Friday, April 30, 2010

Cybersecurity: Can vs Will, a question of economics.

I read an article on a panel held at an event hosted by the Center for National Policy in Washington which asked the question: "Who can do a better job of protecting us from cyberthreats: private companies like Google, or Uncle Sam?"

While this is a good question, one that I think is more important is "Who will do a better job of protecting us?" (Or perhaps, "Who is us - the company or the American people?")

In my mind it's a question of what the entity's motivation is. In the case of companies, that motivation is driven by economics.

I'm sure companies will slowly but surely do a better job of protecting what is important to them and their financial well-being, e.g. trade secrets and other vital data. But what about protecting what is important to me? Increasingly our data is in the hands of companies, and the consequences of their losing this data to a cyberattack fall not on the companies, but on the person the data is about.

Economics says it only makes sense for a company to spend on protecting something up to a reasonable fraction of the damage the company itself would suffer from losing it. That's fine, but what if that thing has much more value to someone else, such as my medical records in the hands of my local hospital? If their systems get hacked and my records get stolen, it's of little direct harm to them, but of great consequence to me.

This is where government has to play a role through regulation and setting standards. As with Sarbanes-Oxley, we need to hold companies to higher standards not because it's in the best interest of the company, but because others are harmed when the company fails to act properly.