Strategic Cybersecurity Module 13: Economics, Government Regulation, and Cybersecurity.

Once you have completed the readings, lecture, activity, and assessment, you will be able to articulate the difference between public and private goods and how cybersecurity may be conceptualized as both, and explain the need for both the public and private sectors to work together to achieve adequate cybersecurity.

Welcome to Strategic Cybersecurity Module 13. In this module, we will focus on economics and government regulation in achieving cybersecurity. It may be surprising to learn that nearly 90% of the critical infrastructure in the country is owned and operated by the private sector. But as this module's readings indicate, the U.S. government plays an important role in helping to protect that infrastructure, including that of telecommunications, to ensure the Internet's safe, efficient operation. The combined responsibility of the public and private sectors may seem confusing, and in fact, the private sector seems to have an ever-present suspicion of government assistance.

One example of this is found in the readings: the hacking of Google and its subsequent request for assistance from the National Security Agency in 2010. Google sought help from the government to identify how its state-of-the-art firewalls were bypassed and asked the National Security Agency to conduct an evaluation of its network's vulnerabilities. Many in Silicon Valley were perplexed by these requests, assuming that such a gigantic technology-driven company as Google would possess far more ability to identify and stop cyber intruders than any government agency. This example highlights not only common biases that many in the private sector have towards government's technological capabilities, but also the advantages of collaboration on the part of the public and private sectors to approach cybersecurity more efficiently.
It begs the question of why more interaction and coordination does not occur between these sectors. To answer this question, Rosenzweig notes that we must first understand the fundamental economics driving cybersecurity. He states that one of the more confusing aspects of cybersecurity is that it may be considered both a public and private good. Some aspects of protecting the information highway, including infrastructure like routers, servers, and computers themselves, are private goods. But information about vulnerabilities within, or threats to, infrastructure may be best supplied by the government as a public good.

A primary reason for conceptualizing both threat and vulnerability information as a public good handled by the public sector is that many private sector organizations, such as multinational corporations, are loath to report internal vulnerabilities or breaches. This reluctance from private companies is based on the belief that identifying unlawful cyber intrusions may lead to a loss of consumer confidence and ultimately a decrease in market share.

How might government policies positively address this situation? One answer is the creation of public-private organizations called information sharing and analysis centers. These centers allow the private sector to share both threat and vulnerability information with the government, with the expectation that the government will mask the attribution of the information before sharing it with other private sector entities.

In addition, let's consider the Defense Industrial Base, or DIB. The DIB comprises a consortium of U.S. defense contractors who in many cases are performing highly sensitive or classified work on behalf of the U.S. government. Some cybersecurity analysts see these contractors, who join the DIB voluntarily, as weak links for cyber intruders because they are not necessarily required to maintain the same level of cybersecurity protection as government agencies.
For example, if a small defense contractor is developing a classified technology for the Department of Defense's new F-35 Joint Strike Fighter, a criminal or adversary nation might find it easier to hack the contractor's computer systems instead of the contracting government agency's, since the defense contractor may not be thought to have implemented security measures to the same robust level. To reduce the likelihood of such weaknesses in the system, DIB members allow their internet service providers to monitor their computer networks with government-supplied threat recognition software. The software provided helps the contractors to protect their networks, although notably the contractors are under no obligation to alert the government if they experience an intrusion. Ideally, a compromised DIB member would alert its information sharing and analysis center so that both the government and other private sector organizations could identify and mitigate serious cyber threats.

In the next module, we will look at protection of critical infrastructure.

Quiz question one: According to the textbook, which of the following is a classic example of a public good? A, the United States Postal Service (USPS). B, the National Defense. C, the Environmental Protection Agency (EPA). D, Social Security. The answer is B, the National Defense.

Quiz question two: True or false? Coordination between the public and private sectors is necessary when it comes to providing robust cybersecurity. The answer is true.

Quiz question three: Which of the following best describes why cybersecurity can be considered both a private and public good? A, some aspects of cybersecurity, e.g. threat information, are best provided by the government, whereas other aspects are best provided by private companies. B, cybersecurity requires a common pool resource. C, cybersecurity is too expensive to be provided solely by the government. D, the assurance problem explains this.
The answer is A, some aspects of cybersecurity, e.g. threat information, are best provided by the government, whereas other aspects are best provided by private companies.

The activity for this module asks that you consider this module's descriptions of the Information Sharing and Analysis Centers, or ISACs, which provide one way for the private sector and public sector to work effectively in sharing threat and vulnerability information. Create the ISAC most associated with your own work sector, or that you find most interesting. Read about that ISAC and determine whether you feel that it can be effective in its goals.