Economics of Cybersecurity
Brandenburg Institute for Society and Security
Dr. Tim H. Stuchtey is a Geoeconomics Non-Resident Senior Fellow at AICGS. He is the executive director of the Brandenburgisches Institut für Gesellschaft und Sicherheit (BIGS), a homeland security think-tank based in Potsdam, Germany. He is also a Non-Resident Fellow at AICGS and has served as Director of the Business & Economics Program. He works on various issues concerning economic policy, the economy of security, the classic German ‘Ordnungspolitik,’ and the economics of higher education.
Dr. Stuchtey studied economics with a major in international trade and international management and graduated in 1995 from the Westfälische Wilhelms-Universität in Münster. In 2001 he earned a Ph.D. from the Technische Universität Berlin in economics, which he obtained for his work in public finance and higher education policy. He worked as an economist for the German Employers Association and as a university administrator both at Technische and Humboldt-Universität Berlin. He was also the managing director for the Humboldt Institution on Transatlantic Issues, a Berlin-based think tank affiliated with Humboldt-Universität.
He has published a number of articles, working papers, and books on the security industry, homeland and cybersecurity issues, higher education governance and finance and on other questions of the so-called ‘Ordnungspolitik.’
This article was originally published in German at 49security.
The digitization of government agencies is still sluggish. Nevertheless, the questions of who is responsible for protection in cyberspace and where its boundaries run need to be answered.
We are in the midst of a revolution in which digital technology is fundamentally changing a majority of areas of life and economic sectors. Of course, the state and its authorities are also affected by this, even if only to an insufficient extent so far. This also applies to security policy. The coalition agreement between the Social Democrats, Greens, and Free Democrats aims to reduce the backlog in digitization at the federal level. To achieve this, the new German National Security Strategy must set the direction and goals for the area of cybersecurity.
Questions for the National Security Strategy
The digitization of the state, economy, and society is accompanied by a multiplication of the points of attack in cyberspace. This makes attacks increasingly profitable for criminal as well as state actors. With increasing digitization, the marginal costs of cybercrime and industrial and economic espionage are falling. For the military, cyberspace adds another dimension in which conflicts are fought. This results in at least five fields that need to be addressed in the national security strategy:
- Provision of protection: What responsibility does the state bear in protecting its citizens, businesses, and institutions from cyberattacks? What responsibility do households and businesses have to protect themselves?
- Producing protection: Who produces the protection? The state, the economy?
- Security economy and sovereignty: How important is it for Germany and its companies to have their own cybersecurity capabilities? Or can the need be met from (friendly) foreign countries?
- Externalities: How much must the state intervene in people’s and companies’ freedom of choice in order to guarantee security for everyone?
- Boundaries of responsibility: Where do the geographical boundaries of the German state’s area of responsibility actually lie in cyberspace?
These questions must at least be considered, if not answered, if one wants to formulate a security strategy for Germany that also has significance for the digital space. The following are some thoughts on these five points.
Provision of protection in cyberspace
As in the physical world, there needs to be an analysis of where the state has responsibility for providing, producing, and funding certain protections in cyberspace. How this should be done has been discussed elsewhere.[i] At its core, however, such an analysis boils down to the fact that protection from cyberattacks has the character of a private or club (collective) good,[ii] especially in the case of private networks. In many areas, therefore, companies and households are responsible for providing and ultimately paying for their own protection. The state has the task of enforcing the law, protecting against state attacks, and especially ensuring its own ability to function.
Establishing protection: role of the IT security industry
When the fundamental rights of third parties are significantly impaired, it is up to the state to make certain protective services available—and, if necessary, to produce them. This applies, for example, to all offensive actions in cyberspace. However, this does not mean that the state must also produce every cyber tool itself. In the physical world, too, it goes without saying that private companies develop and manufacture the Bundeswehr’s weapons systems. Precisely because digitization is encompassing more and more areas of our lives, a vital and rapidly growing economic sector has also emerged around the topic of cyber security.
Security economy and sovereignty
It is also true for cyberspace that the state and society have an interest in equipping those who are responsible for protection with tools that are as effective as possible and that dominate the adversary. This requires access to the corresponding supply markets. It is a good thing that many powerful cyber security companies come from NATO countries or friendly states such as Australia, Israel, Japan, Taiwan, etc. Corresponding products and services are therefore available on the market.
However, when it comes to services in particular, it is important that sufficiently qualified personnel are also available in Germany. This is one of the main challenges that a security strategy must address. Where will the capable specialists come from to defend German cyberspace? In day-to-day operations, state employers are in competition with private companies, which find it easier to pay competitive wages for sought-after personnel. In addition, in the event of an emergency, a system is needed for activating competent men and women from the entire society for cyber defense (keyword ‘cyber reserve’).
There is currently much discussion about the need for Germany to strive for a higher degree of digital sovereignty for security reasons. Government procurement has a key role to play here. As is true for many things in the digital world, the market for cyber security is also characterized by considerable economies of scale and network effects. Domestic companies with government institutions as customers have an easier time in sales and in reducing average costs. However, it is also true here that a sufficient supply of qualified human capital is the necessary condition for German companies to be successful in competition.
The German armed forces, police, government agencies, and intelligence services should therefore not fret too much if well-trained cybersecurity personnel migrate to the private sector. Rather, it is a contribution by the state to an economically healthy digital economy ecosystem if it trains beyond its own needs. This training effort is certainly more effective in strengthening the digital economy than many an industrial policy approach.
It is, of course, part of entrepreneurial freedom to decide how much one’s own value creation process is digitized. A company must initially bear the associated cyber risks itself. Nevertheless, a lack of protection in cyberspace also poses a risk for third parties that is not fully borne by the originator (‘negative external effects’). Moreover, investments in IT security not only protect the investor but also those who are digitally linked to the investor (‘positive external effects’).
For uninvolved third parties to be protected from negative effects, sufficient regulation is needed to encourage the originators to ensure a minimum level of security in their economic conduct. For example, operators of fifth-generation (5G) mobile networks have an incentive to purchase inexpensive and functioning network technology from countries with which Germany is in systemic competition. In doing so, the security risks associated with the use of such technology are transferred to those who demand the services of the telecommunications networks and lead to corresponding costs for them. Conversely, it is important to support those whose protective services in cyberspace not only protect themselves but also other parts of society. A mixture of requirements and incentives is therefore needed to ensure that digitization does not lead to an intolerable vulnerability of the economy and society. Germany’s resilience in cyberspace and, in particular, its digitized production sites thus depend only in part on state security organizations. The security strategy must take this circumstance into account.
Boundaries of responsibility
Geographical boundaries play little or no role in cyberspace. However, they remain crucial for the question of the responsibility of security authorities. One need only think of the BND Act and its complicated rules on where the foreign intelligence service may monitor whom and how. Applied to business, this raises the question of whether the protection of a German company’s IT systems also applies when, for example, a foreign subsidiary accesses the same internal company network, or when a foreign intelligence service attempts to gain access to sensitive data that a German company stores with a foreign cloud provider in Germany and abroad. How far along the value chain of a systemically important German company does the state feel responsible? In the discussion about rare earths and other relevant raw materials, we recognize that sometimes the criticality is highest at the very beginning of the value chain.
Security in cyberspace is even more dependent on the capabilities and availability of the private sector and scarce personnel than in other dimensions (land, sea, air). How Germany gains sufficient access to these capabilities, also and especially in the event of conflict, is a topic that the security strategy must address in order to defend freedom and prosperity in the medium term.
[i] Wolfgang Bretschneider, Andreas Freytag, Johannes P. Rieckmann, and Tim Stuchtey, “Sicherheitsverantwortung zwischen Staat und Markt – eine institutionenökonomische Analyse,” ORDO, vol. 70, no. 1, 2019, pp. 89–124. https://doi.org/10.1515/ordo-2020-0007
[ii] Club good: Club goods or club collective goods are goods for which there is no rivalry in use between consumers, but those who do not participate in the financing can be excluded from use.