Date post: | 31-Dec-2015 |
Category: |
Documents |
Upload: | jael-warner |
View: | 23 times |
Download: | 0 times |
The Political Economy of Cybersecurity
Jon LindsayUC Institute on Global Conflict and Cooperation
University of California, San Diego
Osher Institute5 March 2013
Questions to ExploreHow has the cybersecurity situation in the
U.S. changed recently?Why is U.S. cyber policy still so uncertain?
Can markets improve cybersecurity by themselves?How do market failures create insecurity?
Can government cyber policy remedy market imperfections?When do the remedies make the problems
worse?
“incidents that have placed sensitive information at risk, with potentially serious impacts on federal operations, assets, and people….[e.g.,] installation of malware, improper use of computing resources, and unauthorized access to systems”
Cybersecurity Evolving1957-1990 B.C. – “Before Cyberspace”
Invention1991 –WWW
Experimentation2001 –September 11th
Institutionalization2010 –Google, Stuxnet, Wikileaks, Cybercom
Maturation
The New Cybersecurity DebatePerception of the threat:
2000s: “Digital Pearl Harbor” (CNA)2010s: “Death by a Thousand Cuts” (CNE)
Targets affected: 2000s: Government and military2010s: Private and commercial
Representation of US Posture: 2000s: US defense is vulnerable2010s: US offense is formidable
Titan RainState Dept
BISNWC
Sec DefRep Wolf
CampaignsGhost Net
JSFAurora
Shadow NetStuxnet
Byzantine HaydesNight Dragon
RSAShady RAT
DuquNitro
TaidoorLuckycat
FlameGauss
ShamoonElderwood
Cyber-SitterMahdi
Major US MediaRed October
APT1BeebusTelventQinetiQ
ASIOSCADA Honeypot
2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014
Advanced Persistent ThreatPublicly reported
intrusionsEarliest activity
estimate
U.S. Strategic ContextCombat Fatigue
Exit from IraqBin Laden DeadDrawdown in Afghanistan
Rise of ChinaPivot to AsiaIndigenous Innovation ( 自主创新 )
Follow the MoneyFinancial crash and budgetary austerity Maturing cybersecurity industrial complexInternet innovation: cloud, mobile, supply chains
Security Tradeoffs
Fundamental Economic & Political Tradeoffs in SocietyMarkets are good for…
InnovationValue CreationCompetitionSelf-Organization
…but markets can failExternalitiesAsym. Info & BubblesMonopoly, CollusionCollective Action Prob
Gov’t is useful for…Prop Rights &
RegulationStandards & ReportingAnti-Trust & Trade
PolicyPlanning & Enforcement
…but gov’t fails tooLock-inMyopia & OversellCapture & PorkFriction & Deadlock
Markets Drive CybersecurityGlobal cybercrime ecosystem
AdvertisingTheft & FraudInfrastructure & Service
Growing cybersecurity industryAntivirus, firewalls, vendors, incident responseCustomers want secure e-commerce and banking
Arms race between “black hats” and “white hats”Efficacy of market-based defense is understudied
"The primary business model of the Internet is built on mass surveillance“ –Bruce Schneier
Market Failures Complicate CybersecurityExternalities
Unpatched/compromised hosts harm 3rd partiesNetwork effects incentivize first-to-market
Information Asymmetry How do you measure security? Distinguish IT “lemons”?Firms don’t report intrusions to protect reputationCybersecurity industry competes on threat oversell
Imperfect CompetitionMicrosoft & Adobe monoculturesOutsourced supply chain creates vulnerabilities
Collective Action ProblemsCoordinating user, firm, industry defensesHigh-grade intelligence and active cyber defenseInternational coordination & diplomacy
Potential Government RemediesCounter externalities
Enforce industrial security standards/liabilitySubsidize security measures and incident response
Improve information qualityMandatory or voluntary incident reportingIntelligence sharing
Industrial policyUse government buying power to reward securitySecurity-based technical trade barriers
National Cybersecurity PolicyDefine strategy and responsibilitiesInvest in intelligence, military, law enforcement capacityDiplomacy, treaties, international organizations
Challenges to Govt Cyber PolicyLock-in
Technological innovation vs. outdated laws/institutions
Intrusive surveillance vs. attenuated threatMyopia & Oversell
Focused on standards compliance instead of monitoring outcomes
Threat inflation to overcome political oppositionRent-Seeking, Capture, Pork
Cybersecurity industrial complexMisuse/overuse of resources & intelligence
Political Friction & DeadlockIntel, military, regulators, law enforcement,
commerce, finance, media, lobbies….American government is fragmented by design
Separation of Powers in the U.S.A.
Sectoral: Public, Commercial, Non-profitHorizontal: Executive, Legislative, JudicialVertical: Federal, State, LocalInternal: Agencies, CommitteesTemporal: Reelection, RotationPolitical: Parties, LobbiesInternational: Treaties, UN
“Wherever you are in D.C., power is elsewhere”
Where are we now?Market response is improvingImproved bureaucracy & capacityNorm-based international strategy
Focused on preserving an eroding status quoTreaties are a non-starter
Congressional legislation in perennial limboAgreement on executive powersEffect on industrial innovation & efficiencyProtecting civil liberties—Especially post-Snowden!
Most urgent need: better informationRealistic threat assessmentPublic information sharingLegal framework for cyber operations
Summary2010 was a watershed year for cybersecurity:
debate is now about foreign espionage in the private sector and U.S. offensive capacity
Cybersecurity is as much a political-economic issue as it is a technical problem
Public policy must balance risks of market failure against risks of policy failure
It could be worse.
Questions