The Burden of Cybersecurity
Every October is Cyber Security Awareness Month, and this is the fourth year of its celebration. US government agencies dedicated to cybersecurity will be undertaking “comprehensive outreach campaign to empower all Americans and businesses to take steps to secure their part of cyberspace”, and will be seeking to “raise awareness of the growing need to protect our nation’s critical infrastructures and key resources from cyber threats and vulnerabilities.”
Beyond promoting awareness, an important question for cybersecurity policy is: who bears the responsibility (and cost) for it?
There are various players involved, many noted above - the government (international, national, local, inter-governmental), businesses, the public - as well as academia and institutions. In the latter, I would include private-public parnterships, such as the U.S. Computer Emergency Readiness Team (US-CERT), non-profits like National Cyber Security Alliance, and others. Each or these actors have their own capabilities and self interest, which in part determine their roles in cybersecurity.
Cybersecurity threats span a range as well, from the mundane to the highly consequential. Assessing and prioritizing these risks is a challenge, as it can affect different actors differently, and at different levels. The threat and risk therefore also affect actors interests (and investments) in cybersecurity.
There are a variety of roles and responsibilities inherent in cybersecurity. Developing security software, conducting research, responding to threats or attacks, planning for and mitigating events, education and awareness - these are all parts of the puzzle. For each of these functions, there are costs, which impact the dynamics between the actors, and the cybersecurity burdens they bear.
Because of the interconnected nature of the Internet, the range of cyber risks and security roles cybersecurity cannot simply be ‘stovepiped’ within its respective domains. The threats, and responses, can spillover across all nodes, and thus require integration. Nonetheless, as with security in the real world, it also takes individual vigilance to keep intruders out of one’s own backdoor. Herein exists a contrast between economic security and national security which could be seen as a measure of the balance between the responsibilities of government, and that of others. Further, consistent with previous literature in our class, there are some who seek and support greater governmental involvement, while other sectors are strongly opposed and dubious of that.
In developing my paper and as a continuing theme in this blog, I intend to examine the U.S. policy as it pertains to these issues of burdens and responsibilities in cybersecurity, the dynamics between the actors, instances of ‘burden shifting’ and coopting between the actors, and how this compares to the structure or institution of cybersecurity elsewhere (i.e. Europe, or a particular nation).