“The world should think better about catastrophic and existential risks.” So says a new feature essay in The Economist. Indeed it should, and that includes existential risks associated with emerging technologies.

The primary focus of my research these days revolves around broad-based governance trends for emerging technologies. In particular, I have spent the last few years attempting to better understand how and why “soft law” techniques have been tapped to fill governance gaps. As I noted in this recent post compiling my recent writing on the topic;

soft law refers to informal, collaborative, and constantly evolving governance mechanisms that differ from hard law in that they lack the same degree of enforceability. Soft law builds upon and operates in the shadow of hard law. But soft law lacks the same degree of formality that hard law possess. Despite many shortcomings and criticisms, compared with hard law, soft law can be more rapidly and flexibly adapted to suit new circumstances and address complex technological governance challenges. This is why many regulatory agencies are tapping soft law methods to address shortcomings in the traditional hard law governance systems.

I argued in recent law review articles as well as my latest book, despite its imperfections, I believe that soft law has an important role to play in filling governance gaps that hard law struggles to address. But there are some instances where soft law simply will not cut it. As I noted in Chapter 7 of my new book, there may be very legitimate existential threats out there that we should be spending more time addressing because the scope, severity, and probability of severe risk are present. Hard law solutions will still be needed in such instances, even if they may be challenged by many of the same factors that are fueling the shift toward soft law for other sectors or issues.

Of course, we are immediately confronted with a definitional challenge: What exactly counts as an “existential risk”? I argue that it is important that we spend more time discussing this question because far too many people today throw around the term “existential risk” when referencing risks that are noting of the sort. For example, increased social media use may indeed be a threat to data security and personal privacy, but those risks are not “existential” in the same way chemical or nuclear weapons proliferation are threats to our existence. This gets to the heart of the matter: the root of “existential” is existence. By definition, an existential risk needs to have some direct bearing on the future of humanity’s ability to survive. Efforts to conflate lesser risks into existential ones cheapen the very meaning of the term.

This shouldn’t be controversial, but somehow it is. Countless pundits today want to suggest that almost every new technological development might somehow pose an existential threat to humanity. But it just isn’t the case. That does not mean their concerns are not important, or potentially deserving of some government attention. It simply means that we need to take risk prioritization more seriously. If everything is an existential risk, than nothing is an existential risk. We must have some sort of ranking of risks if we hope to have a rational conversation about how to use scare societal resources to address matters of public concern.

These issues are discussed at far greater length in the sections of my book (pgs. 228-240) that you will find embedded down below. How should society deal with “killer robots” or the accelerated development of genetic editing capabilities? What kind of coordinated compliance regime might help address rouge actors who seek to use new technological capabilities for nefarious purposes? What can we learn from past global enforcement efforts for chemical and nuclear weapons? These are just some of the questions I take on in this section of the book and plan to spend more time addressing in coming years. Scan these pages from the book to see my initial thoughts on these matters. But I am really just scratching the surface here. I’ll have much more to say on these matters in coming months and years. It’s a massively complicated topic.

by Adam Thierer & Andrea Castillo

Cybersecurity policy is a big issue this year, so we thought it be worth reminding folks of some contributions to the literature made by Mercatus Center-affiliated scholars in recent years. Our research, which can be found here, can be condensed to these five core points:

1)         Institutions, societies, and economies are more resilient than we give them credit for and can deal with adversity, even cybersecurity threats.

See: Sean Lawson, “Beyond Cyber-Doom: Assessing the Limits of Hypothetical Scenarios in the Framing of Cyber-Threats,” December 19, 2012.

2)         Companies and organizations have a vested interest in finding creative solutions to these problems through ongoing experimentation and they are pursing them with great vigor.

See: Eli Dourado, “Internet Security Without Law: How Service Providers Create Order Online,” June 19, 2012.

3)         Over-arching, top-down “cybersecurity frameworks” threaten to undermine dynamism in cybersecurity and Internet governance, and could promote rent-seeking and corruption. Instead, the government should foster continued dynamic cybersecurity efforts through the development of a robust private-sector cybersecurity insurance market.

See: Eli Dourado and Andrea Castillo, “Why the Cybersecurity Framework Will Make Us Less Secure,” April 17, 2014.

4)         The language sometimes used to describe cybersecurity threats sometimes borders on “techno-panic” rhetoric that is based on “threat inflation.

See the Lawson paper already cited as well as: Jerry Brito & Tate Watkins “Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy,” April 10, 2012; and Adam Thierer, “Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle,” January 25, 2013.

5)         Finally, taking these other points into account, our scholars have conclude that academics and policymakers should be very cautious about how they define “market failure” in the cybersecurity context. Moreover, to the extent they propose new regulatory controls to address perceived problems, those rules should be subjected to rigorous benefit-cost analysis.

See: Eli Dourado, “Is There a Cybersecurity Market Failure,” January 23, 2012.

Developing cybersecurity policies—like the White House’s “Securing Cyberspace” proposal and the Senate Intelligence Committee’s risen-from-the-grave Cybersecurity Information Sharing Act (CISA) of 2015—prioritize government-led “information-sharing” among federal agencies and private organizations as a one-stop technocratic solution to the dynamic problem of cybersecurity provision. But, as Eli and Andrea pointed out in a Mercatus chart series from this year, the federal government’s own success with internal information-sharing policies has been abysmal for decades.

The Federal Information Security Management Act of 2002 compelled federal investment in IT security infrastructure along with internal information-sharing of system breaches and proactive responses among agencies. Apparently, this has not worked like a charm. The chart shows that reported federal breaches have risen by over 1000% since 2006 despite spending billions of dollars on agency systems and information sharing capabilities over the same time.

Many of the same agencies who would be imbued with power to coordinate information-sharing among private and government entities through CISA and other cybersecurity proposals were responsible for coordinating threat-sharing on the federal level. These are the National Institute of Standards and Technology (NIST), the Office of Management and Budget (OMB), and the Department of Homeland Security (DHS). Are we to believe these bodies will become magically efficient once they have more power to cajole the private sector?

Government Accountability Office (GAO) reports analyzing the failure of federal information security practices and threat coordination find that the technocratic solutions that look so perfectly rational and controlled on paper break down when imposed from above on employees that have no buy-in. The report concludes, “As we and inspectors general have long pointed out, federal agencies continue to face challenges in effectively implementing all elements of their information security programs.” Repeating the same failed policies in the private sector is unlikely to result in success.

Cybersecurity provision is too important of an issue to be left to brittle, technocratic policies with proven track records of failure. Rather, good cybersecurity policy will be grounded in an understanding of the incentives and norms that have allowed the Internet to develop and thrive as the system that it is today to target specific sources of failure.

Industry analyses find again and again that with cybersecurity, the problem exists between chair and keyboard—“human error,” not insufficient government meddling, is responsible for the vast majority of cyber incidents. Introducing more error-prone humans to the equation, as government cybersecurity plans seek to do, will only complicate the problem while neglecting the underlying factors that need addressing.

Cybersecurity will be an issue we continue to cover closely at the Mercatus Center Technology Policy Program.

Apologies for the non-technology post, but since the only topics of conversation these days are Wall Street, credit default swaps, and Putin’s flights over Alaska, I thought I’d post my review of Dave Smick’s new book The World is Curved: Hidden Dangers to the Global Economy…the Mortgage Crisis Was Only the Beginning.

                                                                                                            <div style="100%"><a href="http://www.scribd.com/doc/6320801/Not-So-Flat-After-All-Forbescom-092908-by-Bret-Swanson">"Not So Flat After All" - Forbes.com - 09.29.08 - by Bret Swanson</a> - <a href="http://www.scribd.com/upload">Upload a Document to Scribd</a></div>