Eleven years ago, a cyberattack was launched against Estonia in retribution for the government moving a Soviet monument to a less prominent location. Estonia, a member-state of both NATO and the European Union, was a pioneer in the paperless government movement. Estonia’s “e-government” allowed citizens to do almost everything online, from personal banking to electing parliament. While this transition generally offered citizens convenience, the cyberattack exposed the large downside of a predominantly online government: during the attack, Estonia’s institutions ground to a halt and even the ATMs stopped working.
As countries around the world increasingly embrace a new paperless paradigm, cyber threats have become an ever more pressing issue of national security. Cyberattacks, according to Estonian Defense Minister Jaak Aaviksoo, “can effectively be compared to when your ports are shut to the sea.” For a country like the United States, these attacks can have enormous ramifications for both the private and public sectors. From the electric grid to the stock market and cloud services, which alone are projected to be worth $277 billion in 2021, the nation’s economy is potentially at risk. And recent reports warn that an entire generation of U.S. weapons systems could be vulnerable to cyberattacks. These public and private sector vulnerabilities were noted in the Trump Administration’s recently published National Cyber Strategy, which stated in its preamble that “cyberspace is an integral component of all facets of American life, including our economy and defense.”
Online threats are nothing new: many U.S. businesses have already been impacted, from Google in 2010 to Sony Pictures Entertainment in 2014. Park Jin Hyok, charged by the Justice Department for working with the North Korean government to hack Sony Pictures, was also accused of helping steal $81 million from a Bangladeshi bank; rogue state and non-state actors increasingly use cyberattacks to self-finance, skirting banking regulations and government oversight.
Due to the seriousness of cyber threats, the government has already taken action to bolster cyber defense systems and pursue those who have attacked America’s cyber infrastructure. Indictments for hacking have been doled out to Americans and foreign citizens, U.S. departments have updated software systems, and analyses of critical infrastructure are ongoing. But most analysis indicates that much more needs to be done.
The overarching problem for the United States is that cybersecurity acts like a public good. Public goods are services or commodities, like clean air or national defense, which are provided without profit to all members of a society. Public goods suffer from free riders, individuals “who hope to reap the benefits of a public good but refuse to contribute to its creation…” While security in the realm of cyberspace is a private good—things like anti-virus software or firm-specific security are goods and services that are bought for a price—information and knowledge about cybersecurity are public goods.
In the wake of Google’s 2010 hack, the company surprisingly turned to the National Security Agency for help and expertise. While in general most technology firms publicly dismiss the necessity for government help—after all, about 90 percent of cyber infrastructure is operated by private entities—the government is often consulted when sophisticated actors like a foreign military launch a cyberattack. So while private firms generally rely on in-house experts to implement security measures, the government is still a necessary resource for consultation regarding information, as in the case of Google and the NSA.
But the strength of this public good could be weakening. More cybersecurity experts are leaving the government for U.S. firms, which offer much higher salaries. If these experts continued to contribute to the overall cybersecurity of America this would not be an issue, but due to misaligned incentives, with notable exceptions, technology firms have not contributed to the nationwide public good of cybersecurity as much as they’ve received benefits. The disparity in benefits is due to free riding incentives that exist both between firms and within the context of overall national security. Little information on attacks is shared between businesses because firms that have already been breached have little incentive to broadcast the news immediately. And loaning experts to the government for free is a difficult proposition because companies would generally have to pay for the experts’ time while potentially losing firm-specific security gains.
With a panoply of critical infrastructure at risk, from the stock market to the electric grid, the United States needs to take more steps to address cybersecurity. But whereas authoritarian countries like North Korea can coerce experts to work on behalf of the government, the protections provided to businesses in the United States limit the ability of the government to align the incentives of non-governmental organizations and institutions. Thus, addressing the need for more cybersecurity experts working on behalf of national infrastructure might be a good place to start.
Two approaches should be undertaken by the government: first, by increasing the number and public knowledge of scholarships-for-hire programs, more people could be recruited to work for the government on cybersecurity. These programs, which generally fund higher education in exchange for a set allotment of years of work, have been popular in the past, especially in the private sector. One specific method could be increasing the operating budget of the National Initiative for Cybersecurity Education. Second, investing more in technology firm working groups on national cybersecurity could help correct misaligned market incentives for free riding. Already, institutions like the Aspen Institute and CTIA have formed to address this gap. But with increased visibility and pressure from the public or legislators, the efficacy of these working groups might increase.
These recommendations aren’t completely unique. The U.S. National Cyber Strategy includes provisions for improved incident reporting and attracting more talent by continuing to “invest in and enhance programs that build the domestic talent pipeline, from primary through postsecondary education.” But continued awareness campaigns coupled with investment in technology working groups will improve the cyber and national security of the United States. And recognizing that cybersecurity is a public good susceptible to free riding will help frame solutions in a manner more actionable and targeted.