Systems Models and Ideologies
Cybersecurity and economics as both a system model and an ideology share many similarities.
Cybersecurity is a system model for the protection of internet-connected systems – including hardware, software and data – from cyberattacks. Economics is a social science that studies the production, distribution and consumption of goods and services. While one is a system and the other is an ideology, economics is often expressed as a system model and cybersecurity as an ideology.
An ideology is a collection of normative beliefs and values held for other than purely epistemic (based on knowledge) reasons.
Examples?
Products, Production, Profits
The cybersecurity system model is presented as a regularly interacting or interdependent group of products and services forming a unified whole integrated with a network especially designed for defense against cybersecurity attacks. The capitalist economic system model operates on a group of regularly interacting mechanisms that are designed to assure the private ownership of the means of production and their operation for profit.
The cybersecurity ideology is the collection of normative beliefs and values held by the InfoSec community that ascribe to the ideals of good (lawfulness) triumphing over evil (cybercriminals).
Economic ideologies range from Marxism, which is an economic ideology in which the concept of class struggle plays a central role in understanding society’s allegedly inevitable development from bourgeois oppression under capitalism to a socialist and ultimately classless society, to capitalism which believes that the most efficient and balanced model for growth and economic health is one in which the underlying system is based on the private ownership of the means of production and their operation for profit.
Question and Answer
The question here is whether understanding the relationship between these two apparently disparate fields can tell us anything about why we appear to be losing the war against cybercrime and whether there are clues from the science of economics that we can use to shift the course in our favor.
I remember taking some economics courses in college, though it was not my major. As I recall, this notion of workers being paid less than the value they create comes right out of the Karl Marx thesis about the “Labour Theory of Value,” where he posits that:
“A cow doesn’t slaughter itself and magically transform itself into a pair of leather shoes. That only happens because workers apply labor to the cow’s corpse, turning its skin into leather and then sewing that leather into shoes. Only after labor has been applied do shoes have any value. It’s the labor that creates the value, not just the fact that the shoes can be traded for cash.”
With an amazingly limited world view, Marx believed for example that capitalism was inherently unstable precisely because workers are not paid the full value of their labor, and precisely because it is impossible for capitalists to pay them the full value without going bankrupt. A weird closed logic loop that supposes a zero-sum game where none exists.
Greedy Capitalists
To further aggravate Marx, the reality is that not all profits are invested in new equipment. Factory owners take a slice for themselves, and it is a much bigger slice than the workers get. Why and how is that fair? Well, let’s see. It was the factory owners’ (aka capitalists’ and today Venture Capitalists’ and oh by the way, workers’ pension funds like CalPERS who benefit immensely from these investments) money that brought the factory into existence. And the inevitable collapse that Marx foresaw is usually avoided through the reinvestment of capital into new ventures, like maybe a coat factory, that in turn creates new jobs for workers who can then afford to buy all those shoes.
Factory bosses (aka capitalists) always get richer than their workers, which results in two groups of people doing the same thing (making shoes or coats) but being paid wildly unequal sums for doing so. It is inarguable that in 2021 the share of national income going to the top 1% of earners is increasing while the share of income going to the bottom 50% of people is declining.
Divvying up Pieces of the Pie
The rich get richer. And everyone else shares in a smaller slice of pie.
That is precisely how capitalism works, and it is a system model and not an ideology which has been the foundation underneath our constitution since it was imagined, created and signed back in 1787. You can try to argue that Marxism is morally superior to the capitalist model, but you would be hard pressed to find much of an audience in Cuba or Venezuela unless you were lunching in the royal palace.
If you saw Hamilton, you might now have an alternative view (than the one you were taught in school) of the history of an ambitious young Alexander upon his arrival in America from a different form of government he knew on the small island where he was born.
Land of Opportunity
It is why America is the most desired country on the planet and why in spite of frequent capitalistic greed-fueled financial recessions, depressions, corruptions and collapses, the system manages to survive all of the accidental and purposeful challenges and soldiers on. It continues to provide unlimited opportunities for entrepreneurs like Benioff, Gates, Allen, McChord, Moore, Omidyar, Dangermond, Zuckerberg, Sandberg, Chan, Dell and the other 50 or so success stories who have given $15 billion to charity just last year alone. With a ‘B’.
And to the future gazillionaires who will follow in their footsteps after the lockup following the 576 IPOs as of June 30, 2021. Which, by the way, is +487.8% more than the same time in 2020, which had 98 IPOs by this date.
Economists’ Concern Over Inequality
On the other hand, folks concerned about fiscal equity are not alone in worrying about what workers get paid. They are joined by a surprising number of investment bank analysts at money places like Citi, HSBC and Macquarie who are convinced that inequality and low pay may lead to recessions, or at the very least hold back economic growth. While these folks are obviously not Marxists, they are in fact economists and are genuinely concerned that inequality in the U.S. and the West is becoming so extreme that ordinary people won’t have enough money to keep the economy going.
As folks in the SF Bay Area brace themselves for the flood of the 10,000 instant millionaires those IPOs will create, some local economists fear that $3 million-dollar homes today will be selling for $10 million in September.
In the cybersecurity business, the system model operates in much the same way as capitalism.
Modern Day Shoe Factories
Individuals have an idea, they seek and receive investment capital to develop their product or service (or “solution” in the vernacular) and some of them succeed and create the equivalent of modern day shoe factories. As expected, the factory workers get paid relatively little to produce the shoes (or code) from the raw material (compute power) creating a whole lot more value than the wages they are paid and a disparity between the workers’ pay and the factory net incomes expands enormously. This allows the factory owners to reinvest that capital into the acquisition of smaller companies with great ideas and pay themselves and their investors handsomely in the process, because that is where the capital to start the business in the first place came from.
In that process, more new factory jobs are created and the few really dominant factories begin to form partnerships with smaller more agile companies to create vertical cabals enabling further domination of a particular specialty, say athletic shoes or in the case of cybersecurity, Endpoint Detection and Response (EDR). This system model assures that capital is applied in the most efficient way possible and that the most successful companies are able to sustain that success through market performance and social associations like the annual RSA conference. Or in the case of enterprise software, Oracle OpenWorld, SAPPHIRE or the former MACWorld expo which offered similar assurances to Apple devotees.
Good vs. Evil
It is through these associations where the ideology of cybersecurity bumps up against the system model and results in an apparent contradiction. The very essence of the social association we call RSAC is the ideology that insists that the community is in a morally correct struggle against the evil of the cybercriminals who are intent upon stealing information assets (PII, credit data, IP, health records, etc.) and the adversarial nation-state actors who are attempting to dominate and control through disruption, destruction and outright theft. But the tools created by the system model are insufficient to combat the evil enemy.
These Shoes Weren’t Made for Walking
We have more shoes, but they don’t keep our feet dry, warm or protected from the mud and gravel.
So, while we are OK with the system model because most of us are paid handsomely to make the shoes even though “the bosses” make so much more, we no longer believe that the work we are doing is useful, that it has value, or is effective for its stated purpose.
We talk the talk, but the shoes won’t walk.
The Heartbeat of the Nation
In Timothy Carney’s excellently researched and extremely well-written book called Alienated America, he convincingly makes the case that social capital is the key to America’s success, and without it, we experience poverty, depression, isolation and the outlook prevalent within the pockets of our society that choose to seek solace in anarchy or others who found it an unusual form of presidential leadership. Just as civil society and local community are the beating heart of the American dream, so too is the collective belief among the 50,000 members of the InfoSec community who pilgrimage each year to the RSA Conference in San Francisco that we are winning this war against the bad guys in cyberspace.
MACWorld Expo no longer exists not because Apple stopped making cool product, but because the Apple tribe stopped believing in the mission.
Smoke and Mirrors
With a mountain of evidence supporting the notion that Marxism does not and has never worked, it is not hard to argue against those theses, but an equivalent mountain of evidence supports the case that we are losing this war in cybersecurity.
The former Chairman of RSA, Art Coviello, commented in his keynote speech at an earlier RSA Conference that “The security industry’s state of the union is precarious, attacks are escalating in intensity and sophistication, we are not turning out enough skilled personnel to fight the fight, the security technology industry has not kept up, no single product can provide true defense-in-depth, and on-balance, it’s not a pretty picture.” Seven years later and I am pretty sure Art would say that it has only gotten worse.
And in a very current assessment of our present state, Amit Yoran, now chairman and CEO of Tenable and the former president of RSA said, “It’s an industry that has fed and continues to feed, to a large extent, off of fearmongering, The millions of dollars that people are spending, all the hype and the sexy marketing and the AI and the anomaly-behavioral…whatever buzzword you want to use, it’s a bunch of smoke and mirrors.”
The Clock is Ticking
Yet, beneath all of the noise, blunder and hype, I hear the quiet voices of the CISO and InfoSec community questioning the mission, the focus of our targets, the rules of engagement and even the direction of the technology solutions. When the social capital erodes, and the community dissolves, the question becomes who then will mount the steed and tilt at windmills over that distant horizon?
Cyber has no Steve Jobs.
Is RSAC pondering the same question or has the strength of the system model destroyed the ideology on which it feeds? Like Apple needed its crusaders, RSAC needs the community of true believers it once had.
It is not too late, but the clock is ticking.