Cybersecurity: The Cutting Edge Market for Lemons
The U.S. government has been scrambling to expose details about a massive cyber attack on the networking software firm SolarWinds that was detected this past week. The attack is purported to have been carried out by hackers of Russian origin and has already affected nearly 18,000 of the firm’s customers, mostly corporations in key industries spanning multiple countries. In addition, the breach is known to have infiltrated the departments of State, Treasury, Homeland Security and Commerce, and the National Institutes of Health. It’s clear that the cyber attack was skillfully executed, but how could it be possible for individuals to bypass Einstein, the government’s multibillion-dollar (taxpayer-funded) detection software? According to Thomas Bossert, a cybersecurity head in both the Bush and Trump administrations, the breach is the result of poor design that he and other government officials attribute to a cybersecurity market full of lemons.
Historically, the term “lemon” refers to a car that is defective, most often in the context of vehicles on the used car market. Economist George Akerlof was awarded the 2001 Nobel Prize in Economics for his paper about the effects of asymmetric information on markets and made pre-owned car markets the primary example in his research. Essentially, what he found is that worthless cars, or lemons, can be sold above their value to buyers who cannot be sure of their quality, and this behavior will continue in a manner which ensures that eventually only worthless vehicles are sold. This process characterizes market failure, the point at which a market optimizes in a way that does not maximize social benefit. Recently, discussions about the consistent failure of products in the cybersecurity market, like Einstein, have led experts in the field to consider this idea. Upon closer examination, it’s possible to see that the market for security products closely resembles the kind of asymmetric information market that Akerlof analyzes in his paper.
In a report by Debate Security, an independent organization which seeks to improve the cyber market, it was found that 90% of survey participants considered cybersecurity technology to be ineffective in protecting organizations from cyber attacks. Trust in security technology is already low, and the providers of such technologies have no single way to ensure the efficacy of their products. There are strong effects of information asymmetries at play here, as buyers of security technologies rarely understand how they operate and can’t verify that they will function properly until something goes wrong. Many of the largest security firms assess the effectiveness of their products themselves, leaving outsiders in the dark about their true capabilities. To sell their products, many security providers have resorted to signals meant to reassure buyers that they are purchasing a robust piece of technology. These buying signals often manifest themselves in frivolous software features and flashy marketing campaigns designed purely to increase sales while ignoring the product’s core purpose. These are all telltale signs of a market for lemons and correspond well to Akerlof’s example of used car markets. As technology continues to become more integrated in our everyday lives, protecting sensitive data from both malicious hackers and foreign influence is paramount. The market for lemons in cybersecurity must be fixed, but many professionals in the industry are unsure of how to proceed.
To overcome the issues presented by the dysfunctional cybersecurity market, it’s important to ensure that quality solutions are easy to both buy and sell. One way to ensure that only trustworthy products exist is to implement some kind of independent, transparent assessment that sets industry standards for companies to strive for. This idea sounds effective in theory, but it is hard to implement in practice. Since most cybersecurity firms can already sell their products by signaling alone, most vendors would not be incentivized to adhere to these standards, especially given the existing information asymmetry between buyers and sellers. As a result, most experts now agree that government regulation is the best way to enforce strict quality assurance. This is probably the most effective way to correct the market for lemons in this case, but government involvement in security technology carries its own inherent risks. It’s possible that governments could force companies producing encryption software, for example, to give them a backdoor which would allow them to break the encryption for surveillance purposes. Regardless of which method should be used to enforce quality control, it’s apparent that the development of tested security solutions needs to be incentivized, either through financial benefit or legal protection for first movers. The market for digital security tools is still developing to keep up with new advances in technology, but in order for the market to mature properly, we must first weed out the lemons.
Sources:
https://qrius.com/how-used-cars-sales-explain-the-cybersecurity-market/
https://www.govtechleaders.com/2019/05/23/cybersecurity-is-a-market-for-lemons/