Preventing Identity Theft and Data Security Breaches: The Problem With Regulation


Numerous high-profile cyber-attacks have spawned intense calls for government intervention into information security practices.  Tired of the many online threats—including identity theft, data security breaches, and destructive viruses—the public and even some industry representatives are increasingly open to using government regulation to deal with electronic security issues. 

Several bills introduced in Congress address what is popularly perceived as a matter of market failure in the area of cybersecurity: According to some, imperfect information, externalities, and a lack of proprietary incentives in the Internet “commons” will perpetually leave the industry incapable of solving its own problems.  A sampling of the legislative proposals includes plans to require reporting to customers when a data breach has occurred, regardless of the severity, and to mandate annual security audits not unlike the financial audits required by the Sarbanes-Oxley legislation. 

But are the problems that legislative solutions can address really market failures, or has the industry simply been slow to adapt to emerging threats?  The problems identified by proponents of regulation could all be fixed far more effectively and efficiently with market solutions—among them, liability, insurance, third-party monitoring and ratings, and property rights—than with government mandates. Thus, claims of market failure are unsubstantiated.  Addressing cybersecurity, then, is not a question of how best to regulate businesses that are victims of cyber-attacks, but a question of how best to put market mechanisms into Internet and information technology operations to create incentives for improved security.

Improving information security will require a reconsideration of some of the basic features of the Internet, specifically the ease of anonymity and the open, public nature of the medium.  Improvements can also be induced in the market by making individuals and companies internalize the costs of lax security practices and letting them reap the benefits of good practices through both lower insurance premiums and higher industry rankings.

Government solutions, on the other hand, will tend to disincentivize honesty and cooperation among industry players in the long term, leading to even greater problems of imperfect information. Intervention can also interfere with prices, meaning a less efficient allocation of resources. In addition to economic inefficiency, regulations can define industry standards down and reduce innovations in the field of cybersecurity, leading to lower levels of security than we have now.

The threats against consumers and companies are numerous and the impulse to regulate is strong, but Congress would be well advised to avoid legislation that is rigid in nature and will likely prove ineffective.  The best thing lawmakers can do in the name of information security is apprehend and prosecute criminals, realizing that it is the private sector that occupies the territory from which a successful defense against attacks on hardware and information can be mounted.  The need to preserve a dynamic market role can be summed up in a single Cybersecurity Commandment:

Do not take steps in the name of security that make it:

(1) impossible to liberalize or deregulate infrastructure, or

(2) impossible or undesirable to self-regulate.