Vol. 16 No. 9 (September, 2006) pp.657-659


THE LAW AND ECONOMICS OF CYBERSECURITY, by Mark F. Grady and Francesco Parisi (eds.).  Cambridge and New York: Cambridge University Press, 2006. 328pp. Hardback $75.00/£45.00. ISBN: 0-521-85527-6.  e-book format. $60.00.  ISBN: 051113830X.


Reviewed by Thomas H. Koenig, Professor and Chair, Department of Sociology and Anthropology, Northeastern University.  Email:  T.Koenig[at]neu.edu


In this edited collection, eleven leading law and economics scholars discuss the most efficient methods of defending the integrity of the information superhighway.  The World Wide Web provides a rapidly expanding venue for wrongdoers who wish to intercept, distort or disrupt information for fun (hackers and cybervandals), for profit (scammers, extortionists and rivals) or in order to create societal disorder (terrorists and anarchists).  Protecting Internet security is difficult because the cost of launching an on-line attack is generally very low and the perpetrator runs little risk of punishment.  Laissez faire solutions have proven to be inadequate.  The authors recommend enhanced government initiatives, collective industry action and/or strengthened tort remedies to augment the current efforts of public and private entities.


These eight essays, most of which are extensions of papers originally presented at George Mason University’s June 2004 Conference on the Law and Economics of Cybersecurity, represent some of the most advanced thinking about solutions to this pressing social quandary.  Each paper is a tightly written, theoretically sophisticated exploration of the costs and benefits of various approaches to on-line security.  The articles assume a basic familiarity with the core concepts of law and economics, game theory, systems theory and at least a rudimentary understanding of the technology that forms the backbone of the Internet. 


Readers who are uncomfortable with the vocabulary of law and economics may find this book slow going, but those with at least an elementary grounding in the fundamentals of this literature will appreciate the authors’ direct and elegant approach to complex issues.  Bruce H. Kobayashi of George Mason University, for example, tackles a possible market failure that occurs because “private security goods may serve to divert crime from protected to unprotected assets and that as a result equilibrium expenditures may exceed socially optimal levels” (p.14).  Kobayashi notes that “[i]f security goods are collective goods, then individuals or firms that invest in information and other public security goods will not be able to exclude others from using them, resulting in an incentive to free-ride” (p.21).  Kobayashi concludes that a promising approach would be for “the government [to] facilitate the protection of [security] information through the creation and enforcement of property rights to information” (p.27). 


Law professor Peter W. Swire of Ohio State University presents an intriguing [*658] discussion of whether disclosure of security breaches will help or hurt defenders.  “The open source approach makes three assumptions: (1) disclosure will offer little or no help to attackers; (2) disclosure will tend to upgrade the design of defenses; and (3) disclosure will spread effective defenses to third parties” (p.31).  In sharp contrast to most military operations, a company’s on-line defenses can be probed repeatedly without expending significant resources, so the advantages of alerting others to attempted incursions may be greater than the cost of letting the cybercriminal gain some information about the nature of the existing defenses.  


Yochai Benkler of Yale Law School argues against the construction of impregnable cyberfortresses because the value of the Internet lies in its global accessibility.  The proper approach, in his opinion, is to focus on ensuring the survivability of critical infrastructure against attack, failure or accident rather than to deny access to an enemy or competitor.  A network that is redundant, topographically diverse, and capable of self-configuring can be easily penetrated but is unlikely to be destroyed because of its self-healing properties.  The peer-to-peer file sharing networks that are currently frustrating the music industry’s efforts to protect its intellectual property from misappropriation provide a possible model for designing a highly survivable system.


Randal Picker (University of Chicago Law School) disputes the “monoculture” argument: that more diverse software and operating systems should be employed to make the Internet less vulnerable to cascading failure.  Picker argues that the great benefits that arise from a homogeneous, densely connected World Wide Web outweigh the risks that result from technological uniformity.  E-commerce is totally dependent on rapid and reliable access, which may be undermined by excessive defensive measures.  Picker’s solution is to separate truly critical infrastructure from the public network, while continuing to allow most information to flow freely.  He also advocates increasing liability for the production of inadequately tested software that proves to be excessively susceptible to exploitation by cybercriminals.  However, Picker also recognizes that there are societal benefits to the early release of computer programs that can be improved after their vulnerabilities are revealed by real world exposure to hackers.


Amitai Aviram (Florida State University) advocates the development of private legal systems (PLSs) that can initiate and enforce norms of good on-line behavior.  Public subsidies may be necessary to provide PLSs with the incentives and resources necessary to perform this function.  Aviram warns, however, that granting excessive benefits to members of PLSs may undermine the dynamism of the free market.


Neal Katyal (Georgetown University Law School) focuses on the harm that cybercrime imposes on communities rather than the price paid by the individual victim.  An aggressive approach to cybercrime is needed because insecurity on the Internet undermines the public’s trust and [*659] willingness to use this valuable resource.  Katyal observes that “[g]overnments write laws against computer crime, and enforce them, not only because crime would otherwise spiral, but also because they fear the way in which private actors would structure their interactions without the government backbone of security” (p.215).  


Doug Lichtman and Eric Posner (University of Chicago Law School) argue for imposing liability on Internet Service Providers (ISPs) in order to create stronger incentives to develop procedures for blocking malicious code.  The Communications Decency Act (CDA), which absolves ISPs of liability, mistakenly departs from common law tort principles of responsibility for negligently enabling the misdeeds of third parties.  Without the legal shield provided by the CDA, ISPs would become more proactive in identifying, blocking and helping to prosecute on-line wrongdoers.        


Tufts University’s Joel Trachtman reviews a number of strategies for countering global cyberterrorism, raising such issues as how to update the traditional legal concepts of territoriality and jurisdiction in order to deal with misdeeds in cyberspace.  International harmonization agreements will be difficult to implement because diverse regimes have varied interests, resources, and ideologies.  Trachtman turns to game theory and existing forms of coordination to suggest ways to develop more effective cross-national responses.  Side payments to third world nations may be necessary, for example, because technologically backward regions have fewer resources and less to fear from cyberspace attacks.


This book is of enormous value for designers of cybersecurity systems and for legal experts, both of whom must carefully balance security concerns against the many economic and societal benefits of a seamless Web.  All of the contributors do an excellent job of weighing the economic advantages of interconnectivity against society’s interest in blocking undesirable on-line activities.  Law and economics scholars and game theorists will particularly appreciate the adroit extension of these fields into the dilemmas of cybersecurity.  Anyone looking for a quick read, however, is likely to be disappointed.  This volume contains none of the gripping accounts of chasing down cybercriminals and on-line terrorists that fill the popular literature. 

*************************************************

© Copyright 2006 by the author, Thomas H. Koenig.