Abstract
Congress and the Obama administration have advanced dozens of proposals addressing cybersecurity. While many of these bills propose admirable policies, they often attempt to address a wide range of issues under a poorly matched set of frameworks.
This paper offers three observations built around a framework of risk management to help focus the discussion. First, we caution against conflating different threats simply because they all involve information technology. Crime, espionage and international conflict are very different threats, and grouping them together can lead to poorly framed solutions. Second, we argue that looking at cybersecurity from the perspective of economics can offer important insight into identifying important policy opportunities. Finally, we suggest a series of governance frameworks that can be used in a complementary fashion to address many of the issues discussed.
Introduction
A frequent refrain is that the Internet was not designed with security in mind. While this is true, it fails to capture the nature of the problem: risk is a part of information systems. It is not simply a matter of bolting on security components, or even building a new, trustworthy network to handle our key transactions. The fact is that the risk has been there all along, and there are no direct, technical solutions to addressing systematic risk. Risk is a natural side effect of complex systems. Security itself is a subcomponent of risk; the past few years have demonstrated that a country is just as likely to be knocked off the internet by a typo (Mills, 2009) or a scrap metal scavenger (Parfitt, 2011) as they are by an unfriendly neighbor.
One can draw an analogy to the state of the world at the publication of Rachel Carson’s Silent Spring. Her book did not introduce the risks to a world dependent on heavy industry and toxic pesticides. The dangers were present, but increased awareness forced a decision of how to adapt as a society. What threats will we protect ourselves against, what will we tolerate for the sake of efficiency, and what risk will remain exposed simply because we cannot overcome the policy problems to fix it?
As of July, 2011, Congress was considering or about to consider 22 bills on cybersecurity, in addition to proposed legislation from the White House (CSIS, 2011). While many of these bills propose admirable policies, they still attempt to address a wide range of issues under a poorly matched set of frameworks. This paper offers three observations to help focus the discussion:
- First, we caution against conflating different threats simply because they all involve information technology. Crime, espionage and international conflict are very different threats, and grouping them together can lead to poorly framed solutions.
- Second, we argue that looking at cybersecurity from the perspective of an economist can offer important insight into identifying important policy opportunities.
- Finally, we suggest a series of governance frameworks that can be used in a complementary fashion to address many of the issues discussed. It is important to note that this essay does not attempt to address every challenge we face in addressing the risks in our information infrastructure, but rather offers an approach to thinking about that risk more generally.