I’ve uploaded my new paper on cybersecurity, Conundrum, to SSRN, and welcome feedback on it. The paper is coming out in volume 96 of the Minnesota Law Review next year. The abstract is below. In addition, the paper makes a few points that are at once common sense and heretical:
- Experience with natural disasters and terrorist attacks demonstrates that the Net is resilient.
- Apocalyptic predictions regarding cyberthreats are popular, yet wildly overblown.
- Attribution is very difficult on the Net. This makes deterrence hard, and strongly suggests we should focus on resilience and recovery, not prevention and retribution. Changing the Internet’s design to enhance attribution, though, risks destroying the village to save it.
- We can deter cyberattacks not by threatening an overwhelming response to them, but by minimizing their effectiveness. (Hat tip: Jane Yakowitz)
- There are difficult trade-offs in securing against different threats. Creating inefficiency in information storage – basically, redundancy – mitigates against attacks like denial of service efforts, but may worsen the threat of espionage.
- We need a theory of cybersecurity to guide legal and policy efforts. The paper proposes one oriented around information.
Cybersecurity is a conundrum. Despite a decade of sustained attention from scholars, legislators, military officials, popular media, and successive presidential administrations, little if any progress has been made in augmenting Internet security. Current scholarship on cybersecurity is bound to ill-fitting doctrinal models. It addresses cybersecurity based upon identification of actors and intent, arguing that inherent defects in the Internet’s architecture must be remedied to enable attribution. These proposals, if adopted, would badly damage the Internet’s generative capacity for innovation. Drawing upon scholarship in economics, animal behavior, and mathematics, this Article takes a radical new path, offering a theoretical model oriented around information, in distinction to the near-obsession with technical infrastructure demonstrated by other models. It posits a regulatory focus on access and alteration of data, and on guaranteeing its integrity. Counterintuitively, it suggests that creating inefficient storage and connectivity best protects user capabilities to access and alter information, but this necessitates difficult tradeoffs with preventing unauthorized interaction with data. The Article outlines how to implement inefficient information storage and connectivity through legislation. Lastly, it describes the stakes in cybersecurity debates: adopting current scholarly approaches jeopardizes not only the Internet’s generative architecture, but also key normative commitments to free expression on-line.
Filed under: Anonymity, badware, Computer crime, Encryption, First Amendment, Intermediaries, international, Internet & Society, ISP, Microsoft, Minnesota, national security, Privacy, Scholarship, Security, Software