Cybersecurity: the Power of Private Sector Solutions
One of the recurring arguments we hear in the debate about cybersecurity policy is that the government needs to step in to secure private networks because the private sector is not doing enough on its own. Some say there has been a “market failure” that requires government intervention because there is an insufficient financial incentive for entities in the private sector to provide an appropriate level of security. A major reason to be skeptical about these arguments for government intervention is that the government has failed to date to secure its own systems. And, many of the government-knows-best security solutions – like security mandates for software, government monitoring of communications across private networks, and authority in the President to shut down or limit Internet traffic to particular systems – would stifle innovation and threaten privacy.
Further evidence that the private sector is quite well-incentivized to improve security comes in the form of two recent corporate announcements.
Facebook and McAfee announced this week that McAfee will offer all 350 million users of Facebook free security software for six months. The software will protect users against viruses, spyware and other online threats. After six months, users can purchase the security software from McAfee. This might be good for McAfee, which should gain paid subscribers in the long term, and for Facebook, which will help users to use McAfee software to clean their computers, thus generating more happy users.
But it also suggests that, left to their own self-interest, companies can do, and are doing, a lot to address cybersecurity. Facebook and McAfee didn’t launch this effort in response to a government mandate; they responded to the needs of consumers.
The same is true of the second recent announcement: Google is making HTTPS (which encrypts email as it moves from a user’s browser to Google’s servers) the default for all users. Google didn’t make Gmail more secure against unauthorized access because Uncle Sam told it to do so. It responded to the security needs of its users and their expectations about privacy.
Market failure for cybersecurity? If there is one, maybe the government solution should be to tweak the market. It could do that by educating computer users about the security risks they face (thus creating more demand for security solutions), by providing tax and other incentives to companies to pay for better security for critical networks, and by using its own purchasing power to pay only for systems that meet strong security requirements. This kind of approach leaves companies free to develop their own cybersecurity measures, and even helps them do it.