The Political Economy of Cybersecurity
Jon Lindsay
UC Institute on Global Conflict and Cooperation
University of California, San Diego
Osher Institute
5 March 2013
Questions to Explore
How has the cybersecurity situation in the U.S. changed recently?
Why is U.S. cyber policy still so uncertain?
Can markets improve cybersecurity by themselves?
How do market failures create insecurity?
Can government cyber policy remedy market imperfections?
When do the remedies make the problems worse?
“incidents that have placed sensitive information at risk, with potentially serious impacts on federal operations, assets, and people….[e.g.,] installation of malware, improper use of computing resources, and unauthorized access to systems”
Cybersecurity Evolving
1957-1990 B.C. – “Before Cyberspace”: Invention
1991 – WWW: Experimentation
2001 – September 11th: Institutionalization
2010 – Google, Stuxnet, Wikileaks, Cybercom: Maturation
The New Cybersecurity Debate
Perception of the threat:
2000s: “Digital Pearl Harbor” (CNA)
2010s: “Death by a Thousand Cuts” (CNE)
Targets affected:
2000s: Government and military
2010s: Private and commercial
Representation of US Posture:
2000s: US defense is vulnerable
2010s: US offense is formidable
Advanced Persistent Threat
[Timeline chart, 2002-2014: publicly reported intrusions and earliest-activity estimates]
Campaigns: Titan Rain, State Dept, BIS, NWC, Sec Def, Rep Wolf, Ghost Net, JSF, Aurora, Shadow Net, Stuxnet, Byzantine Hades, Night Dragon, RSA, Shady RAT, Duqu, Nitro, Taidoor, Luckycat, Flame, Gauss, Shamoon, Elderwood, Cyber-Sitter, Mahdi, Major US Media, Red October, APT1, Beebus, Telvent, QinetiQ, ASIO, SCADA Honeypot
U.S. Strategic Context
Combat Fatigue
Exit from Iraq
Bin Laden Dead
Drawdown in Afghanistan
Rise of China
Pivot to Asia
Indigenous Innovation (自主创新)
Follow the Money
Financial crash and budgetary austerity
Maturing cybersecurity industrial complex
Internet innovation: cloud, mobile, supply chains
Security Tradeoffs
Fundamental Economic & Political
Tradeoffs in Society
Markets are good for…
Innovation
Value Creation
Competition
Self-Organization
…but markets can fail
Externalities
Asym. Info & Bubbles
Monopoly, Collusion
Collective Action Prob
Gov’t is useful for…
Prop Rights & Regulation
Standards & Reporting
Anti-Trust & Trade Policy
Planning & Enforcement
…but gov’t fails too
Lock-in
Myopia & Oversell
Capture & Pork
Friction & Deadlock
Markets Drive Cybersecurity
Global cybercrime ecosystem
Advertising
Theft & Fraud
Infrastructure & Service
Growing cybersecurity industry
Antivirus, firewalls, vendors, incident response
Customers want secure e-commerce and banking
Arms race between “black hats” and “white hats”
Efficacy of market-based defense is understudied
“The primary business model of the Internet is built on mass surveillance” – Bruce Schneier
Market Failures Complicate Cybersecurity
Externalities
Unpatched/compromised hosts harm 3rd parties
Network effects incentivize first-to-market
Information Asymmetry
How do you measure security? Distinguish IT “lemons”?
Firms don’t report intrusions to protect reputation
Cybersecurity industry competes on threat oversell
Imperfect Competition
Microsoft & Adobe monocultures
Outsourced supply chain creates vulnerabilities
Collective Action Problems
Coordinating user, firm, industry defenses
High-grade intelligence and active cyber defense
International coordination & diplomacy
Potential Government Remedies
Counter externalities
Enforce industrial security standards/liability
Subsidize security measures and incident response
Improve information quality
Mandatory or voluntary incident reporting
Intelligence sharing
Industrial policy
Use government buying power to reward security
Security-based technical trade barriers
National Cybersecurity Policy
Define strategy and responsibilities
Invest in intelligence, military, law enforcement capacity
Diplomacy, treaties, international organizations
Challenges to Govt Cyber Policy
Lock-in
Technological innovation vs. outdated laws/institutions
Intrusive surveillance vs. attenuated threat
Myopia & Oversell
Focused on standards compliance instead of monitoring outcomes
Threat inflation to overcome political opposition
Rent-Seeking, Capture, Pork
Cybersecurity industrial complex
Misuse/overuse of resources & intelligence
Political Friction & Deadlock
Intel, military, regulators, law enforcement, commerce, finance, media, lobbies….
American government is fragmented by design
Separation of Powers in the U.S.A.
“Wherever you are in D.C., power is elsewhere”
Sectoral: Public, Commercial, Non-profit
Horizontal: Executive, Legislative, Judicial
Vertical: Federal, State, Local
Internal: Agencies, Committees
Temporal: Reelection, Rotation
Political: Parties, Lobbies
International: Treaties, UN
Where are we now?
Market response is improving
Improved bureaucracy & capacity
Norm-based international strategy
Focused on preserving an eroding status quo
Treaties are a non-starter
Congressional legislation in perennial limbo
Agreement on executive powers
Effect on industrial innovation & efficiency
Protecting civil liberties—Especially post-Snowden!
Most urgent need: better information
Realistic threat assessment
Public information sharing
Legal framework for cyber operations
Summary
2010 was a watershed year for cybersecurity: the debate is now about foreign espionage in the private sector and U.S. offensive capacity
Cybersecurity is as much a political-economic issue as it is a technical problem
Public policy must balance the risks of market failure against the risks of policy failure
It could be worse.
Questions