The Law and Economics of Cybersecurity

Cover......Page 1
Half-title......Page 3
Title......Page 5
Copyright......Page 6
Contents......Page 7
Acknowledgments......Page 9
Contributors......Page 10
The Law and Economics of Cybersecurity: An Introduction......Page 11
Part One Problems: Cybersecurity and Its Problems......Page 21
I. Introduction......Page 23
II. Private Security Expenditures......Page 25
III. Public and Private Goods......Page 30
IV. Conclusion......Page 36
References......Page 37
Two A Model for When Disclosure Helps Security: What is Different About Computer and Network Security?......Page 39
A. Case A: The Open Source Paradigm......Page 42
B. Case B: The Military Paradigm......Page 43
C. Case C: The Information-Sharing Paradigm......Page 45
D. Case D: The Public Domain......Page 46
II. The Key Reasons Computer and Network Security May Vary from Other Types of Security......Page 48
A. Hiddenness and the First-Time Attack......Page 49
B. Uniqueness of the Defense......Page 51
C. Why Low Uniqueness May Be Typical of Computer and Network Security......Page 52
III. Relaxing the Open Source Assumptions: Computer and Network Security in the Real World......Page 58
A. The Assumption That Disclosure Will Not Help the Attackers......Page 59
B. The Assumption That Disclosure Will Tend to Improve the Design of Defenses......Page 69
C. The Assumption That Disclosure Will Spread Effective Defenses to Others......Page 73
IV. Conclusion: Security, Privacy, and Accountability......Page 75
References......Page 78
I. Introduction......Page 83
II. Survivable Systems Versus Impregnable Artifacts......Page 85
A. Ad Hoc Mesh Wireless Networks......Page 88
B. Distributed Data Storage and Retrieval......Page 94
C. Distributed Computing......Page 98
A. What Are Shareable Goods?......Page 101
B. Differences in Information Costs......Page 103
C. Differences in Motivation Structures......Page 105
D. Information and Motivation: Cumulative Considerations......Page 109
A. Pooling Resources through Firms......Page 110
B. Secondary Markets in Excess Capacity......Page 111
C. Social Production of Survivable Infrastructures......Page 114
VI. Conclusion......Page 121
References......Page 122
Four Cybersecurity: Of Heterogeneity and Autarky......Page 125
I. Redundancy: Heterogeneity Versus Autarky......Page 130
A. Monocultures: Supply versus Demand......Page 131
B. Heterogeneity and Autarky......Page 133
C. The Cost of Engineering Heterogeneity......Page 137
II. Understanding Computer Software Product Quality......Page 140
A. Consumer Software Adoption with Full Liability......Page 141
B. Quality Investment and Full Liability......Page 142
C. Timing of Software Release and Adoption......Page 143
III. Conclusion......Page 145
References......Page 147
Part Two Solutions: Private Ordering Solutions......Page 151
Five Network Responses to Network Threats: The Evolution into Private Cybersecurity Associations......Page 153
I. Introduction......Page 154
A. Private Security Associations in the “[Very] Old Economy”......Page 160
B. Private Security Assiciations in the “New Economy”: ISACs......Page 162
C. Public Subsidies of Private Network Security Associations......Page 165
A. Enforcement of Norms by Networks and Hierarchies......Page 168
B. The Paradox of Spontaneous Formation......Page 175
C. The Evolution of Private Legal Systems......Page 180
D. A Note on Game Types......Page 183
E. Assessing Enforcement Costs of Regulated Norms......Page 185
A. Network Security Norms as Noncooperative Game Types......Page 189
B. Reliance on Existing Functionality in the Chemical Sector ISAC......Page 192
C. Implications on the Public Subsidy of ISACs......Page 195
V. Conclusion......Page 197
References......Page 198
Six The Dark Side of Private Ordering: The Network/Community Harm of Crime......Page 203
I. The Network Harms from Computer Crime......Page 205
A. Network Harms......Page 207
B. Distributional Harms......Page 209
II. Some Implications of A Community Harm Approach......Page 211
A. The Case for Unlike Punishments for Like Crimes......Page 214
B. Crimes against Networks......Page 215
C. The Third-Party Liability Debate......Page 217
D. The Problem with Current Law Enforcement and White House Cyberstrategy......Page 222
References......Page 225
Abstract......Page 231
A. The Standard Model......Page 237
B. Applied to Internet Service Providers......Page 242
A. Overzealous ISPs......Page 249
B. Subscriber Self-Help......Page 252
C. Other Objections......Page 254
A. The Communications Decency Act......Page 257
B. Common Law Principles......Page 263
IV. Conclusion......Page 264
I. Introduction......Page 269
A. Terms and Parameters......Page 271
B. Analytical Framework......Page 272
C. Factors Relating to the Value, Vulnerability, and Protection of the Target......Page 273
D. Factors Relating to the Control and Jurisdiction over the Network and the Attacker......Page 277
III. Private Sector Responses......Page 279
IV. Government Intervention......Page 281
A. The Role of Law in Different Societies......Page 282
C. Externalities......Page 283
A. Territoriality and Aterritoriality......Page 284
B. Regulatory Competition and Regulatory Cartelization......Page 288
VI. Strategic Considerations and International Legal and Organizational Responses......Page 289
A. The Cybersecurity Public Goods Game......Page 290
B. Coordination Problem: The Global Cyberspace Stag Hunt......Page 292
C. State Sponsorship of Cyberterrorism: A Game of “Chicken” or of “Bully”?......Page 293
D. Relative and Absolute Gains......Page 294
A. Use of Analogs and Precedents......Page 295
B. Cybercrime and Cyberterrorism: The Council of Europe Cybercrime Model......Page 297
C. Data Flows and Funds Flows: Finance for Terrorism and the Financial Action Task Force Model......Page 298
D. Data Packets and Shipping Containers: The Maritime Security Model......Page 300
E. Results of Analogical Assessment......Page 301
VIII. Conclusion......Page 302
References......Page 303
Index......Page 307