Paul Rosenzweig on Cybersecurity and Public Goods

cyberspace is unique. And the best way to correctly approach fundamental policy questions about the division of authority between government and private actors is to begin with a fundamental analysis of first principles. Those economic principles suggest there is a clear but limited domain in which government action is both appropriate and required: that of fostering the sharing of cybersecurity information. As for the rest of the bundle of cybersecurity goods, we face a wicked problem. Private sector actions will doubtless create externalities that the market cannot account for and that cannot be effectively managed by a self-organizing private sector. But the prospect of government action to correct for those externalities raises the same traditional problems of regulatory capture that attend any government endeavor. More fundamentally, precisely because cyberspace is unique in its rapidly changing and path-breaking nature, we face the almost intractable problem of creating policy too slowly to be of any utility. Ultimately, then, the principle recommendation for government is to treat cyberspace like any patient with an ailment and “first, do no harm.”