InfoTech and Public Policy

If improving internet security requires that individual users have anti-virus software installed on their consumers, then as I will argue, the best means to pursue this goal is the use of individual mandates and anti-virus vouchers. Before I outline the reasons for this, it is perhaps most important to first establish the feasibility of such a measure from a cost perspective.

The figure of $20 for a voucher was tossed around in class, and examining current offerings on the market, it seems as though $20 would cover the entire cost of a reputable anti-virus program for one year for a single computer (for example, Symantec offers Norton 360 with a 1-year subscription for $80 with licenses for 3 computers). Let us assume that one $20 voucher will be given to any individual who purchases anti-virus protection for the year. Additionally, operating under the liberal assumption that there are about 100 million household computers connected to the internet in the US, the total cost of this program would amount to $2 billion.

Now, while $2 billion would seem like a staggering figure, to put it in perspective, the Love Bug virus cost over $8 billion to exterminate (cite). It is difficult to determine the total cost of virus and worm attacks in the US but it is a figure that is sure to be in the billions. The $2 billion cost of the program seems justifiable if some small percentage of attacks are stopped as a result.

While the goal of getting anti-virus onto every individual’s computer is important, the question remains as to why vouchers to individuals are needed. Vouchers to computer manufacturers or ISPs would surely lead to greater anti-virus usage. However, it alters the dynamics of the market. Manufacturers and ISPs would presumably choose the anti-virus to be distributed based on which company is offering the sweetest deal as opposed to which anti-virus company is offering the best product. If consumers are offered a voucher and are forced to pick between several different products, then for a given price, their decision will be motivated on quality. Competitive forces in the anti-virus market will still drive manufacturers towards creating the best possible product. However, if anti-virus purchasing decisions are now placed in the hands of ISPs and manufacturers, the dynamics of the market would be shifted.

The need for a mandate stems from the similarities between anti-virus and vaccinations, for anti-virus software to have the greatest effect, to realize the greatest benefits to anti-virus everyone must be using some type of the software. As for enforcement of a mandate, ISPs could be forbidden from allowing individuals without anti-virus from accessing the internet. To further improve security, ISPs may also be required to remove computers that are believed to be infected with a virus or worm, much as Princeton’s Dormnet does. Given the negative externalities that unprotected individuals place upon other users, justification for the use of an individual mandate seems available as well.

Vouchers could be implemented as in the form of a tax-rebate, etc, but the exact manner in which it is to be distributed is not the greatest concern. Another benefit of the voucher is that it would greatly expand the market for anti-virus software and given that the marginal cost of distributing more software is very low as most of the costs involved in the creation of software lies in research and development, increasing the size of the market for anti-virus software would allow companies to spend more on research since their revenues have increased. All things considered, if the best means to improving internet security is to ensure that all individuals are running anti-virus software, individual vouchers and mandates should be considered as a possible solution.

I think it is important to keep in mind that the true cost of computer hacking is yet to be convincingly determined. In the previous post by John Galt, we were provided with the $10-$100 billion dollar estimate (a rough estimate by Symantec), but after scouring the internet for a couple of hours I noticed that there is no real consensus on this. One interesting source listed a variety of “cost estimates” and the numbers are all over the place. One estimate was as high as $266 billion, and that was for 1999, so I would assume the associated costs have increased over the last nine years.

Another thing we should keep in mind when looking at these estimates is what is really being measured. Laura Koetzle, an IT consultant, states that estimates can measure “hard costs” like employee hours and hardware costs, but do a bad job in measuring loss of productivity or reputation. Perhaps what is even more costly is that companies have to reallocate their IT staff during virus crises and this can compromise general network stability and operations.

The scariest part is that we are becoming increasingly dependent on the internet and we require network security for our economy to operate. Could you imagine the cost of an internet blackout that lasted even an hour? It is naïve to measure the size of the problem in terms of dollar figures because it forces us to live in a constant state of fear regarding the safety of e-commerce, data storage, and general network dependency. For example, would it be fair to measure the cost of the September 11^th attacks by only considering the cost of lost lives and damage to structures? One would have to consider the general loss of productivity, the increased requirement for preventive measures, and the fear it creates. Network security is no different. There are still plenty of people who refuse to do online transactions because they do not believe it is safe. A single network attack is enough to bring a company’s operations to a halt for several days or to destroy years of unbacked up data on personal computers.

The good news is, the majority of these costs are currently from the corporate side. This means that the problem can really be isolated to having better corporate network security and this makes implementation considerably easier because we do not need vouchers or mandates. Education classes on safe network use can easily be handled in-house by companies who would like to preserve their network safety. At the same time, the government should look at network security as a “national security” issue. In other words, their main concern should be to consider the worst case blackout scenario and figure out how to circumvent any such national internet failure. Overall, I think network safety is a problem that will be propelled into the forefront over the next decade or so, but we should be careful at calculating the costs associated with it and also realizing that the main threat is not on the personal computer level.

References:

http://www.cnn.com/2007/US/09/18/traffic.congestion.ap/index.html

Sam’s post from Tuesday contained the following argument: “the government should first and foremost follow the ‘do no harm’ principle when concocting new regulations.” I wholeheartedly agree and would like to point out why exactly the harm from security regulation could (would) happen.

If the government regulates security, it will have three avenues: overseeing development of security software, choosing/setting standards, or running a program for the public. Either scenario will intend deadweight losses that vastly exceed the opportunity for gain from better security.

First it must be reiterated that somewhere in the realm of $10-100 B dollars is the extent of harm. America’s GDP in 2006 was around $12 T, or 100-1000x greater than this problem. That means we are dealing with 0.1-1% of societal harm. Many other things likely cause much more harm than the “I Love You” virus. More importantly, the costs of remedy are probably lower. Consider the following examples.

Our broadband network is deplorable compared to much of the developed world (Mossberg), and our economic productivity will likely suffer in the future if this harm is not rectified. 40,000 people per year (a substantial fraction of the population born) dies from a car accident, and countless more are injured. Even more inocuous harms like traffic pose a serious threat: the average American worker sits in traffic for 40 hours a year (CNN), or an average work week. Given Americans work 50 weeks a year (an entire week is 2% of productivity), traffic alone causes more harm that viruses. This is not to mention the other harms from traffic (pollution, inconvenience, etc.). In fact, we wasted about $80 B alone in 2005 from cars sitting in traffic. A 10% improvement in idling efficiency is sizable compared to the harms of computer viruses.

If we are to engage in a costly procedure of standardizing software security, educating the general population about the virtues of network externalities, or (gasp) disseminating specific “government backed” security programs, a proper cost accounting is crucial. If the solution costs greater than $10-100 B per year, it is certainly not welfare improving. Even if it is less, it will likely entail a sizable opportunity cost relative to the alternatives (remember 50 cents on the dollar in government is lost to waste (Pritchett, 1996)).

This is not to say that the threat from destructive computer hackers is not serious, especially if these types of harms have historically followed an exponential trajectory. Rather, endorsing private solutions (which create other public benefits like employment) or diverting funds to be used on security improvements to other areas instead of spending resources on questionable returns is simply wiser. Government staking claims of authority over the issue is the first step towards a wasteful endeavor.

While standardization of security software would allow users to know what they are buying when they buy it, many arguments can be made that standardization leads to an inferior product. When given a standard to fulfill, companies tend to fulfill that standard and little else. Further, standardization is difficult from a workload point of view. The federal government alone cannot evaluate the security of every internet log-in in even a moderately rigorous fashion without taking years to do so. In fact, so much standardization is needed that standards companies have popped up all over the globe, each one providing a unique standard for security.

While both these problems are legitimate, placing the federal government in a role that allows them to standardize standardizations would allow them to manage a complex system in a simple and easy to achieve way, and to create a program that only certifies security systems that not only meet the minimum standard, but can move beyond it.
The idea is this: the federal government’s security standards committee would license security standards providers. The providers would be able to leverage this by providing security programs the ability to stamp their systems with a government seal recognizing that they have achieved a certification from a government-issued certifier. To be given certification from the government, security standards providers must be able to show that the following are a part of their business process:

1.) Prove that an adequate level of security is available before the user is accesses any part of the internet other than the security provider’s servers.
2.) Prove that security updates made by providers are created and distributed in a timely and effective manner when new viruses are discovered, or that the infrastructure is in place for doing so for new software
3.) Prove that software from security providers does not do damage to a user’s computer
4.) Show a willingness to update their standards based on both new viruses and an advance in virus detection, quarantine, or removal.

By certifying standardization businesses that adhere to these four principles, the federal government can ensure the manpower is available to certify security programs while still keeping businesses from playing to the minimum standard. The key to eliminating play to the minimum standard is the second part of #4 – if standards can change based on new technology, it is in a businesses’ favor to make inroads in that technology in the hope of getting other companies to lose their certification until they can catch up. Rule number 4 in fact lets this policy promote innovation, rather than stifling it.

While many of us in class favored options to improve computer security that chipped away at the ends through either bounties/enforcement to catch and deter hackers or through research to preempt and stunt attacks, we collectively remained stumped on delivery to the end user and questions of cost and effectiveness. End users undervalue their own need for security and the externalites caused by an individual securing or not securing himself. And the dynamics of a lemons market make it hard to distinguish good from bad software in regards to security. Clearly there are market failures for a problem that will inevitably grow larger and more costly over time. How can government intervene to correct these in a non-harmful way at minimal direct government cost and minimal distortions?

One answer which could work in the case of computer security is defaults. It is a strategy that is becoming more popular for everything from savings plans to organ donation. Essentially, people will tend to follow the default outcome (the one they are placed into when a proactive step is not taken otherwise) even though they are free to choose to do other things. Therefore, if something is made a default, then more people “choose” it than if it is merely an option that would take proactive steps to pursure. This happens both because people are lazy but also because they are uninformed about many things and take defaults as a sort of advice of what the norm is. Socially desirable outcomes can thus be set as default outcomes to increase the instance of their being chosen without restricting the actual choice of the individual. Instead of mandating a behavior, which is rather parternalistic and would lead to calls for offsetting new burdens through funding, the government could simply make certain behaviors default so that choice is maintained but allowing the cost to be bourne by the chooser.

So, how can this be applied to the computer security and software market? First, the government would have to make a mandate of sorts, but on either computer manufacturers or ISPs. This mandate, however, would only require either of these entry points to computers or the internet to make virus software and other protections available to consumers as the default choice when they begin to use the product/service. For instance, on each new computer bought, virus software could figure automatically into the price quoted to the consumer and will come on the machine, unless it is requested to be taken off. This happens with cars all the time. Features are automatically thrown in and added as line items to the price, but can be taken off or not automatically added should the request be made. Thinking long-term, the pre-installed software can be automatically set up and paid for for a few years to avoid lapses in security at later dates. Consumers could still opt out of these costs at will, but they will have to actively choose insecurity, which is much less likely to happen.  And if all computer sellers are required to build this cost into their price automatically, then companies do not have as much room to gain an edge over competitors by offering cheaper comptuers without these protections.  Such requirements for virus software can be placed on ISPs instead, just perhaps in a more complicated way.  When consumers sign up for internet access, they can be steered into packages with antivirus protections.  That, or when starting to use an ISP, their machine is checked to detect virus software, and if it is lacking, then they can be presented with prompts to buy software and warnings of its importance. The prompts could automatically check off a reasonable protection package, but offer a variety of other options, and the consumer would have to take several steps to actively avoid purchasing protection. To really push this, such annoying prompts could appear every time the internet is used by an unprotected consumer to remind them of dangers and to help internalize the externalities they cause in being unprotected. This may ultimately influence them to buy software to end the prompts and pop-ups. Again, choice is maintained, but people are steered into a socially desirable result.

In either the case of computers sellers or ISPs, the costs of such a change are minimal in that it only requires direct offering of protections to consumers. Consumers would end-up bearing the costs, but through their own choice. Some may wish to defend consumers against this cost, but in all honesty, it would not be much. Decent software is not expensive, and if demand goes way up due to default changes, the price is likely to fall.  As for government, it would have to spend very little to enforce a rule as simple as requiring companies to offer software in an automatic fashion.

The question may still remain as far as standards for the level of default that is automaticlaly offered and how to avoid the race to the bottom. But these are issues that can be overcome perhaps by structuring some expert panels or boards to set standards. And these can be very broad. Further, I want to reiterate, a race to the bottom has very little place to go when the cost of decent protection is already rather small, so it may not be a huge problem.

Anyway, default policies can be one option to increase end-user adoption that may work. Along with research and bounties, this combinaiton of approaches would be a good start to containing the computer security threat without overbearing government and ridiculous cost.

Near the end of class today, we discussed what we thought the best ways that government could spend money to help improve computer security (and decrease the effects of all of the problems caused by insecurity). There were several suggestions: educational programs, research, more law enforcement, bounties for catching offenders, and subsidies given to either ISPs or end users to help pay for the cost of anti-virus software (we called this last option the voucher option). While I find the first suggestions to have some merit, I personally believe that vouchers toward anti-virus software are counterproductive and would be a waste of government money.

Let’s first consider the case where the government directly subsidizes the end users. As an example of this case, the government might give out twenty dollar vouchers to all US residents with a registered internet connection that could be spent only on anti-virus software. A typical consumer wouldn’t be able to tell the difference between good and bad security software, and would likely end up buying something that cost right about twenty dollars since they wouldn’t want to waste any extra money on a product for which they cannot assess the quality. This, of course, assumes that average people would actually spend the time to buy the software and use the voucher, which many might not if it is both relatively difficult to acquire the software (say it has a long download time, which is a reasonable assumption) and if no one is requiring that they have this software. As an aside, in the past many electronics companies have offered mail-in rebates on a wide variety of products (you have probably seen these in a Best Buy or Circuit City, for instance). However, while it may seem like a bargain to the consumer, the companies tend to view it as money in the bank due to the very low response rate, despite the fact that it is “free money.” If people are too lazy to address and stamp an envelope for cash, would they be willing to use a voucher to download anti-virus software that they don’t know too much about if it is not required by the government? I doubt a government subsidy without a mandate would do much good, and, as we discussed in class, a government mandate requiring everyone to run anti-virus software of a certain quality on all of their computers would be a terrific mess.

Now let’s move on to the case where the government subsidizes the ISPs in some way. Rewarding the ISPs based on performance seems silly—there is no accurate or precise way to gauge this. If you look at figures of the size of botnets, the number of computers infected by given viruses/worms, or the number of spam e-mails send over a given network in a certain time period, you will notice that they are typically very, very imprecise. Since there is no accurate way to measure the performance of an ISP in terms of security, it just does not make sense to reward the ISPs monetarily based on this. Finally, requiring the ISPs to be responsible for making sure that all of their end users run anti-virus software runs into all of the same problems as the case where the government directly subsidizes the end users, except it is worse, because generally the ISPs would have less of an incentive to force the users to run a good anti-virus program than the government would due to the spillover effects of the market for computer security.

Unfortunately, the computer security market seems to be a place where the government is hamstrung and cannot effectively directly attack the problem from an economic standpoint. All it can do is fund initiatives like research or more law enforcement, which, while not ideal, still will have good results in the long run.

As a software developer, I take some offense to Douglas Barnes’s unfair assignment of blame for worms primarily to the software companies. While every software developer aspires to write bug free code, those of us who have worked with programs of more than 1000 lines or so know that bug free code does not exist in such programs. Unfortunately, applications like operating systems and web browsers generally take much more than 1000 lines of code. If you could sue me or demand a bounty for every bug you found in my code, I probably would have never gravitated toward this industry, and I certainly would not be tempted to create a start-up, even if I thought of the next Google. It wouldn’t be profitable.

Like a good doctor, the government should first and foremost follow the “do no harm” principle when concocting new regulations. While Barnes is well intentioned, his ideas for regulating the software industry would most likely come at a high cost to innovation. He correctly identifies several market failures in the software industry due to externalities like network traffic from worms and lemon effects from closed source standards monopolies. However, he underestimates the power of the market as a whole. As suggested in the article, significantly raising the bar for security expectations would lead to slower product development with fewer features, which customers want. If this comes at the price of a little more network traffic and a few distributed denial of service (DDoS) attacks, who is the government to say that is a bad thing?

Before you try to burn me in effigy for suggesting DDoS attacks might not be such a bad thing, I am rather suggesting that it is not worth sacrificing the wealth of software solutions currently available and spending millions of dollars regulating the software industry in a quixotic quest to rid the world of software bugs. Market forces already do a decent (but not perfect) job of promoting security. The biggest targets for security exploits are the biggest players in a given market (namely, Windows, Internet Explorer, and Office). In the early part of this decade, a number of horrendously embarrassing worms and viruses exploited these programs, causing Microsoft public humiliation and damaging their once more valuable brand name. As a result, Microsoft has focused much more on security and things have generally improved. Smaller companies, like startups, are generally less targeted and thus it is less necessary for them to spend the resources to adhere to the absolute best practices with regard to security. This allows more innovation, which is good for the economy. It would be impossible for any government regulation scheme to balance what is best for the economy with regard to both Microsoft and a small startup.

It would be nice to create incentives to improve overall network security through measures like firewalls and anti-virus software. Doing so at the consumer level is probably worse than hopeless; I imagine if you sent everyone in the country virus scanning software on a CD, you would not significantly increase the number of computers protected. Most end users lack the economic motivation or technical know-how to protect themselves. The one place Barnes’s article really resonates with me is the paragraph before the conclusion:

To a certain extent, the answer may lie with ISPs, rather than users themselves. Some ISPs have taken to cutting off internet access for a period of time when user equipment becomes worm infected. This approach has merit because ISPs are already motivated to reduce worm traffic; requiring a consistent response from ISPs with respect to worm-infected users would eliminate any tendency of ISPs to compete on the basis of turning a blind eye.

If only we could somehow hold ISPs responsible for the BotNet activity and worms coming from their users, maybe they would force users to install virus scanning software, as Princeton University DormNet does. I’ll leave the exact policy implementation for someone else to ponder…

As Douglas Barnes had eloquently pointed out the market failures that allowed internet worms (and other variant cousins) to wreak havocs on the consumer, I would like to continue the case by laying out how government intervention can help improve consumer’s welfare.   Benevolent government interventions are better than no government intervention at all.

The software market is a lemon market.  Typical consumers cannot distinguish bad software from good software. Software publishers face perverse incentives to release software as soon as possible to gain market shares.  Once the software is bought, consumers have no recourse to return the products, except if the medium was defective.  With the proliferation of “medium-less license” software (download via the internet), when a consumer buys a piece of software, he or she has crossed a point of “no-return.”

The intervention for this case is rather straightforward.  Software publishers should be required to allow for a grace-period of 10 days, which should be long enough for the consumers to test the software.  The software should be fully functional during this period.  Many software publishers do this already in the form of demo, but the government should take a step further, mandating a baseline grace period for all software sold.  This should create incentives for software publishers to test for security flaws more thoroughly.  Many markets for other products are already under similar mandates.  For example, the state of California requires a grace period for used cars. 

The other reason for intervention is the consumers themselves.  Humans, unfortunately, are over-optimistic when estimating their chances of getting infected by worms and other evil lurkers on the internet.  It is a well-documented phenomenon in the psychology field.  People tend to see the future through “rose-colored glasses,” as the saying goes.  Hence, most people do not spend extra money to buy security software, if it does not come with the computer already. One possible solution is for the government to create a clear, immediate, and easy incentive for people to buy security software to protect their computers.  The easiest form is a voucher.  Anytime a person buys a computer, he or she will automatically get a voucher, which subsidizes most of the cost of basic security software.  If most consumers take advantage of the vouchers, they would inoculate themselves (and others) against most viruses and worms.  This will not be the first time nor the last time our government gives out technological related vouchers.  Our government is currently offering vouchers for digital television converters to help people with the transition to digital television.

Government intervention is warranted when there is a market failure and the intervention will make consumers better off.  Any intervention will face political obstacles, including opposition from the computer industry.  I believe that the clamor for intervention will happen when a hacker uses a crippling known software breach to render most personal computers useless for a considerable period of time.  The clamor for a “flyer’s bill of rights” erupted when there were massive airlines’ delays due to factors within the airlines’ control.  When will the software industry face the call?

In July of 2001, Napster shut down leaving 26.4 million people scrambling for a new way of getting their music.  There would be those who would shift to the next large file sharing sites, like Grokster, Kazaa, Bearshare, etc.  There would be those who would revert back to buying CDs, which had been the way people had done things for as long as they could remember.  But then a funny thing happened.  Online music downloads were front and center once again in 2003 with the introduction of the iTunes Music Store.  But this time it was legal.  People were buying their own music, just like they had always been doing, yet everything had changed forever.

            Let’s backtrack a bit for those who may not fully comprehend the revolution that Napster started.  This is what the RIAA used as the basis of their lawsuit:  “Napster is about facilitating piracy, and trying to build a business on the backs of artists and copyright owners.”  Napster responded with, “We’re this tiny company caught between two industries: the Net and music industry.  We look forward to working with the RIAA to create laws for the good of artists and music lovers.”  Well the truth was somewhere in between the press releases from the two companies.  It is true that Napster facilitated the violation of copyright by individuals, but at the same time it served legal purposes.  Moreover, it’s arguable how much it really hurt the artists and copyright owners. 

The constitutional justification for copyright has very little to do with a personal entitlement to have ownership over your work, but rather, belongs to the more vague reasoning of “promoting the progress of science and useful arts, by securing for limited times to authors and inventors the exclusive right to their respective writings and discoveries.”  Well what does this actually mean?  The argument can be made that copyright exists to promote the spread of the arts to as many people as possible.  So then, is it possible that the breach of copyright, through a program like Napster, does far more to spread music to all income levels, than protecting copyright ensures the creation of more art.  In other words, if our objective is to maximize the promotion of music, it is unclear if we should focus on its creation or its distribution.

Now, let’s return to the case of Napster.  Even if we assume that the primary usage of Napster was for illegal activity, one has to wonder if it is fair that someone else gets the complete benefits of the product they created.  The entire MP3 revolution and the iTunes revolution would have never existed without Napster.  Napster created a whole new way to distribute music and popularized a rapidly growing form of music compression.  However, the “rents” from this new distribution channel were quickly captured by Apple, the music industry, and the artists, while the innovator behind the entire process was left with lawsuits.  Of course, I do not bring up Napster just to reminisce.  Napster is particularly pertinent in today’s world because we are faced with an extremely situation with YouTube and it is interesting to see if YouTube will be rewarded for revolutionizing the way video media is distributed or if the courts will come down hard on the company. 

After the hullaballoo surrounding Comcast’s treatment of BitTorrent traffic, the question of net neutrality with regards to the operation of ISPs has gained greater importance. Last year, Comcast was found to be interfering with BitTorrent traffic but rather than simply stopping all BitTorrent traffic, Comcast blocked traffic in a far more surreptitious manner. Comcast utilized spoofed peers that would interfere with inter-user transfer that would make transfers incredibly slow or in many cases, simply end them. (cite) Limitation on the use of bandwidth for BitTorrent users is common to many ISPs but Comcast’s manner of impersonating peers and sending peer reset messages was rather unique. (cite)

Now, the impetus for ISPs is clear. One ISP representative stated that “The fact is, P2P is (from my point of view) a plague - a cancer, that will consume all the bandwidth that I can provide. It’s an insatiable appetite.”, while another said that “P2P applications can cripple a network, they’re like leaches. Just because you pay 49.99 for a 1.5-3.0mbps connection doesn’t mean your entitled to use whatever protocols you wish on your ISP’s network without them provisioning it to make the network experience good for all users involved.” (cite) When ISPs have such a large incentive and desire to interfere with traffic, action needs to be taken so that customers are indeed receiving the internet connection they are expecting to receive.

The problem with Comcast’s tactics is not simply that they were interfering with individual’s traffic but the manner in which they were doing so. Comcast appears to have not disclosed what it was doing until it was discovered through independent investigation. Net neutrality has often been thrown around as a solution to such situations. Nevertheless, looking at ISPs recent failure to even show up at a recent conference on net neutrality, forcing net neutrality on ISPs would seem to be a difficult proposition. (cite) As I will argue, rather than mandating some form of net neutrality, it is far important regulation that ISPs are far more transparent in the services they are providing.

With a more transparent system in place, consumers will be better enabled to decide what ISPs best suit their needs. However, better disclosure of information would not only allow consumers to better decide what type of ISP they need but would presumably improve ISPs’ ability to price their plans. Individuals who only use the internet to check their email presumably do not require the same connection that a dedicated file sharer would need. With better price discrimination, more consumers would then presumably purchase internet access. Furthermore, ISPs would be able to extract more revenue from consumers so they too may support such a measure.

Net neutrality is indeed a noble concept but it seems unlikely that it will ever gain the support of the ISPs. More stringent disclosure requirements for ISPs would presumably have a similar effect, while giving individuals more choice.