Cause Evaluation: Cybersecurity
I’m interested in doing a decently hard pivot with my life into the internet privacy (and security) space. Here, I explore, at a very high-level, the scope of the problems in these fields, in order to get a sense of an order-of-magnitude of the problems involved.
In this post, I am looking into: What scale of social impact would improvements to policies surrounding internet cybersecurity make? I will focus on security because the effects of security are more quantifiable and tangible; and I will save a more in-depth analysis of privacy for a later date.
Fast facts + context
The social cost per leaked PII record is around 150-180$ (IBM data breach report)
Looking into just the Fintech market (from the IBM data breach report):
We can low-ball that there are 5,000 Financial institutions in the US. (plaid)
Cyber attack stats:
Frequency of an attack: 2-4 times per year
Likelihood of successful attack: 5% - 15%
500,000 to 1M- Estimated number of sensitive records in a database
75 - 100% PII/PCI - Estimated percentage that contain PII
“4.24m is the average cost of a data breach”
“high level of compliance failures [were] associated with breach costs $2.3 million higher than breach costs at organizations without this factor present.”
We can estimate that strong compliance can decrease costs by ~50%.
Putting these numbers in context: Current spend on cybersecurity products:
For 2019, they forecast the market to grow to $124 billion, and $170.4 billion in 2022 (Gartner).
“By 2020, we expect IT analysts covering cybersecurity will be predicting five-year spending forecasts (to 2025) (cybersecurity ventures).
U.S. Government spending on cybersecurity: The 2019 U.S. President’s budget includes $15 billion for cybersecurity, a $583.4 million (4.1 percent) increase over 2018. The Department of Defense (DoD) was the largest contributor to the budget. The DoD reported $8.5 billion in cybersecurity funding in 2019, a $340 million (4.2 percent) increase over 2018.
Estimate of potential benefits from improved cybersecurity regulation and compliance
Just for the financial sector:
The low-ball estimate of costs due to insufficient cybersecurity compliance and regulation:
2 * 15% * 500k record * 75% * 180$/record = 6.75 M per org
Social Cost for Fin-tech : low-ball 30 Billion/yr (a mid-level estimate is 500 Billion).
50% reduction would mean ~30/2 to ~500/2 Billion $ /yr.
Even a 10% effect would range from 1.5 Billion to 25 Billion/yr.
Additionally there are 16 other industries (Public sector, Media..). Potentially multiplying the effect by 17x, to range from 25 to 425 billion per year.
And on top of this, security and privacy have trickle down effects like improved democratic processes (e.g. weaker monopolies and stronger elections).
Evidence that cybersecurity is still relatively neglected
Market based argument: cybersecurity has a 0% unemployment rate (link)
Software positions for security experts routinely go unfilled.
Events like the Equifax hack (2017) and SolarWinds are occurring regularly (2020 hacks)
Cybersecurity market is forecast to be around $170.4 billion in 2022, which is less than the estimate of social benefit of just improving compliance.
Right now we have a dearth of technical people in policy making. (Bridging the Gap).
How effective could policy changes be?
Congress is relatively immobile, and the US court system is extremely precedent-based. Any effect on laws + legal cases that occur now will have a strong effect in future laws.
There is strong momentum now, and we have a lot of laws and court cases coming up (36 states, D.C. sue Google; Executive Order on Improving the Nation’s Cybersecurity; CCPA; Virginia passes comprehensive privacy bill)
What can people and organizations do?
Some top advice right now is simply to “bridge the gap” to develop more intelligent policies. Philanthropy organizations like OpenPhil can fund getting tech people + policy people talking with one another.
Organizations like OpenPhil can put more resources in programs like its new tech policy fellows program.
See my post on Better Hedges (in Public Interest-Technology)
Organizations like OpenPhil can give grants to individuals and other organizations to produce more good standards for security + privacy.
Organizations like 80,000 hours can support getting tech people working in government, at places like CISA.
I also think that there is room for the creation of an entirely new organization to get tech people to directly consult for policy people.
CISA, 18F, the USDS, and CSET have been relatively new organizations that have had a really strong, positive impact on the government. New organizations that are similarly organized are one potential direction (though, this is more of a thought exercise than anything else). As a rough cost estimate:
We can estimate that the average tech employee salary is 200k$ in the US. With 10 employees allocated for each of 50 states, and 50 federal level employees. 550 employees * 200k$ = ~110 million dollars.
And this is a dramatically larger number than is really needed (180 employees work at the USDS, which has quickly garnered respect in the tech industry and had a positive impact on the US government).
I’d guess that a moderate systemic change can be created with only 2 employees per state and 10 at the federal level (~22 million dollars per year).