The Journal of Contingencies and Crisis Management has published a new article by IGP's Michel van Eeten and Johnannes Bauer, Emerging Threats to Internet Security: Incentives, Externalities and Policy Implications.
Somewhere around 10% of all machines connected to the Internet are thought to be infected with malicious software. This has allowed the emergence of so-called 'botnets'– networks of sometimes millions of infected machines that are remotely controlled by malicious actors. Botnets are mostly used for criminal purposes, but they also enable large-scale failures that might even reach disastrous proportions. We explain the rise of botnets as the outcome of the incentive structures of market players and present new empirical evidence on these incentives. The resulting externalities require some form of voluntary or government-led collective action. Our findings have implications for the controversial debate on the appropriate policy measures, where two perspectives on cybersecurity fight for dominance: national security and law enforcement.
The paper, based in part on numerous interviews conducted with network operators, is particularly useful for cutting through the often analytically empty cybersecurity dialogue. Using a marginal security (law enforcement) vs. precluded-event security (national security) framework, the authors identify why the issue of botnets leads to such controversy when it comes to policy responses.