Strategic Cybersecurity, Module 13: Economics, Government Regulation, and Cybersecurity.
Cybersecurity may be considered both a public and a private good, requiring cooperation and collaboration between the public and private sectors. This can be difficult, given the private sector’s typical suspicion of government assistance. This lecture discusses economics and government regulation in achieving cybersecurity.
Once you have completed the readings, lecture, activity, and assessment, you will be able to:
- Articulate the difference between public and private goods and how cybersecurity may be conceptualized as both.
- Explain the need for both the public and private sectors to work together to achieve adequate cybersecurity.
Welcome to Strategic Cybersecurity, Module 13. In this module, we will focus on economics and government regulation in achieving cybersecurity. It may be surprising to learn that nearly 90% of the critical infrastructure in the country is owned and operated by the private sector.
But as this module's readings indicate, the U.S. government plays an important role in helping to protect that infrastructure, including that of telecommunications to ensure the Internet's safe, efficient operation.
The combined responsibility of the public and private sectors may seem confusing, and, in fact, the private sector seems to have an ever-present suspicion of government assistance.
One example of this is found in the readings: the hacking of Google and the company's subsequent request for assistance from the National Security Agency in 2010.
Google sought help from the government to identify how its state-of-the-art firewalls were bypassed and asked the National Security Agency to conduct an evaluation of its network's vulnerabilities.
Many in Silicon Valley were perplexed by these requests, assuming that such a gigantic technology-driven company as Google would possess far more ability to identify and stop cyber intruders than any government agency.
This example highlights not only the common biases that many in the private sector have toward the government's technological capabilities but also the advantages of collaboration between the public and private sectors in approaching cybersecurity more efficiently.
It raises the question of why more interaction and coordination do not occur between these sectors.
Public or Private Good
To answer this question, Rosenzweig notes that we must first understand the fundamental economics driving cybersecurity. He states that one of the more confusing aspects of cybersecurity is that it may be considered both a public and private good.
Some aspects of protecting the information highway, including infrastructures like routers, servers, and computers themselves, are private goods, but information about vulnerabilities within, or threats to, infrastructure may be best supplied by the government as a public good.
A primary reason for conceptualizing both threat and vulnerability information as a public good handled by the public sector is that many private sector organizations, such as multinational corporations, are loath to report internal vulnerabilities or breaches.
This reluctance from private companies is based on the belief that identifying unlawful cyber intrusions may lead to a loss of consumer confidence and, ultimately, a decrease in market share.
Information Sharing and Analysis Centers
How might government policies positively address this situation? One answer is the creation of public-private organizations called Information Sharing and Analysis Centers.
These centers allow the private sector to share both threat and vulnerability information with the government, with the expectation that the government will mask the attribution of the information before sharing it with other private sector entities.
Defense Industrial Base
In addition, let's consider the Defense Industrial Base or DIB. The DIB comprises a consortium of U.S. defense contractors, who, in many cases, are performing highly sensitive or classified work on behalf of the U.S. government.
Some cybersecurity analysts see these contractors who joined the DIB voluntarily as weak links for cyber intruders because they are not necessarily required to maintain the same level of cybersecurity protection as government agencies.
For example, if a small defense contractor is developing a classified technology for the Department of Defense's new F-35 Joint Strike Fighter, a criminal or adversary nation might find it easier to hack the contractor's computer systems instead of the contracting government agency's since the defense contractor may not be thought to have implemented security measures to the same robust level.
To alleviate the likelihood of such weaknesses in the system, DIB members allow their Internet service providers to monitor their computer networks with government-supplied threat recognition software.
The software provided helps the contractors to protect their networks, although, notably, the contractors are under no obligation to alert the government if they experience an intrusion. Ideally, a compromised DIB member would alert its Information Sharing and Analysis Center so that both the government and other private sector organizations could identify and mitigate serious cyber threats.
In the next module, we will look at protection of critical infrastructure.
Quiz Question 1: According to the textbook, which of the following is a classic example of a public good?
A: the United States Postal Service (USPS).
B: the National Defense.
C: the Environmental Protection Agency (EPA).
D: Social Security.
The answer is B: the National Defense.
Quiz Question 2: True or false: Coordination between the public and private sectors is necessary when it comes to providing robust cybersecurity.
The answer is True.
Quiz Question 3: Which of the following best describes why cybersecurity can be considered both a private and public good?
A: Some aspects of cybersecurity, e.g., threat information, are best provided by the government, whereas other aspects are best provided by private companies.
B: Cybersecurity requires a common pool resource.
C: Cybersecurity is too expensive to be provided solely by the government.
D: The assurance problem explains this.
The answer is A: Some aspects of cybersecurity, e.g., threat information, are best provided by the government, whereas other aspects are best provided by private companies.
The activity for this module asks that you consider this module's descriptions of the Information Sharing and Analysis Centers, or ISACs, which provide one way for the private sector and public sector to work effectively in sharing threat and vulnerability information. Locate the ISAC most associated with your own work sector or that you find most interesting.
Read about that ISAC, and determine whether you feel that it can be effective in its goals.