David R. Henderson  

Is Cybersecurity a Public Good?


The usual argument for government intervention, aside from the paternalist and the distribution arguments, is some kind of "market failure," either in the area of public goods or in the area of externalities. When economists want to make a case for government intervention, they usually do so by invoking market failure.

In a recent article in the Wall Street Journal, "Everyone Should Pay for Cyber Defense," April 22, Harvard University economics professor Martin Feldstein, my former boss at the Council of Economic Advisers, makes a case for government intervention in the area of cybersecurity. He does mention "public goods" in the second-to-last paragraph, writing:

The infrastructure companies should be required to meet a high standard of protection and to cooperate with government agencies in preventing incoming malware. But the cost of doing that should be born [sic] by the country as a whole, just as we pay for the military or other public goods like the weather service.

But he never makes the case that this is a public good. Here's the case he does make:

The attackers use computer programs to look for openings in the computer systems of companies. They also send seemingly harmless emails to company employees which, when opened, provide entry to the company's internal networks. The attackers may be foreign governments or the foreign companies that those governments assist. Governments or terrorist groups that lack the technical capability to mount such attacks can now buy the services of skilled hackers who will do it for them.

Internet attacks on critical infrastructure can create a threat to national security even before they inflict any actual damage. A foreign enemy that gains access to the computer control systems of U.S. companies can embed malicious computer code by which the hacker can cause that system to malfunction. A foreign government that has planted such malware in the electricity system of a major U.S. city could credibly threaten to trigger it at a time when the U.S. acts to protect interests or allies abroad. That threat could block the use of our military capability.


But how does this case differ in principle from that of thieves who want to enter a company's building? When companies feel threatened, they tend to hire security guards and set up security systems. There's no public good.

Marty goes on to say:

There are two barriers to providing that protection. Civil-liberty advocates and others are understandably concerned about the possibility of the NSA (a part of the Defense Department) intercepting and examining emails aimed at American individuals and companies. The NSA therefore lacks the legal authority to provide the protection we need.

The second problem is the cost that companies that are part of our nation's critical infrastructure (the electric power companies, airlines, banks and others) would face if required to protect themselves from malicious attacks.


But cost per se is not a public good argument. Even if the NSA has a lower cost, that's not a public good argument: it's a cost argument.

Marty continues with his solutions to the two problems:

First, to protect privacy, there is no need for any person at the NSA to review the content of suspicious emails. The NSA's computers could stop the email as it enters the United States and turn it over to the Department of Homeland Security. The NSA could be legally barred from doing more than stripping off the potentially dangerous message.

The Department of Homeland Security, a completely domestic agency, could then review the content of the email or could notify the intended recipient that a potentially dangerous email had been received. The target recipient could have an agreement with the DHS choosing what happens next: authorizing the DHS to examine the content or to destroy the email or to reroute it to a safe email address where the company could examine it.


So Feldstein sees that a company could have an agreement with DHS. Why, then, if it wants NSA to stop the e-mail, couldn't it have an agreement with NSA? Then, if the NSA has a cost advantage, it could do so but only if authorized by the company or individual. That way, we get the advantage of NSA's lower cost if, indeed, NSA's costs really are lower, without the disadvantage of government intrusion without our consent.

Maybe Feldstein could make a public good case but he doesn't even try.

By the way, here's my prediction: if a solution such as mine above were tried--let people decide whether they want NSA "protection"--few companies or individuals would voluntarily subscribe even if NSA's costs were lower. Robert Frost once wrote:

Something there is that doesn't love a wall,
That wants it down.

Similarly,
Something there is that doesn't love government intrusions on privacy,
That wants them gone.




CATEGORIES: Public Goods, Regulation



COMMENTS (16 to date)
Daniel Kuehn writes:

I generally agree with you. The one point I'd make is that when thieves try to enter a building we do think there's some public role - it's called a police force. Obviously, though, much of the security associated with a private, excludable building is internalized which is precisely why (as you point out) we use private security companies. Security of property is like vaccination - stopping property rights violators reduces the risk of other parties having their property rights violated.

The real, genuine public goods/national security concerns - like hacking into defense contractors - can easily be accommodated with the inclusion of data security requirements in the initial government contract (in other words, another internalization of the problem - in this case, of course, at the insistence of a public sector client that has a duty to look out for national security).

Daniel Kuehn writes:

I shouldn't limit that last paragraph to national security, though. Anyone that's done work for the government - even if it's not defense work - knows about data security requirements. The threats are clearly not exclusively defense-related. But there are pretty easy contractual ways to address that.

Adam writes:

Eli Dourado has an excellent working paper that discusses exactly this subject.

Steve writes:

Great piece, David. Here's a video of Jerry Brito and Eli Dourado discussing whether the externalities of cybersecurity justify government intervention. http://www.youtube.com/watch?v=6wu1mwHFmhQ

drobviousso writes:

Sigh. The WSJ article misses the place in which public goods of cybersecurity do exist - primary scientific research and well-vetted, public code that implements the findings. TrueCrypt, Tor, etc etc etc.

It would be more interesting to look at how much of this kind of public good we get based on the OSS and other existing models and try to determine if we should be subsidizing it.

This article just boils down to "Whaa Whaa I want a transfer payment."

Saturos writes:

David, I think the key sentence in Feldstein's article was:

Internet attacks on critical infrastructure can create a threat to national security even before they inflict any actual damage.

National security is commonly seen as the best example of a public good.

Ghislain writes:

The best solution for the security of IT infrastructure is diversity (like genetic diversity helps humankind deal with new diseases).

With everyone using the same hardware/software, if anyone (not only foreigners!) finds a bug and writes an exploit, it has a far greater potential effect than with a lot of different systems/architectures.

Diversity only exists through competition AND open standards, so that everyone can really choose the software he wants, instead of "the software recommended by -put any third party here-"

The role of the government could be to help standardize some standards, but I really doubt the government is the best actor for this.

Julien Couvreur writes:

If a public good argument cannot yet be made, don't worry: wait a bit until more nationalized services come online (power infrastructure, highway cameras, you name it), such prior interventions will almost certainly justify government-provided cybersecurity...

David R. Henderson writes:

@Daniel Kuehn,
The real, genuine public goods/national security concerns - like hacking into defense contractors - can easily be accommodated with the inclusion of data security requirements in the initial government contract (in other words, another internalization of the problem - in this case, of course, at the insistence of a public sector client that has a duty to look out for national security).
Well-put.
@Adam and Steve,
Thanks. I’ll check them out.
@Saturos,
Actually I think the best example of a public good is a radio signal before the scrambling technology existed. Totally non-rival in consumption and non-excludable.
National defense is a public good, but that doesn’t mean that every input to national defense is. Soldiers require food; that doesn’t make food a public good.
@Julien Couvreur,
If a public good argument cannot yet be made, don't worry: wait a bit until more nationalized services come online (power infrastructure, highway cameras, you name it), such prior interventions will almost certainly justify government-provided cybersecurity...
I’m sure some people will make that argument but those nationalized services would still not be public goods: they would simply be government provided.

Dan Weber writes:

Zombies on the Internet are a threat to everyone. If millions of other machines are compromised, they threaten other people.

Taking out all the zombies seems to meet both requirements for a public good:

1. It's just as difficult to protect Alice and Bob from the zombies as it is just Alice. The cost scales with the number of sources, not the number of destinations.

2. Taking out zombies brings everyone's security level up. I guess we could build a "trusted Internet," but you'd still have to impose the same policies there.

Mike Hammock writes:

I was going to point to the Dourado paper, but Adam beat me to it by many hours. So instead, I will engage in some self-promotion and point to a (now somewhat dated) literature review on the economics of information security. I need to revise that thing and send it somewhere. The market failure arguments are detailed there, although I also point out that it's not clear that the externalities actually matter--they may be inframarginal.

stuhlmann writes:

When hackers break into some company's computers, they can cause loss and damage to that company, perhaps stealing trade secrets or causing company operations to stop. Unfortunately those same hackers can cause loss and damage to all the rest of us. Maybe you have done business with that company, and your credit card or other personal information is on file there. Now the hackers have that information and can sell it to someone who will use it. Given the way our personal information moves around the Internet and the ways in which we depend upon the secure movement of that information, cyber security is a public good.

How cyber security is paid for and the roles of various government agencies in providing security are open for discussion, but an attack against any one of us may turn out to have been an attack against all of us.

PrometheeFeu writes:

First and foremost, this idea of the NSA stopping emails as they come across the border and turning them over to the DHS is both absurd and horrendous. The DHS and the NSA certainly cannot be trusted with not examining email. Thankfully, it will be relatively easy and quick to deploy the necessary encryption infrastructure to foil the NSA and DHS. Most large companies are not keen to let the government get their grubby hands on proprietary information.

That said, there is a positive externality argument to be made in favor of government involvement in cybersecurity. A significant amount of cybersecurity involves identifying attack signatures, designing responses, identifying vulnerabilities, writing security patches, spreading information etc... All of those are basically public goods.

That said, the existence of a public good is not carte blanche for government intervention. The government has shown time and time again that in the provision of security-related public goods, it is particularly prone to abusing its power. I would say let's keep them out of this one. They are really not necessary.

Jeff writes:

Your implicit assumption that the government is competent to implement useful cyber-security measures is laughable. The government does its best to make all things cyber less secure, because effective cyber-security works against the interests of media companies and drug warriors. Have you forgotten the Clipper chip? The attempts to criminalize things like PGP? The attacks on the BitCoin world?

Not only is real privacy and cyber-security not in the government's interest, it is also highly unlikely that people working for government salaries are going to be able to outwit hackers who stand to make millions from successful hacks.

Essen writes:

After the theft in the company the police step in. They catch the thieves and recover all (or part of) the money. Is the Government entitled to recompense from the Company for expenditure incurred in catching the thieves?

David R. Henderson writes:

@Jeff,
All of your points are on-target, except your first 3 words. I never made such an implicit assumption. Indeed, I share your skepticism about government competence. When I was on The O’Reilly Factor in 2002, I said, in response to something O’Reilly said, “You will never get me to defend government competence.”
