THE ROLE OF THE PRIVATE SECTOR

POLITICS OF CYBERSECURITY

PROF. BENJAMIN BARTLETT

MIAMI UNIVERSITY

WHY SHOULD GOVERNMENTS CARE ABOUT PRIVATE SECTOR CYBERSECURITY?

  1. Governments rely on private firms for software and services.
    • Including for critical infrastructure.
  2. There are obvious economic consequences if firms are being exploited or attacked.
    • In some cases, such as with defense technology firms, also national security consequences.

WHY DO FIRMS UNDERINVEST IN CYBERSECURITY?

  1. Cybersecurity does not contribute directly to revenue or profits.
  2. Costs of cybersecurity are obvious, benefits are not.
  3. Externalities.
    1. Negative externalities.
    2. Positive externalities.

CYBERSECURITY DOES NOT CONTRIBUTE DIRECTLY TO REVENUE

  1. Firms have limited resources, have to decide how to spend those resources.
  2. Many ways that you can spend resources that might lead to new revenues:
    1. More product features.
    2. Marketing.
    3. Automation to reduce costs.
  3. But, spending on cybersecurity does not lead to new revenues.
    1. So, temptation is to spend those limited resources on other things.

TIME IS ALSO A SCARCE RESOURCE

  1. Firms want to be first to market with some product.
  2. Testing, debugging, etc. are all things that can make a product more cybersecure, but also take up a lot of time.
  3. Often the preferred solution (from a firm’s perspective) is to put out a product ASAP, then fix any bugs/problems later.
    1. This is easy to do because you can update software (even in physical devices).

THE PROBLEM: CONSUMERS

  1. Consumers do not buy products or services based on their cybersecurity.
    1. In part, because it is hard for consumers to know what products or services are cybersecure.
    2. However, also little evidence that consumers stop using services/products when they are found to be insecure.
  2. Since consumers do not purchase based on cybersecurity, little reason to spend money on it.

EASY TO MEASURE COSTS, HARD TO MEASURE SAVINGS

  1. Can easily add up the cost of firewall software, antivirus software, the IT department, penetration testing, etc.
  2. But, if cybersecurity is successful, the result is a non-event (no one breaches the system).
  3. Since there is no way to directly observe the savings, it is hard for firms to make good cost-benefit decisions when it comes to cybersecurity.

EXTERNALITIES

  1. An externality occurs when a firm either:
    1. Does not pay the full costs of the consequences of some action or decision (negative externality).
    2. Does not capture the full benefits of some action or decision (positive externality).
  2. Regardless of whether the externality is negative or positive, the incentive is for the firm to underinvest in cybersecurity.

NEGATIVE EXTERNALITIES

  1. In cyberspace, this happens because some breach harms not only the firm, but also its customers (including other firms).
  2. However, the firm only pays the costs of the breach to itself, not the costs of what happened to other firms.
  3. So, from the firm’s perspective, it only wants to invest in cybersecurity to the degree it balances out the direct costs, not the possible costs to others (which is too little of an investment).

EXAMPLES OF NEGATIVE EXTERNALITIES

  1. Data breach that leaks personal information.
  2. Cyber attack that takes out an electric grid.

POSITIVE EXTERNALITIES

  1. In this case, the firm invests in cybersecurity, but that investment benefits not just the firm itself, but other firms as well.
  2. In this case, the firm chooses to underinvest in cybersecurity because it is absorbing the full cost without obtaining the full benefit.
  3. Example: training your employees about good cybersecurity practices, only to have them go elsewhere.

HOW COULD A GOVERNMENT IMPROVE PRIVATE SECTOR CYBERSECURITY?

Three models:

GOVERNMENT CAN PROVIDE CYBERSECURITY

GOVERNMENT CAN COOPERATE WITH THE PRIVATE SECTOR

GOVERNMENT CAN USE TOOLS TO ENCOURAGE FIRMS TO INVEST IN CYBERSECURITY

  1. Information Provision
  2. Incentives
  3. Regulation
  4. Market-based Tools
  5. Liability

INFORMATION PROVISION

  1. One possible problem is that firms simply do not understand the cybersecurity problem well enough, or know how to solve it.
  2. In this case, government can release standards and other helpful information about cybersecurity.
  3. Good points: cheap, politically easy.
  4. Bad points: does not change firm incentives.

INCENTIVES

  1. Can give firms money (loans, grants, tax incentives) in order to invest in cybersecurity.
    1. In essence, pay firms to invest more in cybersecurity.
  2. Good points: does change firm incentives (reduces the cost of investing in cybersecurity), popular with firms, no enforcement problems.
  3. Bad points: expensive

REGULATION

  1. Can pass laws and regulations telling firms they have to take certain steps to invest in cybersecurity, or they will pay some cost.
  2. Good points: can be very effective, since firms do not want to be penalized for not following the rules.
  3. Bad points: politically difficult, monitoring can be expensive, if laws/regulation are badly written they may actually hurt cybersecurity by not keeping up with technology.

MARKET-BASED TOOLS

  1. Can make changes that create price signals for cybersecurity in the market
    1. Example: easy-to-understand cybersecurity ratings
    2. Example: cybersecurity insurance
  2. Good points: politically easier than regulation, gov’t does not have to pay monitoring costs (though others do)
  3. Bad points: may fail or be overridden by other market signals

LIABILITY

  1. Can make it so that customers can sue for damages
  2. Good points: internalizes negative externalities
    1. There is a reason banks have good cybersecurity
  3. Bad points: may be politically difficult, court system can be drawn-out (and expensive), generally reactive rather than proactive

CONCLUSION

  1. Governments should care about private sector cybersecurity for both national security and economic reasons.
  2. Firms underinvest in cybersecurity because: it does not contribute to revenue; the costs are easy to see but the benefits are hidden; and externalities.
  3. There are three models for government efforts to improve private sector cybersecurity: government provision, public-private cooperation, using tools to encourage private sector investment.

GROUP WORK

Looking at the tools we have discussed (information provision, incentives, regulation, market-based tools, liability), do the following:

  1. Come up with 2-3 specific policy recommendations for how the U.S. government could encourage firms to invest in cybersecurity.
  2. Decide which you think would be most effective, and why.