December 15, 2021
BP Purdy considers the consequences of protectionism in the cyber realm.
More at https://lawliberty.org.
To receive further Cyber Musings, subscribe to the VOLITION ZINE.
Where I am a professor, we’re supposed to check in when we come to campus and then scan the QR code that is outside each building, and even room, that we go into for “COVID-19 contact tracing.” When I questioned the appropriateness of being digitally tracked while we’re on campus, I was told by the head of the campus health center that “this is a different type of tracking.”
Apparently, violations of privacy are fine if they are in the name of public health. While our concerns with cybersecurity are often focused on how criminals may steal our information or how businesses use our data, the most dangerous cybersecurity threat is that of the government. When the government attempts to protect us, it usually makes the knowledge error of intentions that do not equal results.
This cognitive dissonance of governmental knowledge is that governmental action only affects the hoped-for. For example, when governments raise the minimum wage, the hoped-for result is that employees will get paid more and the new base wage will not change how employers manage their employee schedules, payroll, etc. Since the hoped-for is for the market not to respond to governmental action, then that is what the government will assume to be despite evidence to the contrary.
At the same time, if the government desires for the hoped-for result to change how people behave, then it will admit that to be the case, e.g., sin taxes exist to change the behavior of the purported sinner. Thus, the government magically knows when or when not their action will change the behavior of those it rules based on their desire.
This cognitive dissonance of governmental knowledge, or simply the paradox of Hoped-for Knowledge, can also be expressed in terms of microeconomics as homo economicus only acts rationally (updating prior knowledge in Bayesian terms) when the government wants him to do so; otherwise, he acts irrationally. F.A. Hayek delineated in The Use of Knowledge in Society that the price system is a mechanism for communicating information and if the government makes the price more rigid (through laws, regulations, etc.), then less information is gleaned from the price. To emphasize how occult this thinking is, the Hoped-for Knowledge is analogous to carpet bombing a densely populated city and believing that the bombs will only kill one’s enemies while leaving the civilians unscathed. As ridiculous as this is, it is how the government behaves. But the Hoped-for Knowledge itself is not the only problem; the hoped-for results themselves are, too.
Thomas Sowell, while analyzing how knowledge is shared and decisions are made, defines what we will call the Hoped-for Decisions, viz. a fallacy that defines a process by its hoped-for results, rather than the actual characteristic of the decision-making process. Sowell reflects on the dangers of such descriptions since a so-called for-profit business can in fact never make a profit and fail after only a few months. Also, policies such as the minimum wage or sin taxes actually cause the most harm to those that they are trying to help, i.e. the poor. So the hoped-for result is the opposite of the actual result. There is also the common practice of defining political institutions by their hoped-for result such as the Centers for Disease Control, the recently established Cybersecurity and Infrastructure Security Agency (CISA) as part of the Department of Homeland Security, and the newly minted Office of the National Cybersecurity Director.
Given the newness and immediacy of issues regarding cybersecurity, it is an opportune moment to reflect on cybersecurity from the viewpoint of liberty and the actual, rather than the hoped-for, results of governmental action. While the Federal Leviathan has responded in its usual bureaucratic ways (interagency joint task forces; the creation of new governmental entities and positions, regulations; and laws), we can still argue for a cybersecurity policy that avoids the pair of Hoped-for errors by looking to trade-offs rather than solutions. Like a correct governmental response to Covid-19, a correct cybersecurity policy demands a balance between privacy and safety as well as between self-determination and protection.
The purpose of cybersecurity is to protect digital assets from being compromised. The three fundamental goals of cybersecurity form the so-called CIA Triad: confidentiality, integrity, and availability. Confidentiality means that information that is meant to be secret, remains so. For example, if you are banking online, only you should have access to your account. Integrity refers to the information being correct and reliable. Your bank account should accurately reflect your purchases. Availability ensures that the information is available to the right people at the right time. You should be able to access your account information at any time. While these principles are straightforward enough, their implementation often proves challenging.
Just as humans are flawed, so is cybersecurity since it depends on those that set up the system and those that use it. Sometimes data breaches occur due to a flaw in the code and other times due to the negligence of the user, or both. The very thing that benefits us in so many ways, viz. the interconnectivity of computers via the internet, is also what allows criminals, terrorists, and belligerent nation states to cause harm.
In the United States this year, there have already been hundreds of millions of victims of cybercrime and over a thousand data breaches, which has resulted in costs of over a billion dollars. (Another unintended consequence of the governmental response to Covid: the number of data breaches was higher this year for companies that had remote work.) Some of the most notorious recent cybersecurity incidents (all examples of ransomware) are JBS (food), Colonial Pipeline (energy), DC Police (law enforcement), and Scripps (health care). Local governments and other public entities are victims of cyberattacks costing taxpayers millions of dollars. The entities that are attacked by these cybercriminals often feel that they have no choice but to pay the ransom in order to continue their operations or to keep sensitive information from getting out. Not all acquiesce: in the case of the DC Police since they did not pay the 4 million dollar ransom, the cybercriminals released the information that they stole. Russia and China are known to encourage cyberattacks, cybercrime, and cyberterrorism. They both are content to flex their geopolitical muscles by allowing such behavior and participating in cyberbelligerence.
In order to find the optimal trade-offs between cybersecurity and cyberliberty, we must logically and empirically evaluate any governmental cybersecurity proposals with both a grounding in liberty and a proper understanding of knowledge and decisions.
The Liberty Schema
The Empirical Liberty Framework is a two-step process that allows us to evaluate competing rights claims. The framework’s premise is that individual rights have primacy and then the process allows us to consider any infringement on those rights by collective rights using data. The first step is to determine if and how the proposed governmental action infringes upon individual liberties. The second step is to evaluate using statistical evidence if there is justification for any such infringement. Whatever the issues of null hypothesis testing in statistics, this framework has an analogous setup. The null hypothesis is individual liberty and only if there is a preponderance of evidence in favor of even a modest restriction on individual liberty should it be infringed.
From the cautionary tales in Sowell’s Knowledge and Decisions, any governmental action should be incremental and not categorical. The law of unintended consequences states that the actions of people, and in particular the government, have effects that are unintended. A corollary of this law is that the larger the governmental action, i.e., a categorical action, then the larger the unintended consequences. Thus, with rare exceptions such as the Thirteenth Amendment, governments should make incremental adjustments to current law and then evaluate the consequences before continuing with additional modest changes. Incrementalism is important since as Hayek taught us, even the most limited government action reduces the amount of available information and makes it more difficult for an individual or business to make the correct decision. As Jacques Maritain critiqued Machiavelli: the Prince, even if doing evil, can do less evil if forced to act incrementally. Any infringement on individual liberties should happen only with evidence and gradually.
In the case of much of the governmental response to Covid-19, the government was and is neither concerned with liberty nor evidence, but only in categorical dicta by fiat. An example of an incremental change vs. a categorical change is to quarantine only those who are sick with Covid-19 symptoms versus having everyone staying at home to flatten the curve. What complicates the issue with cybersecurity is that individuals, businesses, and the national security of the state all are contending against one another; not merely the state adjudicating between the rights of individuals as in gun control or between individuals and businesses as in the case of Covid-19.
The story so far is that given an issue such as cybersecurity, we reject the Hoped-for Knowledge paradox with the understanding of whatever the government does, it will result in less knowledge for individuals and businesses. We also avoid the Hoped-for Decisions fallacy by considering a proposed policy in terms of its process, not its hoped-for result. The process we will use is the Empirical Liberty Framework, where we only allow incremental changes that infringe upon individual liberty if there is sufficient evidence to do so. We’ll call this trio of ideas the Liberty Schema.
Each day there are a plethora of stories regarding cybersecurity and, in particular, government responses to cybersecurity issues. Due to their number and complexity, we cannot consider any of the proposed government actions in detail here; however, using the Liberty Schema we can offer general guidance on what governments should and should not do. As to the latter, the government should not act with cross-purposes. There is a bill in the House of Representatives that would limit the amount the entities can pay in ransoms to no more than $100,000 while at the same time some want mandated reporting of cybercrimes. If an entity, whether it is a business or an individual, decides to pay a ransom that is more than $100,000, then the likelihood that the crime will be reported to the authorities is negligible. The most important factor in the fight against cybercrime is knowledge of the crime since having unfettered knowledge allows us to react more efficiently against the hackers.
Let’s dwell on the issue of reporting hacks to the government by businesses: should the aforementioned CISA be a partner with businesses or a regulator? This is a particularly thorny issue since the government is dependent on business partners for cybersecurity. But rather than base the decision on the hoped-for result and in an empirical vacuum, the accumulated evidence on governmental regulations needs to be considered and weighed against the rights of the businesses to act in the manner that is best for them via the Liberty Schema. These are questions that must be answered:
Is there evidence that regulations have led to the hoped-for result in the past?
If so, can that type of regulation be applied in this particular situation incrementally while respecting the rights of the businesses?
What are the trade-offs? That is, even if we answer yes to the first two questions, is it worth it?
While we have been primarily considering the relationship between the government and business and individuals, we must mention the relationship between the individual and businesses. Some Big Tech companies profit off their users’ privacy. Milton Freeman’s observation that there’s no such thing as a free lunch applies to social media companies as much as to government programs. While using, say, Facebook does not cost the user any money, the user pays Facebook with access to his data, not a traditional currency, but a currency nevertheless. Even some conservatives, who are typically against monopoly-busting have spoken out in favor of breaking the Big Tech monopolies. Big Tech acts as the extra-constitutional henchmen for the government as we have argued elsewhere. While we are sympathetic to this view to destroy what the Woke Lords of the Silicon Valley have created, we must again return to our first principles of the Liberty Schema to determine if the hoped-for result of protecting people’s privacy and reigning in the Progressive Billionaires will likely occur if companies like Alphabet and Meta are deconstructed like Ma Bell, or even regulated much more modestly.
Statistically, we all have been victims of cybercrime as consumers, business owners, shareholders, or taxpayers. In addition to the unwanted exploitation of our data, we also allow our data to be treated as a commodity by a myriad of companies even if we don’t fully understand the extent that they do so. Additionally, the tax collection, law enforcement, and national security apparatus will look at our data without our permission at the point of a gun. The romantic notion of going off the grid is not pragmatic for the vast majority of us. Thus, in order to find the optimal trade-offs between cybersecurity and cyberliberty, we must logically and empirically evaluate any governmental cybersecurity proposals with both a grounding in liberty and a proper understanding of knowledge and decisions. It is only with an adherence to such a schema that we can have both a free and technologically engaged society.