Is Cybersecurity a Public Good? Evidence from the Financial Services Industry

Benjamin Powell, Ph.D.
March 15, 2001

The September 11, 2001, terrorist attacks on the United States heightened concerns about vulnerabilities to future attacks. One new area of concern is cyberterrorism: the possibility of terrorists using computers to attack our critical infrastructure electronically. The government has made efforts to better secure its own computer networks to prevent terrorists from hacking into computer systems in the Pentagon, FBI, and other government agencies. Increasingly, however, the government has been concerned that the private sector is vulnerable to cyberterrorism. The private sector owns approximately 85 percent of the critical infrastructure in the U.S. (Deloitte 2004 p. 15). There are concerns that a cyber attack on dams, trains, electrical grids, pipeline pumps, communications networks, or the financial services industry could cause significant physical or economic damage to the U.S. The policy question being asked is whether private businesses, when left to their own devices, provide enough cybersecurity or if some form of government involvement is justified.

Some policy makers are skeptical of the ability of the market to provide enough cybersecurity. In a speech to the National Academy Conference on “Partnering Against Terrorism,” Congressman Boehlert said, “Here is a case in which the government can’t carry out its most basic mission--providing security--without the cooperation of the private sector. And here is a case in which the private sector will quickly need a range of products on which the market has never before put a premium--the classic market failure that calls out for government involvement” (Boehlert 2002). Similarly, in a February 2004 speech Richard Clarke, the former counterterrorism czar for Bill Clinton and George W. Bush, said, “Last year was a market failure in cybersecurity, and 2004 doesn’t look much better. In general, Internet Service Providers (ISPs) do nothing about security. The market isn’t forcing the ISPs to do anything about security” (Ricadela 2004).

Along with proclamations of “market failure” have come calls for government regulation of cybersecurity. In 2003 the federal government published The National Strategy to Secure Cyberspace. The plan’s three main goals are to prevent cyber attacks against America’s critical infrastructures, reduce national vulnerability to cyber attacks, and minimize damage and recovery time from cyber attacks that do occur. Before moving forward with any policies, the government needs to better consider the economics of cybersecurity. Specifically, we need to examine if the market truly “fails” to provide the correct amount of cybersecurity. We should also consider if the government will be able to improve the situation or if “government failure” could be as pervasive as “market failure.”

This paper proceeds by first examining the economics of cybersecurity and its applicability to defense against cyberterrorism. The financial services industry is regarded as one area of critical infrastructure requiring protection from cyberterrorism, so it is examined as a case study in Section II to see if the market is failing. Section III considers the problems confronting government cybersecurity policy with a focus on the financial services industry and examines the potential for government failure. Section IV concludes.