Why cybersecurity is not a public good

by Tate Watkins on April 5, 2010 · View Comments

Former CIA Director Michael Hayden likens cyberspace to the Wild West.  “Everybody has to defend themselves, so everyone’s carrying a gun.”  He even implies that under the current system everyone must provide their own cyber national defense:  “You wouldn’t go to a post office and ask them how they’re tending to their own ballistic missile defense…but that is the current set-up in cybersecurity” (p.26).

But cybersecurity is not like traditional national defense.  It is not a public good in the economist's sense, and it is not one in the way national defense is.  A true economic public good is one whose consumption is non-excludable (once it is provided, no one can be kept from benefiting) and non-rivalrous (one person's consumption does not reduce what is left for anyone else).

The U.S. mainland's defense against a missile attack from a foreign nation is a public good.  If a Navy warship shoots down an incoming missile, everyone in the country is protected: there is no way to exclude certain citizens and leave them unprotected (not that anyone would want to).  Missile defense is also non-rivalrous.  My consumption of defense, protection from the missile, does not prevent you from consuming it and being defended at the same time.  By contrast, cheeseburgers are rivalrous in consumption: my eating one prevents you from eating it.

Viewed through this lens, cybersecurity is not a public good.  It is clearly excludable.  A firm's network or a person's computer is protected only if someone provides defense for it, and defending one network does not automatically defend a neighboring one, whereas national defense of one citizen necessarily covers the next.  Cybersecurity is also in limited supply: security companies can produce and sell only a finite amount of protection services, so the many people who want it compete with each other in the market, and the quantity provided is rationed by price.  The scarcity lies in the inputs rather than in the knowledge.  A published patch or detection signature costs nothing more for a second network to use, but the analysts, incident responders and managed-service capacity that actually secure a given network can be engaged by only so many customers at once.  Its consumption is rivalrous.

To illustrate these concepts, imagine an online analogue to the missile attack.  Because of the dispersed, decentralized nature of the Internet, a foreign nation's cyber attack on the U.S. would target only specific networks or computers.  The target may be the Pentagon, federal agencies, private companies, individual users, or a combination of these; the attack can vary in scale, as in the month-long attack on Estonia in 2007.  But it is limited in scope and more concentrated than a traditional missile attack, let alone the extreme case of a nuclear attack.  Protection, therefore, is excludable: it covers the parties who purchase it.  And numerous parties rival each other for a finite supply of protection services.

The only cyber defense that might be comparable to national defense is protection of government and public utility networks.

The McAfee “In the Crossfire” report that quotes Hayden concludes,

As long as major governments desire unimpeded operational freedom in cyberspace, it will continue to be the Wild West.  In the meantime, the owners and operators of the critical infrastructure which makes up this new battleground will continue to get caught in the cross-fire–and may indeed need what amounts to their own ballistic missile defense.

But the analogy does not hold.  What critical infrastructure operators need is not a private ballistic missile defense but ordinary network security, an excludable good that each of them already has to provide or purchase for itself.


  • This argument is deeply confusing. What exactly is the referent of "cyber-security"? If it is the protection of the global Internet from threats, then there are definitely some elements that are public goods (e.g., maintenance of the technical and administrative systems that sustain the universal norm of Internet protocol resource uniqueness). If it means protection of the purely local (in-house, intra-enterprise) networking capabilities of individuals or isolated institutions, as the examples cited herein suggest, then why would anyone think that comparing it to the provision of a national-level security service would be anything other than confusing? Furthermore, the supply of "network protection services" is no more finite than is the supply of guns, planes, and soldiers, and the "consumption" of means for securing national defense by one entity is no more -- and no less -- rivalrous with respect to the security of neighboring countries than is "consumption" of means for securing network security by one individual or enterprise to another. In both cases, every instance of such consumption implicitly creates two groups: those who are covered, and presumably made more secure, and those who are not. Attempting to compare the covered beneficiaries from one class-type to the excluded parties of the other effectively renders this argument meaningless, at best.


    Technically, there is no "U.S. cyber-space," unless perhaps you're using that abstraction as a convenient shorthand reference for the sum of (appx 11-12k) independently managed (and independently secured) IP networks that are operated by self-declared US institutions (ISPs, universities, banks, government agencies, etc., etc.). Of course if that's what you meant, it would probably be prudent to note that many of those networks extend far beyond the borders of U.S. sovereign territory. Or perhaps your intention was to suggest the set of IP networks that have some physical presence within US borders -- in which case it would be appropriate to point out that many of those networks are not in fact owned and managed by U.S. entities. In this sense, the Internet is very much like the data-delivery equivalent of a supply chain (or rather the set of all supply chains) that link U.S. commodities, manufactured goods, and labor to the rest of the global economy. Some countries, like the US, are great beneficiaries of those supply chains, while others are not. But just as in the case of those more conventional supply chains, every beneficiary must also acknowledge that participation entails some increased exposure and vulnerability to unanticipated and potentially unwelcome developments from afar.

    This is not to suggest that the challenges of network security are not real, or that the USG (and other US and non-US) entities should not respond to those challenges, but rather that the challenges are fairly universal and quite *non*-national in nature. In some cases, adding a "US" to thoughts about possible responses to these challenges may have practical merits, but characterizing the problems themselves as inherently national -- or the solutions as inherently rivalrous -- is most certainly not.
  • tatemwatkins
    Tom,

    I agree that my argument should have been clearer as "cybersecurity" can refer to lots of different things. As you guessed, I was referring to "protection of the purely local (in-house, intra-enterprise) networking capabilities of individuals or isolated institutions".

    In retrospect, I also agree that my argument for the rivalrous nature of cybersecurity is suspect. But the fact that it is exclusive makes the rivalrous point moot. It may in fact be non-rivalrous. But the exclusivity, in my mind, clearly differentiates these internet protection measures from public goods like national defense. Non-exclusivity and non-rivalry are both necessary conditions of a public good.

    Your next point, "why would anyone think that comparing it to the provision of a national-level security service would be anything other than confusing?" is exactly what I was trying to get at with Hayden's example. I think it is completely confusing to compare the two, which is why I tried to contrast the two.

    Your other point, that "Technically, there is no "U.S. cyber-space," is another crucial distinction that seems to be completely lost on some government officials. I completely agree and think that lots of their rhetoric about "cybersecurity" is based on hearsay, unfounded claims, and speculation. I tried to demonstrate, in this specific context, how there is no online analogy to the U.S. mainland. I may not have succeeded in doing so, but I intended to do so.

    I'm trying to dig through all the noise and learn more about the topic. So I very much appreciate you reading and commenting.
  • Hi Tate,

    It also took me a second reading of the original reference material to recognize that the confusion was overdetermined, so to speak. No doubt my remarks were somewhat further sharpened by what initially seemed like the attempt to reduce every dimension of network security to the domain of privately provisionable goods. The truly private elements are indeed absolutely indispensable to the achievement/maintenance of (local scope) network security. However, while necessary those private elements are by no means sufficient -- except perhaps for those whose local network security objectives would be consistent with the act of permanently disconnecting from everything that is not "local." In order for network security to be achievable while remaining attached to the Internet, a second, quite different set of inputs is also necessary. These include things like a comprehensive database that associates each of the individual (unique but otherwise invisible, ephemeral, and anonymous) protocol resources that mediate all Internet transactions to the corresponding entity that is ultimately operationally responsible for its presence/attachment to the rest of the Internet, and (ideally) a regime of self-sustaining voluntary mechanisms (e.g., behavioral norms, administrative practices, private incentives and material constraints) that will assure that that database, and the general expectation of protocol resource uniqueness (translation: generally predictable operational behavior) that it makes possible will remain complete, accurate, and up-to-date despite the constant addition of new resources and the not-infrequent transfer of resources from one ultimate beneficial user to another.

    The fact that those two systems have not only worked extremely well, for a couple of decades and counting, but have also done so on an unprecedented *global* scale probably represents some kind of unique (if as-yet unacknowledged and largely under-appreciated) achievement in the history of international relations. Attempting to reduce these systems down or to replace them with purely private mechanisms might not be impossible -- but it would most certainly destroy the seamless global (or more accurately, extra-territorial) end-to-end interoperability that is the Internet's defining and most important feature.

    It's more than a little ironic when you think about it; the Internet represents the ultimate (sector-specific) fulfillment of Adam Smith's vision of a world of seamless "international" commerce -- but that virtue depends absolutely on the exclusion of at least a few narrow "goods" from the push and pull of market forces.

    Or maybe not so ironic -- Smith didn't have much to say about the Internet, but in his writings about money (i.e., monetary liquidity/intermediation mechanisms) he arrives at exactly the same conclusion.

    Best of luck with your research into this topic ;-)