By The White House
Information technology (IT) creates enormous value for the U.S. economy.
However, it also exposes U.S. firms, the government sector, and private individuals to new risks that originate and are often effectuated entirely in cyberspace.
Due to the difficulty of identifying and punishing malicious actors, and the ever-greater interconnectedness stemming from the intensified use of the Internet, malicious cyber activity is becoming more and more widespread.
Malicious actors range from lone individuals to highly sophisticated nation-states, and they pose a potential threat to all Americans using any information and communications technologies.
Cybersecurity is a common good.
A firm with weak cybersecurity imposes negative externalities on its customers, employees, and other firms tied to it through partnerships and supply chain relations.
In the presence of externalities, firms would rationally underinvest in cybersecurity relative to the socially optimal level.
Therefore, it often falls to regulators to devise a series of penalties and incentives to increase the level of investment to the desired level.
The marketplace is responding to the growing level of cyber threats.
Firms are increasingly outsourcing cyber protection functions to the blossoming cybersecurity sector.
The emergence of the cyber insurance market helps firms share the risk of cybersecurity compromises.
However, these positive developments are hampered by firms’ reluctance to share information on past malicious cyber activity directed at them, along with the cyber threats they currently face.
This resistance stems from a variety of concerns, such as the fact that investors will respond negatively, causing the stock price to plunge, that the firm will suffer reputational damage and be exposed to lawsuits and regulatory actions, or that the revelation of potential vulnerabilities could lead to additional cybersecurity exposure.
Despite the regulatory requirement that material cybersecurity events be reported by publicly traded firms, there is a general agreement that underreporting is pervasive.
As a result of this underreporting, the frequencies and costs of various types of malicious cyber activity directed at firms are largely unknown, and this lack of information hampers the ability of all actors to respond effectively and immediately.
In addition, the scarcity of information may be slowing down the development of the cyber insurance market.
Further, the use of common technologies among otherwise unrelated firms may impede the development of the cyber insurance market.
Common vulnerabilities in these technologies cause cybersecurity risks to be correlated across firms in complicated and little-understood patterns, which makes it difficult for insurance companies to construct properly diversified portfolios of insured firms.
Continued cooperation between the public and private sectors is the key to effectively managing cybersecurity risks.
The ongoing efforts by the private sector involve making information technology more secure, providing timely defenses to new threats, and further developing platforms for anonymous information sharing on cybersecurity threats.
The government is likewise important in incentivizing cyber protection—for example, by disseminating new cybersecurity standards, sharing best practices, conducting basic research on cybersecurity, protecting critical infrastructures, preparing future employees for the cybersecurity workforce, and enforcing the rule of law in cyberspace.