Comments to Dept of Commerce on Protecting Critical Infrastructure

As a result of a recent Executive Order, the Administration is seeking comments on ways to protect national security. I was invited to submit comments to the Department of Commerce on this topic. There is a legitimate difficulty in understanding and developing public policies to protect privacy or to achieve secure IT systems.

Balance.

How much privacy should we have? How much security should there be? No one really knows, yet everyone has an opinion. And most opinions are reasonable. In the case of IT security, this has been an outstanding question for 20 years now. Maybe about half that for privacy. In my Comment, I make the argument that while most consumer advocates want “more spending!”, “more” may not be “better.” The reason is waste. It is wasteful to spend more for a benefit that is less than the cost. So firms, just like individuals, should balance costs with benefits. It’s wasteful to do otherwise.

In my Comment I next present policy mechanisms that can be used to address this balance. Not necessarily ways to find the optimal level of security or privacy protection, but ways the government can induce better (i.e. optimal) behaviors. I talk about regulation, disclosure, taxes, liability, nudging, etc. These approaches all have their benefits AND limitations. So it’s not a matter of which is best, but of understanding the conditions under which each is appropriate (or not). I find it all very fascinating, and hopefully you do too.

I next discuss cyberinsurance. As you might imagine, this is an insurance product that firms purchase in order to reduce the cost of data breaches and security incidents. In short, this insurance covers first-party losses that the firm itself suffers from being hacked (for instance), fines or regulatory sanctions, and third-party liability from any resulting lawsuits. The market may be big now, but it is expected to approach $1 billion in total premiums. That’s a lot. (Though, to put it in perspective, it would be nice to know the size of other corporate insurance markets. If any reader knows, please send me a note.)

What is most interesting about insurance is the ability — or at least the potential — to help reduce risky behavior for the insured, and across an industry. Despite moral hazard, there do appear to be practical ways to reduce risky behavior, and even to induce actors to become safer. It’s a wonderful opportunity. Moreover, insurance companies have available to them claims data that would be invaluable for determining which security controls are best at preventing data and privacy breaches. My Comment concludes with a plea to insurance carriers to work with researchers like me in answering those questions. It can be done, and I’d love to try!


The formal call: http://www.ntia.doc.gov/federal-register-notice/2013/notice-inquiry-incentives-adopt-improved-cybersecurity-practices

My comments: http://www.ntia.doc.gov/federal-register-notice/2013/comments-incentives-adopt-improved-cybersecurity-practices-noi#comment-29922


cheers,

Sasha