Cybersecurity’s Conundrum

I’ve uploaded my new paper on cybersecurity, Conundrum, to SSRN, and welcome feedback on it. The paper is coming out in volume 96 of the Minnesota Law Review next year. The abstract is below. In addition, the paper makes a few points that are at once common sense and heretical:

  • Experience with natural disasters and terrorist attacks demonstrates that the Net is resilient.
  • Apocalyptic predictions regarding cyberthreats are popular, yet wildly overblown.
  • Attribution is very difficult on the Net. This makes deterrence hard, and strongly suggests we should focus on resilience and recovery, not prevention and retribution. Changing the Internet’s design to enhance attribution, though, risks destroying the village to save it.
  • We can deter cyberattacks not by threatening an overwhelming response to them, but by minimizing their effectiveness. (Hat tip: Jane Yakowitz)
  • There are difficult trade-offs in securing against different threats. Creating inefficiency in information storage – basically, redundancy – mitigates against attacks like denial of service efforts, but may worsen the threat of espionage.
  • We need a theory of cybersecurity to guide legal and policy efforts. The paper proposes one oriented around information.


Cybersecurity is a conundrum. Despite a decade of sustained attention from scholars, legislators, military officials, popular media, and successive presidential administrations, little if any progress has been made in augmenting Internet security. Current scholarship on cybersecurity is bound to ill-fitting doctrinal models. It addresses cybersecurity based upon identification of actors and intent, arguing that inherent defects in the Internet’s architecture must be remedied to enable attribution. These proposals, if adopted, would badly damage the Internet’s generative capacity for innovation. Drawing upon scholarship in economics, animal behavior, and mathematics, this Article takes a radical new path, offering a theoretical model oriented around information, in distinction to the near-obsession with technical infrastructure demonstrated by other models. It posits a regulatory focus on access and alteration of data, and on guaranteeing its integrity. Counterintuitively, it suggests that creating inefficient storage and connectivity best protects user capabilities to access and alter information, but this necessitates difficult tradeoffs with preventing unauthorized interaction with data. The Article outlines how to implement inefficient information storage and connectivity through legislation. Lastly, it describes the stakes in cybersecurity debates: adopting current scholarly approaches jeopardizes not only the Internet’s generative architecture, but also key normative commitments to free expression on-line.

One Response to “Cybersecurity’s Conundrum”

  1. A very interesting, if not somewhat overly intellectual read. :) I definitely agree with you on multiple fronts. In fact I published a brief research paper on a very similar topic last year. While you are more addressing internet security, my paper looks at the effects of malware on personal computing devices and what OEMs and Operating system creators can do to reduce the impact of threats. I basically come at it from the angle of making it so easy to restore a PC (through proper partitioning) that getting a malware infection becomes only a minor nuisance that can be easily overcome by the typical home user. Of course, throw away virtual environments are also very effective at negating the impact of malware on a user. In case you are interested, I put my paper up on my blog at