because of past lack of reporting in this area, the SEC has issued guidance to clarify that in fact cyber risk and events should be reported to the Commission. In March 2014, the SEC convened a public meeting with all of its commissioners and Chairwoman Mary Jo White to underscore the importance of cybersecurity to the integrity of the market system and customer data protection. Ms. White further stated that the SEC intends to move the guidance into a set of rules, and thus regulate industry to comply with the guidance.[xlii] The challenge for any company (private, public, employee owned, international) then, is that no framework has emerged yet to provide them with a “standard of due care” that they can attest to having met.

 

Proposed Solution(s):

Awareness and Accountability via Regulatory Influence

Three independent agencies in the United States—SEC, the Federal Communications Commission (FCC), and the Federal Trade Commission (FTC)—have the ability to increase awareness about what is happening to our core infrastructure and drive, through regulation, an innovation agenda that can strengthen our information security posture.[xliii] For the purposes of this paper, we will focus on two. The SEC and the FCC have the authority to require publicly traded companies and telecommunications companies to attest to requirements for cybersecurity. If one or both were to require positive attestation for cybersecurity risk controls, then nearly 22,000 companies would do so.[xliv] If extrapolated across the world, then a significantly larger number of companies would be required to attest to controls.

Organizations’ response to this requirement could be answers to questions posed at the C-suite level, from the Board of Directors to the CEO. A proposed, and manageable, list of questions would be:

  • Does the company understand the cybersecurity landscape and its relevance to the business sector(s)?
  • Does the company understand its networked environment (what is connected, what it does, and to whom it is related)?
  • Is cybersecurity part of the overall planning process with clearly delineated executive ownership of the process?
  • Can the company demonstrate an adequate system of controls commensurate with the risk associated with its relevant business sector(s)?
  • Does the company have a Computer Incident Response Teams (CIRTs) or capability with a formalized process to respond?
  • Does the company have a disclosure process and has it followed it over (the last) period?
  • Has the company established relationships with law enforcement or government officials to interdict or investigate incidents?
  • Is there anything else we need to know?

In order to adequately answer these questions, a framework and practice—if not already in existence—need to be created. Today, information security frameworks such as the National Institute of Standards and Technology (NIST) CyberSecurity Framework v1.0, the British Standards Institute (PAS-555-2013), the Cyber Security Risk-Governance and Management Specifications, and the International Standards Organization (ISO) 27001/2, are too complicated and detailed to be reasonably applied and adopted at scale. ISO27001/2, for example, has over 110 controls, while the NIST CyberSecurity Framework v1.0 has 23 categories, and over 90 subcategories.

Today, most organizations do not apply, audit, and then certify to one of the existing frameworks.[xlv] If required (or regulated to use one of the existing frameworks) today, most organizations would find themselves unable to comply, and this would continue for quite some time. The impediments could include cost to certify, time to certify, inefficiency due to the complexity of existing frameworks, and inability to scale.[xlvi] To overcome these challenges, we need to approach the problem differently. We need a framework and practice that manages risk in fewer domains with fewer questions, such as the Cyber Readiness Index – Enterprise Edition.[xlvii] This framework is smaller, ensuring lower cost, quicker adoption, and flexibility to scale. Additionally, it is extensible, allowing for the addition of further requirements - improving over time and adapting to meet new needs.  Finally, it allows organizations to mature their processes and operational implementation thereof, by setting the bar higher each time as opposed to setting a the highest standard that may not be initially achievable.

 

Conclusion:

In our current state of cybersecurity, breach, crime, disruption, and destruction are growing in unacceptable ways. Key indicators suggest that we are not making enough progress and in fact, are possibly going backwards.

This paper proposed four actions to start taking right now. The four actions, revisited, are:

  • Connected devices need minimum standards and enforcement;
  • Security practice must return to the basics;
  • The market needs additional influence; and
  • Executive accountability for cyber is required.

It is time to adapt and adjust to the changing environment and anticipate the security requirements of the future Internet-connected world. An Internet Underwriters Laboratory (IUL), which tests and has the manufacturer test their products against cybersecurity requirements, would influence market behavior. Additionally, ISPs can and should provide upstream security for our downstream devices.

Security professionals need to return to the fundamentals, reducing the attack surface by taking proper care of the basic elements of cybersecurity: patching, upgrading, and testing. They also need to be diligent about eliminating dark space: detecting the “unknown devices” and “unknown connections” that provide safe haven for illicit and illegal activity. Additionally, decision makers need to start focusing on critical services, not critical infrastructures, because it will likely change their views and investments regarding protection, resilience, recovery, and restoration of assets.

Because cyber insecurity is growing, we need our governments to consider a broader range of market levers, including adopting incentives for rapid market adoption. Tax credits, subsidies, and rate recovery schemes all serve as options to affect market adoption and action.

Finally, organizations’ executives and directors must be accountable and attest to requirements for cybersecurity.

We can no longer merely talk about these problems—we need to roll-up our sleeves and solve them.   Meeting tomorrow’s demands—increased network capacity, new applications, and an expanding base of users—requires anticipating next-generation security demands today. When the four areas of breach, crime, disruption, and destruction are contained and well-managed, we will have succeeded, but we have a great deal of work to do to get there.

 

Disclaimer: This paper was prepared and authored in the authors' personal capacity. The opinions expressed in this article are the authors' own and may or may not reflect the view of Cisco Systems, Inc, or any other affiliated organizations.


[i] A data breach is an intentional or unintentional release of sensitive or secure information to an untrusted environment.

[ii] Verizon, 2014 Data Breach Investigations Report, 2014, p. 5, accessed June 21, 2014, http://www.verizonenterprise.com/DBIR/2014/ Ponemon Institute, 2013 Cost of Data Breach Study: Global Analysis, May 2013, accessed June 21, 2014,http://www.ponemon.org/local/upload/file/2013%20Report%20GLOBAL%20CODB%20FINAL%205-2.pdf.

[iii] Jose Pagliery, “Half of American Adults Hacked this Year,” CNN.com, May 28, 2014, accessed June 21, 2014, http://money.cnn.com/2014/05/28/technology/security/hack-data-breach/index.html.

[iv] Ponemon Institute, 2013 Cost of Cyber Crime Study: United States, October 2013, p. 10, 13, accessed June 21, 2014, http://media.scmagazine.com/documents/54/2013uscccreportfinal6-113455.pdf.

[v] Ponemon Institute, 2013 Cost of Cyber Crime Study: United States, ibid.

[vi] Center for Strategic and International Studies (CSIS).  "Net Losses:  Estimating the Global Cost of Cybercrime".  June 2014. (Page 6) , accessed June 21, 2014, http://csis.org/files/attachments/140609rpeconomicimpactcybercrime_report.pdf.

[vii] Commission on the Theft of American Intellectual Property, The IP Commission Report, May 22, 2013, accessed June 21, 2014, http://www.ipcommission.org/report/IPCommissionReport_052213.pdf.

[viii] Software intended to damage a computer, mobile device, computer system, or computer network, or to take partial control over its operation.

[ix] IDC and the National University of Singapore, “The Link Between Pirated Software and Cybersecurity Breaches: How Malware in Pirated Software is Costing the World Billions” March 2014, p 2, accessed June 21, 2014, http://www.microsoft.com/en-us/news/downloads/presskits/dcu/docs/idc_031814.pdf.

[x] Melissa E. Hathaway, “Change the Conversation, Change the Venue and Change Our Future,” Centre for International Governance Innovation, May 13, 2013, accessed June 21 2014,http://www.cigionline.org/publications/2013/5/change-conversation-change-venue-and-change-our-future.

[xi] “Aramco Says Cyberattack Was Aimed at Production,” The New York Times, December 9, 2012, accessed June 21 2014, http://www.nytimes.com/2012/12/10/business/global/saudi-aramco-says-hackers-took-aim-at-its-production.html?_r=0.

[xii] Bob Sullivan, “Spam in the Fridge: Hackers target home appliances,” MSN, January 21, 2014, accessed June 21 2014, http://money.msn.com/saving-money-tips/post--spam-in-the-fridge-hackers-target-home-appliances.

[xiii] Symantec, Internet Security Threat Report, April 2014, p. 7, accessed June 21 2014,http://www.symantec.com/content/en/us/enterprise/otherresources/b-istrmainreportv19_21291018.en-us.pdf.

[xiv] IHS, “More Connected than Ever: 6 Billion New Internet-Enabled Devices to Produced This Year,” February 13, 2014, accessed June 21 2014, http://press.ihs.com/press-release/design-supply-chain/more-connected-ever-6-billion-new-internet-enabled-devices-be-prod.

[xv] David Bryan and Daniel Crowley, “Video: Hacking Home Automation Systems,” SC Magazine, July 31, 2013, accessed June 21, 2014, http://www.scmagazine.com/video-hacking-home-automation-systems/article/305416.

[xvi] A Secure Development Lifecycle (SDL) is a repeatable and measureable process to reduce product vulnerability, increase resiliency, and assure software and hardware. Vendors such as Microsoft, Cisco, and Oracle each have their own public versions of SDLs.

[xvii] John N. Stewart, “Perspective: Not all Vendors and Products are Created Equal,” Georgetown Journal of International Affairs, March 23, 2013, accessed June 21, 2014, http://static1.squarespace.com/static/5994faca15d5dbf4b8a0b434/5996395064549a245f614f43/59963a8664549a245f621964/1503017606347/a?format=original>.

[xviii] Microsoft, Linking Cybersecurity Policy and Performance, February 2013, accessed June 21, 2014, http://www.microsoft.com/en-us/download/details.aspx?id=36523.

[xix] Gartner, “Gartner Says the Internet of Things Installed Base Will Grow to 26 Billion Units By 2020,” December 12, 2013, accessed June 21, 2014, http://www.gartner.com/newsroom/id/2636073.

[xx] Author’s note: this came from a discussion with Alan Paller of SANS, some years back.

[xxi] Daniel B. Klein, Reputation: Studies in the Voluntary Elicitation of Good Conduct, Economics, Cognition, and Society Series, (University of Michigan Press, May 15, 1997), 78.

[xxii] Daniel B. Klein, ibid.

[xxiii] Daniel B. Klein, ibid, 78-79.

[xxiv] Melissa E. Hathaway and John E. Savage, “Stewardship of Cyberspace: Duties for Internet Service Providers,” March 2012, p. 15, accessed June 21, 2014, http://belfercenter.ksg.harvard.edu/files/cyberdialogue2012_hathaway-savage.pdf.

[xxv] David McMahon, “Beyond Perimeter Defense: Defense-in-Depth Leveraging Upstream Security,” in Best Practices in Computer Network Defense: Incident Detection and Response (IOS Press, February 2014).

[xxvi] Center for Problem Oriented Policing. http://www.popcenter.org/problems/child_pornography/4; and see: http://www.neowin.net/news/uk-isp-bt-broadband-to-block-porn-for-new-customers-by-default

[xxvii] The Information Warfare Monitor Project, “The Dark Space Project,” 2012, accessed June 21, 2014, http://www.infowar-monitor.net/and seehttp://www.dhs.gov/national-cybersecurity-protection-system-ncps and http://www.dhs.gov/sites/default/files/publications/privacy/privacy-pia-nppd-ncps.pdf.

[xxviii] Melissa E. Hathaway and John E. Savage, “Stewardship of Cyberspace: Duties for Internet Service Providers,” Ibid.

[xxix] Melissa E. Hathaway, “Advanced Research Workshop Findings,” in Best Practices in Computer Network Defense: Incident Detection and Response (IOS Press, February 2014).

[xxx] Danielle Walker, “GCHQ used fake LinkedIn, Slashdot pages to spy on Belgacom Employees,” SC Magazine, November 11, 2013, accessed June 21, 2014, http://www.scmagazine.com/gchq-used-fake-linkedin-slashdot-pages-to-spy-on-belgacom-employees/article/320471/.

[xxxi] “Hotel scammers with fake wi-fi want your credit card information, ABC News, April 1, 2013, http://www.abcactionnews.com/news/local-news/i-team-investigates/hotel-scammers-with-fake-wi-fi-want-your-credit-card-information

[xxxii] John N. Stewart, “Advanced Technologies/Tactics, Techniques, Procedures: Closing the Attack Window, and Thresholds for Reporting and Containment,” in Best Practices in Computer Network Defense: Incident Detection and Response (IOS Press, February 2014), http://www.cisco.com/web/about/security/intelligence/JNS_TTPs.pdf.

[xxxiii] Secunia, Secunia Country Reports: Germany, 2014, http://secunia.com/resources/countryreports/de/.

[xxxiv] SANS, SANS Critical Security Controls, 2014, http://www.sans.org/critical-security-controls/.

[xxxv] EU Directive on Network and Information Security; See: North American Electric Reliability Corporation (NERC) signed Order 791 on Critical Infrastructure Protection (version 5) Cybersecurity Standards; See: National Defense Authorization Act (NDAA) of 2013; See: Directive 95/46/EC Data Protection Directive.

[xxxvi] Melissa E. Hathaway, “Toward a Closer Digital Alliance,” SAIS Review of International Affairs, vol. XXX, no. 2 (November 18, 2010).

[xxxvii] Melissa E. Hathaway, “Advanced Research Workshop Findings,” Ibid.

[xxxviii] Cyber Asset definition includes cyber assets that “if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, mis-operation, or non-operation, adversely impact one or more facilities, systems, or equipment.” For more information on this, see: https://www.ferc.gov/whats-new/comm-meet/2014/032014/E-5.pdf.

[xxxix] Department of Homeland Security, “Executive Order 13636: Improving Critical Infrastructure Cybersecurity,” June 12, 2013, http://www.dhs.gov/sites/default/files/publications/dhs-eo13636-summary-report-cybersecurity-incentives-study_0.pdf.

[xl] Melissa E. Hathaway, “Falling Prey to Cybercrime: Implications for Business and the Economy,” in Securing Cyberspace: A New Domain for National Security (Aspen Institute Press, 2012) 145-157.

[xli] It should be noted that companies could and should do this as well.

[xlii] Securities and Exchange Commission (SEC), “Video: Cybersecurity Roundtable,” March 26, 2014, http://www.sec.gov/news/otherwebcasts/2014/cybersecurity-roundtable-032614.shtml.

[xliii] Melissa E. Hathaway, “Creating the Demand Curve for Cybersecurity,” Georgetown Journal of International Affairs, Special Issue 2011: 163-170.

[xliv] Credit Risk Monitor, “Directory of Public Companies in United States,” (NASDAQ listing, NYSE listing, and Company Index), http://www.crmz.com/Directory/CountryUS.htm.

[xlv] Calculated by the number of corporations total minus the number attesting today.

[xlvi] Dejan Kosutic, “How much does ISO 27001 implementation cost?,” The Dejan Kosutic Blog, February 8, 2011, http://blog.iso27001standard.com/2011/02/08/how-much-does-iso-27001-implementation-cost/.

[xlvii] Melissa E. Hathaway and John N. Stewart, “The Cyber Readiness Index- Enterprise Version 1.0,” 2014.