1 / 19

The Political Economy of Cybersecurity

The Political Economy of Cybersecurity. Jon Lindsay UC Institute on Global Conflict and Cooperation University of California, San Diego Osher Institute 5 March 2013. Questions to Explore. How has the cybersecurity situation in the U.S. changed recently?

jael-warner
Download Presentation

The Political Economy of Cybersecurity

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. The Political Economy of Cybersecurity Jon Lindsay UC Institute on Global Conflict and Cooperation University of California, San Diego Osher Institute 5 March 2013

  2. Questions to Explore • How has the cybersecurity situation in the U.S. changed recently? • Why is U.S. cyber policy still so uncertain? • Can markets improve cybersecurity by themselves? • How do market failures create insecurity? • Can government cyber policy remedy market imperfections? • When do the remedies make the problems worse?

  3. “incidents that have placed sensitive information at risk, with potentially serious impacts on federal operations, assets, and people….[e.g.,] installation of malware, improper use of computing resources, and unauthorized access to systems”

  4. Cybersecurity Evolving • 1957-1990 B.C. – “Before Cyberspace” • Invention • 1991 –WWW • Experimentation • 2001 –September 11th • Institutionalization • 2010 –Google, Stuxnet, Wikileaks, Cybercom • Maturation

  5. The New Cybersecurity Debate • Perception of the threat: • 2000s: “Digital Pearl Harbor” (CNA) • 2010s: “Death by a Thousand Cuts” (CNE) • Targets affected: • 2000s: Government and military • 2010s: Private and commercial • Representation of US Posture: • 2000s: US defense is vulnerable • 2010s: US offense is formidable

  6. Advanced Persistent Threat • Publicly reported intrusions • Earliest activity estimate

  7. U.S. Strategic Context • Combat Fatigue • Exit from Iraq • Bin Laden Dead • Drawdown in Afghanistan • Rise of China • Pivot to Asia • Indigenous Innovation (自主创新) • Follow the Money • Financial crash and budgetary austerity • Maturing cybersecurity industrial complex • Internet innovation: cloud, mobile, supply chains

  8. Security Tradeoffs

  9. Fundamental Economic & Political Tradeoffs in Society • Markets are good for… • Innovation • Value Creation • Competition • Self-Organization • …but markets can fail • Externalities • Asym. Info & Bubbles • Monopoly, Collusion • Collective Action Prob • Gov’t is useful for… • Prop Rights & Regulation • Standards & Reporting • Anti-Trust & Trade Policy • Planning & Enforcement • …but gov’t fails too • Lock-in • Myopia & Oversell • Capture & Pork • Friction & Deadlock

  10. Markets Drive Cybersecurity • Global cybercrime ecosystem • Advertising • Theft & Fraud • Infrastructure & Service • Growing cybersecurity industry • Antivirus, firewalls, vendors, incident response • Customers want secure e-commerce and banking • Arms race between “black hats” and “white hats” • Efficacy of market-based defense is understudied • "The primary business model of the Internet is built on mass surveillance“ –Bruce Schneier

  11. Market Failures Complicate Cybersecurity • Externalities • Unpatched/compromised hosts harm 3rd parties • Network effects incentivize first-to-market • Information Asymmetry • How do you measure security? Distinguish IT “lemons”? • Firms don’t report intrusions to protect reputation • Cybersecurity industry competes on threat oversell • Imperfect Competition • Microsoft & Adobe monocultures • Outsourced supply chain creates vulnerabilities • Collective Action Problems • Coordinating user, firm, industry defenses • High-grade intelligence and active cyber defense • International coordination & diplomacy

  12. Potential Government Remedies • Counter externalities • Enforce industrial security standards/liability • Subsidize security measures and incident response • Improve information quality • Mandatory or voluntary incident reporting • Intelligence sharing • Industrial policy • Use government buying power to reward security • Security-based technical trade barriers • National Cybersecurity Policy • Define strategy and responsibilities • Invest in intelligence, military, law enforcement capacity • Diplomacy, treaties, international organizations

  13. Challenges to Govt Cyber Policy • Lock-in • Technological innovation vs. outdated laws/institutions • Intrusive surveillance vs. attenuated threat • Myopia & Oversell • Focused on standards compliance instead of monitoring outcomes • Threat inflation to overcome political opposition • Rent-Seeking, Capture, Pork • Cybersecurity industrial complex • Misuse/overuse of resources & intelligence • Political Friction & Deadlock • Intel, military, regulators, law enforcement, commerce, finance, media, lobbies…. • American government is fragmented by design

  14. Separation of Powers in the U.S.A. “Wherever you are in D.C., power is elsewhere” • Sectoral: Public, Commercial, Non-profit • Horizontal: Executive, Legislative, Judicial • Vertical: Federal, State, Local • Internal: Agencies, Committees • Temporal: Reelection, Rotation • Political: Parties, Lobbies • International: Treaties, UN

  15. Where are we now? • Market response is improving • Improved bureaucracy & capacity • Norm-based international strategy • Focused on preserving an eroding status quo • Treaties are a non-starter • Congressional legislation in perennial limbo • Agreement on executive powers • Effect on industrial innovation & efficiency • Protecting civil liberties—Especially post-Snowden! • Most urgent need: better information • Realistic threat assessment • Public information sharing • Legal framework for cyber operations

  16. Summary • 2010 was a watershed year for cybersecurity: debate is now about foreign espionage in the private sector and U.S. offensive capacity • Cybersecurity is as much a political-economic issue as it is a technical problem • Public policy must balance risks of market failure against risks of policy failure • It could be worse.

  17. Questions

More Related