How the Market Can Steal Identity Thieves’ Thunder

This past June, a coalition of business leaders calling itself the Consumer Privacy Legislation Forum—representing such heavyweights as Eli Lily, Google, Microsoft, and Procter & Gamble—called on Congress to enact comprehensive data security legislation to combat a growing number of online threats facing Internet users and companies entrusted with their customers’ sensitive personal data.  Representatives from several companies testified before the U.S. House Energy and Commerce Committee, demanding a single federal regulatory regime for data protection.  

Comments the official Google blog: “This matrix of [state consumer protection laws] is complex, incomplete and sometimes contradictory. On an Internet beset with spyware, malware, phishing, identity-theft, and other privacy threats, enforcement of privacy protections has become an industrywide challenge, and highlights the lack of a coherent regulatory structure.” 

Over the last few years, several cybersecurity bills have been introduced in Congress.  The proposed regulatory fixes include everything from phasing out the use of Social Security numbers for identification purposes; requiring customer notification whenever a data breach has occurred, regardless of the risk posed to consumers; creating an Office of Identity Theft as part of the FTC; and regulating multiple aspects of how companies collect and maintain the personal data of consumers.  There have even been calls for Sarbanes-Oxley-style oversight of company data security policies with mandatory annual reporting.  (Given the current weaknesses in the federal government’s own data security practices, perhaps compiling the data security protocols for every company in the country in one central agency’s system isn’t the most prudent of policies.)

But is a one-size-fits-all regulatory regime the solution to the problem of emerging online threats?  If anything, federally standardized data security protocols will likely make sensitive personal data less secure, not more: Uniform cybersecurity protocols need only be hacked once to put all data secured by the government-backed technology in jeopardy. 

The problems cited by regulation proponents—identity theft, large scale data theft, fraud, and less nefarious online nuisances—can be addressed far more effectively and efficiently with market solutions.  Rather than shielding companies from liability by way of a governmental stamp of approval, the tech sector should encourage the development of a robust market for liability insurance, a surefire incentive to provide the best data security possible. 

In addition to traditional insurance, there may also be room for third-party firms that can issue ratings and rankings based on the demonstrated level of information protection.  With cybersecurity consulting firms already off and running, Consumer Reports-style monitoring agencies cannot be far behind.  It’s a safe bet that the technology experts in the field—both the consultants and the watchdogs—will do a far better and faster job of detecting, assessing, and reacting to new online threats than a government bureaucracy ever  could.

Both of those private solutions—using traditional liability insurance along with third-party monitoring of security efforts—will incentivize the adoption of ironclad security systems in a way that a regulatory scheme cannot.  Differentiated insurance premiums and competition through objective rankings systems will force companies to internalize the costs of lax security practices and allow them to reap the benefits of good practices. Addressing cybersecurity, then, is not a question of how best to regulate businesses that are victims of cyber-attacks, but of how best to create market incentives that will encourage improvement in securing information technology operations. 

Some non-regulatory proposals for improving information security suggest the need for a reconsideration of some of the Internet’s basic operating protocols, specifically the ease of anonymity and the open, public nature of the medium.  Though both are widely touted features of the Internet, neither is essential to its operation, and both facilitate cybercrime.  Changing Internet protocols is dependent on yet another market mechanism that must be strengthened to combat online crime: property rights.  Internet service providers and the owners of the Internet’s infrastructure must be able to assert their property rights by policing the Net for fraudulent activity. 

Tiered pricing for broadband use is one way by which service providers could assert their property rights with an eye towards reducing crime. Targeting the activities of unauthenticated bulk email senders could dramatically reduce spam and phishing attacks.  For example, Tonny Yu of Mindshell, a spam-filtering software company, has suggested a gradual move away from the reigning Internet protocols to a system that verifies a sender’s identity, enabling mail servers to certify trustworthy email.  Mechanisms to flag unusually high-volume mail senders and to limit the number of emails a single user can send per second can also help reduce spam. 

Other technological fixes from the provider side include things like employing puzzles that a would-be criminal’s computer must solve to gain access to a targeted website; this would occupy the processing capability of the querying computer and limit the number of repetitive requests that could be sent to a site targeted for a denial of service attack. These and other “plumbing” upgrades that would allow the network’s owners and operators to  police activity in the pipes could address both online nuisances—such as spam—and broader security threats. 

However, proposals to generate cybersecurity solutions on the network side—rather than the end-user side—run afoul of the concept of network neutrality, the idea that the network itself should be unable to distinguish the content that travels on it.  Leaving aside the merits of the larger debate on the value of a neutral network, regulations requiring neutrality would almost certainly limit service providers’ ability to create innovative network technologies that could help fight crime.

While threats against consumers and companies are numerous and the impulse to regulate is strong, Congress should avoid legislation that is rigid in nature—and thus would prove difficult to adapt to changing circumstances—and will likely prove ineffective anyway.  The best thing lawmakers can do in the name of information security is apprehend and prosecute criminals, and realize that it is the private sector that occupies the territory from which a successful defense against attacks on hardware and information can be mounted.