Tag: regulation

Some Thinking on “Cyber”

Last week, I had the opportunity to testify before the House Science Committee’s Subcommittee on Technology and Innovation on the topic of “cybersecurity.” I have been reluctant to opine on it because of its complexity, but I did issue a short piece a few months ago arguing against government-run cybersecurity. That piece was cited prominently in the White House’s “Cyberspace Policy Review” and – blamo! – I’m a cybersecurity expert.

Not really – but I have been forming some opinions at a high level of generality that are worth making available. They can be found in my testimony, but I’ll summarize them briefly here.

First, “cybersecurity” is a term so broad as to be meaningless. Yes, we are constructing a new “space” analogous to physical space using computers, networks, sensors, and data, but we can no more secure “cyberspace” in its entirety than we can secure planet Earth and the galaxy. Instead, we secure the discrete things that are important to us – houses, cars, buildings, power lines, roads, private information, money, and so on. And we secure these things in thousands of different ways. We should secure “cyberspace” the same way – thousands of different ways.

By “we,” of course, I don’t mean the collective. I mean that each owner or controller of a prized thing should look out for its security. It’s the responsibility of designers, builders, and owners of houses, for example, to ensure that they properly secure the goods kept inside. It’s the responsibility of individuals to secure the information they wish to keep private and the money they wish to keep. It is the responsibility of network operators to secure their networks, data holders to secure their data, and so on.

Second, “cyber” threats are being over-hyped by a variety of players in the public policy area. Invoking “cyberterrorism” or “cyberwar” is near-boilerplate in white papers addressing government cybersecurity policy, but there is very limited strategic logic to “cyberwarfare” (aside from attacking networks during actual war-time), and “cyberterrorism” is a near-impossibility. You’re not going to panic people – and that’s rather integral to terrorism – by knocking out the ATM network or some part of the power grid for a period of time.

(We weren’t short of careless discussions about defending against “cyber attack,” but L. Gordon Crovitz provided yet another example in yesterday’s Wall Street Journal. As Ben Friedman pointed out, Evgeny Morozov has the better of it in the most recent Boston Review.)

This is not to deny the importance of securing digital infrastructure; it’s to say that it’s serious, not scary. Precipitous government cybersecurity policies – especially to address threats that don’t even have a strategic logic – would waste our wealth, confound innovation, and threaten civil liberties and privacy.

In the cacophony over cybersecurity, an important policy seems to be getting lost: keeping true critical infrastructure offline. I noted Senator Jay Rockefeller’s (D-WV) awesomely silly comments about cybersecurity a few months ago. They were animated by the premise that all the good things in our society should be connected to the Internet or managed via the Internet. This is not true. Removing true critical infrastructure from the Internet takes care of the lion’s share of the cybersecurity problem.

Since 9/11, the country has suffered significant “critical-infrastructure inflation” as companies gravitate to the special treatments and emoluments government gives owners of “critical” stuff. If “criticality” is to be a dividing line for how assets are treated, it should be tightly construed: If the loss of an asset would immediately and proximately threaten life or health, that makes it critical. If danger would materialize over time, that’s not critical infrastructure – the owners need to get good at promptly repairing their stuff. And proximity is an important limitation, too: The loss of electric power could kill people in hospitals, for example, but ensuring backup power at hospitals can intervene and relieve us of treating the entire power grid as “critical infrastructure,” with all the expense and governmental bloat that would entail.

So how do we improve the state of cybersecurity? It’s widely believed that we are behind on it. Rather than figuring out how to do cybersecurity – which is impossible – I urged the committee to consider what policies or legal mechanisms might get these problems figured out.

I talked about a hierarchy of sorts. First, contract and contract liability. The government is a substantial purchaser of technology products and services – and highly knowledgeable thanks to entities like the National Institute of Standards and Technology. Yes, I would like it to be a smaller purchaser of just about everything, but while it is a large market actor, it can drive standards and practices (like secure settings by default) into the marketplace that redound to the benefit of the cybersecurity ecology. The government could also form contracts that rely on contract liability – when products or services fail to serve the purposes for which they’re intended, including security – sellers would lose money. That would focus them as well.

A prominent report by a working group at the Center for Strategic and International Studies – co-chaired by one of my fellow panelists before the Science Committee last week, Scott Charney of Microsoft – argued strenuously for cybersecurity regulation.

But that begs the question of what regulation would say. Regulation is poorly suited to the process of discovering how to solve new problems amid changing technology and business practices.

There is some market failure in the cybersecurity area. Insecure technology can harm networks and users of networks, and these costs don’t accrue to the people selling or buying technology products. To get them to internalize these costs, I suggested tort liability rather than regulation. While courts discover the legal doctrines that unpack the myriad complex problems with litigating about technology products and services, they will force technology sellers and buyers to figure out how to prevent cyber-harms.

Government has a role in preventing people from harming each other, of course, and the common law could develop to meet “cyber” harms if it is left to its own devices. Tort litigation has been abused, and the established corporate sector prefers regulation because it is a stable environment for them, it helps them exclude competition, and they can use it to avoid liability for causing harm, making it easier to lag on security. Litigation isn’t preferable, and we don’t want lots of it – we just want the incentive structure tort liability creates.

As the distended policy issue it is, “cybersecurity” is ripe for shenanigans. Aggressive government agencies are looking to get regulatory authority over the Internet, computers, and software. Some of them wouldn’t mind getting to watch our Internet traffic, of course. Meanwhile, the corporate sector would like to use government to avoid the hot press of market competition, while shielding itself from liability for harms it may cause.

The government must secure its own assets and resources – that’s a given. Beyond that, not much good can come from government cybersecurity policy, except the occasional good, long blog post.

Morozov vs. Cyber-Alarmism

I’m no information security expert, but you don’t have to be to realize that an outbreak of cyber-alarmism afflicts American pundits and reporters.

As Jim Harper and Tim Lee have repeatedly argued (with a little help from me), while the internet created new opportunities for crime, spying, vandalism and military attack, the evidence that the web opens a huge American national security vulnerability comes not from events but from improbable what-ifs. That idea is, in other words, still a theory. Few pundits bother to point out that hackers don’t kill, that cyberspies don’t seem to have stolen many (or any?) important American secrets, and that our most critical infrastructure is not run on the public internet and thus is relatively invulnerable to cyberwhatever. They never note that to the extent that future wars have an online component, this redounds to the U.S. advantage, given our technological prowess.  Even the Wall Street Journal and New York Times recently published breathless stories exaggerating our vulnerability to online attacks and espionage.

So it’s good to see that the July/August Boston Review has a terrific article by Evgeny Morozov taking on the alarmists. He provides not only a sober net assessment of the various worries categorized by the vague modifier “cyber” but even offers a theory about why hype wins.

Why is there so much concern about “cyber-terrorism”? Answering a question with a question: who frames the debate? Much of the data are gathered by ultra-secretive government agencies—which need to justify their own existence—and cyber-security companies—which derive commercial benefits from popular anxiety. Journalists do not help. Gloomy scenarios and speculations about cyber-Armageddon draw attention, even if they are relatively short on facts.

I agree.

Administration Reform Plan Misses the Mark

The Obama Administration is presenting a misguided, ill-informed remake of our financial regulatory system that will likely increase the frequency and severity of future financial crises. While our financial system, particularly our mortgage finance system, is broken, the Obama plan ignores the real flaws in our current structure, instead focusing on convenient targets.

Shockingly, the Obama plan makes no mention of those institutions at the very heart of the mortgage market meltdown – Fannie Mae and Freddie Mac. These two entities were the single largest source of liquidity for the subprime market during its height. In all likelihood, their ultimate cost to the taxpayer will exceed that of TARP, once TARP repayments have begun. Any reform plan that leaves out Fannie and Freddie does not merit being taken seriously.

Instead of addressing our destructive federal policies aimed at extending homeownership to households that cannot sustain it, the Obama plan calls for increased “consumer protections” in the mortgage industry. Sadly, the Administration misses the basic fact that the most important mortgage characteristic that is determinative of mortgage default is the borrower’s equity. However, such recognition would also require admitting that the government’s own programs, such as the Federal Housing Administration, have been at the forefront of pushing unsustainable mortgage lending.

While the Administration plan recognizes the failure of the credit rating agencies, it appears to misunderstand the source of that failure: the rating agencies’ government-created monopoly. Additional disclosure will not solve that problem. What is needed is an end to the exclusive government privileges that have been granted to the rating agencies. In addition, financial regulators should end the outsourcing of their own due diligence to the rating agencies.

The Administration’s inability to admit the failures of government regulation will only guarantee that the next failures will be even bigger than the current ones.

Week in Review: Health Care Battles, Pay Caps and North Korean Prisoners

Will Obama Raise Middle-Class Taxes to Fund Health Care?

President Obama is promoting an expansion in federal health care spending, and Democratic leaders are scrambling to find ways to pay for it. The plan is expected to cost about $1.5 trillion over the next decade, but the administration has promised that health care legislation won’t add to already huge federal budget deficits. In a new paper, Cato scholars Michael D. Tanner and Chris Edwards argue that expanding government health care will likely involve huge tax increases on the middle class.

Tanner warns of “Obamacare” to come, saying that Obama’s new health care plan will give “government control over one-sixth of the U.S. economy, and over some of the most important, personal, and private decisions in Americans’ lives.” Don’t miss Tanner’s in-depth analysis of the new health care plan that is making its way through Congress, which “would dramatically transform the American health care system in a way that would harm taxpayers, health care providers, and — most importantly — the quality and range of care given to patients.”

A part of the plan would include “public option” (read: government-run) health care, which would allow the government to compete against private health care providers. Tanner says it would be the first step toward wiping out the private insurance market as we know it:

Regardless of how it is structured or administered, such a plan would have an inherent advantage in the marketplace because it would ultimately be subsidized by taxpayers. It could, for instance, keep its premiums artificially low or offer extra benefits, then turn to the U.S. Treasury to cover any shortfalls. Consumers would naturally be attracted to the lower-cost, higher-benefit government program.

…It is unlikely that any significant private insurance market could continue to exist under such circumstances. America would be firmly on the road to a single-payer health care system with all the dangers that presents. That would be a disaster for American taxpayers, physicians, and—most importantly—patients.

Treasury Seeks to Control Executive Pay Across the Private Sector

Fox Business reports, “The Treasury Department on Wednesday took new steps to rein in executive compensation, saying the Obama Administration would introduce legislation that could create stricter limits on pay; it also appointed an official to head up efforts on the issue.”

In a 2008 Policy Analysis Ira T. Kay and Steven Van Putten explain the misconceptions many people have about executive pay, and why the market is a better arbiter than any bureaucrat in Washington:

Such populist sentiments are often based on misunderstandings about the role of corporate executives in the economy and the vigorous competition that exists for these highly skilled leaders. In the past, federal regulatory efforts based on such misunderstandings have generated unintended consequences, which have damaged the economy and hurt the ability of the market for executives to self-regulate over time.

The labor market for executives and the associated pay levels are already subject to high levels of regulation. Indeed, U.S. corporations are subject to more stringent executive pay disclosure requirements than corporations anywhere else in the world. Before additional regulatory and legislative efforts are unleashed, policymakers should examine the rationale for current pay structures and the strong links between executive pay and corporate performance.

In a Washington Times op-ed, Alan Reynolds says efforts to cap executive pay are wholly misguided:

Congressional hearings to barbecue Wall Street executives are as fun as a circus, but with more clowns. Presidential politics is now taking such political distractions to a lower level.

…Most top executives who were actually in charge during the craze of overinvestment in mortgage-backed securities have been fired. Executives who are fired are not in a position to be “giving themselves” anything.

In reality, top executives are mainly paid by accumulating a big stockpile of company stock and stock options. Estimates of annual CEO pay that Congress and the press have been focusing on look as high as they do only because of the high value of restricted stock or stock options at the time.

Writing in 2007 (before the first round of major bailouts), Cato scholars Jerry Taylor and Jagadeesh Gokhale took it a step further: “Pay Bosses More!”:

Excessive executive compensation harms no one but perhaps the stockholders who put up with it. And stockholders put up with it because there’s good reason to believe that sizable CEO compensation packages help – not harm – corporate performance, which redounds to their benefit, and that of the firms’ workers.

Companies pay workers what they must to deliver their products and services to the market, and supply and demand establishes executive compensation packages the same way it establishes consumer prices. Any overcompensation comes out of the firm’s bottom line – at a loss to the shareholders, not the workers.

North Korea Sentences Two U.S. Journalists to 12 Years Hard Labor

Two American journalists were convicted of entering North Korea illegally while on assignment, and exhibiting “hostility toward the Korean people.” This week, a North Korean court sentenced them to 12 years in a labor prison.

Cato scholar Doug Bandow comments:

Washington should publicly downplay the controversy and present the issue to the Kim regime as a humanitarian matter. The Obama administration should indicate its willingness to open a broader dialogue with North Korea, but indicate that positive results will be possible only if Pyongyang responds with cooperation instead of confrontation. Releasing the two journalists obviously would provide evidence of the former.

Regrettably, Laura Ling and Euna Lee are political pawns. As such, Washington’s best strategy to achieve their release is to simultaneously reduce their perceived value to Pyongyang and ease tensions between the U.S. and North Korea. Patience may be the Obama administration’s highest virtue and Ling’s and Lee’s greatest hope.

In a Cato Daily Podcast, Bandow discusses what can be done for the American prisoners, and how the U.S. government should react.

Injustice of State Subsidies

My colleague Chris Edwards made a good point yesterday in his post on the injustice of federal subsidies.  The wrangling between the states to haul in the federal largesse is wasteful, and getting worse.  But the underlying issue in the article Chris cites — a state using taxpayer money to lure a company away from another state — is another wasteful activity that is all too common.

Instead of competing with other states to attract industry by lowering taxes and reducing regulations, it seems most state governors prefer a politically opportunistic method I call “press release economics.”  Here’s how it works:

A state “economic development” agency offers an out-of-state company (or even an out-of-country company) tax breaks and/or direct subsidies to locate some or all of its business operations in that state.  Most likely, the business would have located there anyhow due to myriad factors including demographics, transportation logistics, and workforce capabilities.  Sometimes several states will engage in a “bidding war” to get a business to set up shop within their borders.  The governor of the “winning” state will then issue a press release citing the new jobs and capital his administration has just brought to the state.  The locating company usually tells the press that the winning state’s package helped seal the deal.  The company and the governor’s press staff then typically arrange a photo-op at an orchestrated ground-breaking ceremony for the new facilities.

If a state is already bleeding jobs, as is often the case in the current economy, such press releases and photo-ops can be a political coup. Moreover, the governor will have given up, or forgone, relatively little in tax revenue in comparison to, say, cutting the state corporate income tax. This also leaves the governor with more money to spend on various vote-buying programs. I’m picking on governors, but the legislature generally prefers the press-release economics route for similar reasons. And if you’re a governor, why risk the headache of engaging the legislature in a fight over reducing corporate taxes, unemployment taxes, or any other tax — including personal income taxes and sales taxes — that affect industry when you can take the easy win?

Am I too cynical?  Actually, I had first-hand experience with this issue when I worked in state government.  My suggestion that the governor eliminate or reduce the state’s high corporate income tax rate, and “pay for it” — at least in part — by getting rid of the state’s corporate welfare apparatus, was routinely ignored for the reasons I cited above.  That one would be hard-pressed to find support among the economics profession for the state corporate welfare give-away game means little to the majority of policymakers and their minions who naturally favor short-term political gain over long-term economic gain.  That other companies already located within the state are stuck paying the regular tax rate, and are thus put at a competitive disadvantage, is a secondary or non-concern as well.

Another issue that I won’t delve into here is the fact that these giveaways often blow up in a state’s face when the locating company ends up not producing the jobs it promised and/or it relocates to another state or country after pocketing the free taxpayer money.  Anyhow, journalists should be on the lookout for more press-release economics schemes coming from the states as revenues remain tight and politicians become desperate to demonstrate they’re “doing something.”  Journalists should examine a state’s tax structure when a taxpayer giveaway is announced to see if perhaps the governor is masking economic-unfriendly fiscal policies.

Note: South Carolina Gov. Mark Sanford proposed late last year to do exactly what I recommended: eliminate the state’s corporate income tax, offset in part by the elimination of corporate tax incentives.  There is hope.

The Quiet War against School Choice

First, the Democrats in Washington for all intents and purposes killed the District of Columbia’s proven voucher program, but did it with Ninja-like stealth. The weapons: Nearly impossible reauthorization requirements, late Friday announcements, and politically expedient promises to keep kids currently attending good schools from being very publicly booted.

Now it’s Milwaukee’s turn. The new Democratic majority in Madison is on its way to cutting the value of individual vouchers while raising public school per-pupil expenditures, and even worse, is larding new regulations on private schools participating in the choice program. Perhaps the most ridiculous proposed reg: Requiring all participating private schools with student bodies that are more than 10 percent limited English proficient to provide a “bilingual-bicultural education program.” As if one of the major benefits of choice isn’t that parents can choose such programs if they think they are best for their kids, and can select something else if they don’t! But, of course, political decisions aren’t primarily about what parents want and kids need.

Thankfully, there is a resistance forming to the assault in Milwaukee, with choice advocates now refusing to remain quiet after naively doing so when they were told that fighting back would only make things worse. The choice-supporting national media is also speaking up. But one can’t help but fear that it may be too little, too late.

Prosperity in Washington

The current Attorney General, Eric Holder, left DC’s Covington and Burling to return to the Justice Department, where he held a senior post during the Clinton years. Holder’s mission is to supposedly “rein in the free market excesses of the last eight years.” Bush’s people are done with their own crackdown and are now returning to DC’s big law firms to warn their client business firms about the coming crackdown by Holder’s prosecutors. This is sorta like the GOP legislators who are now trying to lodge complaints about Obama’s spending. Despite the rhetoric, both sides aggrandize federal power and then enrich themselves while advising businesspeople on how to comply with myriad regulations from the alphabet agencies.
