Duncan's Reflections

The theme of last week was that no one governs the Internet. So that begs the question, “How do you stop people from doing bad things on the Internet?” Assume, for the purposes of this post, that people agree on what constitutes a “bad thing”. In class, Jonathan Zittrain outlined three methods of dealing with crime in general: prevention (stopping it from happening), rule and sanction (punishing it when it does happen), and resilience (mitigating damage). When pursuing these strategies there are different methods employed: laws, social norms, technology/architecture, and manipulation of markets spring to mind. I’m a fan of markets, so let’s talk about that.

If you want to stop people from smoking cigarettes, taxing it into oblivion will over time reduce the number of people who smoke (even adjusting for chemical dependence). What is a cyber analog? If someone really wants, they can download digital files from the Internet, and it’s hard to track down and stop everyone who does that. But, as Steve Jobs said, you’re working for less than minimum wage. It’s just such a hassle to download all those songs yourself, especially at a rate that won’t be noticed, when a Spotify subscription will give you access to the same songs. Or take CryptoLocker or other phishing. If you make your system harder to penetrate, hackers will develop better malware. But if you keep on doing it, hackers have to work harder and harder for the same payoff, making it less worth it for them to run scams. Eventually, they’ll stop because it just won’t be worth it. I think in a lot of economically motivated cybercrime, market manipulation may be the way to go in reducing it.

Market regulation has its limits. Ideological agents don’t respond to economic incentives in the ways you would expect them to. This can take two main forms: states and individuals. States have more resources and so are harder to prevent, but assuming you can trace the attack (which may not be as hard as people think) they respond better to rule and sanction because they can’t just disappear into the shadows. The sole remaining group is ideologically motivated individuals. But this has been a problem with terrorism forever. The strategy so far seems to be prevention and resilience. Try and make your systems secure enough to keep out most two-bit hackers and resilient enough (through backups and such) to survive most attacks. The really scary thing is when states fund cyberterrorist groups. That’s an unsolved problem with traditional security, but is perhaps exacerbated by the digital world. Maybe we should figure it out.