— Then-defense secretary Leon Panetta referred to the threat of cyber attacks as a “cyber Pearl Harbor.”
— A senior Cyber Command official has declared that we are in the middle of a “cyber arms race.”
— Other experts have used public health as a metaphor for the cyber security challenge facing our nation.
While all of these metaphors capture part of the challenge that we face, none of them helps policy-makers make concrete decisions about the proper role of government in addressing the cyber-security threats facing our nation.
It may be more helpful to think about cyber security, or more properly, cyber insecurity, as a by-product of Information Age activities like eCommerce, Web browsing, emailing, and using social media. In other words, our use of, and reliance upon, information technologies produces a state of insecurity—an exposure to liability, risk or loss—that impacts society as a whole.
Viewed through this lens, cyber insecurity becomes a well-understood economic phenomenon—a negative externality—that we have dealt with before. As Evan Wolff has observed, a useful analogy for the situation we face today is the challenge of air pollution in 1950s and 60s.
In the decades after World War II, the U.S. economy expanded rapidly. While this growth drove innovation, created jobs, and produced wealth, it also led to a pollution problem.
It was simply not in a company’s best interest to spend the resources needed to abate the pollution that resulted from its processes or products. While this calculation made sense for each specific enterprise, the country as a whole suffered.
In the early 1960s, the federal government determined that it needed to take action in order protect the health of its citizens. In particular, the government determined that regulations were needed to control air pollution. So Congress passed the Clean Air Act in 1963.
In many ways, our current problem with cyber insecurity is analogous to the challenge we faced with air pollution in the post-war era. Information technologies are driving innovation, creating jobs, and producing wealth. Our economy is critically reliant on these technologies and benefiting greatly from their use.
However, the software and hardware that we use every day are inherently vulnerable to exploitation, and the number of vulnerabilities is growing concomitantly with the cycle of IT innovation. This fundamental dynamic is not likely to change anytime soon; cyber insecurity will stay with us just like pollution remains a by-product of human activity.
The good news is that we can manage cyber insecurity and reduce it to an acceptable level if we are willing to take the necessary steps. There are a variety of policy options for addressing negative externalities, including regulations, financial incentives (e.g. taxes, subsidies and fines), legal remedies (e.g. liability), and education/awareness.
The true challenge lies in determining what those steps should be and implementing them in the face of the inevitable political opposition that will arise.
So far, the U.S. government has taken a laissez-faire approach to the problem, focusing on public-private partnerships, information sharing, and promulgation of best practices. While these types of remedies have value and should be included in the mix of policies that need to be implemented, they alone are unlikely to reduce the level of cyber insecurity to an acceptable level.
Some mix of incentives will be needed to change the behavior of companies whose current practices may be perfectly reasonable at the firm level, but which are producing unacceptable costs at the national level. Targeted regulations may also be needed to address specific insecurities that lend themselves well to such remedies.
Ralph Langer and Perry Pederson, for example, have made a compelling argument that the regulation of industrial control systems is feasible, necessary, and affordable. Whatever solution or solutions make the most sense, we cannot move forward without acknowledging that cyber insecurity is a natural by-product of our current economic and social activities—the “pollution” of our era.
Cyber insecurity may be a new problem, but it is not a new type of problem, and we know how to address these types of challenges. Over the last five decades, our country has made significant progress against similar challenges.
In the case of air pollution, air quality has improved significantly, standards and metrics have been developed for measuring progress, and the development of new techniques for reducing air pollution has lowered the costs of compliance.
As a result, our economy and our health are both better off. It is not clear if such a positive outcome is possible for cyber insecurity, but we will never find out unless we view the problem through the proper lens.
Irving Lachow is Senior Fellow and Director of the Program on Technology and U.S. National Security at the Center for a New American Security and a former principal cyber security engineer at the MITRE Corporation.