The Cost of Cybersecurity
A January 2020 article in Cybersecurity magazine began with the assertion that "managing cybersecurity risk has taken center stage in organizations within the private and public sector of industrialized economies around the world. Indeed, in today's interconnected digital world, managing cybersecurity risk has become a critical component of an organization's enterprise risk management program." With this risk management come costs. And with rising risks come rising costs.
Gartner identifies the costs paid to improve security and manage this risk as rising: organizations spent, for example, $81.6 billion in 2016 on information security, an increase of 7.9 percent over the previous year. This cost is to mitigate risks based on an "average cost of losing sensitive information [of] approximately $4 billion."
The White House also cited industry forecasts prepared by Gartner Inc. to indicate that U.S. private sector spending on cybersecurity probably rose 8.7 percent in fiscal 2019 to $124 billion, far outstripping federal spending on cybersecurity. A similar report from Gartner in early 2017 noted that private entities are moving away from a prevention-only focus and moving toward a defense-in-depth approach by enhancing capabilities to detect and respond to cybersecurity incidents.
The International Data Corporation predicts that spending will continue to grow, and at a faster rate than overall IT spending, reaching $101.6 billion in 2020.
A 2019 Cybersecurity Market Report sponsored by Secure Anchor asserts that, in 2004, the global cybersecurity market was worth $3.5 billion; thirteen years later, it was expected to be worth more than $120 billion, growing by roughly 35 times. Cybersecurity Ventures predicts global spending on cybersecurity products and services will exceed $1 trillion cumulatively over the five-year period from 2017 to 2021. "While all other tech sectors are driven by reducing inefficiencies and increasing productivity, cybersecurity spending is driven by cybercrime. The unprecedented cybercriminal activity we are witnessing is generating so much cyber spending, it's become nearly impossible for analysts to accurately track," comments the editor.
The US government is set to allocate $18.78 billion for cybersecurity spending in 2021. The Department of Defense (DoD) in the September 2018 Cyber Strategy report outlines the main threats that the US faces: "Competitors deterred from engaging the United States and our allies in an armed conflict are using cyberspace operations to steal our technology, disrupt our government and commerce, challenge our democratic processes, and threaten our critical infrastructure." Among federal agencies, DoD requested the most funding by far, at $9.85 billion. This budget amounts to over 52% of federal cybersecurity spending. But compared to 2020, the DoD cybersecurity funding actually decreased by 2.27%.
The Department of Homeland Security (DHS) cybersecurity budget is a distant second at $2.6 billion, about 13.87% of the total requested budget. DHS's main priority is to protect the federal government's digital infrastructure against cyber intrusions. For 2021, DHS requested $30 million more funding than it did in 2020, a 1.17% increase.
Spending assessments are difficult to calculate. Forecasts are challenged to keep pace with the dramatic rise in cybercrime, ransomware, the migration of malware to smartphones and mobile devices, the deployment of billions of under-protected Internet of Things (IoT) devices, hackers-for-hire, and increasingly sophisticated cyberattacks launched at business, government, educational institutions, and consumers. "With the increase of cyberattacks occurring, organizations continue to spend more money on security; however, they often spend it in the wrong areas," says Secure Anchor's Dr. Eric Cole. "If a company has un-patched servers, data not properly encrypted and data visible from the Internet without proper classification, and they're spending all of their security budget solely on these top priority items and not able to fix it, then companies aren't spending enough on security. However, if you aren't doing these foundation items but spending millions on the latest and greatest because they're cool, you're potentially spending enough, just in the wrong area."
A recent study by Deloitte and the Financial Services Information Sharing and Analysis Center quoted by AT&T found that financial services on average spend 10% of their IT budgets on cybersecurity, approximately 0.2% to 0.9% of company revenue. Microsoft CEO Satya Nadella revealed in a statement that the tech giant "will invest more than $1 billion each year in cybersecurity for the foreseeable future." Finally, it's worth noting that the 2019 U.S. President's budget allocated $15 billion in spending on cybersecurity, about 0.3% of the entire fiscal budget ($4.746 trillion).
One consultant noted that cybersecurity budgets are essentially the cost to meet compliance. Most seem to be a subset amount carved out of the total IT budget, typically around 3-5%. Most of that budget revolves around (many) tools and few people running them. Security maturity developed around a framework with associated people, process, and tech seems to be lacking for many.
These analyses and reports focus on direct costs such as hardware and software, incident response, hiring and training, and compliance. The cost of cybersecurity research and development is not clearly identified in these studies. A decade ago, a paper titled "History of US Government Investments in Cybersecurity Research" was published that traces the history of cybersecurity research funding by the U.S. government, the challenges in accurately measuring the level of U.S. government research funding for cybersecurity, some of the legislative and bureaucratic mechanisms involved in funding and reporting such research, and a qualitative, personal perspective on the ups and downs of US cybersecurity research funding from the late 1960s to 2010. The essay was written for the thirtieth anniversary meeting of the IEEE Symposium on Security and Privacy, held in May 2010.
The value of such research was assessed more recently by Crossword Cybersecurity, which looked at nearly 1,200 current and past research projects from academic institutions in the United Kingdom, United States, Europe, Australia, and Africa. That assessment affirmed the value of cybersecurity research, with reported funding of EU projects at over €1 billion. Research, according to the article, has been focused in recent years on Cyber Physical Systems (CPS), privacy, the Internet of Things (IoT), and Cryptography. "The need to protect critical infrastructure has never been stronger as technology becomes more deeply embedded in every aspect of our daily lives. However, one apparent omission is research solely focused on the application of AI techniques to complex cybersecurity problems. We hope to see more of that in the future, as the industry works to stay ahead of the constantly evolving cybersecurity landscape," said Tom Ilube, CEO at Crossword Cybersecurity.
In the US, interest in AI has grown. The U.S. government has begun taking the first steps into officially supporting artificial intelligence research. AI had its own category in the president's budget request for 2020, with about $1 billion sought in funding for non-defense purposes. There has been a rapid acceleration of government interest and policy proposals regarding artificial intelligence and security, with 27 governments publishing official AI plans or initiatives by 2019. Many of these strategies focus more on countries' plans to fund more AI research activity, train more workers in this field, and encourage economic growth and innovation through development of AI technologies.
On January 24, 2020, the Congressional Research Service reported that estimated U.S. R&D expenditures in 2018 were $580.0 billion, of which $96.5 billion (16.6%) was for basic research, $115.0 billion (19.8%) for applied research, and $368.5 billion (63.5%) for development. This analysis is based on aggregated amounts; cybersecurity research is not identified as a specific R&D area.
A decade ago, Carl Landwehr described cybersecurity research in secure hardware, operating systems, programming languages, networks, and user interfaces; in security requirements, tools for developing systems that can meet those requirements, and methods for assessing the extent to which the developed system really does meet those requirements. There is research in detecting and recovering from compromises, and in forensics to determine how the compromise occurred and who did it. "One of the fundamental technologies used to provide both security and privacy is cryptography, which probes deep into the heart of the theory of computer science," says Landwehr.
Government-funded research includes grants supported by agencies such as NSF, DARPA, IARPA, DHS, ONR, AFOSR, ARL, and others. For example, the NSF Cybersecurity Innovation for Cyberinfrastructure (CICI) program supports research to develop, deploy and integrate "security solutions that benefit the scientific community by ensuring the integrity, resilience and reliability of the end-to-end scientific workflow." The program solicits research projects in the areas of Secure Scientific Cyberinfrastructure, Research Data Protection, and Cybersecurity Center of Excellence.
DARPA is currently focused on their AI Next Campaign and Hyper-Dimensional Data Enabled Neural Networks. Ongoing research interests include Artificial Intelligence, Intelligent Neural Interfaces (INI), Photonic Edge AI Compact Hardware, Quantifying Ensemble Diversity for Robust Machine Learning, Teaching AI to Leverage Overlooked Residuals, The Physics of Artificial Intelligence, and Serial Interactions in Imperfect Information Games Applied to Complex Military Decision Making. Other areas include quantum computing, very large scale integration, and deep learning.
The need for cybersecurity and for cybersecurity research has become increasingly clear over the past decades. How much adequate security will cost remains something of an unknown. While we can track budgets and expenditures, the ability to forecast is limited by the rapid growth in new attack methods, techniques and players. Developing the capacity to get ahead of the bad guys will continue to require significant research efforts.