Date post: 31-Mar-2015
The Political Economy of Cybersecurity Jon Lindsay UC Institute on Global Conflict and Cooperation University of California, San Diego Osher Institute 5 March 2013
Transcript
Page 1: Jon Lindsay UC Institute on Global Conflict and Cooperation University of California, San Diego Osher Institute 5 March 2013.

The Political Economy of Cybersecurity

Jon Lindsay
UC Institute on Global Conflict and Cooperation
University of California, San Diego

Osher Institute
5 March 2013

Page 2

Questions to Explore

- How has the cybersecurity situation in the U.S. changed recently?
  - Why is U.S. cyber policy still so uncertain?
- Can markets improve cybersecurity by themselves?
  - How do market failures create insecurity?
- Can government cyber policy remedy market imperfections?
  - When do the remedies make the problems worse?

Page 3

“incidents that have placed sensitive information at risk, with potentially serious impacts on federal operations, assets, and people….[e.g.,] installation of malware, improper use of computing resources, and unauthorized access to systems”

Page 4

Cybersecurity Evolving

- 1957-1990 B.C. – “Before Cyberspace”
  - Invention
- 1991 – WWW
  - Experimentation
- 2001 – September 11th
  - Institutionalization
- 2010 – Google, Stuxnet, Wikileaks, Cybercom
  - Maturation

Page 5

The New Cybersecurity Debate

- Perception of the threat:
  - 2000s: “Digital Pearl Harbor” (CNA)
  - 2010s: “Death by a Thousand Cuts” (CNE)
- Targets affected:
  - 2000s: Government and military
  - 2010s: Private and commercial
- Representation of US Posture:
  - 2000s: US defense is vulnerable
  - 2010s: US offense is formidable

Page 6

[Figure: timeline of Advanced Persistent Threat campaigns, 2002 to 2014. Legend: publicly reported intrusions; earliest activity estimate. Labels on the chart: Titan Rain, State Dept, BIS, NWC, Sec Def, Rep Wolf, Ghost Net, JSF, Aurora, Shadow Net, Stuxnet, Byzantine Hades, Night Dragon, RSA, Shady RAT, Duqu, Nitro, Taidoor, Luckycat, Flame, Gauss, Shamoon, Elderwood, Cyber-Sitter, Mahdi, Major US Media, Red October, APT1, Beebus, Telvent, QinetiQ, ASIO, SCADA Honeypot.]

Page 7

U.S. Strategic Context

- Combat Fatigue
  - Exit from Iraq
  - Bin Laden Dead
  - Drawdown in Afghanistan
- Rise of China
  - Pivot to Asia
  - Indigenous Innovation (自主创新)
- Follow the Money
  - Financial crash and budgetary austerity
  - Maturing cybersecurity industrial complex
  - Internet innovation: cloud, mobile, supply chains

Page 8

Page 9

Security Tradeoffs

Page 10

Fundamental Economic & Political Tradeoffs in Society

- Markets are good for…
  - Innovation
  - Value Creation
  - Competition
  - Self-Organization
- …but markets can fail
  - Externalities
  - Asym. Info & Bubbles
  - Monopoly, Collusion
  - Collective Action Prob
- Gov’t is useful for…
  - Prop Rights & Regulation
  - Standards & Reporting
  - Anti-Trust & Trade Policy
  - Planning & Enforcement
- …but gov’t fails too
  - Lock-in
  - Myopia & Oversell
  - Capture & Pork
  - Friction & Deadlock

Page 11

Markets Drive Cybersecurity

- Global cybercrime ecosystem
  - Advertising
  - Theft & Fraud
  - Infrastructure & Service
- Growing cybersecurity industry
  - Antivirus, firewalls, vendors, incident response
  - Customers want secure e-commerce and banking
- Arms race between “black hats” and “white hats”
  - Efficacy of market-based defense is understudied

“The primary business model of the Internet is built on mass surveillance” – Bruce Schneier

Page 12

Page 13

Market Failures Complicate Cybersecurity

- Externalities
  - Unpatched/compromised hosts harm 3rd parties
  - Network effects incentivize first-to-market
- Information Asymmetry
  - How do you measure security? Distinguish IT “lemons”?
  - Firms don’t report intrusions to protect reputation
  - Cybersecurity industry competes on threat oversell
- Imperfect Competition
  - Microsoft & Adobe monocultures
  - Outsourced supply chain creates vulnerabilities
- Collective Action Problems
  - Coordinating user, firm, industry defenses
  - High-grade intelligence and active cyber defense
  - International coordination & diplomacy

Page 14

Potential Government Remedies

- Counter externalities
  - Enforce industrial security standards/liability
  - Subsidize security measures and incident response
- Improve information quality
  - Mandatory or voluntary incident reporting
  - Intelligence sharing
- Industrial policy
  - Use government buying power to reward security
  - Security-based technical trade barriers
- National Cybersecurity Policy
  - Define strategy and responsibilities
  - Invest in intelligence, military, law enforcement capacity
  - Diplomacy, treaties, international organizations

Page 15

Challenges to Govt Cyber Policy

- Lock-in
  - Technological innovation vs. outdated laws/institutions
  - Intrusive surveillance vs. attenuated threat
- Myopia & Oversell
  - Focused on standards compliance instead of monitoring outcomes
  - Threat inflation to overcome political opposition
- Rent-Seeking, Capture, Pork
  - Cybersecurity industrial complex
  - Misuse/overuse of resources & intelligence
- Political Friction & Deadlock
  - Intel, military, regulators, law enforcement, commerce, finance, media, lobbies….
  - American government is fragmented by design

Page 16

Separation of Powers in the U.S.A.

- Sectoral: Public, Commercial, Non-profit
- Horizontal: Executive, Legislative, Judicial
- Vertical: Federal, State, Local
- Internal: Agencies, Committees
- Temporal: Reelection, Rotation
- Political: Parties, Lobbies
- International: Treaties, UN

“Wherever you are in D.C., power is elsewhere”

Page 17

Where are we now?

- Market response is improving
- Improved bureaucracy & capacity
- Norm-based international strategy
  - Focused on preserving an eroding status quo
  - Treaties are a non-starter
- Congressional legislation in perennial limbo
  - Agreement on executive powers
  - Effect on industrial innovation & efficiency
  - Protecting civil liberties—Especially post-Snowden!
- Most urgent need: better information
  - Realistic threat assessment
  - Public information sharing
  - Legal framework for cyber operations

Page 18

Summary

- 2010 was a watershed year for cybersecurity: debate is now about foreign espionage in the private sector and U.S. offensive capacity
- Cybersecurity is as much a political-economic issue as it is a technical problem
- Public policy must balance risks of market failure against risks of policy failure
- It could be worse.

Page 19

Questions

