190 likes | 342 Views
The Political Economy of Cybersecurity. Jon Lindsay UC Institute on Global Conflict and Cooperation University of California, San Diego Osher Institute 5 March 2013. Questions to Explore. How has the cybersecurity situation in the U.S. changed recently?
E N D
The Political Economy of Cybersecurity Jon Lindsay UC Institute on Global Conflict and Cooperation University of California, San Diego Osher Institute 5 March 2013
Questions to Explore • How has the cybersecurity situation in the U.S. changed recently? • Why is U.S. cyber policy still so uncertain? • Can markets improve cybersecurity by themselves? • How do market failures create insecurity? • Can government cyber policy remedy market imperfections? • When do the remedies make the problems worse?
“incidents that have placed sensitive information at risk, with potentially serious impacts on federal operations, assets, and people….[e.g.,] installation of malware, improper use of computing resources, and unauthorized access to systems”
Cybersecurity Evolving • 1957-1990 B.C. – “Before Cyberspace” • Invention • 1991 –WWW • Experimentation • 2001 –September 11th • Institutionalization • 2010 –Google, Stuxnet, Wikileaks, Cybercom • Maturation
The New Cybersecurity Debate • Perception of the threat: • 2000s: “Digital Pearl Harbor” (CNA) • 2010s: “Death by a Thousand Cuts” (CNE) • Targets affected: • 2000s: Government and military • 2010s: Private and commercial • Representation of US Posture: • 2000s: US defense is vulnerable • 2010s: US offense is formidable
Advanced Persistent Threat • Publicly reported intrusions • Earliest activity estimate
U.S. Strategic Context • Combat Fatigue • Exit from Iraq • Bin Laden Dead • Drawdown in Afghanistan • Rise of China • Pivot to Asia • Indigenous Innovation (自主创新) • Follow the Money • Financial crash and budgetary austerity • Maturing cybersecurity industrial complex • Internet innovation: cloud, mobile, supply chains
Fundamental Economic & Political Tradeoffs in Society • Markets are good for… • Innovation • Value Creation • Competition • Self-Organization • …but markets can fail • Externalities • Asym. Info & Bubbles • Monopoly, Collusion • Collective Action Prob • Gov’t is useful for… • Prop Rights & Regulation • Standards & Reporting • Anti-Trust & Trade Policy • Planning & Enforcement • …but gov’t fails too • Lock-in • Myopia & Oversell • Capture & Pork • Friction & Deadlock
Markets Drive Cybersecurity • Global cybercrime ecosystem • Advertising • Theft & Fraud • Infrastructure & Service • Growing cybersecurity industry • Antivirus, firewalls, vendors, incident response • Customers want secure e-commerce and banking • Arms race between “black hats” and “white hats” • Efficacy of market-based defense is understudied • "The primary business model of the Internet is built on mass surveillance“ –Bruce Schneier
Market Failures Complicate Cybersecurity • Externalities • Unpatched/compromised hosts harm 3rd parties • Network effects incentivize first-to-market • Information Asymmetry • How do you measure security? Distinguish IT “lemons”? • Firms don’t report intrusions to protect reputation • Cybersecurity industry competes on threat oversell • Imperfect Competition • Microsoft & Adobe monocultures • Outsourced supply chain creates vulnerabilities • Collective Action Problems • Coordinating user, firm, industry defenses • High-grade intelligence and active cyber defense • International coordination & diplomacy
Potential Government Remedies • Counter externalities • Enforce industrial security standards/liability • Subsidize security measures and incident response • Improve information quality • Mandatory or voluntary incident reporting • Intelligence sharing • Industrial policy • Use government buying power to reward security • Security-based technical trade barriers • National Cybersecurity Policy • Define strategy and responsibilities • Invest in intelligence, military, law enforcement capacity • Diplomacy, treaties, international organizations
Challenges to Govt Cyber Policy • Lock-in • Technological innovation vs. outdated laws/institutions • Intrusive surveillance vs. attenuated threat • Myopia & Oversell • Focused on standards compliance instead of monitoring outcomes • Threat inflation to overcome political opposition • Rent-Seeking, Capture, Pork • Cybersecurity industrial complex • Misuse/overuse of resources & intelligence • Political Friction & Deadlock • Intel, military, regulators, law enforcement, commerce, finance, media, lobbies…. • American government is fragmented by design
Separation of Powers in the U.S.A. “Wherever you are in D.C., power is elsewhere” • Sectoral: Public, Commercial, Non-profit • Horizontal: Executive, Legislative, Judicial • Vertical: Federal, State, Local • Internal: Agencies, Committees • Temporal: Reelection, Rotation • Political: Parties, Lobbies • International: Treaties, UN
Where are we now? • Market response is improving • Improved bureaucracy & capacity • Norm-based international strategy • Focused on preserving an eroding status quo • Treaties are a non-starter • Congressional legislation in perennial limbo • Agreement on executive powers • Effect on industrial innovation & efficiency • Protecting civil liberties—Especially post-Snowden! • Most urgent need: better information • Realistic threat assessment • Public information sharing • Legal framework for cyber operations
Summary • 2010 was a watershed year for cybersecurity: debate is now about foreign espionage in the private sector and U.S. offensive capacity • Cybersecurity is as much a political-economic issue as it is a technical problem • Public policy must balance risks of market failure against risks of policy failure • It could be worse.