An online attack on Bank of America could compromise the financial data of millions of customers. One aimed at Google could result in a Gmail outage affecting millions more. And it’s been estimated that a cyber attack causing a 24-hour disruption in service of an energy company could cost as much as $8.4 million. Secondary and tertiary effects of online attacks could affect millions of users around the globe, especially as cloud computing continues to expand and internet content and traffic become more concentrated. They could also cost millions of dollars in downtime and service disruptions. As cybersecurity appears to produce a positive externality, the lack of cybersecurity may produce a negative one.
In the case of distributed denial of service (DDoS) attacks, an unprotected computer poses a risk to every other networked computer because it can be used in such an attack. A bot herder sees millions of unprotected machines as potential zombies for his next onslaught.
Who is responsible for protecting third party clouds that store critical data and provide services to millions of customers? Who is liable for damages from DDoS attacks? Consequently, how should society defend cyberspace? With cyber national defense? Private cybersecurity measures?
The answer lies somewhere in the middle, but exactly where is unclear. Police forces exist to protect and defend, but people still use additional security measures. And it hasn’t been determined that a police force actually exists that can reliably and effectively protect and defend cyberspace. Furthermore, in the physical world, private security measures, such as alarms and guards, most often actively prevent crime. Police and courts, which are provided by the state, generally resolve disputes and problems after the fact. And this is possible even with the global nature of the internet. The knowledge that these institutions exist passively serves to protect citizens. The state, therefore, focuses on passive protection through resolution; the private sector focuses on active protection through prevention. The same institutional structure, privately produced prevention and state-sponsored resolution, should govern online crime.
Bank of America has every incentive to prevent online customer data or proprietary information from being stolen, just as it has every incentive to keep safe hard copies of sensitive information. Their reputation as a financial institution is on the line. They have the local, specialized knowledge to know how to best protect against theft and espionage. Customers know that there’s a risk personal data will be stolen. They factor that risk into their banking decisions. The state’s role is to make potential hackers aware that they will be held accountable for attacks, and then hold them accountable through the judiciary.
Within the appropriate institutional structure, secondary and tertiary effects of online attacks are internalized. Gmail downtime resulting from an online attack isn’t much different from downtime resulting from a glitch.
Regarding DDoS attacks, it’s evident that defending every computer from worms and trojans that plant bots is tremendously difficult and inefficient, if not impossible. Chances for successful protection greatly increase by defending against a single concentrated offensive. Instead of promoting publicly provided ubiquitous cybersecurity, it seems much more efficient to concede the small negative externality produced by unprotected computers and focus protection on targets of centralized DDoS attacks. Targets internalize all direct costs and therefore have enormous incentives to protect their own networks, property, and reputations.
Online attacks illuminate the negative externalities that result from a lack of cybersecurity. But private defenders acting within the proper institutional structure might be best equipped and motivated to mitigate the externalities efficiently and effectively.