Book and Product Reviews

L Burke Files

From the AEGIS e-Journal, Volume 9 Number 5, May 2006

The Law and Economics of Cybersecurity
Edited by Mark F. Grady and Francesco Parisi
Cambridge University Press
ISBN 0-521-85527-6
320 pages
$75
http://www.cambridge.org/catalogue/catalogue.asp?isbn=0521855276

The book contains the following eight very thoughtful papers about computer security in a networked environment. And let's face it, if you are connected to the Internet, you're in a networked environment.

1. Private versus social incentives in cybersecurity, law and economics by Bruce K. Kobayashi
2. A model for when disclosure helps security: what is different about computer and network security? by Peter Swire
3. Peer production of survivable critical infrastructures by Yochai Benkler
4. Cyber security: of heterogeneity and autarchy by Randal C. Picker
5. Network responses to network threats: the evolution into private cyber-security associations by Amitai Aviram
6. The dark side of private ordering for cybersecurity by Neal K. Katyal
7. Holding Internet Service Providers accountable by Doug Lichtman and Eric P. Posner
8. Global cyberterrorism, jurisdiction, and international organization by Joel T. Trachtman

Not one of the papers offers the solution; rather, each engages the reader in some very thought-provoking exercises about what might work depending upon the different environments and the users' different incentives. For example, the type of security features, even the choice between open source and proprietary security features, can very much depend upon the environment in which you operate. Most of us out surfing the Web have found that known suppliers and methods of protecting ourselves against mischief have been the best way. Why? They are tried, tested, and fixed as a result of the sheer volume of security breach attempts, past successes, and defenses re-engineered after a method of breaching the security has been found.

However, when operating in a military environment, this manner of testing your security and sharing your successes and failures with the world may not be as prudent. Based upon the user's environment, the papers dissect in economic terms the tradeoffs in security, regulation, and punishment to deal with the complex issues of choosing an optimal collection of models for private and public sector applications and environments.

There are two shortcomings to the book. One regrettable feature is the manner in which several of the papers deal with crime. We have worked against criminals, studied criminals, and spent way too much time with criminals, and our empirical knowledge tells us that the lens or filter used to deal with the economics of criminal behavior over the Internet is naive. The second shortcoming, which we hope the editors will contemplate (we are encouraging this), is the need for a shorter edition of the book in layman's terms. While the editors of ÆGIS are collectively well versed in programming, math, models, and econometrics, the book reviewed presents sufficiently relevant information that it should be shared with those less conversant.

Valuable information? Yes. Worth the $75.00? Yes.

7. Subscription/Unsubscription/Copyright Information

ÆGIS is supported and maintained by voluntary efforts. This publication is owned, published, and copyright © 2006 by The LUBRINCO Group Ltd, Inc. and Financial Examinations and Evaluations, Inc. It is edited jointly by Richard Isaacs (RBIsaacs@lubrinco.com) and L. Burke Files (LBFiles@feeinc.com).

LUBRINCO provides services in three high-threat areas, too specialized to be dealt with in-house, that can adversely affect domestic and international bottom lines.

• Sarbanes-Oxley Section 404 OPSEC compliance.
  1. American businesses lose $300 billion annually to competitive intelligence, economic espionage, and information theft.
  2. Sarbanes-Oxley requires internal controls tracking the costs, and impact on valuation, of competitive intelligence, economic espionage, and information theft.
  o LUBRINCO provides private sector access to OPSEC, the government-standard process for identification, valuation, and protection of intellectual property and critical information from competitive intelligence, economic espionage, and information theft.
• International asset location and due diligence.
  o Location of concealed assets in fraud, theft, and divorce.
  o Due diligence to prevent fraud and loss in China, Central and Eastern Europe, Central Asia, the offshore financial centers, Latin America, the Caribbean.
  o Financial fraud and anti-money laundering program development and training for compliance with the US International Money Laundering Abatement and Anti-Terrorist Financing Act of 2001 and the EU Revised Money Laundering Directive of 2001.
• Protection of management, staff, and families.
  o In the high-threat environments of Latin America, Africa, the Mid-East, and Southeast Asia.
  o When traveling and living overseas.
  o When transporting items of substantial value.

LUBRINCO identifies and quantifies threats and vulnerabilities, and their associated risk, then manages the vulnerabilities so you can transfer or live with the residual risk. We prevent disastrous financial loss to your company, and physical harm to you, your family, and your staff.

For information on LUBRINCO and its services, or for the archive of all past issues of ÆGIS in PDF format, please go to http://www.lubrinco.com/.

Subscription to ÆGIS is available for $15 per year in North America and $20 per year outside of North America. To sign up for a complimentary subscription to ÆGIS or the ÆGIS PDF notification list, go to http://lb.bcentral.com/ex/manage/subscriberprefs?customerid=7768 or send an e-mail to aegis@lubrinco.com.

To subscribe to our AvantGo channel, go to http://avantgo.com/channels/_add_channel.pl?cha_id=1773

To be removed from the subscription list, follow the instructions on the mailing you received, or send an e-mail to aegis@lubrinco.com.

If you know of anyone else who should be receiving ÆGIS, please send their e-mail address to aegis@lubrinco.com.

If there is a topic that you would like to know more about, send it to aegis@lubrinco.com and the editors will consider it as the topic for an article in an upcoming issue.

If you would like to submit an article for publication in ÆGIS, send it as an attachment to an e-mail to aegis@lubrinco.com. Submission of an article certifies that (a) all information in the article is in the public record, or (b) that you are authorized to release any personal or corporate proprietary information contained in the article, and (c) that none of the article has previously been copyrighted. The submission of materials for publication in ÆGIS constitutes a license to LUBRINCO, and/or Financial Examinations and Evaluations, Inc, their assigns, associates, or affiliates, to abridge and/or edit said submission, and to copyright and publish/republish any submitted materials in whatever written and/or electronic form they may choose.

If you would like to go beyond normal fair-use in reproducing articles from this issue of ÆGIS, you may do so freely as long as appropriate source, copyright, accreditation, and link to the LUBRINCO Web site is included. This should be in the form

Article Title, from the May 2006 ÆGIS (© 2006 LUBRINCO & FEE), to be found at http://www.lubrinco.com/.

ÆGIS is a forum for the exchange of information, ideas, operating styles, theories, and related topics for corporate managers who make decisions about threats typically outside the expertise available in-house, yet which have the potential to affect their company's domestic and international bottom lines.

Nothing appearing in ÆGIS should be construed as legal advice. The information provided is "general information," not "specific advice." The solution to any problem is highly dependent upon the precise facts involved. Thus, before making any reliance upon anything said here, you should consult with an appropriately skilled professional. Opinions expressed by contributors are not necessarily endorsed by the publisher, and may be presented to encourage a dialogue among subscribers. The publisher and any re-publisher cannot be held responsible for any loss incurred as a result of the application of any information published in ÆGIS.

Please be safe, and be smart.
