The next American president will be tasked with deterring foreign government-sponsored cyber attacks against US citizens and companies. And under the current system, that task will be next to impossible. Cyber war is on the rise, from Russian cyber soldiers knocking out the power grid in Ukraine to Iranian hackers compromising American dams to Chinese agents stealing trade secrets from U.S. defense, technology, and pharmaceutical companies (to say nothing of the theft of millions of records from the Office of Personnel Management).
President Obama has threatened to retaliate against egregious cyber attacks with bombs and missiles, but as a former military man myself, I don’t think even a President Trump would have the gall to actually push the button.
Right now the government’s options for responding to cyber attacks are retaliation, sanctions, or, in very rare cases, individual indictments. These are insufficient for deterrence and ill-suited to the speed and reality of cyber warfare. Deterrence requires a credible threat. In the middle ages, kingdoms ensured the enforcement of peace treaties by exchanging their princes as hostages. In the Cold War, we had the doctrine of mutually assured destruction. Now we need something new. What if there was a way to deter cyber attacks by automatically hitting countries that launch them right where it hurts—in the wallet? What if Wall Street could solve a challenge that has confounded Silicon Valley and the NSA for years? Enter our unlikely hero: sophisticated financial instruments. Specifically, a kind of securitized cyber insurance that I will call Cyber Bonds.
Securitized insurance began with catastrophe bonds engineered in the wake of Hurricane Andrew in 1992. Hurricanes, like cyber attacks, are expensive to insure conventionally given that claims are not independent and often catastrophic. Catastrophe bonds solve this problem by securitizing the risk and passing it on to a wide pool of investors. The bonds pay handsome coupons to investors in seasons when natural disasters don’t happen, and liquidate the investment principal to pay for damages in seasons when they do.
A similar framework for Cyber Bonds would have three parts. First, each country would identify which companies and infrastructure are systemically important to the economy, and compel those entities to buy standardized cyber insurance policies. These companies would pay premiums into a national insurance pool from which damage claims for cyber attacks would be drawn. Second, each country would then securitize its insurance pool on the private market, creating country-specific Cyber Bonds. Third, at the next round of international cyber security talks, each country would agree to buy an untradeable basket of each other’s’ Cyber Bonds and hold them in their sovereign wealth funds that pay out pensions and stabilize government spending. (The equivalent for the US would be the Social Security Trust Fund.) Each basket would comprise Cyber Bonds from every country of the world and be weighted toward each country’s unique historical adversaries. Excess Cyber Bonds and investment-grade variants would be made available for investors to buy and trade on the secondary markets.
Much like a mortgage-backed security, each Cyber Bond would pay out a fraction of the total income generated by the pool of insurance contracts and lose principal in case of insolvency. Revenues generated by the sales of each Cyber Bond would be used for reserve funds to indemnify cyber loses, bolster cyber forensic capabilities, and cover administrative expenses.
The Real World Calculus
This system would change the calculus for countries like Russia, whose cyber operations currently operate largely unchecked. Before launching an attack against a foreign company, Vladimir Putin would have to worry about erasing billions of dollars from his own country’s pension funds, possibly leading to riots in the streets. With a system of Cyber Bonds in place, Putin would have financial incentive to remove domestic safe havens for criminal hackers, share threat intelligence, and actively protect foreign companies. If tensions reached the brink, and cyber war became unavoidable, the floating market price of tradable Cyber Bonds would provide useful warnings and threat intelligence about the security of the underlying companies.
Some might counter that financial losses aren’t sufficient to deter Russia. Though we don’t have an exact correlate to look at with cyber attacks, critics could highlight efforts to deter Putin’s military invasion of Crimea. US and EU sanctions crippled the Ruble and led to negative Russian GDP growth, but did not deter him from further occupation. Nor did it stop his domestic approval rating from jumping 20-points. If the attack were cyber in nature, Cyber Bonds can actually correct a number of shortcomings with sanctions-based deterrence because they are more definite, immediate, targeted, and productive.
Under a Cyber Bond system, any cyber attack against Ukrainian companies would cause a massive and calculable drop in the value of the Ukrainian Cyber Bonds owned by Russia. The full cost of cyber attacks would be extracted from bond-holding countries as soon as the damage claims are adjudicated. Contrast that with the ad-hoc and piecemeal US and EU sanctions against Russia that took months to plan, three rounds to pass, and years to achieve full effect. In that time, Putin could plausibly believe that sanctions would get stymied in Congress, international resolve would fracture, and that his political elites could outmaneuver the restrictions, none of which is possible for Cyber Bonds. And unlike sanctions, Cyber Bonds have no middle man for Putin to vilify for domestic political gain.
Attribution for cyber attacks is notoriously hard. So, what happens in a Cyber Bond system if we can’t definitively determine the source of an attack? The answer may be startling, but it’s a simple one: with Cyber Bonds in place, forensic attribution is unnecessary. Cyber Bonds bypass an investigation by immediately punishing the most likely culprits: historical adversaries. An assessor would need only to determine that a cyber attack has occurred, calculate the damage, and indemnify the victim out of the national insurance pool, a large proportion of which would be held by that country’s historical enemies.
This is a radical idea, I know. For example, last Thursday Symantec researchers linked a series of multi-million dollar electronic bank thefts in Bangladesh, the Philippines, and Vietnam to North Korea. If historical antagonists have to bear a disproportionate amount of those countries’ Cyber Bonds, is it fair that some innocent countries (in this case, China) would pay a substantial portion of the cost? The fact is that they already do.
Corporate cyber attacks rob the common investor, the laid-off employee, the wounded corporate partner, and tax-deprived governments all across the world. Insurance solves problems like these by spreading risk to minimize individual damage. Cyber Bonds are more equitable than both the status quo and conventional insurance, because they go further by shifting the cost of cyber attacks directly to those entities with the power to stop them. Countries may lack the political will to share threat intelligence about foreign cyber attacks, root out cyber criminals, or work through international organizations to bolster cyber security. But if they are forced to hold a basket of Cyber Bonds drawn from every other country in the world, each suddenly has a strong financial incentive to take these important steps. Many countries have also been reluctant to protect domestic companies in the cyber domain the way they do against military threats in the physical domain. Forcing those countries to hold their own Cyber Bonds aligns defensive priorities and acknowledges new security realities in cyberspace.
The fact is that in each of the recent cyber attacks from Stuxnet to Sony, those initially thought responsible were the ones eventually proved guilty through multi-year investigations. Weighting the allocation of Cyber Bonds toward those countries with historical antagonism is an elegant way to acknowledge this reality. Waiting for 100-percent confirmation is a recipe for inaction—the opposite of deterrence. Currently, lengthy investigations delay payment to the victim, prolong economic damage, and allow guilty parties the chance to avoid penalties through deception, delay, and coercion.
Getting to Yes and Staying There
Getting the global community to sign such a Cyber Bond treaty would be difficult, of course. But it’s not impossible. The fact that the 2015 United Nations Climate Change Conference in Paris was able to achieve a consensus agreement among 195 countries to reduce carbon emissions bodes well for an agreement in cyber. However unlike carbon emissions caps where every country would retain incentives to cheat, once a Cyber Bond agreement is in place, every country would have incentive to join and cooperate because no nation would want to be left out of the common protection pool.
Imagine a Cyber Bond treaty that began by covering Systemically Important Financial Institutions (SIFIs) in the US and EU. Those institutions like Deutsche Bank and Bank of America would be insured against cyber attack at the same time that their premiums provided potentially handsome dividends, uncorrelated with the market, to their sovereign wealth funds. China might still try to hack banks like CitiGroup, but any damage done would now be mitigated, and a large set of backers would now be invested in their defense. Meanwhile Chinese Banks like ICBC would be completely exposed. To gain similar protection, Xi Jingping would clamor to join the Cyber Bond Treaty, and thereby gain financial incentives to stop his country’s offensive cyber operations. Because the treaty would obligate China to hold a large fraction of Cyber Bonds from historical adversaries like Vietnam and the Philippines, Xi would then also have financial incentive to reign in or block the cyber operations of rogue states like North Korea.
The system is scalable so new entrants can easily join. Israel and the United States have similar levels of connectivity with dissimilarly sized populations and economies. By devoting a fixed percentage of their sovereign wealth funds to Cyber Bonds, we ensure that each government feels a similar anxiety for curbing cyber attacks while recognizing that, in absolute terms, the bulk of the responsibility belongs to larger countries. Selling tradable investment-grade Cyber Bonds on the open market could open up an enormous pool of money that can be used to underwrite these policies and increases the number of stakeholders.
We should not shy away from suggesting new solutions because they might be hard to implement. The best thing about this system is that once in place, it would be fairly self-sustaining. Additionally, nothing about Cyber Bonds supersedes existing treaties or takes the option of military retaliation off the table. Sophisticated derivative financial instruments may have contributed to the last economic disaster, but perhaps they can help prevent the next one.