The environmental situation facing many nations in the mid-to-late 20th century was bleak. Industrial waste caused the Cuyahoga River in Cleveland to catch fire in 1969. The Rhine River was long one of the most polluted waterways in Europe, similarly catching fire in 1986. School children in Japan were dying from Mercury poisoning. Problems associated with drought and desertification were already underway in China; a process that has only quickened in the early 21st century. Into this world stepped seminal figures including the marine biologist Rachel Carson whose 1962 book, Silent Spring, documented the effects of widespread pesticide use in the United States and is credited with jumpstarting the modern environmental movement. Much like that time, the 21st century cybersecurity landscape is littered with failed attempts to manage the various facets of cyber attacks, from cybercrime and espionage, to nascent threats introduced below including cyber war and terrorism. But we are still waiting for our cyber Silent Spring.
In the search for analogies to get a better handle on the multifaceted cyber threat, we should not ignore the green movement. Consider the Aria hotel in Las Vegas, which is famous for more than its slot machines -- it is also known for its wet towels. "'We say, if you want us to wash your towels every day, we will do it, just let us know,' says Cindy Ortega, chief sustainability officer for MGM Resorts, which owns Aria, 'but other than that, we're just going to hang the towels up every night.'" Such measures may seem small, but they add up to Aria being a pioneer in sustainability. It is saving a bundle, and generating business in the process. Large multinationals such as IBM provide surveys to Aria that ask questions about everything from waste recycling to water use (hence the wet towels). If Aria elected not to make investments in sustainability, it would be at a competitive disadvantage to its competitors that were.
The example of Aria is illuminating as applied to promoting cybersecurity for three reasons. First, it demonstrates that furthering a company's sustainability by promoting corporate social responsibility is not necessarily at odds with the bottom line; it can be a strategic advantage to firms allowing them to distinguish themselves and add value. The same may be said of investments to enhance cybersecurity, be they technological or organizational, allowing firms with best-in-class cybersecurity to charge a premium for their services. Second, the Aria example illustrates the cost savings that can come from investing in sustainability initiatives with a short return on investment. Although determining a cost-benefit analysis for cybersecurity investments is more problematic than figuring out the amount saved on utility bills, firms with more proactive cybersecurity investments have been shown to save in the event of cyber attacks. The third dimension to the Aria tale is the power of leveraging supply chains through information sharing to attain a corporate goal and even build trust. In this case, "IBM encourages MGM. MGM encourages its vendors. And more and more businesses feel pressure to go green." If more companies used the power of their supply chains to signal the need to invest in cybersecurity best practices, then the cause of sustainable cybersecurity could be enhanced.
Along with the growth of the sustainability movement generally in the private sector, there has been a concomitant evolution of tools designed to better inform managers about the various impacts of their business decisions. Among the most common sustainability reporting tools today, especially in Western Europe and the United States, is the Global Reporting Initiative (GRI). Nearly 7,000 organizations have submitted more than 17,000 GRI reports as of December 2014 making the framework the dominant sustainability-reporting standard for international business. The movement for a more robust disclosure regime for sustainability mirrors the clamoring by investors for more information regarding cyber attacks. In fact, it has been reported that, "almost 80 percent [of surveyed firms] would likely not consider investing in a company with a history of attacks." The Securities and Exchange Commission (SEC) published its views on disclosure requirements in 2011, and although it stopped short of requiring publicly traded firms to disclose all cyber attacks, it interpreted existing regulations broadly, for example, in requiring disclosure of "material" attacks leading to financial losses, and hinted that additional reporting requirements may be coming. Companies would be well-advised to get ahead of both the sustainability and cybersecurity regulatory curves and begin integrated reporting that combines a firm's impact on the environment, economy, and surrounding communities with its cybersecurity footprint.
Other tools drawn from the sustainability movement beyond integrated reporting may also have some application to enhancing cybersecurity. Elements within the private sector could also, for example, begin developing the digital equivalent of Leadership in Energy and Environmental Design (LEED standards), which would help identify firms with best-in-class cybersecurity. The program is a "voluntary, consensus-based, market-driven program that provides third-party verification of green buildings." As of October 2014, more than three billion square feet of building space were LEED certified in the United States. The NIST Cybersecurity Framework could provide a foundation on which to build a LEED-type cybersecurity certification scheme. Already, according to the White House, for example, Bank of America has announced that it is using the NIST Framework and will also require it of its vendors.
Rachel Carson's Silent Spring similarly was not written overnight, and it took years before the first Earth Day and decades more before tools matured for companies to more effectively measure and improve their sustainability goals. Unfortunately, we don't have decades to wait. The time for action is now, and the path forward includes learning from what has worked and what has not in other contexts including the green movement to pave a path toward sustainable cybersecurity. In the introduction of Silent Spring, Carson speaks of a once idyllic U.S. town now blighted by a "white granular powder ..." It was not caused by "witchcraft ... The people had done it to themselves." That is equally true in sustainability as cybersecurity; we are to blame, and we are the solution.
--
Scott Shackelford is an Assistant Professor of Business Law and Ethics at Indiana University. He is also a W. Glenn Campbell and Rita Ricardo-Campbell National Fellow at Stanford University's Hoover Institution, a Senior Fellow at the Center for Applied Cybersecurity Research, and a term member of the Council on Foreign Relations. The full article on which this op-ed is based is forthcoming with Professor Timothy L. Fort in the University of Illinois Law Review (2016), a draft of which is available here.