Tag: assets

Housing Bailouts: Lessons Not Learned

The housing boom and bust that occurred earlier in this decade resulted from efforts by Fannie Mae and Freddie Mac — the government sponsored enterprises with implicit backing from taxpayers — to extend mortgage credit to high-risk borrowers. This lending did not impose appropriate conditions on borrower income and assets, and it included loans with minimal down payments. We know how that turned out.

Did U.S. policymakers learn their lessons from this debacle and stop subsidizing mortgage lending to risky borrowers? NO. Instead, the Federal Housing Authority lept into the breach:

The FHA insures private lenders against defaults on certain home mortgages, an inducement to make such loans. Insurance from the New Deal-era agency has enabled lending to buyers who can’t make a big down payment or who want to refinance but have little equity. Most private lenders have sharply curtailed credit to those borrowers.

In the past two years, the number of loans insured by the FHA has soared and its market share reached 23% in the second quarter, up from 2.7% in 2006, according to Inside Mortgage Finance. FHA-backed loans outstanding totaled $429 billion in fiscal 2008, a number projected to hit $627 billion this year.

And what is the result of this surge in FHA insurance?

The Federal Housing Administration, hit by increasing mortgage-related losses, is in danger of seeing its reserves fall below the level demanded by Congress, according to government officials, in a development that could raise concerns about whether the agency needs a taxpayer bailout.

This is madness. Repeat after me: TANSTAAFL (There ain’t no such thing as a free lunch).

C/P Libertarianism, from A to Z

Some Thinking on “Cyber”

Last week, I had the opportunity to testify before the House Science Committee’s Subcommittee on Technology and Innovation on the topic of “cybersecurity.” I have been reluctant to opine on it because of its complexity, but I did issue a short piece a few months ago arguing against government-run cybersecurity. That piece was cited prominently in the White House’s “Cyberspace Policy Review” and – blamo! – I’m a cybersecurity expert.

Not really – but I have been forming some opinions at a high level of generality that are worth making available. They can be found in my testimony, but I’ll summarize them briefly here.

First, “cybersecurity” is a term so broad as to be meaningless. Yes, we are constructing a new “space” analogous to physical space using computers, networks, sensors, and data, but we can no more secure “cyberspace” in its entirety than we can secure planet Earth and the galaxy. Instead, we secure the discrete things that are important to us – houses, cars, buildings, power lines, roads, private information, money, and so on. And we secure these things in thousands of different ways. We should secure “cyberspace” the same way – thousands of different ways.

By “we,” of course, I don’t mean the collective. I mean that each owner or controller of a prized thing should look out for its security. It’s the responsibility of designers, builders, and owners of houses, for exmple, to ensure that they properly secure the goods kept inside. It’s the responsibility of individuals to secure the information they wish to keep private and the money they wish to keep. It is the responsibility of network operators to secure their networks, data holders to secure their data, and so on.

Second, “cyber” threats are being over-hyped by a variety of players in the public policy area. Invoking “cyberterrorism” or “cyberwar” is near-boilerplate in white papers addressing government cybersecurity policy, but there is very limited strategic logic to “cyberwarfare” (aside from attacking networks during actual war-time), and “cyberterrorism” is a near-impossibility. You’re not going to panic people – and that’s rather integral to terrorism – by knocking out the ATM network or some part of the power grid for a period of time.

(We weren’t short of careless discussions about defending against “cyber attack,” but L. Gordon Crovitz provided yet another example in yesterday’s Wall Street Journal. As Ben Friedman pointed out, Evgeny Morozov has the better of it in the most recent Boston Review.)

This is not to deny the importance of securing digital infrastructure; it’s to say that it’s serious, not scary. Precipitous government cybersecurity policies – especially to address threats that don’t even have a strategic logic – would waste our wealth, confound innovation, and threaten civil liberties and privacy.

In the cacophony over cybersecurity, an important policy seems to be getting lost: keeping true critical infrastructure offline. I noted Senator Jay Rockefeller’s (D-WV) awesomely silly comments about cybersecurity a few months ago. They were animated by the premise that all the good things in our society should be connected to the Internet or managed via the Internet. This is not true. Removing true critical infrastructure from the Internet takes care of the lion’s share of the cybersecurity problem.

Since 9/11, the country has suffered significant “critical-infrastructure inflation” as companies gravitate to the special treatments and emoluments government gives owners of “critical” stuff. If “criticality” is to be a dividing line for how assets are treated, it should be tightly construed: If the loss of an asset would immediately and proximately threaten life or health, that makes it critical. If danger would materialize over time, that’s not critical infrastructure – the owners need to get good at promptly repairing their stuff. And proximity is an important limitation, too: The loss of electric power could kill people in hospitals, for example, but ensuring backup power at hospitals can intervene and relieve us of treating the entire power grid as “critical infrastructure,” with all the expense and governmental bloat that would entail.

So how do we improve the state of cybersecurity? It’s widely believed that we are behind on it. Rather than figuring out how to do cybersecurity – which is impossible – I urged the committee to consider what policies or legal mechanisms might get these problems figured out.

I talked about a hierarchy of sorts. First, contract and contract liability. The government is a substantial purchaser of technology products and services – and highly knowledgeable thanks to entities like the National Institutes of Standards and Technology. Yes, I would like it to be a smaller purchaser of just about everything, but while it is a large market actor, it can drive standards and practices (like secure settings by default) into the marketplace that redound to the benefit of the cybersecurity ecology. The government could also form contracts that rely on contract liability – when products or services fail to serve the purposes for which they’re intended, including security – sellers would lose money. That would focus them as well.

A prominent report by a working group at the Center for Strategic and International Studies – co-chaired by one of my fellow panelists before the Science Committee last week, Scott Charney of Microsoft – argued strenuously for cybersecurity regulation.

But that begs the question of what regulation would say. Regulation is poorly suited to the process of discovering how to solve new problems amid changing technology and business practices.

There is some market failure in the cybersecurity area. Insecure technology can harm networks and users of networks, and these costs don’t accrue to the people selling or buying technology products. To get them to internalize these costs, I suggested tort liability rather than regulation. While courts discover the legal doctrines that unpack the myriad complex problems with litigating about technology products and services, they will force technology sellers and buyers to figure out how to prevent cyber-harms.

Government has a role in preventing people from harming each other, of course, and the common law could develop to meet “cyber” harms if it is left to its own devices. Tort litigation has been abused, and the established corporate sector prefers regulation because it is a stable environment for them, it helps them exclude competition, and they can use it to avoid liability for causing harm, making it easier to lag on security. Litigation isn’t preferable, and we don’t want lots of it – we just want the incentive structure tort liability creates.

As the distended policy issue it is, “cybersecurity” is ripe for shenanigans. Aggressive government agencies are looking to get regulatory authority over the Internet, computers, and software. Some of them wouldn’t mind getting to watch our Internet traffic, of course. Meanwhile, the corporate sector would like to use government to avoid the hot press of market competition, while shielding itself from liability for harms it may cause.

The government must secure its own assets and resources – that’s a given. Beyond that, not much good can come from government cybersecurity policy, except the occassional good, long blog post.

Bank ‘Stress Tests’ Need Transparency

As the bank stress tests are released, it is vital that the public receive specific and detailed information on each financial institution.  The Administration’s and the Federal Reserve’s continued policy of attempting to disguise the differing health of each bank has been a failure.  What is best for the taxpayer and the investing public is sufficient information to separate the good banks from the bad.

For those institutions which lack sufficient capital to remain solvent, they should seek private capital or else be closed and resolved.  Too many taxpayer dollars have already been wasted keeping alive failed institutions.  The Administration’s policy of keeping failed institutions on taxpayer-financed life-support only serves to retard the market’s ability to move assets away from those who do not, or cannot, make productive use of them toward those who can.  It is time to remember that the unparalleled wealth-creating engine of the market depends as much on allowing failure as it does in encouraging success.

Banks passing the stress tests should be allowed and encouraged to re-pay their TARP funds as soon as possible, and with no additional strings attached.  More importantly, the Administration should use any returned TARP funds to pay-down the increasing government debt, rather than be diverted to bailing-out other failed companies.