In my latest R Street Institute blog post, “Mapping the AI Policy Landscape Circa 2023: Seven Major Fault Lines,” I discuss the big issues confronting artificial intelligence and machine learning in the coming year and beyond. I note that the AI regulatory proposals are multiplying fast and coming in two general varieties: broad-based and targeted. Broad-based algorithmic regulation would address the use of these technologies in a holistic fashion across many sectors and concerns. By contrast, targeted algorithmic regulation looks to address specific AI applications or concerns. In the short-term, it is more likely that targeted or “sectoral” regulatory proposals have a chance of being implemented.

I go on to identify seven major issues of concern that will drive these policy proposals. They include:

1) Privacy and Data Collection

2) Bias and Discrimination

3) Free Speech and Disinformation

4) Kids’ Safety

5) Physical Safety and Cybersecurity

6) Industrial Policy and Workforce Issues

7) National Security and Law Enforcement Issues

Of course, each of these issues includes many sub-issues and nuanced concerns. But I also noted that “this list only scratches the surface in terms of the universe of AI policy issues.” Algorithmic policy considerations are now being discussed in many other fields, including education, insurance, financial services, energy markets, intellectual property, retail and trade, and more. I’ll be rolling out a new series of essays examining all these issues throughout the year.

But, as I note in concluding my new essay, the danger of over-reach exists with early regulatory efforts:

AI risks deserve serious attention, but an equally serious risk exists that an avalanche of fear-driven regulatory proposals will suffocate different life-enriching algorithmic innovations. There is a compelling interest in ensuring that AI innovations are developed and made widely available to society. Policymakers should not assume that important algorithmic innovations will just magically come about; our nation must get its innovation culture right if we hope to create a better, more prosperous future.

America needs a flexible governance approach for algorithmic systems that avoids heavy-handed, top-down controls as a first-order solution. “There is no use worrying about the future if we cannot even invent it first,” I conclude.

Additional Reading

• Adam Thierer, “Artificial Intelligence Primer: Definitions, Benefits & Policy Challenges,” Medium, December 2, 2022.
• Neil Chilson & Adam Thierer, “The Coming Onslaught of ‘Algorithmic Fairness’ Regulations,” Regulatory Transparency Project of the Federalist Society, November 2, 2022.
• Adam Thierer, “We Really Need To ‘Have a Conversation’ About AI … or Do We?” Discourse, October 6, 2022.
• Adam Thierer, “How the Embedding of AI Ethics Works in Practice & How It Can Be Improved,” Medium, September 22, 2022.
• Adam Thierer, “No Goldilocks Formula for Content Moderation in Social Media or the Metaverse, But Algorithms Still Help,” Medium, September 13, 2022.
• Adam Thierer, “AI Eats the World: Preparing for the Computational Revolution and the Policy Debates Ahead,” Medium, September 10, 2022.
• Adam Thierer, “‘Running Code and Rough Consensus’ for AI: Polycentric Governance in the Algorithmic Age,” Medium, September 1, 2022.
• Adam Thierer, “AI Governance ‘on the Ground’ vs ‘on the Books,’” Medium, August 19, 2022.
• Adam Thierer, “Why the Future of AI Will Not Be Invented in Europe,” Technology Liberation Front, August 1, 2022.
• Adam Thierer, “Existential Risks & Global Governance Issues around AI & Robotics,” [DRAFT CHAPTER, July 2022].
• Adam Thierer, “How Science Fiction Dystopianism Shapes the Debate over AI & Robotics,” Discourse, July 26, 2022.
• Adam Thierer, “Why is the US Following the EU’s Lead on Artificial Intelligence Regulation?” The Hill, July 21, 2022.
• Adam Thierer, “Algorithmic Auditing and AI Impact Assessments: The Need for Balance,” Medium, July 13, 2022.
• Adam Thierer, “The Proper Governance Default for AI,” Medium, May 26, 2022.
• Adam Thierer, “What I Learned about the Power of AI at the Cleveland Clinic,” Medium, May 6, 2022.
• Adam Thierer, Governing Emerging Technology in an Age of Policy Fragmentation and Disequilibrium, American Enterprise Institute (April 2022).

Here’s yesterday’s full launch event video for the release of my new book, Evasive Entrepreneurs and the Future of Governance: How Innovation Improves Economies and Governments. My thanks to Matthew Feeney, Director of the Project on Emerging Technologies at the Cato Institute, for hosting the discussion and sorting through audience questions. The video is below and some of the topics we discussed are listed down below:

Congress has become a less important player in the field of technology policy. Why did that happen, and what are the ramifications for technological governance efforts going forward?

I’ve spent almost 30 years covering technology policy. There was a time in my life when I spent almost all my time as a policy analyst preoccupied with developments in the federal legislative arena. I lived in the trenches of Capitol Hill and interacted with lawmakers and their staff morning, noon, and night.

In recent years, however, I have spent very little time focused on the Legislative Branch because it has effectively become a non-actor on technology policy. It is not that congressional lawmakers stopped caring about tech policy. Interest actually remains quite high—perhaps higher than ever before. Congress also continues to introduce lots of bills, host plenty of hearings, and issue mountains of press releases related to tech policy issues.

Nonetheless, all that interest and activity has not really translated into much important legislation. While it is hard to track tech-oriented legislative trends statistically because of the complication of defining “technology policy” over time, judged by substantive output, Congress has largely checked out of technological policymaking.

Think about digital privacy. How many years now have people been predicting a comprehensive “baseline” privacy bill would pass in each legislative session? It never happens. Perhaps it will this year, but if you would like to place a wager on it, I will take that bet.

Speaking of bets, for several years now, I have been wagering with friends that Congress will not pass federal legislation creating a national autonomous vehicles framework. Each session I win that bet. Keep in mind, a framework for driverless cars is far less controversial than privacy policy. Still, nothing substantive ever gets done in Congress.

Same goes for cybersecurity with lots of calls for big measures, but no final action. Folks are now also telling me to expect a big artificial intelligence bill one day soon. I sincerely doubt it. Again, I’ll bet on it if you’d like to lose some money!

Let me be clear, there may actually be some very good reasons why Congress should implement a national framework for privacy, driverless cars, and some AI policy issues. But all the wishful thinking in the world will not magically make it happen.

We need to entertain the possibility that Congress has largely checked out of the world of substantive tech policymaking and isn’t coming back. We may get a few big surprise measures here and there, as we did with clumsily-drafted FOSTA-SESTA. If anything, it is more likely that we instead see misguided legislative riders attached to non-germane measures during late night negotiations. But even haphazard efforts like those will be extremely rare. The days of Congress passing big bills like the Telecom Act of 1996 or the Cable Act of 1992 appear mostly over.

Why Congress Is No Longer the Major Player It Once Was

I think there are probably many obvious explanations for why Congress has checked out of tech policymaking, but let me try to boil it down to a couple of interrelated trends:

The “pacing problem” has intensified: The pacing problem refers to the inability of legal or regulatory regimes to keep adjust to the intensifying pace of technological change. There are just more emerging technologies than ever, and they are evolving faster than ever, too. “New technologies that used to have two-year cycle times now can become obsolete in six months, and the pace of change is not slowing,” says consulting firm Deloitte.

A growing multiplicity of technologies means more tech policy issues to cover. And those issues grow more complicated each year. As soon as lawmakers wrap their heads around one technology (if they do at all), another innovation pops up that complicates things further or crowds out their attention.

Technological convergence and blurring governance boundaries: Technology policymaking increasingly involves metaphysical questions about the underlying nature of things. For example, what is a “phone,” a “medical device,” or an “aerial vehicle”? These things used to be relatively easy to define and had well-understood meanings in federal statutes and regulations. But those concepts evolved rapidly in an age of widespread technological convergence and rapid-fire “combinatorial innovation,” with new technologies multiplying and building on top of one another in the symbiotic fashion. Basically, almost as soon as new tech laws or regulations are enacted, they are confronted with new marketplace realities and technological changes that call into question legal classifications or regulatory distinctions.

For example, today’s smartphones combine dozens of different functions that were previously quite distinct, including health tracking capabilities, mobile payment systems, and video distribution, all of which remain heavily regulated by an assortment of federal laws and agencies. But the convergence of all these capabilities in a single device that we can carry in our pockets creates massive governance challenges, not only for archaic legislative frameworks, but even for newer semantic distinctions that may seem current one moment only to be obliterated the next. These factors also make it harder to figure out who in Congress should be driving policy because technological convergence blurs previously distinct governance categories among legislative committees and the laws they have crafted.

Legislative dysfunctionalism: Policymaking processes move slowly by design. Constitutional constraints and other legal requirements demand it. But things move even slower today because of what Jonathan Rauch calls “demosclerosis,” or the “government’s progressive loss of the ability to adapt.” “[A]s layer is dropped upon layer,” he argued, “the accumulated mass becomes gradually less rational and less flexible.”

Inadequate resources are also part of the problem with Congress facing a complex, rapidly-evolving set of issues but devoting only limited resources to technical staff or studies to better understand these developments. This combined with the factors cited above has led to a never-ending “competency trap,” with lawmakers and their staffs seemingly always one step behind technological developments and societal demands or expectations.

Meanwhile, partisanship increases and the work load on many other fronts grows alongside it. There’s just a lot more on Congress’s plate than ever before. Plus, tech policy matters seemingly always take a back seat to tax, budget, entitlements, defense, and other issues.

Many people hope that boosting technology assessment efforts might help correct these problems. Perhaps better technical advice could help lawmakers ask less ignorant questions at tech-oriented congressional hearings, which have become showcases for the staggering lack of congressional understanding of modern technologies. But just adding new technology assessment capacity, such as in the form of a revived Office of Technology Assessment, won’t likely move the needle much in terms of actual legislative output. More serious structural reforms will be required.

Globalization: Many modern technologies “are truly global and call out for policy approaches that do not respect traditional national borders,” note former NITA officials Lawrence E. Strickling and Jonah Force Hill. Congress only has so much control over technologies that defy national boundaries, further complicating tech governance questions.

Yet, one would think that when America’s global competitive advantage was on the line, Congress would have greater reason to assert itself and craft frameworks to ensure US firms are not disadvantaged by a lack of policy clarity. That has not proven to be the case, however. Congressional lawmakers do plenty of huffing and puffing about the tech governance choices made by Europe, China, and other governments, but they then leave the field wide open to them (as well as lower levels of government) to craft policies that govern national markets throughout the United States.

Endless delegation: Speaking of passing the buck, Congress has been doing it for decades on tech policy by delegating massive and quite amorphous authority to technocratic administrative agencies. Over the past half century, scholars from various disciplines—economics, law, political science, history, and others—have explored the growth of what has been alternatively called the “interest group society,”  “receivership by regulation,”  “iron triangles,” and “client politics.” This literature identifies the way Congress has increasingly abdicated its constitutional role as lawmaker by shifting hard policy questions to regulatory agencies and then hoping that bureaucrats could figure out all the answers.

Delegation is even more common for the most technical policy matters, and that trend has only accelerated in recent years as the complexity increases and overwhelms lawmakers and their staff.

Ramifications for Tech Governance Going Forward

If Congress remains largely incapable of ever getting the ball over the goal line on important tech policy matters, what are some of the ramifications? There are many, but I will identify just a few of the most obvious ones:

• More tech-oriented legislative activity will shift to the states: In fact, it already has. For each of the tech policy issues I identified earlier (privacy, driverless cars, cybersecurity, and even some AI-related issues like facial recognition), states are—for better or worse—picking up the slack. We should expect that trend to accelerate. This will create an increasingly confusing patchwork of policies that will potentially raise serious barriers to entry and innovation. Nonetheless, I can’t see this trend reversing anytime soon. Perhaps Congress will finally act on privacy or driverless cars legislation if for no other reason than to preempt a crazy-quilt of contradictory policies. Of course, that’s what people have been predicting for years, and it never happens.
• “Soft law” becomes the dominate governance force for tech: Again, it already has. Soft law refers to informal, collaborative, and constantly evolving governance mechanisms that differ from hard law in that they lack the same degree of enforceability. Soft law can include things like multi-stakeholder processes, industry best practices and standards, agency workshops and guidance documents, and educational efforts. But that just scratches the surface of soft law mechanisms. For better or worse, soft law is becoming the dominant modus operandi for most modern technological governance. We can expect that trend to accelerate to fill the governance gap left by Congressional inaction. For example, we don’t have any formal “rules of the road” for driverless cars, but we do now have four iterations of Department of Transportation guidance on driverless cars. Version 4.0of the DoT guidance for automated vehicles was just released this month. Expect the “soft law-ization” of technological governance to expand considerably in coming years because it is really the only way for agencies to cope with the pacing problem and those metaphysical issues identified earlier. Because soft law is not boxed in by rigid preconceptions of what a particular technology or technological process is or entails, it is often better able to address new marketplace realities. Soft law can adapt as technologies do. With Congress out of the picture, it will have to.
• The congressional tech policy death spiral accelerates. Some may think (or at least hope) that the situation described here can’t get any worse. To the contrary, it can get radically worse. With our politics increasingly infected with bitter partisanship and rancor, what are the chances that lawmakers can work together to craft comprehensive tech policy measures? I’d say the odds are approaching zero. The Cable Act, the Telecom Act (and Sec. 230), and the Internet Tax Freedom Act all enjoyed broad, bipartisan support when they passed in the 1990s. People reached across the aisle to get things done. It didn’t always work, and sometimes it resulted in misguided policies (like the Communications Decency Act’s provisions trying to censor internet “indecency”). But bipartisan lawmaking scenarios like those seem almost unthinkable now. To the extent many lawmakers even show up at tech-oriented congressional hearings anymore, it is mostly to score points in front of the cameras for Team Red or Team Blue back home. Serious legislative oversight and policymaking is dead; it’s mostly just show-trials and media circuses at this point.

Should I Care about Congress Anymore?

If you believe this miserable thesis is correct but continue to focus on the Legislative Branch for a living, you may be asking yourself: Am I wasting all my time here? Not necessarily. Congress is still actively interested in tech policy matters. For those who hope to limit that damage Congress might do by hastily passing ham-handed, crisis-driven policy measures, your efforts in the trenches will continue to be important in curbing the worst instincts of some lawmakers. In many instances, preserving a perpetual stalemate may go down as a tremendous victory.

For example, as the debate over Section 230 intensifies—with politicians of all stripes looking to gut the most important of all Internet freedom policies—it is vital that smart people work with lawmakers and their staff to beat back misguided and destructive measures. Hopefully this becomes another instance of legislative gridlock winning out! And I think it will.

More realistically, your role will not be to stop Congress from doing insanely destructive things, it will be to just stop them from saying those things. In fact, that seems to be what a lot of people who work with Congress already do today. When I chat with various inside-the-Beltway policy advocates and industry reps today, they usually acknowledge that the prospects for actual legislation on any given issue are quite slim. They will, of course, continue to try to work with lawmakers, their committees, and their staff to either advance or stop legislative measures. Yet, they all seem to accept the utter futility of it all.

Why do they persist? Most obviously, they want to at least preserve the legislative stalemate and not cede the ground to their enemies who might succeed in getting lawmakers to do something if only one side was communicating with Congress.

But the other thing these policy advocates are hoping to achieve is better messaging. Regulatory advocates want lawmakers to use the power of the bully pulpit to put pressure on various people or groups to change behavior, even in the absence of any legislative action. By contrast, many in industry want to make sure that their technologies are understood and not endlessly demonized. Bad press isn’t good for business, even if all the congressional threats never result in final legislation. Also, those defending innovation more generally will want to make sure that even if lawmakers aren’t making any actual laws, they still better understand and appreciate the importance of new technological capabilities for improving human welfare.

Those are all good reasons not to give up your legislative advocacy. For some of us, however, the personal cost-benefit analysis just doesn’t add up. Our focus has shifted to where the real action is at: federal administrative agencies, statehouses and state administrative agencies, the courts, and the growing world of multi-stakeholder governance and other soft law efforts. Congress has checked out, but technological governance lives on in many other forms and venues.

On August 1, Sens. Mark Warner and Cory Gardner introduced the “Internet of Things  Cybersecurity Improvement Act of 2017.” The goal of the legislation according to its sponsors is to establish “minimum security requirements for federal procurements of connected devices.” Pointing to the growing number of connected devices and their use in prior cyber-attacks, the sponsors aims to provide flexible requirements that limit the vulnerabilities of such networks. Most specifically the bill requires all new Internet of Things (IoT) devices to be patchable, free of known vulnerabilities, and rely on standard protocols. Overall the legislation attempts to increase and standardize baseline security of connected devices, while still allowing innovation in the field to remain relatively permissionless. As Ryan Hagemann[1] at the Niskanen Center states, the bill is generally perceived as a step in the right direction in promoting security while limiting the potential harms of regulation to the overall innovation in the Internet of Things.

The proposed legislation only creates such security requirements for the Internet of Things products purchased by the government. As a result, it does not directly affect the perceived market failure in securing the Internet of Things for either state and local governments or consumers. As a result, it is possible that either further state or federal legislation could develop different security norms in these areas or allow the market to sort out what level of security is needed in such products. Similarly, innovators might create different versions of products for consumers as opposed to the government if they found the security requirements of the federal procurement laws unnecessary. At the same time, consumers and other levels of government might reject such products if they feel they are less secure. For example, states and federal governments have independently developed their protocols and requirements for security in IT and Telecommunications services, and while all require some level of security, the exact requirements may vary. While most consumers still expect or opt in to some level of security for their personal computers, there are different expectations in security protocols for government and medical computer networks. A similar phenomena could emerge in the Internet of Things where the devices procured by the government are more secure than those available to the average consumer.

Defining and quantifying the Internet of Things can be difficult as new connected devices from toasters to teddy bears continue to arrive seemingly daily. As Ariel Rabkin discusses the bill defines the scope of devices covered in a broad ambiguous term of “Internet-connected device” which could cover not only new connected devices but much more mundane and common general purpose items such as laptops and smart phones. This ambiguity presents a serious concern regarding the proposed legislation. Given the security guidelines are being issued by the Office of Management and Budget in conjunction with each executive agency, we could see issues in agency’s use of soft law in an attempt to get Internet of Things entrepreneurs to adopt such standards beyond the items which the government procures. Because the items covered by the proposed legislation is ambiguous, it also raises concerns of what happens to emerging technologies such as connected cars where current security standards are already being discussed by agencies and devices such as laptops and cell phones where there are existing government and agency standards. If not clarified such a broad definition has potential to create uncertainty if the agency-based security standards for procurement. While initial standards are aimed at federal procurement, the delegation to agencies of these standards could lead to broader could lead to agency threats more generally in the Internet of Things and the use of government procurement standards as a type of soft law to influence the pace and course of innovation.

The proposed legislation provides a basic start on limiting the liability for Internet of Things researchers and systems security architects especially when coupled with existing intermediary protections. Unlike the FTC’s strict liability data security rules, the proposed legislation carves out safe harbors for both good faith security research and testing and updating the Digital Millennium Copyright Act (DMCA) and Computer Fraud and Abuse Act (CFAA) to have safe harbors provided the device was in compliance with the issued guidelines under the new legislation. This, however, creates questions of liability for non-federal government purchasers. First, if the devices fail to comply with the proposed standards in the consumer market could the presence of a more secure government alternative be used to support a design defect argument as the availability of a reasonable alternative design? And if not for an individual consumer, then what about a state or local government. Under the proposed legislation, merely not complying with standards in a consumer grade product does not seem likely to give rise to a case against an Internet of Things producer. The proposed legislation also does not appear to adequately address a safe harbor for insufficient fix or a latent defect. While these situations should not immediately find a company negligent, there are concerns that an inefficient patch might exacerbate rather than solve a problem.  It also does not address a possible situation where a third party fails to update the security measures or the government in some way modifies existing protocols on the device inadvertently changing existing security features.

In general, the Internet of Things Cybersecurity Act of 2017 provides a base level of security that could lead to greater adoption by government entities without disrupting the innovation in the consumer market. At the same time its broad definition of the Internet of Things risks potential soft law abuse and its specificity to government procurement limits its potential broader impact on IoT security. If passed, the Internet of Things Cybersecurity Act might lead to promotion of security across devices and broader innovation in such protocols without requiring such technology into captivity.

[1] Ryan provided feedback on an earlier draft of this post.

[This is an excerpt from Chapter 6 of the forthcoming 2nd edition of my book, “Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom,” due out later this month. I was presenting on these issues at today’s New America Foundation “Cybersecurity for a New America” event, so I thought I would post this now.  To learn more about the contrast between “permissionless innovation” and “precautionary principle” thinking, please consult the earlier edition of my book or see this blog post.]

Viruses, malware, spam, data breeches, and critical system intrusions are just some of the security-related concerns that often motivate precautionary thinking and policy proposals.^[1] But as with privacy- and safety-related worries, the panicky rhetoric surrounding these issues is usually unfocused and counterproductive.

In today’s cybersecurity debates, for example, it is not uncommon to hear frequent allusions to the potential for a “digital Pearl Harbor,”^[2] a “cyber cold war,”^[3] or even a “cyber 9/11.”^[4] These analogies are made even though these historical incidents resulted in death and destruction of a sort not comparable to attacks on digital networks. Others refer to “cyber bombs” or technological “time bombs,” even though no one can be “bombed” with binary code.^[5] Michael McConnell, a former director of national intelligence, went so far as to say that this “threat is so intrusive, it’s so serious, it could literally suck the life’s blood out of this country.”^[6]

Such outrageous statements reflect the frequent use of “threat inflation” rhetoric in debates about online security.^[7] Threat inflation has been defined as “the attempt by elites to create concern for a threat that goes beyond the scope and urgency that a disinterested analysis would justify.”^[8] Unfortunately, such bombastic rhetoric often conflates minor cybersecurity risks with major ones. For example, dramatic doomsday stories about hackers pushing planes out of the sky misdirects policymakers’ attention from the more immediate, but less gripping, risks of data extraction and foreign surveillance. Well-meaning skeptics might then conclude that our real cybersecurity risks are also not a problem. In the meantime, outdated legislation and inappropriate legal norms continue to impede beneficial defensive measures that could truly improve security.

Meanwhile, similar concerns have already been raised about security vulnerabilities associated with the Internet of Things^[9] and driverless cars.^[10] Legislation has already been floated to address the latter concern through federal certification standards.^[11] More broad-based cybersecurity legislative proposals have also been proposed, most notably the Cybersecurity Information Sharing Act, which would extend legal immunity to corporations that share customer data with intelligence agencies.^[12]

Ironically, these efforts to expand federal cybersecurity authority come before the federal government has even gotten its own house in order. According to a recent report, federal information security failures had increased by an astounding 1,169 percent, from 5,503 in fiscal year 2006 to 69,851 in fiscal year 2014.^[13] Of course, many of these same agencies would be tasked with securing the massive new datasets containing personally identifiable details about US citizens’ online activities that legislation like the Cybersecurity Information Sharing Act would authorize. In the worst-case scenario, such federal data storage could counterintuitively encourage more attacks on government systems.

It’s important to put all these security issues in some context and to realize that proposed legal remedies are often inappropriate to address online security concerns and sometimes end up backfiring. In his research on the digital security marketplace, my Mercatus Center colleague Eli Dourado has illustrated how we are already able to achieve “Internet Security without Law.”^[14] Dourado documented the many informal institutions that enforce network security norms on the Internet to show how cooperation among a remarkably varied set of actors improves online security without extensive regulation or punishing legal liability. “These informal institutions carry out the functions of a formal legal system—they establish and enforce rules for the prevention, punishment, and redress of cybersecurity-related harms,” Dourado says.^[15]

For example, a diverse array of computer security incident response teams (CSIRTs) operate around the globe, sharing their research on and coordinating responses to viruses and other online attacks. Individual Internet service providers (ISPs), domain name registrars, and hosting companies work with these CSIRTs and other individuals and organizations to address security vulnerabilities.

Encouraging the development of robust and lawful software vulnerability markets would provide even more effective cybersecurity reporting. Some private companies and nonprofit security research firms have offered financial incentives for hackers to find and report software vulnerabilities to the proper parties for years now.[16] Such “bug bounty” and “vulnerability auction” programs better align hackers’ monetary incentives with the public interest. By allowing a space for security researchers to responsibly report and profit from discovered bugs, these markets dissuade hackers from selling vulnerabilities to criminal or state-backed organizations.[17]

A growing market for private security consultants and software providers also competes to offer increasingly sophisticated suites of security products for businesses, households, and governments. “Corporations, including software vendors, antimalware makers, ISPs, and major websites such as Facebook and Twitter, are aggressively pursuing cyber criminals,” notes Roger Grimes of Infoworld.^[18] “These companies have entire legal teams dedicated to national and international cyber crime. They are also taking down malicious websites and bot-spitting command-and-control servers, along with helping to identify, prosecute, and sue bad guys,” he says.^[19] Meanwhile, more organizations are employing “active defense” strategies, which are “countermeasures that entail more than merely hardening one’s own network against threats and instead seek to unmask one’s attacker or disable the attacker’s system.”^[20]

A great deal of security knowledge is also “crowd-sourced” today via online discussion forums and security blogs that feature contributions from experts and average users alike. University-based computer science and cyber law centers and experts have also helped by creating projects like Stop Badware, which originated at Harvard University but then grew into a broader nonprofit organization with diverse financial support.^[21] Meanwhile, informal grassroots security groups like The Cavalry have formed to build awareness about digital security threats among developers and the general public and then devise solutions to protect public safety.^[22]

The recent debacle over the Commerce Department’s proposed new export rules for so-called cyberweapons provides a good example of how poorly considered policies can inadvertently undermine such beneficial emergent ecosystems. The agency’s new draft of US “Wassenaar Arrangement” arms control policies would have unintentionally criminalized the normal communication of basic software bug-testing techniques that hundreds of companies employ each day.[23] The regulators who were drafting the new rules had good intentions. They wanted to crack down on cyber criminals’ abilities to sell malware to hostile state-backed initiatives. However, their lack of technical sophistication led them to unknowingly write a proposal that would have compelled software engineers to seek Commerce Department permission before communicating information about minor software quirks. Fortunately, regulators wisely heeded the many concerned industry comments and rescinded the initial proposal.[24]

Dourado notes that informal, bottom-up efforts to coordinate security responses offer several advantages over top-down government solutions such as administrative regulatory regimes or punishing liability regimes. First, the informal cooperative approach “gives network operators flexibility to determine what constitutes due care in a dynamic environment.” “Formal legal standards,” by contrast, “may not be able to adapt as quickly as needed to rapidly changing circumstances,” he says.^[25] Simply put, markets are more nimble than mandates when it comes to promptly patching security vulnerabilities.

Second, Dourado notes that “formal legal proceedings are adversarial and could reduce ISPs’ incentives to share information and cooperate.”^[26] Heavy-handed regulation or threatening legal liability schemes could have the unintended consequence of discouraging the sort of cooperation that today alleviates security problems swiftly.

Indeed, there is evidence that existing cybersecurity law prevents defensive strategies that could help organizations to more quickly respond to system infiltrations. For example, some argue that private individuals and organizations should be allowed to defend themselves using special measures to expel or track system infiltrators, often called “hacking back” or “active defense.” Anthony Glosson’s analysis for the Mercatus Center discusses how the Computer Fraud and Abuse Act currently prevents computer security specialists from utilizing defensive hacking techniques that could improve system defenses or decrease the number of attempted attacks.[27]

Third, legal solutions are less effective because “the direct costs of going to court can be substantial, as can be the time associated with a trial,” Dourado argues.^[28] By contrast, private actors working cooperatively “do not need to go to court to enforce security norms,” meaning that “security concerns are addressed quickly or punishment . . . is imposed rapidly.”^[29] For example, if security warnings don’t work, ISPs can “punish” negligent or willfully insecure networks by “de-peering,” or terminating network interconnection agreements. The very threat of de-peering helps keep network operators on their toes.

Finally, and perhaps most importantly, Dourado notes that international cooperation between state-based legal systems is limited, complicated, and costly. By contrast, under today’s informal, voluntary approach to online security, international coordination and cooperation are quite strong. The CSIRTs and other security institutions and researchers mentioned above all interact and coordinate today as if national borders did not exist. Territorial legal system and liability regimes don’t have the same advantage; enforcement ends at the border.

Dourado’s model has ramifications for other fields of tech policy. Indeed, as noted above, these collaborative efforts and approaches are already at work in the realms of online safety and digital privacy. Countless organizations and individuals collaborate on educational initiatives to improve online safety and privacy. And many industry and nonprofit groups have established industry best practices and codes of conduct to ensure a safer and more secure online experience for all users. The efforts of the Family Online Safety Institute were discussed above. Another example comes from the Future of Privacy Forum, a privacy think tank that seeks to advance responsible data practices. The think tank helps create codes of conduct to ensure privacy best practices by online operators and also helps highlight programs run by other organizations.^[30] Likewise, the National Cyber Security Alliance helps promote Internet safety and security efforts among a variety of companies and coordinates National Cyber Security Awareness Month (every October) and Data Privacy Day (held annually on January 28).^[31]

What these efforts prove is that not every complex social problem requires a convoluted legal regime or heavy-handed regulatory response. We can achieve reasonably effective safety and security without layering on more and more law and regulation.^[32] Indeed, the Internet and digital systems could arguably be made more secure by reforming outdated legislation that prevents potential security-increasing collaborations. “Dynamic systems are not merely turbulent,” Postrel notes. “They respond to the desire for security; they just don’t do it by stopping experimentation.”^[33] She adds, “Left free to innovate and to learn, people find ways to create security for themselves. Those creations, too, are part of dynamic systems. They provide personal and social resilience.”^[34]

Education is a crucial part of building resiliency in the security context as well. People and organizations can prepare for potential security problems rationally if given even more information and better tools to secure their digital systems and to understand how to cope when problems arise. Again, many corporations and organizations already take steps to guard against malware and other types of cyberattacks by offering customers free (or cheap) security software. For example, major broadband operators offer free antivirus software to customers and various parental control tools to parents. In the context of “connected car” technology, automakers have banded together to come up with privacy and security best practices to address worries about remote hacking of cars as well as concerns about how much data they collect about our driving habits.[35]

Thus, although it is certainly true that “more could be done” to secure networks and critical systems, panic is unwarranted because much is already being done to harden systems and educate the public about risks.^[36] Various digital attacks will continue, but consumers, companies, and others organizations are learning to cope and become more resilient in the face of those threats through creative “bottom-up” solutions instead of innovation-limiting “top-down” regulatory approaches.

[1]    This section partially adapted from Adam Thierer, “Achieving Internet Order without Law,” Forbes, June 24, 2012, http://www.forbes.com/sites/adamthierer/2012/06/24/achieving-internet-order-without-law. The author wishes to thank Andrea Castillo for major contributions to this section.

[2]    See Richard A. Serrano, “Cyber Attacks Seen as a Growing Threat,” Los Angeles Times, February 11, 2011, A18. (“[T]he potential for the next Pearl Harbor could very well be a cyber attack.”)

[3]    Harry Raduege, “Deterring Attackers in Cyberspace,” The Hill, September 23, 2011, 11, http://thehill.com/opinion/op-ed/183429-deterring-attackers-in-cyberspace.

[4]    Kurt Nimmo, “Former CIA Official Predicts Cyber 9/11,” InfoWars.com, August 4, 2011, http://www.infowars.com/former-cia-official-predicts-cyber-911.

[5]    Rodney Brown, “Cyber Bombs: Data-Security Sector Hopes Adoption Won’t Require a ‘Pearl Harbor’ Moment,” Innovation Report, October 26, 2011, 10, http://digital.masshightech.com/launch.aspx?referral=other&pnum=&refresh=6t0M1Sr380Rf&EID=1c256165-396b-454f-bc92-a7780169a876&skip=; Craig Spiezle, “Defusing the Internet of Things Time Bomb,” TechCrunch, August 11, 2015, http://techcrunch.com/2015/08/10/defusing-the-internet-of-things-time-bomb.

[6]    “Morning Edition: Cybersecurity Bill: Vital Need or Just More Rules?” NPR, March 22, 2012, http://www.npr.org/templates/transcript/transcript.php?storyId=149099866.

[7]    Jerry Brito and Tate Watkins, “Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy” (Mercatus Working Paper No. 11-24, Mercatus Center at George Mason University, Arlington, VA, 2011).

[8]    Jane K. Cramer and A. Trevor Thrall, “Introduction: Understanding Threat Inflation,” in American Foreign Policy and the Politics of Fear: Threat Inflation Since 9/11, ed. A. Trevor Thrall and Jane K. Cramer (London: Routledge, 2009), 1.

[9]    Tufekci, “Dumb Idea”; Byron Acohido, “Hackers Take Control of Internet Appliances,” USA Today, October 15, 2013, http://www.usatoday.com/story/cybertruth/2013/10/15/hackers-taking-control-of-internet-appliances/2986395.

[10]   Ed Markey, Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk, US Senate, February 2015, http://www.markey.senate.gov/imo/media/doc/2015-02-06_MarkeyReport-Tracking_Hacking_CarSecurity%202.pdf.

[11]   Ed Markey, “Markey, Blumenthal to Introduce Legislation to Protect Drivers from Auto Security and Privacy Vulnerabilities with Standards and ‘Cyber Dashboard,’” press release, February 11, 2015, http://www.markey.senate.gov/news/press-releases/markey-blumenthal-to-introduce-legislation-to-protect-drivers-from-auto-security-and-privacy-vulnerabilities-with-standards-and-cyber-dashboard.

[12]   Andrea Castillo, “How CISA Threatens Both Privacy and Cybersecurity,” Reason, May 10, 2015, https://reason.com/archives/2015/05/10/why-cisa-wont-improve-cybersecurity.

[13]   Eli Dourado and Andrea Castillo, “Poor Federal Cybersecurity Reveals Weakness of Technocratic Approach” (Mercatus Working Paper, Mercatus Center at George Mason University, Arlington, VA, June 22, 2015), http://mercatus.org/publication/poor-federal-cybersecurity-reveals-weakness-technocratic-approach.

[14]   Eli Dourado, “Internet Security without Law: How Security Providers Create Online Order” (Mercatus Working Paper No. 12-19, Mercatus Center at George Mason University, Arlington, VA, June 19, 2012), http://mercatus.org/publication/internet-security-without-law-how-service-providers-create-order-online.

[15]   Ibid.

[16]   Charlie Miller, “The Legitimate Vulnerability Market: Inside the Secretive World of 0-day Exploit Sales,” Independent Security Evaluators, May 6, 2007, http://www.econinfosec.org/archive/weis2007/papers/29.pdf.

[17]   Andrea Castillo, “The Economics of Software-Vulnerability Sales: Can the Feds Encourage ‘Pro-social’ Hacking?” Reason, August 11, 2015, https://reason.com/archives/2015/08/11/economics-of-the-zero-day-sales-market.

[18]   Roger Grimes, “The Cyber Crime Tide Is Turning,” Infoworld, August 9, 2011, http://www.pcworld.com/article/237647/the_cyber_crime_tide_is_turning.html.

[19]   Dourado, “Internet Security.”

[20]   Anthony D. Glosson, “Active Defense: An Overview of the Debate and a Way Forward,” (Mercatus Working Paper, Mercatus Center at George Mason University, Arlington, VA, August 10, 2015), http://mercatus.org/publication/active-defense-overview-debate-and-way-forward-guardians-of-peace-hackers-cybersecurity.

[21]   http://stopbadware.org.

[22]   https://www.iamthecavalry.org.

[23]   Andrea Castillo, “The Government’s Latest Attempt to Stop Hackers Will Only Make Cybersecurity Worse,” Reason, July 28, 2015, https://reason.com/archives/2015/07/28/gov-ploy-to-stop-hackers-will-backfire.

[24]   Russell Brandom, “The US is Rewriting its Controversial Zero-Day Export Policy,” The Verge, July 29, 2015, http://www.theverge.com/2015/7/29/9068665/wassenaar-export-zero-day-revisions-department-of-commerce.

[25]   Dourado, “Internet Security.”

[26]   Ibid.

[27]   Glosson, “Active Defense.”

[28]   Dourado, “Internet Security.”

[29]   Dourado, “Internet Security.”

[30]   Future of Privacy Forum, “Best Practices,” http://www.futureofprivacy.org/resources/best-practices/.

[31]   See http://www.staysafeonline.org/ncsam and http://www.staysafeonline.org/data-privacy-day.

[32]   Glosson, “Active Defense,” 22. (“The precautionary principle is especially inadvisable in the dynamic realm of tech policy, and until the ostensible harms of active defense materialize, the law should facilitate maximum innovation in the network security field.”)

[33]   Postrel, Future and Its Enemies, at 199.

[34]   Ibid., 202.

[35]   See Future of Privacy Forum, “Connected Cars Project,” accessed October 16, 2015, http://www.futureofprivacy.org/connectedcars; Auto Alliance, “Automakers Believe That Strong Consumer Data Privacy Protections Are Essential to Maintaining the Trust of Our Customers,” accessed October 16, 2015, http://www.autoalliance.org/automotiveprivacy. See also Future of Privacy Forum, “Comments of the Future of Privacy Forum on Connected Smart Technologies in Advance of the FTC ‘Internet of Things’ Workshop,” May 31, 2013, http://www.futureofprivacy.org/wp-content/uploads/FPF-Comments-Regarding-Internet-of-Things.pdf.

[36]   Adam Thierer, “Don’t Panic over Looming Cybersecurity Threats,” Forbes, August 7, 2011, http://www.forbes.com/sites/adamthierer/2011/08/07/dont-panic-over-looming-cybersecurity-threats.

On the whiteboard that hangs in my office, I have a giant matrix of technology policy issues and the various policy “threat vectors” that might end up driving regulation of particular technologies or sectors. Along with my colleagues at the Mercatus Center’s Technology Policy Program, we constantly revise this list of policy priorities and simultaneously make an (obviously quite subjective) attempt to put some weights on the potential policy severity associated with each threat of intervention. The matrix looks like this: [Sorry about the small fonts. You can click on the image to make it easier to see.]

I use 5 general policy concerns when considering the likelihood of regulatory intervention in any given area. Those policy concerns are:

1. privacy (reputation issues, fear of “profiling” & “discrimination,” amorphous psychological / cognitive harms);
2. safety (health & physical safety or, alternatively, child safety and speech / cultural concerns);
3. security (hacking, cybersecurity, law enforcement issues);
4. economic disruption (automation, job dislocation, sectoral disruptions); and,
5. intellectual property (copyright and patent issues).

I realize that some of these five categories could be sub-divided and refined. I also understand that these five groupings may not encapsulate the full range of potential policy issues out there, but I’ve tried to avoid having too many categories to keep this as conceptually tidy as is possible. However, I might need to add a separate category for civil rights and disabilities-related policy issues eventually. Likewise, “psychological considerations” might deserve its own category because they do not necessarily perfectly fit into either the privacy or safety buckets right now, even though that’s where I have them currently. For example, some privacy activists call for regulation of “big data” and large databases based on fears about how all that data collection makes people feel about themselves. I consider that a privacy-related concern now, but you could imagine that being in a separate category. Meanwhile, there’s long been calls to regulate various types of media content (music, movies, video games, online porn, etc) based on the psychological impact they have on children. Those “media effects” theories have always been considered a child safety issue, which is where I currently have them slotted, but they could probably be its own category that also included concerns about distraction and addiction (which could come to haunt VR technologies in the future).

Anyway, my colleagues and I use this current matrix to help us determine what we should be paying more attention to and what sort of scholarly outputs are needed to address regulatory threats on each front. Generally speaking, this is the portfolio of issues I try to stay on top of full-time at Mercatus as part of our ongoing “Permissionless Innovation” project.

Several people who have seen that matrix in my office tell me I should do something more with it, but I’m not really sure what that something would be. In any event, I thought it might make sense to post it here to give others a feel for the current set of emerging tech policy issues that interest us at Mercatus. I will try to upload new versions of the matrix as that giant whiteboard in my office morphs over time and the list of technologies and regulatory threats changes or grows.

Incidentally, I am often asked to explain the relative weights I’ve assigned to each potential regulatory threat, so I will try to justify some of those rankings here briefly. (Again, it’s all quite subjective and I’m always open to hearing the case for tweaking the rankings.)

• Big Data / Online Marketing / the Internet of Things (IoT): Privacy is the #1 policy threat for these sectors. From a public policy perspective, what unifies these technologies is a growing concern about how expanding private sector data collection efforts could affect our privacy or reputations. We’ve already seen a flurry of legislative and regulatory activity here in the U.S. aimed at placing restrictions on data collection or use. And it goes without saying that other countries, especially in Europe, already impose a wide variety of controls on data collection in the name of privacy protection. There also exists a variety of closely-related security concerns here. But the rise of IoT technologies have introduced safety concerns into the mix in a major way, too. That’s especially true because of the large number of Big Data services and IoT devices that are health and medical related.  Taken together, this is the issue set I spend the majority of my time covering because the privacy and security implications of a data-driven economy already occupies the attention of countless regulatory activists and public policymakers across the globe. I think that will continue to be the case for many years to come.
• Robotics: Safety concerns tend to be the biggest driver of calls for regulation of robotic and autonomous technology. For example, new laws and regulations are already being proposed for driverless cars based on fears about the hacking of connected vehicles. And commercial drones attract policy attention based on safety-related concerns such as whether a drone could strike an airplane, or even just fall on our heads. Proposals have been floated to mandate the equivalent of DRM for drones, which would force drone innovators to embed federally-approved technological controls into their systems designating where they are allowed to fly. Even if most of these concerns are overstated or are currently being dealt with, we can expect more safety-related policy proposals for robotic tech in coming years.  Economic concerns would be a close second here due to the increasing worry that robots will eat all our jobs. At least so far, however, that concern has tended to be more of an academic nature rather than a public policy consideration. And it remains unclear what the policy prescription would be in this regard without becoming a neo-Luddite, “smash-the-machines” sort of proposal. That could change in coming years, however. It all depends on the labor market situation over time. Meanwhile, academics are floating the idea of a Federal Robotics Commission to provide greater policy “expertise” in the form of yet another technocratic Beltway bureaucracy.
• Additive manufacturing / 3D printing: Safety is probably the #1 concern here, although depending on what type of 3D-printed object we are talking about, it could be the case that intellectual property concerns will be a bigger driver of calls for regulatory intervention. A lot of the policy-related concerns around 3D printing today are being driven by worries over things like 3D-printed guns. That’s mostly a safety concern, of course. But it we are talking about the replication of branded commercial objects (3D-printed toys or other things, for example), then IP tends to be the bigger concern. The question of product liability also looms large here and it remains unclear how claims might be sorted out when there are fewer large, deep-pocketed intermediaries to go after in a world of decentralized production. Hopefully, those liability norms will be left to the courts and common law to sort out over time, but I wouldn’t be surprised to see more calls for preemptive legislative interventions here in both directions: i.e., some will call legislators to impose greater liability on certain parties while others will push to immunize intermediaries from punishing forms of liability for the downstream actions of others (like a Sec. 230 norm for 3D printing).
• Medical tech innovation: It goes without saying that traditional safety concerns will drive policy for advanced medical technologies, just as they have for earlier drugs, devices, and treatments. As software continues to “eat the world” and invade the world of health and medicine, regulators are increasingly going to be trying to figure out how to pigeonhole new technologies into old regulatory constructs. That’s why I have been watching how the FDA continues to deal with 3D-printed prosthetics and mobile medical apps on our smartphones. Eventually, the continuing decentralized democratization of 3D printing (driven by rapidly falling costs) will collide with old medical device regulatory realities and a century’s worth of FDA command-and-control style regulation. Oh my, what a fight that will be! And then chemical printers will become more widespread and this issue will get even more intense. The policy fight here is even more interesting because of all the thorny ethical issues pertaining to the rise of embeddable technology, biohacking, and genome innovation. I have a feeling that my policy portfolio will shift rapidly in this direction in coming years as the modern info-tech revolution spreads to the world of medicine and health. I already have two new papers coming out on these issues in the next few weeks.
• Sharing economy: Economic disruption is clearly the big policy issue here. Specifically, many policymakers and incumbent industries aren’t very happy about new entrants coming into their sectors and offering consumers services without strictly complying with traditional regulations. But safety issues often pop up in these debates when regulators or advocates claim we can’t trust sharing economy operators. What’s particularly interesting about this space is how these policy battles are playing out at almost every level of government: federal, state, local, and international. At least thus far, sharing economy innovators tend to be winning most of those battles. But the fight continues.
• Crypto & Bitcoin: I think safety would probably be the biggest issue here, in the sense that policymakers fear a world of unregulated crypto and decentralized blockchain applications are a world in which the “bad guys” will be able to use those technologies to harm the public in some fashion. We’ve heard this all before, of course, but (going all the way back to the Clipper Chip wars) you can always bank on law enforcement officials resorting to Chicken Little claims about terrorists and child predators thriving in a world of unregulated crypto. In many ways, this is the most important of all these policy fights because if the government can regulate crypto and blockchain technologies, it severely undermines the fabric of almost all the other technologies and platforms discussed herein. This is why the current debate over government-mandated “backdoors” is so important; it has profound ramifications for every other tech regulation debate that follows.
• Immersive Tech (VR and augmented reality): This is an amorphous and evolving area that I am getting increasingly interested in, but the policy issues here have yet to come into clear focus. However, when Google Glass was launched, there was a brief technopanic of sorts over its privacy and security ramifications. Those concerns have subsided a bit as Google Glass has seemingly faded away (probably because of its high price point more than because of its privacy concerns), but I suspect that future iterations of augmented reality technologies will raise similar concerns. That will especially be true as more sophisticated biometric (and facial recognition) capabilities are integrated into them. Academics are already wondering how to enforce “notice and consent” privacy norms and rules in a world where everyone is wearing miniature body cams and heads-up displays in their sunglasses. I’m not sure it’s even possible, but that debate will continue and include all sorts of calls for technological controls. OK, that’s augmented reality, but what about virtual reality technologies? I think safety concerns could drive some policy proposals as critics grow concerned about the psychological implications of people (especially kids) spending more and more time in immersive virtual worlds. In that sense, we might see a replay of the earlier debate over violent video games and/or video game addition. But it remains to be seen.

Incidentally, I use this matrix and provide more context to it in my big presentation on “Permissionless Innovation & the Clash of Visions over Emerging Technologies.” [It’s embedded below.] And I discuss most of these issues in more detail in my book, Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom. I am in the process of finishing up the second edition of that book and will be expanding the case studies about the issues discussed above. Finally, I discussed many of these policy threats during my recent appearance on the Andreessen Horowitz podcast.

Update 10/2/15: For another take on various new technology trends and the potential policy issues they raise, check out this report from the World Economic Forum, Deep Shift: Technology Tipping Points and Societal Impact. The WEF report identifies 21 technology “shifts” and then groups them into six “mega-trend” categories. Almost all these issues are on my matrix above, but the WEF report provides some nice additional context on why each technology trend will be so disruptive.

by Adam Thierer & Andrea Castillo

Cybersecurity policy is a big issue this year, so we thought it be worth reminding folks of some contributions to the literature made by Mercatus Center-affiliated scholars in recent years. Our research, which can be found here, can be condensed to these five core points:

1)         Institutions, societies, and economies are more resilient than we give them credit for and can deal with adversity, even cybersecurity threats.

See: Sean Lawson, “Beyond Cyber-Doom: Assessing the Limits of Hypothetical Scenarios in the Framing of Cyber-Threats,” December 19, 2012.

2)         Companies and organizations have a vested interest in finding creative solutions to these problems through ongoing experimentation and they are pursing them with great vigor.

See: Eli Dourado, “Internet Security Without Law: How Service Providers Create Order Online,” June 19, 2012.

3)         Over-arching, top-down “cybersecurity frameworks” threaten to undermine dynamism in cybersecurity and Internet governance, and could promote rent-seeking and corruption. Instead, the government should foster continued dynamic cybersecurity efforts through the development of a robust private-sector cybersecurity insurance market.

See: Eli Dourado and Andrea Castillo, “Why the Cybersecurity Framework Will Make Us Less Secure,” April 17, 2014.

4)         The language sometimes used to describe cybersecurity threats sometimes borders on “techno-panic” rhetoric that is based on “threat inflation.

See the Lawson paper already cited as well as: Jerry Brito & Tate Watkins “Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy,” April 10, 2012; and Adam Thierer, “Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle,” January 25, 2013.

5)         Finally, taking these other points into account, our scholars have conclude that academics and policymakers should be very cautious about how they define “market failure” in the cybersecurity context. Moreover, to the extent they propose new regulatory controls to address perceived problems, those rules should be subjected to rigorous benefit-cost analysis.

See: Eli Dourado, “Is There a Cybersecurity Market Failure,” January 23, 2012.

Developing cybersecurity policies—like the White House’s “Securing Cyberspace” proposal and the Senate Intelligence Committee’s risen-from-the-grave Cybersecurity Information Sharing Act (CISA) of 2015—prioritize government-led “information-sharing” among federal agencies and private organizations as a one-stop technocratic solution to the dynamic problem of cybersecurity provision. But, as Eli and Andrea pointed out in a Mercatus chart series from this year, the federal government’s own success with internal information-sharing policies has been abysmal for decades.

The Federal Information Security Management Act of 2002 compelled federal investment in IT security infrastructure along with internal information-sharing of system breaches and proactive responses among agencies. Apparently, this has not worked like a charm. The chart shows that reported federal breaches have risen by over 1000% since 2006 despite spending billions of dollars on agency systems and information sharing capabilities over the same time.

Many of the same agencies who would be imbued with power to coordinate information-sharing among private and government entities through CISA and other cybersecurity proposals were responsible for coordinating threat-sharing on the federal level. These are the National Institute of Standards and Technology (NIST), the Office of Management and Budget (OMB), and the Department of Homeland Security (DHS). Are we to believe these bodies will become magically efficient once they have more power to cajole the private sector?

Government Accountability Office (GAO) reports analyzing the failure of federal information security practices and threat coordination find that the technocratic solutions that look so perfectly rational and controlled on paper break down when imposed from above on employees that have no buy-in. The report concludes, “As we and inspectors general have long pointed out, federal agencies continue to face challenges in effectively implementing all elements of their information security programs.” Repeating the same failed policies in the private sector is unlikely to result in success.

Cybersecurity provision is too important of an issue to be left to brittle, technocratic policies with proven track records of failure. Rather, good cybersecurity policy will be grounded in an understanding of the incentives and norms that have allowed the Internet to develop and thrive as the system that it is today to target specific sources of failure.

Industry analyses find again and again that with cybersecurity, the problem exists between chair and keyboard—“human error,” not insufficient government meddling, is responsible for the vast majority of cyber incidents. Introducing more error-prone humans to the equation, as government cybersecurity plans seek to do, will only complicate the problem while neglecting the underlying factors that need addressing.

Cybersecurity will be an issue we continue to cover closely at the Mercatus Center Technology Policy Program.

Originally posted at Medium.

The federal government is not about to allow last year’s rash of high-profile security failures of private systems like Home Depot, JP Morgan, and Sony Entertainment to go to waste without expanding its influence over digital activities.

I’ve spent much of the past year studying the potential public policy ramifications associated with the rise of the Internet of Things (IoT). As I was preparing some notes for my Jan. 6th panel discussing on “Privacy and the IoT: Navigating Policy Issues” at this year’s 2015 CES show, I went back and collected all my writing on IoT issues so that I would have everything in one place. Thus, down below I have listed most of what I’ve done over the past year or so. Most of this writing is focused on the privacy and security implications of the Internet of Things, and wearable technologies in particular.

I plan to stay on top of these issues in 2015 and beyond because, as I noted when I spoke on a previous CES panel on these issues, the Internet of Things finds itself at the center of what we might think of a perfect storm of public policy concerns: Privacy, safety, security, intellectual property, economic / labor disruptions, automation concerns, wireless spectrum issues, technical standards, and more. When a new technology raises one or two of these policy concerns, innovators in those sectors can expect some interest and inquiries from lawmakers or regulators. But when a new technology potentially touches all of these issues, then it means innovators in that space can expect an avalanche of attention and a potential world of regulatory trouble. Moreover, it sets the stage for a grand “clash of visions” about the future of IoT technologies that will continue to intensify in coming months and years.

That’s why I’ll be monitoring developments closely in this field going forward. For now, here’s what I’ve done on this issue as I prepare to head out to Las Vegas for another CES extravaganza that promises to showcase so many exciting IoT technologies.

• essay: “A Nonpartisan Policy Vision for the Internet of Things,” December 11, 2014.
• slide presentation: “Policy Issues Surrounding the Internet of Things & Wearable Technology,” September 12, 2014.
• law review article: “The Internet of Things and Wearable Technology Addressing Privacy and Security Concerns without Derailing Innovation,” November 2014.
• essay: “CES 2014 Report: The Internet of Things Arrives, but Will Washington Welcome It?” January 8, 2014.
• essay: “The Growing Conflict of Visions over the Internet of Things & Privacy,” January 14, 2014.
• oped: “Can We Adapt to the Internet of Things?” IAPP Privacy Perspectives, June 19, 2013
• agency filing: My Filing to the FTC in its ‘Internet of Things’ Proceeding, May 31, 2013
• book: Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom, 2014.
• video: Cap Hill Briefing on Emerging Tech Policy Issues, June 2014.
• essay: “What’s at Stake with the FTC’s Internet of Things Workshop,” November 18, 2013.
• law review article: “Removing Roadblocks to Intelligent Vehicles and Driverless Cars,” September 16, 2014.

2014 was quite the year for high-profile hackings and puffed-up politicians trying to out-ham each other on who is tougher on cybercrime. I thought I’d assemble some of the year’s worst hits to ring in 2015.

In no particular order:

Home Depot: The 2013 Target breach that leaked around 40 million customer financial records was unceremoniously topped by Home Depot’s breach of over 56 million payment cards and 53 million email addresses in July. Both companies fell prey to similar infiltration tactics: the hackers obtained passwords from a vendor of each retail giant and exploited a vulnerability in the Windows OS to install malware in the firms’ self-checkout lanes that collected customers’ credit card data. Millions of customers became vulnerable to phishing scams and credit card fraud—with the added headache of changing payment card accounts and updating linked services. (Your intrepid blogger was mysteriously locked out of Uber for a harrowing 2 months before realizing that my linked bank account had changed thanks to the Home Depot hack and I had no way to log back in without a tedious customer service call. Yes, I’m still miffed.)

The Fappening: 2014 was a pretty good year for creeps, too. Without warning, the prime celebrity booties of popular starlets like Scarlett Johansson, Kim Kardashian, Kate Upton, and Ariana Grande mysteriously flooded the Internet in the September event crudely immortalized as “The Fappening.” Apple quickly jumped to investigate its iCloud system that hosted the victims’ stolen photographs, announcing shortly thereafter that the “celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions” rather than any flaw in its system. The sheer volume produced and caliber of icons violated suggests this was not the work of a lone wolf, but a chain reaction of leaks collected over time triggered by one larger dump. For what it’s worth, some dude on 4chan claimed the Fappening was the product of an “underground celeb n00d-trading ring that’s existed for years.” While the event prompted a flurry of discussion about online misogyny, content host ethics, and legalistic tugs-of-war over DMCA takedown requests, it unfortunately did not generate a productive conversation about good privacy and security practices like I had initially hoped.

The Snappening: The celebrity-targeted Fappening was followed by the layperson’s “Snappening” in October, when almost 100,000 photos and 10,000 personal videos sent through the popular Snapchat messaging service, some of them including depictions of underage nudity, were leaked online. The hackers did not target Snapchat itself, but instead exploited a third-party client called SnapSave that allowed users to save images and videos that would normally disappear after a certain amount of time on the Snapchat app. (Although Snapchat doesn’t exactly have the best security record anyways: In 2013, contact information for 4.6 million of its users were leaked online before the service landed in hot water with the FTC earlier this year for “deceiving” users about their privacy practices.) The hackers received access to 13GB library of old Snapchat messages and dumped the images on a searchable online directory. As with the Fappening, discussion surrounding the Snappening tended to prioritize scolding service providers over promoting good personal privacy and security practices to consumers.

Las Vegas Sands Corp.:  Not all of these year’s most infamous hacks sought sordid photos or privateering profit. 2014 also saw the rise of the revenge hack. In February, Iranian hackers infiltrated politically-active billionaire Sheldon Adelson’s Sands Casino not for profit or data, but for pure punishment. Adelson, a staunchly pro-Israel figure and partial owner of many Israeli media companies, drew intense Iranian ire after fantasizing about detonating an American nuclear warhead in the Iranian desert as a threat during his speech at Yeshiva University. Hackers released crippling malware into the Sands IT infrastructure early in the year, which proceeded to shut down email services, wipe hard drives clean, and destroy thousands of company computers, laptops, and expensive servers. The Sands website was also hacked to display “a photograph of Adelson chumming around with [Israeli Prime Minister] Netanyahu,” along with the message “Encouraging the use of Weapons of Mass Destruction, UNDER ANY CONDITION, is a Crime,” and a data dump of Sands employees’ names, titles, email addresses, and Social Security numbers. Interestingly, Sands was able to contain the damage internally so that guests and gamblers had no idea of the chaos that was ravaging casino IT infrastructure. Public knowledge of the hack did not serendipitously surface until early December, around the time of the Sony hack. It is possible that other large corporations have suffered similar cyberattacks this year in silence.

JP Morgan: You might think that one of the world’s largest banks would have security systems that are near impossible to crack. This was not the case at JP Morgan. From June to August, hackers infiltrated JP Morgan’s sophisticated security system and siphoned off massive amounts of sensitive financial data. The New York Times reports that “the hackers appeared to have obtained a list of the applications and programs that run on JPMorgan’s computers — a road map of sorts — which they could crosscheck with known vulnerabilities in each program and web application, in search of an entry point back into the bank’s systems, according to several people with knowledge of the results of the bank’s forensics investigation, all of whom spoke on the condition of anonymity.” Some security experts suspect that a nation-state was ultimately behind the infiltration due to the sophistication of the attack and the fact that the hackers neglected to immediately sell or exploit the data or attempt to steal funds from consumer accounts. The JP Morgan hack set off alarm bells among influential financial and governmental circles since banking systems were largely considered to be safe and impervious to these kinds of attacks.

Sony: What a tangled web this was! On November 24, Sony employees were greeted by the mocking grin of a spooky screen skeleton informed they had been “Hacked by the #GOP” and that there was more to come. It was soon revealed that Sony’s email and computer systems had been infiltrated and shut down while some 100 terabytes of data had been stolen. The hackers proceeded to leak embarrassing company information, including emails in which executives made racial jokes, compensation data revealing a considerable gender wage disparity, and unreleased studio films like Annie and Mr. Turner. We also learned about “Project Goliath,” a conspiracy among the MPAA, Sony, and five other studios (Universal, Sony, Fox, Paramount, Warner Bros., and Disney) to revise the spirit of SOPA and attack piracy on the web “by working with state attorneys general and major ISPs like Comcast to expand court power over the way data is served.” (Goliath was their not-exactly-subtle codeword for Google.) Somewhere along the way, a few folks got wild notions that North Korea was behind this attack because of the nation’s outrage at the latest Rogen romp, The Interview. Most cybersecurity experts doubt that the hermit nation was behind the attack, although the official KCNA statement enthusiastically “supports the righteous deed.” The absurdity of the official narrative did not prevent most of our world-class journalistic and political establishment from running with the story and beating the drums of cyberwar. Even the White House and FBI goofed. The FBI and State Department still maintain North Korean culpability, even as research compiled by independent security analysts points more and more to a collection of disgruntled former Sony employees and independent lulz-seekers. Troublingly, the Obama administration publicly entertained cyberwar countermeasures against the troubled communist nation on such slim evidence. A few days later, the Internet in North Korea was mysteriously shut down. I wonder what might have caused that? Truly a mess all around.

LizardSquad: Speaking of Sony hacks, the spirit of LulzSec is alive in LizardSquad. On Christmas day, the black hat collective knocked out Sony’s Playstation network and Microsoft’s Xbox servers with a massive distributed denial of service (DDoS) attack to the great vengeance and furious anger of gamers avoiding family gatherings across the country. These guys are not your average script-kiddies. NexusGuard chief scientist Terrence Gareu warns the unholy lizards boast an artillery that far exceeds normal DDoS attacks. This seems right, given the apparent difficulty that giants Sony and Microsoft had in responding to the attacks. For their part, LizardSquad claims the strength of their attack exceeded the previous record against Cloudflare this February. Megaupload Internet lord Kim Dotcom swooped to save gamers’ Christmas festivities with a little bit of information age, uh, “justice.” The attacks were allegedly called off after Dotcom offered the hacking collective 3,000 Mega vouchers (normally worth $99 each) for his content hosting empire if they agreed to cease. The FBI is investigating the lizards for the attacks. LizardSquad then turned their attention to the TOR network, creating thousands of new relays and comprising a worrying portion of the network’s roughly 8,000 relays in an effort to unmask users. Perhaps they mean to publicize the networks’ vulnerabilities? The group’s official Twitter bio reads, “I cry when Tor deserves to die.” Could this be related to the recent Pando–Tor drama that reinvigorated skepticism of Tor? As with any online brouhaha involving clashing numbers of privacy-obsessed computer whizzes with strong opinions, this incident has many hard-to-read layers (sorry!). While the Tor campaign is still developing, LizardSquad has been keeping busy with it’s newly-launched Lizard Stresser, a distributed DDoS tool that anyone can use for a small fee. These lizards appear very intent on making life as difficult as possible for the powerful parties they’ve identified as enemies and will provide some nice justifications for why governments need more power to crack down on cybercrime.

What a year! I wonder what the next one will bring.

One sure bet for 2015 is increasing calls for enhanced regulatory powers. Earlier this year, Eli and I wrote a Mercatus Research paper explaining why top-down solutions to cybersecurity problems can backfire and make us less secure. We specifically analyzed President Obama’s developing Cybersecurity Framework, but the issues we discuss apply to other rigid regulatory solutions as well. On December 11, in the midst of North Korea’s red herring debut in the Sony debacle, the Senate passed the Cybersecurity Act of 2014, which contains many of the same principles outlined in the Framework. The Act, which still needs House approval, strengthens the Department of Homeland Security’s role in controlling cybersecurity policy by directing DHS to create industry cybersecurity standards and begin routine information-sharing with private entities.

Ranking Member of the Senate Homeland Security Committee, Tom Coburn, had this to say: “Every day, adversaries are working to penetrate our networks and steal the American people’s information at a great cost to our nation. One of the best ways that we can defend against cyber attacks is to encourage the government and private sector to work together and share information about the threats we face. ”

While the problems of poor cybersecurity and increasing digital attacks are undeniable, the solutions proposed by politicians like Coburn are dubious. The federal government should probably try to get its own house in order before it undertakes to save the cyberproperties of the nation. The Government Accountability Office reports that the federal government suffered from almost 61,000 cyber attacks and data breaches last year. The DHS itself was hacked in 2012,while a 2013 GAO report criticized DHS for poor security practices, finding that “systems are being operated without authority to operate; plans of action and milestones are not being created for all known information security weaknesses or mitigated in a timely manner; and baseline security configuration settings are not being implemented for all systems.” GAO also reports that when federal agencies develop cybersecurity practices like those encouraged in the Cybersecurity Framework or the Cybersecurity Act of 2014, they are inconsistently and insufficiently implemented.

Given the federal government’s poor track record managing its own system security, we shouldn’t expect miracles when they take a leadership role for the nation.

Another trend to watch will be the development of a more robust cybersecurity insurance market. The Wall Street Journal reports that 2014’s rash of hacking attacks stimulated sales of formerly-obscure cyberinsurance packages.

The industry had suffered in the past due to its novelty and lack of previous data to use to accurately price insurance packages. This year, demand has been sufficiently stimulated and actuaries have been familiar enough with the relevant risks that the practice has finally become mainstream. Policies can cover “the costs of [data breach] investigations, customer notifications and credit-monitoring services, as well as legal expenses and damages from consumer lawsuits” and “reimbursement for loss of income and extra expenses resulting from suspension of computer systems, and provide payments to cover recreation of databases, software and other assets that were corrupted or destroyed by a computer attack.” As the market matures, cybersecurity insurers may start more actively assessing firms’ digital vulnerabilities and recommend improvements to their systems in exchange for a lower premium payment, as is common in other insurance markets.

Still, nothing ever beats good old-fashioned personal responsibility. One of the easiest ways to ensure privacy and security for yourself online is to take the time to learn how to best protect yourself or your business by developing good habits, using the right services, and remaining conscientious about your digital activities. That’s my New Year’s resolution. I think it should be yours, too! :)

Happy New Year’s, all!

I’ve spent a lot of time here through the years trying to identify the factors that fuel moral panics and “technopanics.” (Here’s a compendium of the dozens of essays I’ve written here on this topic.) I brought all this thinking together in a big law review article (“Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle”) and then also in my new booklet, “Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom.”

One factor I identify as contributing to panics is the fact that “bad news sells.” As I noted in the book, “Many media outlets and sensationalist authors sometimes use fear-based tactics to gain influence or sell books. Fear mongering and prophecies of doom are always effective media tactics; alarmism helps break through all the noise and get heard.”

In line with that, I want to highly recommend you check out this excellent new oped by John Stossel of Fox Business Network on “Good News vs. ‘Pessimism Porn‘.”  Stossel correctly notes that “the media win by selling pessimism porn.” He says:

Are you worried about the future? It’s hard not to be. If you watch the news, you mostly see violence, disasters, danger. Some in my business call it “fear porn” or “pessimism porn.” People like the stuff; it makes them feel alive and informed. Of course, it’s our job to tell you about problems. If a plane crashes — or disappears — that’s news. The fact that millions of planes arrive safely is a miracle, but it’s not news. So we soak in disasters — and warnings about the next one: bird flu, global warming, potential terrorism. I won Emmys hyping risks but stopped winning them when I wised up and started reporting on the overhyping of risks. My colleagues didn’t like that as much.

He continues on to note how, even though all the data clearly proves that humanity’s lot is improving, the press relentlessly push the “pessimism porn.” He argues that “time and again, humanity survived doomsday. Not just survived, we flourish.” But that doesn’t stop the doomsayers from predicting that the sky is always set to fall. In particular, the press knows they can easily gin up more readers and viewers by amping up the fear-mongering and featuring loonies who will be all too happy to play the roles of pessimism porn stars. Of course, plenty of academics, activists, non-profit organizations and even companies are all too eager to contribute to this gloom-and-doom game since they benefit from the exposure or money it generates.

The problem with all this, of course, is that it perpetuates societal fears and distrust. It also sometimes leads to misguided policies based on hypothetical worst-case thinking. As I argue in my new book, which Stossel was kind enough to cite in his essay, if we spend all our time living in constant fear of worst-case scenarios—and premising public policy upon them—it means that best-case scenarios will never come about.

Facts, not fear, should guide our thinking about the future.

______________________

Related Reading:

• Journalists, Technopanics & the Risk Response Continuum (July 15, 2012)
• How & Why the Press Sometimes “Sells Digital Fear” (April 8, 2012)
• danah boyd’s “Culture of Fear” Talk (March 26, 2012)
• Prophecies of Doom & the Politics of Fear in Cybersecurity Debates (Aug. 8., 2011)
• Cybersecurity Threat Inflation Watch: Blood-Sucking Weapons! (March 22, 2012)

Andrea Castillo and I have a new paper out from the Mercatus Center entitled “Why the Cybersecurity Framework Will Make Us Less Secure.” We contrast emergent, decentralized, dynamic provision of security with centralized, technocratic cybersecurity plans. Money quote:

The Cybersecurity Framework attempts to promote the outcomes of dynamic cybersecurity provision without the critical incentives, experimentation, and processes that undergird dynamism. The framework would replace this creative process with one rigid incentive toward compliance with recommended federal standards. The Cybersecurity Framework primarily seeks to establish defined roles through the Framework Profiles and assign them to specific groups. This is the wrong approach. Security threats are constantly changing and can never be holistically accounted for through even the most sophisticated flowcharts. What’s more, an assessment of DHS critical infrastructure categorizations by the Government Accountability Office (GAO) finds that the DHS itself has failed to adequately communicate its internal categories with other government bodies. Adding to the confusion is the proliferating amalgam of committees, agencies, and councils that are necessarily invited to the table as the number of “critical” infrastructures increases. By blindly beating the drums of cyber war and allowing unfocused anxieties to clumsily force a rigid structure onto a complex system, policymakers lose sight of the “far broader range of potentially dangerous occurrences involving cyber-means and targets, including failure due to human error, technical problems, and market failure apart from malicious attacks.” When most infrastructures are considered “critical,” then none of them really are.

We argue that instead of adopting a technocratic approach, the government should take steps to improve the existing emergent security apparatus. This means declassifying information about potential vulnerabilities and kickstarting the cybersecurity insurance market by buying insurance for federal agencies, which experienced 22,000 breaches in 2012. Read the whole thing, as they say.

Here are a few Internet policy essays I collected over the past year which I thought were particularly well done and worth highlighting once more. They are listed in chronological order:

• L. Gordon Crovitz – “Silicon Valley’s ‘Suicide Impulse,'” Wall Street Journal, January 28. (“It’s a measure of how far Silicon Valley has strayed from its entrepreneurial roots that a top regulator is calling on technology companies to do less lobbying and more competing,” Crovitz argued. “Rather than lobby government to go after one another, Silicon Valley lobbyists should unite to go after overreaching government. Instead of the “suicide impulse” of lobbying for more regulation, Silicon Valley should seek deregulation and a long-overdue freedom to return to its entrepreneurial roots.”)
• John Gruber – “Open and Shut,” Daring Fireball, March 1. (An absolutely brutal evisceration of Tim Wu’s recent work.)
• R. U. Sirius – “Cypherpunk Rising: WikiLeaks, Encryption, and the Coming Surveillance Dystopia,” The Verge, March 7.
• Julian Sanchez – “A Reply to Epstein & Pilon on NSA’s Metadata Program,” Cato at Liberty, June 16. (A meticulous point-by-point takedown of an essay by Roger Pilon & Richard Epstein defending NSA’s online surveillance tactics.)
• Ethan Zuckerman – “Is Cybertopianism Really Such a Bad Thing?” Slate, June 17 (A “defense of believing that technology can do good.”)

• Jill Lepore – “The Prism: Privacy in an Age of Publicity,” New Yorker, June 24. (An examination of the evolution of privacy norms over the past 150 years. Lepore argued that “As a matter of historical analysis, the relationship between secrecy and privacy can be stated in an axiom: the defense of privacy follows, and never precedes, the emergence of new technologies for the exposure of secrets. In other words, the case for privacy always comes too late. The horse is out of the barn.”)
• Michael Nelson – ” Six Myths of Innovation Policy,” The European Institute Blog, July 2013. (An interesting examination of some myths about innovation policy with a discussion about how it impacts policy in both U.S. and E.U.)
• Daniel O’Connor – “Rent Seeking and the Internet Economy (Part 1): Why is the Internet So Frequently the Target of Rent Seekers?” DisCo blog, August 15. (Nice overview of what rent-seeking is and why it is increasing in the tech economy.)
• Bruce Schneier – “Our Decreasing Tolerance To Risk,” Forbes, August 23. (Good exploration of the psychology of risk by one of the great experts on the topic. It’s not strictly about information technology policy, but it has profound ramifications for it. He notes: “We need to relearn how to recognize the trade-offs that come from risk management, especially risk from our fellow human beings.  We need to relearn how to accept risk, and even embrace it, as essential to human progress and our free society.  The more we expect technology to protect us from people in the same way it protects us from nature, the more we will sacrifice the very values of our society in futile attempts to achieve this security.”)
• Clive Thompson – “Googling Yourself Takes on a Whole New Meaning,” New York Times Magazine, August 30, 2013. (I’d be hard-pressed to find a more gifted and insightful technology pundit than Clive Thompson and he delivers yet again in this interesting piece. My review of his excellent new book was published by Reason. Needless to say, I loved it.)
• Eli Noam – “Towards the Federated Internet,” InterMEDIA, Autumn 2013. (A provocative essay advocating for an “internet of internets” to replace the current unified global Internet. Noam argues that the time has come to abandon our slavish allegiance to the dream of a single, uniform global network and “we should instead think about a system of federated internets working together in some form of technological coexistence of interoperability.”)

And my vote for worst Internet policy essay of the year goes to Washington Post columnist Robert J. Samuelson for his astonishing essay, “Beware the Internet and the Danger of Cyberattacks,” in which he says, “If I could, I would repeal the Internet. It is the technological marvel of the age, but it is not — as most people imagine — a symbol of progress. Just the opposite. We would be better off without it.”  Where does one even begin with such logic?!  Well, I responded here.  [A close runner-up for the Worst of Year prize would be this essay by Benjamin Kunkel, “Socialize Social Media! A Manifesto.” But it’s so hard to take that essay seriously that it should probably just be disqualified from the competition entirely.]

Anyway, let me know some of your favorite (or even least favorite) Net policy essays of 2013. (And yes, I fully expect some of you to list some of my essays as candidates for Worst of Year honors!)

Last summer at an AEI-sponsored event on cybersecurity, NSA head General Keith Alexander made the case for information sharing legislation aimed at improving cybersecurity. His response to a question from Ellen Nakashima of the Washington Post (starting at 54:25 in the video at the link) was a pretty good articulation of how malware is identified and blocked using algorithmic signatures. In his longish answer, he made the pitch for access to key malware information for the purpose of producing real-time defenses.

What the antivirus world does is it maps that out and creates what’s called a signature. So let’s call that signature A. …. If signature A were to hit or try to get into the power grid, we need to know that signature A was trying to get into the power grid and came from IP address x, going to IP address y.

We don’t need to know what was in that email. We just need to know that it contained signature A, came from there, went to there, at this time.

…

[I]f we know it at network speed we can respond to it. And those are the authorities and rules and stuff that we’re working our way through.

…

[T]hat information sharing portion of the legislation is what the Internet service providers and those companies would be authorized to share back and forth with us at network speed. And it only says: signature A, IP address, IP address. So, that is far different than that email that was on it coming.

Now it’s intersting to note, I think—you know, I’m not a lawyer but you could see this—it’s interesting to note that a bad guy sent that attack in there. Now the issue is what about all the good people that are sending their information in there, are you reading all those. And the answer is we don’t need to see any of those. Only the ones that had the malware on it. Everything else — and only the fact that that malware was there — so you didn’t have to see any of the original emails. And only the ones that had the malware on it did you need to know that something was going on.

It might be interesting to get information about who sent malware, but General Alexander said he wanted to know attack signatures, originating IP address, and destination. That’s it.

Now take a look at what CISPA, the Cybersecurity Information Sharing and Protection Act (H.R. 624), allows companies to share with the government provided they can’t be proven to have acted in bad faith:

information directly pertaining to—

(i) a vulnerability of a system or network of a government or private entity or utility;

(ii) a threat to the integrity, confidentiality, or availability of a system or network of a government or private entity or utility or any information stored on, processed on, or transiting such a system or network;

(iii) efforts to deny access to or degrade, disrupt, or destroy a system or network of a government or private entity or utility; or

(iv) efforts to gain unauthorized access to a system or network of a government or private entity or utility, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network of a government or private entity or utility.

That’s an incredible variety of subjects. It can include vast swaths of data about Internet users, their communications, and the files they upload. In no sense is it limited to attack signatures and relevant IP addresses.

What is going on here? Why has General Alexander’s claim to need attack signatures and IP addresses resulted in legislation that authorizes wholesale information sharing and that immunizes companies who violate privacy in the process? One could only speculate. What we know is that CISPA is a vast overreach relative to the problem General Alexander articulated. The House is debating CISPA Wednesday and Thursday this week.

Marc Hochstein, Executive Editor of American Banker,  a leading media outlet covering the banking and financial services community, discusses bitcoin.

According to Hochstein, bitcoin has made its name as a digital currency, but the truly revolutionary aspect of the technology is its dual function as a payment system competing against companies like PayPal and Western Union. While bitcoin has been in the news for its soaring exchange rate lately, Hochstein says the actual price of bitcoin is really only relevant for speculators in the short-term; in the long-term, however, the anonymous, decentralized nature of bitcoin has far-reaching implications.

Hochstein goes on to talk about  the new market in bitcoin futures and some of bitcoin’s weaknesses—including the volatility of the bitcoin market.

Download

Related Links

• VIDEO: Why Banks Should Care About Bitcoin, Hochstein
• Why Bitcoin Matters: It’s the Payment System, Stupid!, Hochstein
• Bitcoin vs. Big Government: How the virtual currency undermines government authority, Brito
• Online Cash Bitcoin Could Challenge Governments, Banks, Brito

Susan W. Brenner, associate dean and professor of law at the University of Dayton School of Law,  discusses her new paper published in the Minnesota Journal of Law, Science & Technology entitled “Cyber-threats and the Limits of Bureaucratic Control.”

Brenner argues that the approach the United States, like other countries, uses to control threats in real-space is ill-suited for controlling cyberthreats. She explains that because this approach evolved to deal with threat activity in a physical environment, it is predicated on a bureaucratic organizations. This is not an effective way of approaching cyber-threat control, she argues. 

Brenner also explains why congressional efforts at cybersecurity legislation are flawed and why U.S. authorities persist in pursuing antiquated strategies that cannot provide an effective cyberthreats defense system. She outlines an alternative approach to the task of protecting the country from cyberthreats, and approach that is predicated on older, more fluid threat control strategies.

Download

Related Links

• Cyber-Threats and the Limits of Bureaucratic Control, Brenner
• Cybercrime and the Law, Brenner
• Cyberwar: you lack imagination, Brenner
• Approaches to Cybercrime Jurisdiction, Brenner

Politicians from both parties are now saying that although President Obama took comprehensive action on cybersecurity through executive order, we still need legislation. Over at TIME.com I write that no, we don’t.

Republicans want to protect businesses from suit for breach of contract or privacy statute violations in the name of information sharing, but there’s no good reason for such blanket immunity. Democrats would like to see mandated security standards, but top-down regulation is a bad idea, especially in such a fast-moving area. But as I write:

Yet guided by their worst impulses – to extend protections to business, or to exert bureaucratic control – members of Congress will insist that it is imperative they get in on the action.

If they do, they will undoubtedly be saddling us with a host of unintended consequences that we will come to regret later.

The executive order does most of what Congress failed to do in its last session. What Congress could add now is unnecessary and likely pernicious. The executive order should be given time to work. Only then will Congress now if and how it might need to be “strengthened.”

Earlier today on Twitter, I listed what I thought were the Top 5 “Biggest Internet Policy Issues of 2012.” In case you don’t follow me on Twitter — and shame on you if you don’t! — here were my choices:

1. Copyright wars reinvigorated post-SOPA; tide starting to turn in favor of copyright reform. [TLF posts on copyright.]
2. Privacy still red-hot w ECPA reform, online advertising regs & kids’ privacy issues all pending. [TLF posts on privacy.]
3. WCIT makes Internet governance / NetFreedom a major issue worldwide. [TLF posts on Net governance.]
4. Antitrust threat looms larger w pending Google case + Apple books investigation. [TLF posts on antitrust.]
5. Cybersecurity regulatory push continues in both legislative (CISPA) & executive branch. [TLF posts on cybersecurity.]

Lists like these are entirely subjective, of course, but I am basing my list on the general amount of chatter I tended to see and hear about each topic over the course of the year.

What do you think the top tech policy issues of the year were?

Scott Shackelford, assistant professor of business law and ethics at Indiana University, and author of the soon-to-be-published book Managing Cyber Attacks in International Law, Business, and Relations: In Search of Cyber Peace, explains how polycentric governance could be the answer to modern cybersecurity concerns.

Shackelford  originally began researching collective action problems in physical commons, including Antarctica, the deep sea bed, and outer space, where he discovered the efficacy of polycentric governance in addressing these issues. Noting the similarities between these communally owned resources and the Internet, Shackelford was drawn to the idea of polycentric governance as a solution to the collective action problems he identified in the online realm, particularly when it came to cybersecurity.

Shackelford contrasts the bottom-up form of governance characterized by self-organization and networking regulations at multiple levels to the increasingly state-centric approach prevailing in forums like the International Telecommunication Union (ITU).  Analyzing the debate between Internet sovereignty and Internet freedom through the lens of polycentric regulation, Shackelford reconceptualizes both cybersecurity and the future of Internet governance.

Download

Related Links

• Managing Cyber Attacks in International Law, Business, and Relations: In Search of Cyber Peace, by Shackelford
• Toward Cyber Peace: Managing Cyber Attacks Through Polycentric Governance, by Shackelford
• Is There a Cybersecurity Market Failure, by Eli Dourado

I’m impressed with the job Ryan Radia did in this Federalist Society podcast/debate about CISPA, the Cyber Intelligence and Sharing Protection Act.

It’s also notable how his opponent Stewart Baker veers into a strange ad hominem against “privacy groups” in his rejoinder to Ryan. Baker speaks as though arguable overbreadth in privacy statutes written years ago makes it appropriate to scythe down all law that might affect information sharing for cybersecurity purposes. That’s what language like “[n]otwithstanding any other provision of law” would do, and it’s in the current version of the bill three times.

In their paper, “Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy,” my Mercatus Center colleagues Jerry Brito and Tate Watkins warned of the dangers of “threat inflation” in cybersecurity policy debates. In early 2011, Mercatus also published a paper by Sean Lawson, an assistant professor in the Department of Communication at the University of Utah, entitled “Beyond Cyber Doom” that documented how fear-based tactics and cyber-doom scenarios and rhetoric increasingly were on display in cybersecurity policy debates.  Finally, in my recent Mercatus Center working paper, “Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle,” I extended their threat inflation analysis and developed a comprehensive framework offering additional examples of, and explanations for, threat inflation in technology policy debates.

These papers make it clear that a sort of hysteria has developed around cyberwar and cybersecurity issues. Frequent allusions are made in cybersecurity debates to the potential for a “Digital Pearl Harbor,” a “cyber cold war,” a “cyber Katrina,” or even a “cyber 9/11.” These analogies are made even though these historical incidents resulted in death and destruction of a sort not comparable to attacks on digital networks. Others refer to “cyber bombs” even though no one can be “bombed” with binary code. And new examples of such inflationary rhetoric seem to emerge each day. For example, today’s NPR’s Morning Edition program featured a segment by Tom Gjelten entitled, “Cybersecurity Bill: Vital Need Or Just More Rules?” that included the comments of Michael McConnell, a former director of National Intelligence, Here’s what McConnell said about cyberwar at the 6:30 mark of the show:

“this threat is so intrusive, it’s so serious, it could literally suck the life’s blood out of this country, and if we don’t address it, it’s going to be a severe impact and so I think we have no choice but to address it and some of that process will be regulatory.”

Wow, who knew the blood could literally be drained from our bodies by cyberattacks! Have the Chinese or Iranians developed a cyber-superweapon that can reach through our screens and suck the life right out of us? (Like a cross between Videodrome and Halloween III: Season of the Witch!)

I’m being silly, of course. And some might dismiss such rhetorical flourishes or even defend them in the name of “doing whatever it takes” to raise awareness about an important concern. But these fear-based tactics are dangerous. As Brito and Watkins note, “when a threat is inflated, the marketplace of ideas on which a democracy relies to make sound judgments—in particular, the media and popular debate—can become overwhelmed by fallacious information.” In my paper, I argue that technopanics and threat inflation can have many troubling ramifications. They can:

1. Foster animosities and suspicions among the citizenry;
2. Create distrust of many institutions, especially the press;
3. Often divert attention from actual, far more serious risks; and,
4. Lead to calls for information control.

But we shouldn’t expect such rhetorically tactics to subside any time soon. After all, bombastic predictions of an impending cyber-apocalypse are nothing new, especially because they are such an effective way to grab attention, headlines, and funding.

Back in January 1996, the conservative Weekly Standard magazine ran a truly over-the-top cover story by Charles J. Dunlap entitled “How We Lost the High-Tech War of 2007.” (The actual cover appears above and the whole outlandish article is worth reading for its comedic value if noting else.) It included a dramatic Tom Clancy-esque cover illustration of the U.S. Capitol building smoldering in flames after an apparent cyber-attack of some sort.  Of course, there was no High-Tech War of 2007. But talk is cheap and there are few downsides to using such alarmist tactics. Pessimistic critics who use threat inflation to advance their causes are rarely held accountable when their panicky predictions fail to come to pass. As journalist Matt Ridley correctly observes, “Pessimism has always been big box office.”  Bad news sells, and there are always plenty of buyers.

It’s a shame rational debate is increasing impossible in this and other Internet policy arenas.

After the NSA’s aggressive pursuit of a greater role in civilian cybersecurity, and last week’s statement by Sen. John McCain criticizing the Lieberman-Collins bill for not including a role for the agency, some feared that the new G.O.P. cybersecurity bill would allow the military agency to gather information about U.S. citizens on U.S. soil. So, it’s refreshing to see that the bill introduced today–the SECURE IT Act of 2012–does not include NSA monitoring of Internet traffic, which would have been very troubling from a civil liberties perspective.

In fact, this new alternative goes further on privacy than the Liberman-Collins bill. It limits the type of information ISPs and other critical infrastructure providers can share with law enforcement. Without such limits, “information sharing” could become a back door for government surveillance. With these limits in place, information sharing is certainly preferable to the more regulatory route taken by the Liberman-Collins bill.

It seems to me that despite Sen. McCain’s stated preference for an NSA role, the G.O.P. alternative is looking to address the over-breadth of the Lieberman-Collins bill without introducing any new complications. The SECURE IT bill is also more in line with the approach taken by the House, so it would make reaching consensus easier.

I’ll be posting more here as I learn about the bill.

UPDATE 12:06 PM: A copy of the bill is now available. Find it after the break.

UPDATE 2:55 PM: Having now had an opportunity to take a look at the bill and not just the summary, it does appear it includes a hole through which the NSA may be able to drive a freight train. While NSA monitoring of civilian networks is not mandated, information that is shared by private entities with federal cybersecurity centers “may be disclosed to and used by”

any Federal agency or department, component, officer, employee, or agent of the Federal government for a cybersecurity purpose, a national security purpose, or in order to prevent, investigate, or prosecute any of the offenses listed in section 2516 of title 18, United States Code …

That last bit limits law enforcement’s use of shared cyber threat information to serious crimes, but the highlighted bit potentially allows sharing with the NSA or any other agency, civilian or military, for a any “national security” reasons. That is troublingly broad and a blemish on this otherwise non-regulatory bill.

Information sharing with the NSA might be fine as long as it is not mandatory and the shared information is used only for cyber security purposes.

Cross posted from JerryBrito.com

SECURE IT.introduction

My seen-it-all cool was shaken yesterday when I examined how a Senate cybersecurity bill would scythe down legal protections for privacy. Anyone participating in government “cybersecurity exchanges” would have nearly total immunity from liability under any law. No Privacy Act, no ECPA, no E-Government Act, no contract law, no privacy torts. The scuttlebutt is that Senator Reid (D-NV) may push this especially hard as payback to the Internet for the SOPA/PIPA debacle.

In the push for cybersecurity legislation, Congress is driven far more by its desire to act (and D.C. lobbyists’ desire to have Congress act) than by any plausible contribution it can make to the difficult problem of securing computers, networks, and data. That’s why this cybersecurity bill, and all others I have seen, have greater costs than benefits.

Read about the devastation for privacy and the rule of law on offer in a current draft in “The Senate’s SOPA Counterattack?: Cybersecurity the Undoing of Privacy.”

My latest Forbes column is entitled “Why Doesn’t Society Just Fall Apart?” and it’s a short review of Bruce Schneier’s latest book, Liars & Outliers: Enabling the Trust that Society Needs to Thrive.  It’s an interesting exploration of the societal pressures that combine to ensure that (most!) societies don’t go off the rails and end in anarchic violence. In particular, he identifies and discusses four “societal pressures” combine to help create and preserve trust within society. Those pressures include: (1) Moral pressures; (2) Reputational pressures; (3) Institutional pressures; and (4) Security systems. By “dialing in” these societal pressures in varying degrees, trust is generated over time within groups.

Of course, these societal pressures also fail on occasion, Schneier notes. He explores a host of scenarios — in organizations, corporations, and governments — when trust breaks down because defectors seek to evade the norms and rules the society lives by. These defectors are the “liars and outliers” in Schneier’s narrative and his book is an attempt to explain the complex array of incentives and trade-offs that are at work and which lead some humans to “game” systems or evade the norms and rules others follow.

The most essential lesson Schneier teaches us is that perfect security is an illusion. We can rely on those four societal pressures in varying mixes to mitigate problems like theft, terrorism, fraud, online harassment, and so on, but it would be foolish and dangerous to believe we can eradicate such problems completely. “There can be too much security,” Schneier explains, because, at some point, constantly expanding security systems and policies will result in rapidly diminishing returns. Trying to eradicate every social pathology would bankrupt us and, worse yet, “too much security system pressure lands you in a police state,” he correctly notes.

Schneier’s framework is particularly useful when addressing a variety of security dilemmas in the field of information policy. “Parasites are all over the Internet,” he notes, and “new technologies, new innovations, and new ideas increase the scope of defection in several dimensions.” Whether its spam, malware attacks, data theft, copyright piracy, or cybersecurity, the defectors have a first-mover advantage in that “they get to try the new attack first.” The Net and new digital networks and technologies have created a never-ending cat-and-mouse game: “It’s a race between the ability to deceive and the ability to detect deception,” Schneier notes. Again, there are no silver-bullet solutions because “this process never ends.” As he correctly concludes, we must accept the fact that “security is a process, not a product.”

I recommend Schneier’s book and encourage your to read my entire review over at Forbes.

This week I will again be attending the Family Online Safety Institute’s excellent annual summit. The 2-day affair brings together some of the world’s leading experts on online safety and privacy issues. It’s a great chance to learn about major developments in the field. As I was preparing for the session I am moderating on Thursday, I thought back to the first FOSI annual conference, which took place back in 2007. What is remarkable about that period compared to now is that there was a flurry of legislative and regulatory activity related to online child safety then that we simply do not see today.

In fact, just 3 1/2 years ago, John Morris of the Center for Democracy and Technology and I compile a legislative index [summary here] that cataloged the more than 30 legislative proposals that had been introduced in the the 110th session of Congress. There was also a great deal of interest in these issues within the regulatory community. Finally, countless state and local measures related to online safety and speech issues had been floated. Today, by contrast, it is hard for me to find any legislative measures focused on online safety regulation at the federal level, and I don’t see much activity at the agency level either. I haven’t surveyed state and local activity, but it seems like it has also died down.

Generally speaking, I think this is a good development since I am opposed to most proposals to regulate online speech, expression, or conduct. But let’s ignore the particular wisdom of such measures and ask a simple question: What explains the decline in Internet safety legislation and online content regulation? I believe there are three possible explanations:

1) The effectiveness of education and awareness-building strategies

I would like to believe that all the efforts made by various groups and individuals (including myself) to encourage policymakers to adopt  “Educate & Empower” approaches over “Legislative & Regulate” approaches are finally bearing fruit. The first instinct for many policymakers is to legislate immediately and then worry about the consequences later (if at all). But such approaches, no matter how well-intentioned, often backfire and have myriad unintended consequences (including the problem addressed next). So, perhaps it is the case that lawmakers and regulators are finally coming to realize that education and awareness approaches — married to empowerment-based efforts — are actually the more sensible approach compared to a flurry of legislative measures that ultimately accomplish very little.

2) The deterrent effect of inevitable and lengthy constitutional challenges

Here are two things I know for certain: First, almost every Internet-related measure faces a constitutional challenge, typically on First Amendment grounds (but sometimes also on Sec. 230 grounds). Second, most of those challenges succeed. I don’t have hard stats to back up this assertion, but I’d bet that there are few areas of modern law that have witnessed a higher percentage of successful constitutional challenges in recent years than the field of cyberlaw.  Taking that as a given, one must assume that at some point it becomes a deterrent to additional state action in this field.  Why waste years legislating and regulating if it is all enjoined and then overturned a short time later?

3) Resurgence of privacy as major policy issue and the emergence of cybersecurity as a policy issue

It could also be that case that privacy policy crowds out congressional interest in online safety legislation. In fact, it seems like these issues often move in opposing waves. When a wave of online safety legislative and regulatory activity is cresting, interest in privacy policy seems to fall. That certainly seemed to be the case between roughly 2005 and 2008 when online safety dominated congressional debates and privacy was hardly on the radar.  Today the reverse is true. Privacy has been the dominant Internet policy issue of the past year or so. It is sucking all the oxygen out of the room — whether that room is a congressional hearing room, a regulatory agency event, or even academic conferences.

Importantly, cybersecurity has rapidly emerged as a major new fault line in Internet policy debates. It, too, is eating up a lot of the “attention bandwidth” available among policymakers today.  And intellectual property matters always seem to be percolating out there.

It is my belief that because some of these Net policy issues are so complicated, policymakers are sometimes discouraged from doing a “deep dive” on them. To the extent they do, it seems unlikely that lawmakers are willing to invest serious time in more than a couple of these arcane matters at one time. Also, don’t forget how busy the relevant committees (Commerce and Judiciary) are with other, not tech policy-related matters. On any given legislative day, they could be handling a wide range of other policy issues that crowd out the amount of attention they can devote to Net policy matters, which are often far down the list of legislative priorities. Again, I’m generally pretty happy about that fact! I’d rather lawmakers go slow on these issues, whether the slow pace of the action is intentional or not.

So, what do you think? Are there other possible explanations for why we’ve seen less activity on the online safety / Internet content regulation front in recent years?

In my ongoing work on technopanics, I’ve frequently noted how special interests create phantom fears and use “threat inflation” in an attempt to win attention and public contracts. In my next book, I have an entire chapter devoted to explaining how “fear sells” and I note how often companies and organizations incite fear to advance their own ends. Cybersecurity and child safety debates are littered with examples.

In their recent paper, “Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy,” my Mercatus Center colleagues Jerry Brito and Tate Watkins argued that “a cyber-industrial complex is emerging, much like the military-industrial complex of the Cold War.” As Stefan Savage, a Professor in the Department of Computer Science and Engineering at the University of California, San Diego, told The Economist magazine, the cybersecurity industry sometimes plays “fast and loose” with the numbers because it has an interest in “telling people that the sky is falling.” In a similar vein, many child safety advocacy organizations use technopanics to pressure policymakers to fund initiatives they create. [Sometimes I can get a bit snarky about this.]

That Economist story cites new research by scholars who are dispassionately evaluating the actual evidence and finding that data about cybercrime is often exaggerated and skewed in various ways, often by proponents of greater government regulation — as well as greater government funding for their companies or organizations. Again, we’ve seen this at work for many years in the child safety arena, too. In my book, I discuss the online “predator panic” that many child safety groups blew completely out of proportion in past years.

So, next time you hear such folks advocating increased government regs and funding, ask them what they personally have to gain from it.  Chances are, quite a lot.

Additional reading:

• Prophecies of Doom & the Politics of Fear in Cybersecurity Debates (8/8/11)

Mark Thompson has a new essay up over at Time on “Cyber War Worrywarts” in which he argues that in debates about cybersecurity, “the ratio of scaremongers to calm logic [is] currently about a 2-to-1 edge in favor of the Jules Verne crowd.”  He’s right.  In fact, I used my latest Forbes essay to document some of the panicky rhetoric and examples of “threat inflation” we currently see at work in debates over cybersecurity policy. “Threat inflation” refers to the artificial escalation of dangers or harms to society or the economy and doom-and-gloom rhetoric is certainly on the rise in this arena.

I begin my essay by noting how “It has become virtually impossible to read an article about cybersecurity policy, or sit through any congressional hearing on the issue, without hearing prophecies of doom about an impending “Digital Pearl Harbor,” a “cyber Katrina,” or even a “cyber 9/11.”” Meanwhile, Gen. Michael Hayden, who led the National Security Administration and Central Intelligence Agency under president George W. Bush, recently argued that a “digital Blackwater” may be needed to combat the threat of cyberterrorism.

These rhetorical claims are troubling to me for several reasons. I build on the concerns raised originally in an important Mercatus Center paper by my colleagues Jerry Brito and Tate Watkins, which warns of the dangers of threat inflation in policy debates and the corresponding rise of the “cybersecurity industrial complex.” In my Forbes essay, I note that:

Panics and threat inflation can create distrust in many institutions, especially the press, and result in a “boy who cried wolf” problem. When panic becomes the norm, it becomes more difficult for the public to take seriously those who propagate such tall tales. “When a threat is inflated,” argue Brito and Watkins, “the marketplace of ideas on which a democracy relies to make sound judgments—in particular, the media and popular debate—can become overwhelmed by fallacious information.”

Moreover:

Apocalyptic rhetoric and prophecies of doom are also inappropriate—even offensive—when comparisons are made to horrific events that are not analogous to cybersecurity attacks. Thousands lost their lives or were injured in the attacks on Pearl Harbor in 1941 and the World Trade Center during 9/11, and Hurricane Katrina also resulted in thousands of deaths and injuries in 2005. To compare cybersecurity attacks to those incidents is to insult the memories of those who lost their lives.

Finally, the technopanic mentality is also troubling because it can lead to calls for comprehensive regulation of the Internet or forms of information control. We are starting to hear calls by a variety of policymakers and cyberwar pundits for more “oversight” and “control.” In a National Journal essay last month, Michael Hirsh noted that “the cyberwar threat is being hyped because of a fear of unknown dangers [but] the biggest threat of all may come from our own overreaction.”  Hirsh documents how “a new multibillion-dollar military-industrial complex is emerging,” and billions are already being spent. In my Forbes piece, I note how in his recent book, Cyber War: The Next Threat to National Security and What to Do About It, cyberwar prophet of doom Richard A. Clarke, a former cybersecurity advisor in the Clinton and Bush Administrations, calls for government to impose a fairly sweeping set of new rules on Internet Service Providers to better secure their networks against potential attacks.  Clarke wants ISPs to engage in a great deal more network monitoring for digital dangers (using deep-packet inspection techniques) under threat of legal sanction if things go wrong. He admits there are corresponding costs and privacy concerns, but largely dismisses them in the name of a safer and more secure cyberspace. [See my review of his book here.]

My primary fear is that this panic is all prelude to a big push for a “precautionary principle” approach for cybersecurity. That is, progress in the digital technology arena will increasingly be subjected to preemptive prohibitions and ongoing “oversight” out of fear of any and all “worst case” risk scenarios that policymakers and cyberwar pundits can conjure up.

As I note in concluding my essay, the better approach to cybersecurity going forward is education and resiliency:

People and institutions can prepare for potential security problems in a rational fashion if given more information and tools to better secure their digital systems and understand how to cope when problems arise. Panic, by contrast, is never the right answer.

Yet, fear remains a remarkably powerful force in public policy debate and I am willing to bet that these threat inflation tactics will only increase in coming months and years. As I’ve noted here many times before, fear sells.

Related TLF Reading (all from Jerry Brito)

• Langevin: Panetta is cyberdoom certified
• Can cyber-kamikazes cyberbombard our cyberdefenses?
• Overclassification stifles the cybersecurity conversation

When it comes to information control, everybody has a pet issue and everyone will be disappointed when law can’t resolve it. I was reminded of this truism while reading a provocative blog post yesterday by computer scientist Ben Adida entitled “(Your) Information Wants to be Free.” Adida’s essay touches upon an issue I have been writing about here a lot lately: the complexity of information control — especially in the context of individual privacy. [See my essays on “Privacy as an Information Control Regime: The Challenges Ahead,” “And so the IP & Porn Wars Give Way to the Privacy & Cybersecurity Wars,” and this recent FTC filing.]

In his essay, Adida observes that:

In 1984, Stewart Brand famously said that information wants to be free. John Perry Barlow reiterated it in the early 90s, and added “Information Replicates into the Cracks of Possibility.” When this idea was applied to online music sharing, it was cool in a “fight the man!” kind of way. Unfortunately, information replication doesn’t discriminate: your personal data, credit cards and medical problems alike, also want to be free. Keeping it secret is really, really hard.

Quite right. We’ve been debating the complexities of information control in the Internet policy arena for the last 20 years and I think we can all now safely conclude that information control is hugely challenging regardless of the sort of information in question. As I’ll note below, that doesn’t mean control is impossible, but the relative difficulty of slowing or stopping information flows of all varieties has increased exponentially in recent years.

But Adida’s more interesting point is the one about the selective morality at play in debates over information control. That is, people generally expect or favor information freedom in some arenas, but then get pretty upset when they can’t crack down on information flows elsewhere. Indeed, some people can get downright religious about the whole “information-wants-to-be-free” thing in some cases and then, without missing a beat, turn around and talk like information totalitarians in the next breath.

I discussed this in relation to the privacy debates in my essays referenced above. I’ve noted how some “cyber-progressives” (or whatever you prefer to call tech thinkers and advocates on the Left) have been practically giddy with delight at the sight of copyright owners scrambling to find methods to protect their content from widespread distribution over distributed digital networks. Just about every information control effort attempted in the copyright arena — whether we are talking about efforts like DRM  & paywalls or even suing end-users — has failed to provide the degree of protection desired. The “darknet” critique remains fairly cogent. It doesn’t mean I’m excusing copyright piracy as a normative matter; it’s just to say that the cyber-progressives were certainly on to something as an empirical matter when they detailed the deficiencies of various IP control efforts.

But here’s the interesting question: Why shouldn’t we believe that the exact same critique applies to privacy and personal information flows? Again, it’s not to say that, as a normative matter, privacy isn’t important. And data security certainly is. It’s just to say that, as an empirical matter, information control in this context is going to be every bit as difficult as information control in the copyright context. Yet, the same crowd of cyber-progressives who were all for information freedom in the copyright context are now hoping to crack down on personal information flows in the name of protecting privacy.

And it is not going to work.

Nor will it work well for those who are looking to crack down on the flow of bits that contain porn or violent content.

Nor will it work well for those “cyber-conservatives” who are looking to crack down on the flow of bits that contain state secrets or online gambling.

Nor will it work well for those who want to curb what they regard as “harassing” speech, “hate speech,” or defamatory comments.

And so on. And so on.

I will be accused of being too much of a technological determinist, but I think there’s a lot of evidence suggesting that at least “soft determinism” is the order of the day. In a brilliant and highly provocative new paper, ” Hasta La Vista Privacy, or How Technology Terminated Privacy,”  Konstantinos K. Stylianou of the University of Pennsylvania Law School discusses varieties of technological determinism as it pertains to information control and notes:

In-between the two extremes (technology as the defining factor of change and technology as a mere tangent of change) and in a multitude of combinations falls the so called soft determinism; that is, variations of the combined effect of technology on one hand and human choices and actions on the other. (p. 46)

Unfortunately, Stylianou notes, “The scope of soft determinism is unfortunately so broad that is loses all normative value. Encapsulated in the axiom ‘human beings do make their world, but they are also made by it,’ soft determinism is reduced to the self-evident.”  Nonetheless, he argues, “a compromise can be reached by mixing soft and hard determinism in a blend that reserves for technology the predominant role only in limited cases,” since he believes “there are indeed technologies so disruptive by their very nature they cause a certain change regardless of other factors.” (p. 46) He concludes his essay by noting:

it seems reasonable to infer that the thrust behind technological progress is so powerful that it is almost impossible for traditional legislation to catch up. While designing flexible rules may be of help, it also appears that technology has already advanced to the degree that is is able to bypass or manipulate legislation. As a result, the cat-and-mouse chase game between the law and technology will probably always tip in favor of technology. It may thus be a wise choice for the law to stop underestimating the dynamics of technology, and instead adapt to embrace it. (p. 54)

That pretty much sums up where I’m at on most information control issues and explains why I sound so fatalistic at times, even if I do believe that law can have an impact at the margins. Such “soft determinism” will be hard for some to swallow. Many will simply refuse to accept it, especially when they hear statements like those Stylianou makes in the context of privacy, such as: “the advancement of digital technology is ineluctably bound to have a destructive impact on privacy” (p. 47), or “technology has made it indeed so easy to collect personal data that in many cases they have lost their individual value, and instead function merely as statistical or ancillary data” (p. 51), or “What technological determinism teaches us so far is that people will always react negatively to more intrusive technology, but in the end they will probably succumb.” (p. 54)

One might cynically view this simply as a more eloquent restatement of Scott McNealy’s famous quip: “privacy is dead, get over it.”  While that’s an a bit of overstatement, it’s nonetheless true that privacy is under enormous strain because of modern digital developments (summarized in Exhibit 3 below). But, again, everything is under enormous strain. Perhaps, therefore, we need a reformulation of McNealy’s quip: “Information control is dead, get over it.”

Anyway, going forward, we need a framework to think about information control efforts. I’ve been working with my Mercatus Center colleague Jerry Brito to develop just that in a forthcoming paper (current running title: “The Trouble with Information Control.”)  To begin, we simplify matters by dividing information control efforts into four big buckets, as shown in Exhibit 1 below. ( Note: With Jerry Brito’s help, I have reworked these categories since first outlining them here):

Exhibit 1: RATIONALES FOR INFORMATION CONTROL

(1) Censorship / Speech Control

• politically unpopular speech
• porn
• violent content
• hate speech
• cyberbullying

(2) Privacy

• defamation
• reputation

(3) Copyright & Trademark Protection

(4) Security

• state secrets
• national security
• law enforcement
• cybersecurity
• online gambling

Next, we can consider various legal responses to these objects of information control, as detailed in Exhibit 2:

Exhibit 2: LEGAL & REGULATORY RESPONSES / APPROACHES TO INFORMATION CONTROL

• Intermediary deputization / secondary liability
• Individual prosecutions / fines
• Controls on speech / expression
• Controls on monetary flows
• Other Regulation
• Taxation / fines
• Agency enforcement / adjudication

Finally, we need to consider how efforts to control information today are greatly complicated by problems or phenomena that are unique to the Internet or the Information Age, as outlined in Exhibit 3:

Exhibit 3: INFORMATION CONTROL CONSIDERATIONS / COMPLICATIONS

• Media & Technological Convergence
• Decentralized, Distributed Networking
• Unprecedented Scale of Networked Communications
• Explosion of the Overall Volume of Information
• Unprecedented Individual Information Sharing Through User-Generation of Content and Self-Revelation of Data

In this upcoming paper, Jerry and I will provide case studies based on many of the issues outlined in Exhibit 1 and show how the information control methods shown in Exhibit 2 typically fail to slow or restrict information flows because of the factors outlined in Exhibit 3. Assuming we can prove our thesis — that soft determinism is the order of the day and information control efforts of all varieties are increasingly difficult (and often completely futile) — I fully expect that we will make just about everybody unhappy with us!

However, I want to conclude by noting that just because I am somewhat fatalistic or deterministic about the likely failure of most information control proposals or mechanisms, it doesn’t mean I am willing to just throw my hands in the air and say there’s absolutely nothing that can be done to address some of the concerns listed in Exhibit 1.  In my work on how to address online child safety issues, I tried to develop what I call a “3-E Solution” to address these concerns.  In my paper with Jerry, I’m hoping to use this as a framework for how to deal with all information control concerns going forward:

1. Education: Get more information out about the issue / concern.
2. Empowerment: Give consumers more and better tools to act on that information.
3. (Selective) Enforcement: Have law step in at the margins when it’s appropriate and cost-efficient, and only after education and empowerment fail.

Of course, how much stress we place on each component of this toolbox will depend on the issue. I’ve already suggested that the last “E” of enforcement will be largely ineffective, especially when outright prohibition of particular information flows is the objective. But enforcement could be more effective in other contexts, such as holding companies accountable for the promises they make to consumers, by policing industry self-regulatory schemes, or by demanding more transparency / disclosure. Those enforcement practices have helped in the child safety and privacy contexts. In other contexts, the severity of the harm in question may be so severe — ex: child pornography — that we would bypass the education and empowerment steps altogether and go to much greater lengths to make the enforcement option work. Even then, we should keep our expectations in check and avoid a rush to extreme solutions.

There’s much more to be explored here. Stay tuned.

I’m currently plugging away at a big working paper with the running title, “Argumentum in Cyber-Terrorem: A Framework for Evaluating Fear Appeals in Internet Policy Debates.” It’s an attempt to bring together a number of issues I’ve discussed here in my past work on “techno-panics” and devise a framework to evaluate and address such panics using tools from various disciplines. I begin with some basic principles of critical argumentation and outline various types of “fear appeals” that usually represent logical fallacies, including: argumentum in terrorem, argumentum ad metum, and argumentum ad baculum.  But I’ll post more about that portion of the paper some other day. For now, I wanted to post a section of that paper entitled “The Problem with the Precautionary Principle.” I’m posting what I’ve got done so far in the hopes of getting feedback and suggestions for how to improve it and build it out a bit. Here’s how it begins…

________________

The Problem with the Precautionary Principle

“Isn’t it better to be safe than sorry?” That is the traditional response of those perpetuating techno-panics when their fear appeal arguments are challenged. This response is commonly known as “the precautionary principle.” Although this principle is most often discussed in the field of environment law, it is increasingly on display in Internet policy debates.

The “precautionary principle” basically holds that since every technology and technological advance poses some theoretical danger or risk, public policy should be crafted in such a way that no possible harm will come from a particular innovation before further progress is permitted. In other words, law should mandate “just play it safe” as the default policy toward technological progress.

The problem with that logic, notes Kevin Kelly, author of What Technology Wants, is that because “every good produces harm somewhere… by the strict logic of an absolute precautionary principle no technologies would be permitted.”^[1] Or, as journalist Ronald Bailey has summarized this principle: “Anything new is guilty until proven innocent.”[2] Under an information policy regime guided at every turn by a precautionary principle, digital innovation and technological progress would become impossible because trade-offs and uncertainly would be considered unacceptable.

This is why Aaron Wildavsky, author of the seminal 1988 book, Searching for Safety, spoke of the dangers of “trial without error” as compared to trial and error.  Wildavsky argued that:

The direct implication of trial without error is obvious: if you can do nothing without knowing first how it will turn out, you cannot do anything at all. An indirect implication of trial without error is that if trying new things is made more costly, there will be fewer departures from past practice; this very lack of change may itself be dangerous in forgoing chances to reduce existing hazards. … [E]xisting hazards will continue to cause harm if we fail to reduce them by taking advantage of the opportunity to benefit from repeated trials.[3]

Simply stated: Life involves and requires that some level of risk be accepted for progress to occur. While some steps to anticipate or control for unforeseen circumstances and “plan for the worse” are sensible, going overboard forecloses opportunities and experiences that offer valuable lessons for individuals and society. University of Chicago legal scholar Cass Sunstein, who currently serves as Administrator of the White House Office of Information and Regulatory Affairs, has argued that “If the burden of proof is on the proponent of the activity or processes in question, the Precautionary Principle would seem to impose a burden of proof that cannot be met.”[4]

Importantly, Wildavsky pointed out that the precautionary principle also downplays the important role of resiliency in human affairs. Through constant experimentation, humans learn valuable lessons about how the world works, which risks are real versus illusory or secondary, and how to assimilate new cultural, economic, and technological change into our lives.  A rigid precautionary principle would disallow such a learning progress from unfolding and leave us more vulnerable to the most serious problems we might face as individuals or a society. “Allowing, indeed, encouraging, trial and error should lead to many more winners, because of (a) increased wealth, (b) increased knowledge, and (c) increased coping mechanisms, i.e., increased resilience in general.”[5]

Recent work by Sean Lawson, an assistant professor in the Department of Communication at the University of Utah, has underscored the importance of resiliency as it pertains to cybersecurity. “Research by historians of technology, military historians, and disaster sociologists has shown consistently that modern technological and social systems are more resilient than military and disaster planners often assume,” he finds.[6] “Just as more resilient technological systems can better respond in the event of failure, so too are strong social systems better able to respond in the event of disaster of any type.”[7]

Resiliency is also a wise strategy as it pertains to Internet child safety issues, online privacy concerns, and online reputation management. Some risks in these contexts – such as underage access to objectionable content or the release of too much personal information – can be prevented through anticipatory regulatory policies. Increasingly, however, information proves too challenging to bottle up. Information control efforts today are greatly complicated by five phenomena unique to the Information Age: (1) media and technological convergence; (2) decentralized, distributed networking; (3) unprecedented scale of networked communications; (4) an explosion of the overall volume of information; and (5) unprecedented individual information sharing through user-generation of content and self-revelation of data. “The truth about data is that once it is out there, it’s hard to control,” says Jeff Jonas, an engineer with IBM.^[8]

This is why resiliency becomes an even more attractive strategy compared to anticipatory regulation. Information will increasingly flow freely on interconnected, ubiquitous digital networks and getting those information genies back in their bottles would be an enormous challenge. Moreover, the costs of attempting to control information will exceed the benefits in most circumstances. Consequently, a strategy based on building resiliency will focus on education and empowerment-based strategies that allow for trial and error and encourage sensible, measured responses to the challenges posed by technological change.

[ Note: I next plan to go on to discuss several case studies and outline the sorts of education and empowerment-based strategies that I believe represent the better approach to coping with technological change.]

Experienced debaters know that the framing of an issue often determines the outcome of the contest. Always watch the slant of the ground that debaters stand on.

The Internet kill-switch debate is instructive. Last week, Senators Lieberman (I-CT), Collins (R-ME) and Carper (D-DE) introduced a newly modified bill that seeks to give the government authority to seize power over the Internet or parts of it. The old version was widely panned.

In a statement about the new bill, they denied that it should be called a “kill switch,” of course—that language isn’t good for their cause after Egypt’s ousted dictator Hosni Mubarak illustrated what such power means. They also inserted a section called the “Internet Freedom Act.” It’s George Orwell with a clown nose, a comically ham-handed attempt to make it seem like the bill is not a government power-grab.

But they also said this: “The emergency measures in our bill apply in a precise and targeted way only to our most critical infrastructure.”

Accordingly, much of the reportage and commentary in this piece by Declan McCullagh explores whether the powers are indeed precisely targeted.

These are important and substantive points, right? Well, only if you’ve already conceded some more important ones, such as:

1) What authority does the government have to seize, or plan to seize, private assets? Such authority would be highly debatable under any of the constitutional powers kill-switchers might claim. Indeed, the constitution protects against, or at least severely limits, takings of private property in the Fifth Amendment.

and

2) Would it be a good idea to have the government seize control of the Internet, or parts of it, under some emergency situation? A government attack on our private communications infrastructure would almost certainly undercut the reliability and security of our networks, computers, and data.

The proponents of the Internet kill-switch have not met their burden on either of these fundamental points. Thus, the question of tailoring is irrelevant.

I managed to get in a word to this effect in the story linked above. “How does this make cybersecurity better? They have no answer,” I said. They really don’t.

No amount of tailoring can make a bad idea a good one. The Internet kill-switch debate is not about the precision or care with which such a policy might be designed or implemented. It’s about the galling claim on the part of Senators Lieberman, Collins, and Carper that the U.S. government can seize private assets at will or whim.