Jon Lindsay
UC Institute on Global Conflict and Cooperation, University of California, San Diego
Osher Institute, 5 March 2013
Questions to Explore
- How has the cybersecurity situation in the U.S. changed recently?
- Why is U.S. cyber policy still so uncertain?
- Can markets improve cybersecurity by themselves?
- How do market failures create insecurity?
- Can government cyber policy remedy market imperfections?
- When do the remedies make the problems worse?
“incidents that have placed sensitive information at risk, with potentially serious impacts on federal operations, assets, and people… [e.g.,] installation of malware, improper use of computing resources, and unauthorized access to systems”
The New Cybersecurity Debate
- Perception of the threat
  - 2000s: “Digital Pearl Harbor” (CNA)
  - 2010s: “Death by a Thousand Cuts” (CNE)
- Targets affected
  - 2000s: government and military
  - 2010s: private and commercial
- Representation of U.S. posture
  - 2000s: U.S. defense is vulnerable
  - 2010s: U.S. offense is formidable
U.S. Strategic Context
- Combat fatigue
  - Exit from Iraq
  - Bin Laden dead
  - Drawdown in Afghanistan
- Rise of China
  - Pivot to Asia
  - Indigenous innovation (自主创新)
- Follow the money
  - Financial crash and budgetary austerity
  - Maturing cybersecurity industrial complex
  - Internet innovation: cloud, mobile, supply chains
Fundamental Economic & Political Tradeoffs in Society
- Markets are good for…
  - Innovation
  - Value creation
  - Competition
  - Self-organization
- …but markets can fail
  - Externalities
  - Asymmetric information & bubbles
  - Monopoly, collusion
  - Collective action problems
- Government is useful for…
  - Property rights & regulation
  - Standards & reporting
  - Anti-trust & trade policy
  - Planning & enforcement
- …but government fails too
  - Lock-in
  - Myopia & oversell
  - Capture & pork
  - Friction & deadlock
Markets Drive Cybersecurity
- Global cybercrime ecosystem
  - Advertising
  - Theft & fraud
  - Infrastructure & service
- Growing cybersecurity industry
  - Antivirus, firewalls, vendors, incident response
  - Customers want secure e-commerce and banking
- Arms race between “black hats” and “white hats”
- Efficacy of market-based defense is understudied

“The primary business model of the Internet is built on mass surveillance” – Bruce Schneier
Market Failures Complicate Cybersecurity
- Externalities
  - Unpatched/compromised hosts harm 3rd parties
  - Network effects incentivize first-to-market
- Information asymmetry
  - How do you measure security? How do you distinguish IT “lemons”?
  - Firms don’t report intrusions to protect reputation
  - Cybersecurity industry competes on threat oversell
- Imperfect competition
  - Microsoft & Adobe monocultures
  - Outsourced supply chain creates vulnerabilities
- Collective action problems
  - Coordinating user, firm, and industry defenses
  - High-grade intelligence and active cyber defense
  - International coordination & diplomacy
Potential Government Remedies
- Counter externalities
  - Enforce industrial security standards/liability
  - Subsidize security measures and incident response
- Improve information quality
  - Mandatory or voluntary incident reporting
  - Intelligence sharing
- Industrial policy
  - Use government buying power to reward security
  - Security-based technical trade barriers
- National cybersecurity policy
  - Define strategy and responsibilities
  - Invest in intelligence, military, and law enforcement capacity
  - Diplomacy, treaties, international organizations
Challenges to Government Cyber Policy
- Lock-in
  - Technological innovation vs. outdated laws/institutions
  - Intrusive surveillance vs. attenuated threat
- Myopia & oversell
  - Focused on standards compliance instead of monitoring outcomes
  - Threat inflation to overcome political opposition
- Rent-seeking, capture, pork
  - Cybersecurity industrial complex
  - Misuse/overuse of resources & intelligence
- Political friction & deadlock
  - Intelligence, military, regulators, law enforcement, commerce, finance, media, lobbies…
  - American government is fragmented by design
Separation of Powers in the U.S.A.
- Sectoral: public, commercial, non-profit
- Horizontal: executive, legislative, judicial
- Vertical: federal, state, local
- Internal: agencies, committees
- Temporal: reelection, rotation
- Political: parties, lobbies
- International: treaties, UN

“Wherever you are in D.C., power is elsewhere”
Where are we now?
- Market response is improving
- Improved bureaucracy & capacity
- Norm-based international strategy
  - Focused on preserving an eroding status quo
  - Treaties are a non-starter
- Congressional legislation in perennial limbo
- Agreement on executive powers
- Effect on industrial innovation & efficiency
- Protecting civil liberties—especially post-Snowden!
- Most urgent need: better information
  - Realistic threat assessment
  - Public information sharing
  - Legal framework for cyber operations
Summary
- 2010 was a watershed year for cybersecurity: the debate is now about foreign espionage in the private sector and U.S. offensive capacity
- Cybersecurity is as much a political-economic issue as it is a technical problem
- Public policy must balance risks of market failure against risks of policy failure
- It could be worse.