Public Cybersecurity and Rationalizing Information Sharing
Abstract
Achieving any specific level of cybersecurity inevitably entails making compromises with regard to cost, function, and convenience, as well as trade‑offs between societal values, such as openness, privacy, freedom of expression, and innovation. In defining regulations and incentives, decisions have to be made about how to balance these trade‑offs while optimizing security outcomes. To further complicate matters, neither technologists nor policymakers have the luxury of starting with a clean slate. Instead they work within the shadows of legacy networks and end systems that are neither secure, nor easily made so. Moreover, current security postures often reflect societal values from a time when dependence on networked information systems was minimal.
A cybersecurity doctrine prescribes a set of goals, a basis for making trade‑offs among these goals, and various means to achieve the goals. Its utility is determined, in part, by the extent to which it offers a framework for achieving goals without imposing, ignoring, or ruling out possible technical or policy solutions. And the value of cybersecurity doctrines per se is measured by the extent to which they bring clarity to policy questions and proposed incentives.
The Doctrine of Public Cybersecurity has as its goals the production of security and the management of its absence. The doctrine derives from the observation that cybersecurity is non‑rivalrous and non‑excludable and, thus, satisfies the definition of a public good. Cybersecurity is non‑rivalrous, since one user benefiting from the security of a networked system does not diminish the ability of any other user to benefit from the security of that system; it is non‑excludable, because users of a secure system cannot be excluded easily from benefits security brings.
Notice that the Doctrine of Public Cybersecurity targets the collective rather than any single individual’s or entity’s computer, network, or assets. Also, it steers policy makers away from deterrence‑oriented strategies (“doctrines of accountability”) reflected in current criminal law, doing so because deterrence does little to encourage investments in the production of cybersecurity or in managing its absence.
This paper briefly explores how information sharing fits into the Doctrine of Public Cybersecurity and how laws and policies around these activities can be tailored to promote security with limited intrusions on privacy and autonomy. Some in the U.S. and elsewhere have argued that information sharing is an attractive means for supporting cybersecurity; others worry that compromises to societal values (such as privacy) seem inevitable. This paper revisits the Doctrine of Public Cybersecurity in order to shed light on debates about information sharing, by exploring its potential utility and considering policies to mitigate its impact on other societal values. Its goal is not to advocate for the creation of specific institutions (government or otherwise), but rather to explore the potential utility of information sharing to promote public cybersecurity.