Jon Lindsay
UC Institute on Global Conflict and Cooperation
University of California, San Diego
Osher Institute
5 March 2013
Questions to Explore
 How has the cybersecurity situation in the U.S.
changed recently?
 Why is U.S. cyber policy still so uncertain?
 Can markets improve cybersecurity by themselves?
 How do market failures create insecurity?
 Can government cyber policy remedy market
imperfections?
 When do the remedies make the problems worse?
“incidents that have placed
sensitive information at risk,
with potentially serious
impacts on federal operations,
assets, and people….[e.g.,]
installation of malware,
improper use of computing
resources, and unauthorized
access to systems”
Cybersecurity Evolving
 1957-1990 B.C. – “Before Cyberspace”
 Invention
 1991 –WWW
 Experimentation
 2001 –September 11th
 Institutionalization
 2010 –Google, Stuxnet, Wikileaks, Cybercom
 Maturation
The New Cybersecurity Debate
 Perception of the threat:
 2000s: “Digital Pearl Harbor” (CNA)
 2010s: “Death by a Thousand Cuts” (CNE)
 Targets affected:
 2000s: Government and military
 2010s: Private and commercial
 Representation of US Posture:
 2000s: US defense is vulnerable
 2010s: US offense is formidable
Advanced Persistent Threat
2002
Titan Rain
State Dept
BIS
NWC
Sec Def
Rep Wolf
Campaigns
Ghost Net
JSF
Aurora
Shadow Net
Stuxnet
Byzantine Haydes
Night Dragon
RSA
Shady RAT
Duqu
Nitro
Taidoor
Luckycat
Flame
Gauss
Shamoon
Elderwood
Cyber-Sitter
Mahdi
Major US Media
Red October
APT1
Beebus
Telvent
QinetiQ
ASIO
SCADA Honeypot
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
 Publicly reported
intrusions
 Earliest activity
estimate
2014
U.S. Strategic Context
 Combat Fatigue
 Exit from Iraq
 Bin Laden Dead
 Drawdown in Afghanistan
 Rise of China
 Pivot to Asia
 Indigenous Innovation (自主创新)
 Follow the Money
 Financial crash and budgetary austerity
 Maturing cybersecurity industrial complex
 Internet innovation: cloud, mobile, supply chains
Security Tradeoffs
Fundamental Economic & Political
Tradeoffs in Society
 Markets are good for…
 Innovation
 Value Creation
 Competition
 Self-Organization
 …but markets can fail
 Externalities
 Asym. Info & Bubbles
 Monopoly, Collusion
 Collective Action Prob
 Gov’t is useful for…
 Prop Rights & Regulation
 Standards & Reporting
 Anti-Trust & Trade Policy
 Planning & Enforcement
 …but gov’t fails too
 Lock-in
 Myopia & Oversell
 Capture & Pork
 Friction & Deadlock
Markets Drive Cybersecurity
 Global cybercrime ecosystem
 Advertising
 Theft & Fraud
 Infrastructure & Service
 Growing cybersecurity industry
 Antivirus, firewalls, vendors, incident response
 Customers want secure e-commerce and banking
 Arms race between “black hats” and “white hats”
 Efficacy of market-based defense is understudied
 "The primary business model of the Internet is built
on mass surveillance“ –Bruce Schneier
Market Failures Complicate Cybersecurity
 Externalities
 Unpatched/compromised hosts harm 3rd parties
 Network effects incentivize first-to-market
 Information Asymmetry
 How do you measure security? Distinguish IT “lemons”?
 Firms don’t report intrusions to protect reputation
 Cybersecurity industry competes on threat oversell
 Imperfect Competition
 Microsoft & Adobe monocultures
 Outsourced supply chain creates vulnerabilities
 Collective Action Problems
 Coordinating user, firm, industry defenses
 High-grade intelligence and active cyber defense
 International coordination & diplomacy
Potential Government Remedies
 Counter externalities
 Enforce industrial security standards/liability
 Subsidize security measures and incident response
 Improve information quality
 Mandatory or voluntary incident reporting
 Intelligence sharing
 Industrial policy
 Use government buying power to reward security
 Security-based technical trade barriers
 National Cybersecurity Policy
 Define strategy and responsibilities
 Invest in intelligence, military, law enforcement capacity
 Diplomacy, treaties, international organizations
Challenges to Govt Cyber Policy
 Lock-in
 Technological innovation vs. outdated laws/institutions
 Intrusive surveillance vs. attenuated threat
 Myopia & Oversell
 Focused on standards compliance instead of monitoring
outcomes
 Threat inflation to overcome political opposition
 Rent-Seeking, Capture, Pork
 Cybersecurity industrial complex
 Misuse/overuse of resources & intelligence
 Political Friction & Deadlock
 Intel, military, regulators, law enforcement, commerce,
finance, media, lobbies….
 American government is fragmented by design
Separation of Powers in the U.S.A.
“Wherever you are in D.C., power is elsewhere”
 Sectoral: Public, Commercial, Non-profit
 Horizontal: Executive, Legislative, Judicial
 Vertical: Federal, State, Local
 Internal: Agencies, Committees
 Temporal: Reelection, Rotation
 Political: Parties, Lobbies
 International: Treaties, UN
Where are we now?
 Market response is improving
 Improved bureaucracy & capacity
 Norm-based international strategy
 Focused on preserving an eroding status quo
 Treaties are a non-starter
 Congressional legislation in perennial limbo
 Agreement on executive powers
 Effect on industrial innovation & efficiency
 Protecting civil liberties—Especially post-Snowden!
 Most urgent need: better information
 Realistic threat assessment
 Public information sharing
 Legal framework for cyber operations
Summary
 2010 was a watershed year for cybersecurity: debate is
now about foreign espionage in the private sector and
U.S. offensive capacity
 Cybersecurity is as much a political-economic issue as
it is a technical problem
 Public policy must balance risks of market failure
against risks of policy failure
 It could be worse.
Questions