Those who follow the blog will know that I am skeptical of the government’s ability to construct a regulatory system for enhancing cybersecurity standards. I am often asked, however: “well, then what do you support?” I am pleased to finally have a place to point people to with my answer. In this paper that I co-authored with Steve Bucci and David Inserra, two colleagues at the Heritage Foundation, we outline seven key elements of an effective cyber policy. To be fair, many of them (like better STEM education) are “mom and apple pie” type recommendations. But I did want to single out one aspect of the paper — a call for the development of a cyber insurance and liability system. I first wrote about it for Hoover a couple of years ago and we’ve now expanded on the analysis. Here’s a taste:
When a cyber criminal exploits a vulnerability in a piece of software, such as Adobe Acrobat, to hack into a consumer’s computer and steal valuable financial data, the loss is borne by the consumer, not by the code manufacturer. This is so even if the code writers were objectively negligent or, worse, reckless, and did not even try to find or eliminate the vulnerability.[21]
This state of affairs is, in the long run, unsound. Congress needs to reverse the system of incentives so that costs are borne by those who impose them, not by innocent consumers. To achieve this, the U.S. must arrange the development of a liability system that would require providers of goods and services to pay for any harm caused by their failure to take reasonable protective actions. This would force software manufacturers and Internet service providers to internalize many of the negative costs they now externalize.
We (I) are quite aware that this is a controversial tack to take. I suspect some of my private sector colleagues will be horrified. On the other hand, I think a fluid liability system will breed insurance and, in the end, flexible standards of reasonable conduct. We shall see …