Wednesday, October 10, 2012

Analysis of Cybersecurity as a Public Good: US Government Implications: Workstation Cybersecurity a Public Good?

Is cybersecurity a public good? This is a premature moment to ask this question. First, identification of what constitutes a public good is required before an analysis about cybersecurity as a public good can be performed. Cowen applies two traits to public goods, specifically nonexcludability and nonrivalrous consumption. Nonexcludability is recognizable by the existence of, and ease of, free riding. A service or good is provided in such situation, medium, or style such that it cannot be reasonably or realistically restricted to only those who pay for the enjoyment or utilization. (Cowen, 2008)

For a very visible, and close to my own heart, example of nonexcludability, Cowen describes in detail the situation of a private entrepreneur considering a for-profit fireworks display. His illustration mirrors my own experience from this past July. On the military base I live near, a fireworks presentation was set up for the service members and the public that wanted to attend. Since there was no ‘fee’ being charged, the cost of admission was navigating the crowds and the terrible traffic upon exit. To avoid paying the admission cost, I instead took my family to a parking lot off of the base but still could see the display. This allowed me to collect the same benefit that the paying attendees received, while avoiding the cost: free riding. (Cowen, 2008)

The classic example of a public good due to free riding is geographic defense. Protecting an area from invaders is an all or nothing proposition, regardless of how many of the inhabitants chip in toward the cost. Therefore history has harnessed two methods of handling this situation: feudalism, where the non-payers are beholden to the payee, and the public supplying the security as a shared cost. Modern, developed countries address this issue by relying on their governments to provide the security and pay for it through taxes. (Cowen, 2008) The second trait of public goods is less visible but still readily important. Nonrivalrous consumption allows any consumer to consume the good without impacting the benefit to others. Geographic defense makes this readily apparent, if a space has been kept clear of invaders and a given number of people reside there then those people will be safe from invaders even if more friendly people moved into the area. (Cowen, 2008)

Since geographic defense is so readily a public good, it makes sense to naively extrapolate that to include cybersecurity as a public good. I have previously written about the networking protocols detailed in RFCs 826 and 4861, which discuss the protocols used for discovering and interacting with other workstations within a local area network, LAN. This protocols, as my paper went into great detail, require absolute adherence to the RFC specification, which renders the integrity of the whole network segment at the mercy of any malicious actor. This compromise one means a compromise of all nature does mean that defense of a LAN segment is most assuredly a public good. (Molyett, 2012)

Does the public good nature of small scale cybersecurity translate directly into nation-wide or even Internet-wide cybersecurity as a public good? I submit that the answer to that isn’t as easy and straightforward as one would like. To illustrate, allow me to describe the security of the internet as it stands. Individual workstations and secure data servers tend to be clustered into LANs which are secured from the external network typically by carefully configured routers, one or more firewalls, and policies to disallow unauthorized gateways out. Both at the gateway and inside the network intruders can be watched for and identified. Such identification only potentially mitigates the damage done by a successful intruder, it doesn’t eliminate it so the previous assumption about compromises still holds. (Vacca, 2009, pp. 149-167)

Other potential protections of the LAN can be accomplished by preconfiguring the workstations for security: using static ARP tables to protect against spoofing and man in the middle attacks, and installation of a public key infrastructure by trusted administrators. These solutions prevent use of the network resources by both malicious and benign outsiders though, so it means the security comes at the expense of nonexcludability.

Furthermore, does large scale cybersecurity have the same nonrivalrous consumption that geographic security does? It does not. When it comes to cybersecurity being a small, low value target helps. The type of infection that a typical user needs to be concerned with is wide net malware which is normally spyware or botnets. Since these enterprises want to hit as many systems as they can they target, they target vulnerabilities and softwares that are common. Being the outlier utilizing higher quality security tools will make you far safer. As the market share for your security tool grows the protection offered drops, since it will result in your configuration being targeted more. Thus adding more users to a security solution does in fact reduce the benefit that the given solution provides to the consumers. Since I have shown that network defense occurs in excludable enclaves and that security tools do not offer nonrivalrous consumption, doesn't that demonstrate that cybersecurity as an ideal does not provide a public good? It does not. Underlying the preceding analysis is the assumption that the end user and their workstation are interchangeable; interchangeable in the sense that a compromise of the user occurs if and only if their workstation or network connection to the route is compromised. Unfortunately, this is assumption does not reflect the current reality.

Cowen, T. (2008). Public Goods. The Concise Encyclopedia of Economics. Retrieved 4 October 2012 from:

Molyett, M. D. (February 2012). Network Vulnerabilities Due to Intranet Trust. Retrieved from:$FILE/MMOLYETT_Assignment1.doc

Vacca, J. R. (2009). Computer and Information Security Handbook. Burlington, MA: Morgan Kaufmann.

Analysis of Cybersecurity as a Public Good:
US Government Implications
Workstation Cybersecurity a Public Good?
Data Security a Public Good?
Government as Trustee
Implementation Reliance back with Industry

No comments:

Post a Comment