Claudia Biancotti is a senior economist in the World Trade and Emerging Economies Division of Banca d’Italia.
When economics and cybersecurity are mentioned together, it is usually in the context of assessing the economic consequences of cyberattacks, such as the damage done to the victims, or the need for defensive expenditure on the part of businesses and individuals. Less attention has been devoted to the economic causes of cyberattacks, namely distorted incentives in the cybersecurity market that, in the absence of policies to correct them, result in generalised vulnerability.
Cybersecurity is largely seen as a technical problem. But in many cases, it is not. Attacks that are difficult to neutralise even with state-of-the-art defences do exist: they are known as advanced persistent threats, and the significant financial and human resources they require are typically provided by states or large criminal organisations.
They are an important part of the story, but they are not the beginning and the end, especially with respect to incidents happening outside the perimeter of government institutions and critical infrastructure. The 2013 breach that cost American retailer Target about US$300m was caused by old, well-known malware, bought online for a few hundred dollars, and deployed via trivial flaws in the victim’s network configuration. Large data breaches have resulted from ‘SQL injection’, an attack technique that exploits preventable errors in the code underlying some online forms.
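The ‘preventable error’ behind SQL injection is easy to see in code. The following Python example is added here for illustration and is not part of the original article; it builds a constructed in-memory SQLite table, then contrasts a lookup that splices form input into the query text with the parameterised form that keeps the input as data. The table contents and the function names are assumptions made for the example.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory users table (sample data, not real accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute(
        "INSERT INTO users VALUES ('alice', 'sha256-placeholder-for-alice')"
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The preventable error: the value typed into the form becomes part of the SQL.

    Anything the user types is parsed as SQL syntax, so a quote character in the
    input changes the meaning of the query instead of being compared as text.
    """
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterised(conn, username):
    """The fix: a placeholder in the SQL, the value passed separately.

    The database driver binds the value as data, so quotes inside it are just
    characters of the username being searched for, never SQL syntax.
    """
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def compare(username):
    """Run both lookups on the same form input and return (vulnerable, fixed)."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, username), lookup_parameterised(conn, username)
    finally:
        conn.close()


if __name__ == "__main__":
    # An ordinary username behaves the same either way.
    print(compare("alice"))
    # A value containing a quote: the vulnerable query's WHERE clause is rewritten
    # and matches every row; the parameterised query simply finds no such user.
    print(compare("' OR '1'='1"))
```

The point for a reviewer is that the defect is structural, not a matter of clever input: any code path that builds SQL text by concatenation is exposed, and the parameterised version is no harder to write.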
Over the past two decades academics have singled out a number of micro-economic mechanisms that yield sub-optimal cyber protection, even in the face of unsophisticated threats.
There are reasons why software – and, to a lesser extent, hardware – is born unsafe. The market for such goods is characterised by ‘network externalities’. The value of a product depends on the size of the installed base – nobody is interested in a messaging service that does not connect anyone. When choosing an operating system, most will opt for a widely used one that supports a large number of applications and is expected to pose no interoperability issues.
When network externalities are present, the producer who first secures a sufficient share of the market ends up in a dominant position, as new users flock to what is already popular. Time-to-market is prized by developers above (almost) anything else. Features that are not of particular interest to the average consumer, such as security, are overlooked in an effort to get the product out as early as possible – hence the ‘release now, patch later’ model that has dominated the software industry for years. This model has facilitated countless breaches, including the WannaCry crisis in May 2017.
Once the unsafe software or hardware has reached the user, informational issues prevent the remediation of existing vulnerabilities and introduce new ones. In addition, awareness of cybersecurity threats is still limited among the general public, small businesses, and even some larger companies: cybersecurity is seen as a cost without any significant benefit.
Even those who have a cybersecurity protection budget must face the ‘principal–agent’ problem: the average user of an IT system is not technically competent enough to understand which defensive products they need, and so delegates the decision to a vendor who has a conflicting incentive – namely, to sell the most profitable products.
And the problem of a lack of awareness is also visible when it comes to ‘cyber-hygiene’: simple safety rules such as ‘do not click on suspicious links’ or ‘do not connect unknown mobile devices to the computer’ often go unheeded.
Sometimes, those who leave their systems unprotected pay the full price of an attack, but more often than not this is not the case. In the language of economics, vulnerabilities produce ‘negative externalities’: the cost of someone’s choices is borne, totally or partially, by someone else, and this induces a level of expenditure that is insufficient from a social perspective.
When email provider Yahoo! was breached, millions of customers’ personal details were stolen on account of the company’s poor security: Yahoo! suffered a damaged reputation and lost business, but the customers suffered damage to their privacy and the security of their online communications. In 2015, hackers publicly released names and credit card details of millions of subscribers to Ashley Madison, an online dating service facilitating extramarital encounters. Divorces, and even suicides, ensued. Class action lawsuits were filed; two years later, the company had spent more than $11m on settlements, with more to come.
Negative externalities are not confined to data breach incidents. The 2016 Distributed Denial of Service (DDoS) attack that took down the websites of Twitter, Reddit, Paypal and many other companies was carried out through household devices connected to the internet, such as video recorders or internet protocol cameras. Tens of thousands of these devices were, without their owners’ knowledge, deployed against a company that provided critical network services to the victims. Hackers try to avoid direct contact between their own systems and their targets; to preserve anonymity and increase firepower, they gain illicit access to as many unprotected devices as they can, and then use them as a weapon. Networks of hacked, remotely-controllable devices known as botnets are sold or rented for very low prices on the ‘dark web’: they can be used to carry out an attack even by someone with limited computing skills.
So what are the policy solutions? The case for liability of software producers for vulnerabilities in code has been made for decades; so far, the software industry has blocked any attempt to translate it into law, claiming that it would kill technological progress. But it is very likely that, with the expansion of the ‘internet of things’ (IoT), this will change. Attention is currently focused on how to preserve the incentive to innovate while introducing liability for damage done in the physical world by a hacked IoT device, such as an internet-connected car. The industry, partly because of this and partly because of a growing interest in security on the part of customers, is moving toward a ‘security by design’ approach.
European legislation on cybersecurity has evolved quickly in the past few years. In 2018, the Network and Information System Directive (NIS-D), the new Payment System Directive (PSD), and the General Data Protection Regulation (GDPR) will become effective: all of them are positive steps in encouraging cybersecurity. The most significant innovation, in terms of the number of people potentially affected, is perhaps the introduction of disclosure obligations for anyone handling personal data on behalf of third parties: if a breach is detected, data subjects have to be notified. Such obligations have existed in the United States for some time, but they were absent in most EU jurisdictions.
But this is not enough. The NIS-D and the PSD impose strict security requirements, but only for providers of essential services, critical infrastructure and the financial system. The GDPR has a wider scope, but only covers the protection of systems where personal data is stored. In the final communiqué of their May 2017 meeting, finance ministers and central bank governors of G7 countries stated “[w]e recognise that cyber incidents represent a growing threat for our economies and that appropriate economy-wide policy responses are needed. No point of cyberspace can be absolutely secure as long as cyber threats persist in the surrounding environment”. This principle must now be transposed into rules that apply to all users of cyberspace.
This article was originally published in the print journal Europe's World issue 35.