Is Cybersecurity a Public Good?
The usual argument for government intervention, aside from the paternalist and the distribution arguments, is some kind of “market failure,” either in the area of public goods or in the area of externalities. When economists want to make a case for government intervention, they usually do so by invoking market failure.
In a recent article in the Wall Street Journal, “Everyone Should Pay for Cyber Defense,” April 22, Harvard University economics professor Martin Feldstein, my former boss at the Council of Economic Advisers, makes a case for government intervention in the area of cybersecurity. He does mention “public goods” in the second last paragraph, writing:
The infrastructure companies should be required to meet a high standard of protection and to cooperate with government agencies in preventing incoming malware. But the cost of doing that should be born [sic] by the country as a whole, just as we pay for the military or other public goods like the weather service.
But he never makes the case that this is a public good. Here’s the case he does make:
The attackers use computer programs to look for openings in the computer systems of companies. They also send seemingly harmless emails to company employees which, when opened, provide entry to the company’s internal networks. The attackers may be foreign governments or the foreign companies that those governments assist. Governments or terrorist groups that lack the technical capability to mount such attacks can now buy the services of skilled hackers who will do it for them.
Internet attacks on critical infrastructure can create a threat to national security even before they inflict any actual damage. A foreign enemy that gains access to the computer control systems of U.S. companies can embed malicious computer code by which the hacker can cause that system to malfunction. A foreign government that has planted such malware in the electricity system of a major U.S. city could credibly threaten to trigger it at a time when the U.S. acts to protect interests or allies abroad. That threat could block the use of our military capability.
But how does this case differ in principle from that of thieves who want to enter a company’s building? When companies feel threatened, they tend to hire security guards and set up security systems. There’s no public good.
Marty goes on to say:
There are two barriers to providing that protection. Civil-liberty advocates and others are understandably concerned about the possibility of the NSA (a part of the Defense Department) intercepting and examining emails aimed at American individuals and companies. The NSA therefore lacks the legal authority to provide the protection we need.
The second problem is the cost that companies that are part of our nation’s critical infrastructure (the electric power companies, airlines, banks and others) would face if required to protect themselves from malicious attacks.
But cost per se is not a public good argument. Even if the NSA has a lower cost, that’s not a public good argument: it’s a cost argument.
Marty continues with his solutions to the two problems:
First, to protect privacy, there is no need for any person at the NSA to review the content of suspicious emails. The NSA’s computers could stop the email as it enters the United States and turn it over to the Department of Homeland Security. The NSA could be legally barred from doing more than stripping off the potentially dangerous message.
The Department of Homeland Security, a completely domestic agency, could then review the content of the email or could notify the intended recipient that a potentially dangerous email had been received. The target recipient could have an agreement with the DHS choosing what happens next: authorizing the DHS to examine the content or to destroy the email or to reroute it to a safe email address where the company could examine it.
So Feldstein sees that a company could have an agreement with DHS. Why, then, if it wants NSA to stop the e-mail, couldn’t it have an agreement with NSA? Then, if the NSA has a cost advantage, it could do so but only if authorized by the company or individual. That way, we get the advantage of NSA’s lower cost if, indeed, NSA’s costs really are lower, without the disadvantage of government intrusion without our consent.
Maybe Feldstein could make a public good case but he doesn’t even try.
By the way, here’s my prediction: if a solution such as mine above were tried (letting people decide whether they want NSA “protection”), few companies or individuals would voluntarily subscribe even if NSA’s costs were lower. Robert Frost once wrote:
Something there is that doesn’t love a wall,
That wants it down.
Something there is that doesn’t love government intrusions on privacy,
That wants them gone.