Cybersecurity

That is the title of my [new working paper](http://mercatus.org/publication/internet-security-without-law-how-service-providers-create-order-online), out today from Mercatus. The abstract:

> Lichtman and Posner argue that legal immunity for Internet service providers (ISPs) is inefficient on standard law and economics grounds. They advocate indirect liability for ISPs for malware transmitted on their networks. While their argument accurately applies the conventional law and economics toolkit, it ignores the informal institutions that have arisen among ISPs to mitigate the harm caused by malware and botnets. These informal institutions carry out the functions of a formal legal system—they establish and enforce rules for the prevention, punishment, and redress of cybersecurity-related harms.

> In this paper, I document the informal institutions that enforce network security norms on the Internet. I discuss the enforcement mechanisms and monitoring tools that ISPs have at their disposal, as well as the fact that ISPs have borne significant costs to reduce malware, despite their lack of formal legal liability. I argue that these informal institutions perform much better than a regime of formal indirect liability. The paper concludes by discussing how the fact that legal polycentricity is more widespread than is often recognized should affect law and economics scholarship.

While I frame the paper as a reply to Lichtman and Posner, I think it also conveys information that is relevant to the debate over CISPA and related Internet security bills. Most politicians and commentators do not understand the extent to which Internet security is peer-produced, or why security institutions have developed in the way they have. I hope that my paper will lead to a greater appreciation of the role of bottom-up governance institutions on the Internet and beyond.

Comments on the paper are welcome!

I’m impressed with the job Ryan Radia did in this Federalist Society podcast/debate about CISPA, the Cyber Intelligence Sharing and Protection Act.

It’s also notable how his opponent Stewart Baker veers into a strange ad hominem against “privacy groups” in his rejoinder to Ryan. Baker speaks as though arguable overbreadth in privacy statutes written years ago makes it appropriate to scythe down all law that might affect information sharing for cybersecurity purposes. That’s what language like “[n]otwithstanding any other provision of law” would do, and it’s in the current version of the bill three times.

During the 1970’s, I remember a bumper sticker that summed up the prevailing anti-colonial attitude that had developed during the late 1960’s: “U.S. Out of North America.”

That sentiment reflects nicely my activities this week, which include three articles decrying efforts by regulators to oversee key aspects of the Internet economy. Of course their intentions—at least publicly—are always good. But even with the right idea, the unintended negative consequences always overwhelm the benefits by a wide margin.

Governments are just too slow to respond to the pace of change of innovations in information technology. Nothing will fix that. So better just to leave well enough alone and intercede only when genuine consumer harm is occurring. And provable.

The articles cover the spectrum from state (California), federal (FCC) and international (ITU) regulators and a wide range of truly bad ideas, from the desire of California’s Public Utilities Commission to “protect” consumers of VoIP services, to the FCC’s latest effort to elbow its way into regulating broadband Internet access at the middle mile, to a proposal from European telcos to have the U.N. implement a tariff system on Internet traffic originating from the U.S.

Andrew Orlowski of The Register (U.K.) recently posted a very interesting essay making the case for treating online copyright and privacy as essentially the same problem in need of the same solution: increased property rights. In his essay (“‘Don’t break the internet’: How an idiot’s slogan stole your privacy“), he argues that, “The absence of permissions on our personal data and the absence of permissions on digital copyright objects are two sides of the same coin. Economically and legally they’re an absence of property rights – and an insistence on preserving the internet as a childlike, utopian world, where nobody owns anything, or ever turns a request down. But as we’ve seen, you can build things like libraries with permissions too – and create new markets.” He argues that “no matter what law you pass, it won’t work unless there’s ownership attached to data, and you, as the individual, are the ultimate owner. From the basis of ownership, we can then agree what kind of rights are associated with the data – eg, the right to exclude people from it, the right to sell it or exchange it – and then build a permission-based world on top of that.”

And so, he concludes, we should set aside concerns about Internet regulation and information control and get down to the business of engineering solutions that would help us property-tize both intangible creations and intangible facts about ourselves to better shield our intellectual creations and our privacy in the information age. He builds on the thoughts of Mark Bide, a tech consultant:

For Bide, privacy and content markets are just technical challenges that need to be addressed intelligently. “You can take two views,” he told me. “One is that every piece of information flowing around a network is a good thing, and we should know everything about everybody, and have no constraints on access to it all.” People who believe this, he added, tend to be inflexible – there is no half-way house. “The alternative view is that we can take the technology to make privacy and intellectual property work on the network. The function of copyright is to allow creators and people who invest in creation to define how it can be used. That’s the purpose of it. “So which way do we want to do it?” he asks. “Do we want to throw up our hands and do nothing? The workings of a civilised society need both privacy and creator’s rights.” But this is a new way of thinking about things: it will be met with cognitive dissonance. Copyright activists who fight property rights on the internet and have never seen a copyright law they like, generally do like their privacy. They want to preserve it, and will support laws that do. But to succeed, they’ll need to argue for stronger property rights. They have yet to realise that their opponents in the copyright wars have been arguing for those too, for years. Both sides of the copyright “fight” actually need the same thing. This is odd, I said to Bide. How can he account for this irony? “Ah,” says Bide. “Privacy and copyright are two things nobody cares about unless it’s their own privacy, and their own copyright.”

These are important insights that get at a fundamental truth that all too many people ignore today: At root, most information control efforts are related and solutions for one problem can often be used to address others. But there’s another insight that Orlowski ignores: Whether we are discussing copyright, privacy, online speech and child safety, or cybersecurity, all these efforts to control the free flow of digitized bits over decentralized global networks will be increasingly complex, costly, and riddled with myriad unintended consequences. Importantly, that is true whether you seek to control information flows through top-down administrative regulation or by assigning and enforcing property rights in intellectual creations or private information.

Let me elaborate a bit (and I apologize for the rambling mess of rant that follows).

In their paper, “Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy,” my Mercatus Center colleagues Jerry Brito and Tate Watkins warned of the dangers of “threat inflation” in cybersecurity policy debates. In early 2011, Mercatus also published a paper by Sean Lawson, an assistant professor in the Department of Communication at the University of Utah, entitled “Beyond Cyber Doom” that documented how fear-based tactics and cyber-doom scenarios and rhetoric increasingly were on display in cybersecurity policy debates. Finally, in my recent Mercatus Center working paper, “Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle,” I extended their threat inflation analysis and developed a comprehensive framework offering additional examples of, and explanations for, threat inflation in technology policy debates.

These papers make it clear that a sort of hysteria has developed around cyberwar and cybersecurity issues. Frequent allusions are made in cybersecurity debates to the potential for a “Digital Pearl Harbor,” a “cyber cold war,” a “cyber Katrina,” or even a “cyber 9/11.” These analogies are made even though these historical incidents resulted in death and destruction of a sort not comparable to attacks on digital networks. Others refer to “cyber bombs” even though no one can be “bombed” with binary code. And new examples of such inflationary rhetoric seem to emerge each day.

[From *The Hill* this weekend](http://thehill.com/blogs/hillicon-valley/technology/216519-alarming-rhetoric-used-in-push-for-cybersecurity-bills):

>But James Lewis, the director of the Technology and Public Policy Program at the Center for Strategic and International Studies, said “no serious analyst doubts the risk anymore” of a cyber attack.

>”There are people who are naturally skeptical about anything the government says and there are the ones who are paid to be skeptical,” Lewis said, but he claimed almost everyone else has accepted the seriousness of the situation.

Since I’m the only other person quoted in the story–making the case that the threat of a catastrophic cyberattack has been exaggerated–that statement can be read as applying to me. I’m certainly naturally skeptical of government (for good reason, I think), and to the extent my organization is also generally skeptical of government, I guess I am paid to be skeptical of government. But the implication that I wouldn’t advocate skepticism of government but for payment is insulting. And it also has nothing to do with whether the cyber threat has been blown out of proportion and whether we should be skeptical of such threat inflation.

On that front, I’d like to quote at length from a fantastic 2006 *San Francisco Chronicle* piece entitled, “[The War on Hype](http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2006/02/19/INGDDH8E2V1.DTL),” that might as well have been written by me. It is by a certain James A. Lewis:
On Wednesday, administration and military officials [simulated a cyber attack](http://thehill.com/blogs/hillicon-valley/technology/214951-white-house-simulates-cyber-attack-for-senators-as-part-of-push-for-legislation) for a group of senators in an attempt to show a dire need for cybersecurity legislation. All 100 senators were invited to the simulation, which “demonstrated how the federal government would respond to an attack on the New York City electrical grid during a summer heat wave, according to Senate aides.” Around 30 Senators attended. Some [post-game reactions](http://www.politico.com/morningtech/0312/morningtech421.html):

>After the briefing, [Sen. Jay] Rockefeller spokesman Vincent Morris said: “We hope that seeing the catastrophic outcome of a power grid takedown by cyberterrorists encourages more senators to set aside Chamber of Commerce talking points and get on this bill.” [Sen. Mary] Landrieu said the simulation “just enhanced the view that I have about how important” cybersecurity is. She added: “The big takeaway is it’s urgent that we get this done now.”

So how catastrophic did the simulation get? How many casualties? What was the extent of the simulated damage? Did thousands die a la 9/11? A “cyber 9/11” if you will? We’ll likely never know because such a simulation will be classified.

Yet as policymakers consider the cost-benefit of cybersecurity legislation, I hope they’ll remember that we’ve already had many a blackout in New York City in real life and, well, they didn’t lead to catastrophic loss of life, panic or terror. As Sean Lawson [has explained](http://mercatus.org/publication/beyond-cyber-doom):

After the NSA’s aggressive pursuit of a greater role in civilian cybersecurity, and last week’s statement by Sen. John McCain criticizing the Lieberman-Collins bill for not including a role for the agency, [some feared](http://www.techdirt.com/articles/20120229/17512717918/nsa-makes-its-power-play-to-spy-key-private-networks-pretending-that-only-it-can-protect-everyone-attack.shtml) that the new G.O.P. cybersecurity bill would allow the military agency to gather information about U.S. citizens on U.S. soil. So, it’s refreshing to see that the bill introduced today–the SECURE IT Act of 2012–does not include NSA monitoring of Internet traffic, which would have been very troubling from a civil liberties perspective.

In fact, this new alternative goes further on privacy than the Lieberman-Collins bill. It limits the type of information ISPs and other critical infrastructure providers can share with law enforcement. Without such limits, “information sharing” could become a back door for government surveillance. With these limits in place, information sharing is certainly preferable to the more regulatory route taken by the Lieberman-Collins bill.

It seems to me that despite Sen. McCain’s stated preference for an NSA role, the G.O.P. alternative is looking to address the over-breadth of the Lieberman-Collins bill without introducing any new complications. The SECURE IT bill is also more in line with the approach taken by the House, so it would make reaching consensus easier.

I’ll be posting more here as I learn about the bill.

**UPDATE 12:06 PM:** A copy of the bill is now available. Find it after the break.

**UPDATE 2:55 PM:** Having now had an opportunity to take a look at the bill and not just the summary, it does appear it includes a hole through which the NSA may be able to drive a freight train. While NSA monitoring of civilian networks is not mandated, information that is shared by private entities with federal cybersecurity centers “may be disclosed to and used by”

>any Federal agency or department, component, officer, employee, or agent of the Federal government for a cybersecurity purpose, **a national security purpose,** or in order to prevent, investigate, or prosecute any of the offenses listed in section 2516 of title 18, United States Code …

That last bit limits law enforcement’s use of shared cyber threat information to serious crimes, but the highlighted bit potentially allows sharing with the NSA or any other agency, civilian or military, for any “national security” reason. That is troublingly broad and a blemish on this otherwise non-regulatory bill.

Information sharing with the NSA might be fine as long as it is not mandatory and the shared information is used *only* for cyber security purposes.

**[Cross posted from JerryBrito.com](http://jerrybrito.com/2012/03/01/no-nsa-monitoring-in-mccain-cyber-bill-seems-better-on-privacy/)**

Tomorrow Sen. John McCain, along with five other Republican senators, [plans to unveil a cybersecurity bill](http://techdailydose.nationaljournal.com/2012/02/gop-senators-to-unveil-rival-c.php) to rival the Lieberman-Collins bill that Majority Leader Harry Reid has said he plans to bring to the Senate floor without an official markup by committee.

At a hearing earlier this month, Sen. McCain criticized the Lieberman-Collins bill for not giving the NSA authority over civilian networks. And as we’ve heard this week, the NSA has been aggressively seeking this authority–so aggressively in fact that the White House [publicly rebuked Gen. Keith Alexander](http://jerrybrito.com/2012/02/27/the-white-house-strikes-back/) in the pages of the *Washington Post*. But as CDT’s Jim Dempsey explains in a [blog post today](https://www.cdt.org/blogs/jim-dempsey/2902will-nsa-power-grab-imperil-cybersec-consensus),

>The NSA’s claims are premised on the dual assumptions that the private sector is not actively defending its systems and that only the NSA has the skills and the technology to do effective cybersecurity. The first is demonstrably wrong. The Internet and telecommunications companies are already doing active defense (not to be confused with offensive measures). The Tier 1 providers have been doing active defense for years – stopping the threats before they do damage – and the companies have been steadily increasing the scope and intensity of their efforts.

>The second assumption (that only the NSA has the necessary skills and insight) is very hard for an outsider to assess. But given the centrality of the Internet to commerce, democratic participation, health care, education and multiple other activities, it does not seem that we should continue to invest a disproportionate percentage of our cybersecurity resources in a military agency. Instead, we should be seeking to improve the civilian government and private sector capabilities.

The military, and especially the NSA, has great experience and useful intelligence that should be leveraged to protect civilian networks. But that assistance should be provided at arm’s length and without allowing the military to conduct surveillance on the private Internet. Military involvement in civilian security is as inappropriate in cyberspace as it is in the physical world.

As Gene Healy [has explained](http://www.thefreemanonline.org/featured/blurring-the-civilian-military-line/), civilian law enforcement and security agencies “are trained to operate in an environment where constitutional rights apply and to use force only as a last resort”, while the military’s objectives are to defeat adversaries. The NSA’s warrantless wiretapping scandal speaks to this difference. “Accordingly, Americans going back at least to the Boston Massacre of 1770 have understood the importance of keeping the military out of domestic law enforcement.” The Senate Republicans would do well to leave NSA involvement in civilian networks out of a new cybersecurity bill.

And FYI: I will be presenting at a Cato Institute Capitol Hill briefing on cybersecurity on March 23rd along with Jim Harper and Ryan Radia. [Full details and RSVP are here](http://www.cato.org/event.php?eventid=9060).

**[Cross posted from JerryBrito.com](http://jerrybrito.com/2012/02/29/keeping-the-nsa-out-of-civilian-cybersecurity-theres-a-reason/)**

[UPDATE: 2/14/2013: As noted here, this paper was published by the Minnesota Journal of Law, Science & Technology in their Winter 2013 edition. Please refer to that post for more details and cite this final version of the paper going forward.]

I’m pleased to report that the Mercatus Center at George Mason University has just released my huge new white paper, “Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle.” I’ve been working on this paper for a long time and look forward to finding it a home in a law journal some time soon. Here’s the summary of this 80-page paper:

Fear is an extremely powerful motivating force, especially in public policy debates where it is used in an attempt to sway opinion or bolster the case for action. Often, this action involves preemptive regulation based on false assumptions and evidence. Such fears are frequently on display in the Internet policy arena and take the form of full-blown “technopanic,” or real-world manifestations of this illogical fear. While it’s true that cyberspace has its fair share of troublemakers, there is no evidence that the Internet is leading to greater problems for society.

This paper considers the structure of fear appeal arguments in technology policy debates and then outlines how those arguments can be deconstructed and refuted in both cultural and economic contexts. Several examples of fear appeal arguments are offered with a particular focus on online child safety, digital privacy, and cybersecurity. The various factors contributing to “fear cycles” in these policy areas are documented.

To the extent that these concerns are valid, they are best addressed by ongoing societal learning, experimentation, resiliency, and coping strategies rather than by regulation. If steps must be taken to address these concerns, education and empowerment-based solutions represent superior approaches to dealing with them compared to a precautionary principle approach, which would limit beneficial learning opportunities and retard technological progress.

The complete paper can be found on the Mercatus site, on SSRN, or on Scribd.