PART 4

Yosef Yudborovsky
11 min read, Jun 29, 2017


(Part 3)

7. FACTORS IN DETERMINING THE LEVEL OF PIGOVIAN TAXES AND SOME UNTRADITIONAL SIDES TO THIS MARKET

With Pigovian taxes as the leading candidate for the best fitting corrective mechanism, we must now turn to developing a better understanding of the costs of damage. Graphically speaking, social consumption-costs are expressed by the difference between the two demand curves — the higher of which is the private demand and the lower of which is the social demand. First, we tackle the scope of damage, by considering the impacted sides. Then, we will describe the characteristics of an attack, by investigating the different decisions made by an adversary. Lastly, we will try to numerically quantify the costs of the resulting damage.

7.1. SCOPE OF DAMAGE

A successful DDoS attack will disrupt the virtual (online) presence of any individual, organization or company. The scope of damage, and therefore the scope of cost, can be determined only by identifying each impacted party. The size of the target is not the main cost-determining factor; the level of virtual dependency is. For example, one’s ability to socialize online has one value, while an individual’s career as an online star (e.g. a YouTube star) has a different value. Similarly, disrupting the virtual presence of an e-commerce business (Amazon.com, for example) or an online betting firm pales in magnitude when compared to the attack seen on Dyn DNS, which had an impact on the whole east-coast internet infrastructure. The web, from that perspective, is viewed not only as an additional marketplace but, for some, as the sole marketplace. The damage to individuals, businesses or organizations is proportional to the level of their online dependency. This is the traditional consensus around cybercrime in general, and DDoS attacks are no different.

In determining the damages there are three key considerations: revenue loss, reputational damage and recovery costs [6]. At the same time, given that our concern is society as a whole, and not only the revenue-generating parties, we are obligated to add the damage imposed on random individuals seeking to use the virtual world for their own benefit. Calculating revenue loss and recovery costs is relatively straightforward, but reputational damage, the intangible among them, can be more complicated to calculate. Nevertheless, reputation and business image should not be treated any differently and should always be included in any such calculations. In the era of online presence and the general technology race, the reputational price of failing to provide an online business interface translates directly into revenue loss. One common example of such reputational damage would be changes to credit and insurance ratings due to a reputation drop originating from large-scale cyber-attacks.

7.2. CHARACTERISTICS OF AN ATTACK

Another important dimension we have to account for is the characteristics of an attack. Most DDoS attacks involve three major parts, which are determined by the acting adversary — attack volume, attack downtime and attack frequency. Any interested adversary, looking to initiate an attack, can find a range of possibilities in these three categories on the dark net and, as previously discussed, a basic attack could be executed for a fairly low budget.

Volume refers to the amount of traffic directed towards the victim in an effort to overwhelm its service. While different services can absorb varying attack volumes, some maximum capacity exists for all of them, regardless of their level of sophistication. Just as with other cybersecurity attacks, mitigation efforts grow in direct relation to attacker capabilities. Fifteen years ago, an attack of about 100 gigabits per second (Gbps) of data sent would have been capable of exhausting the resources of any average-sized service. In the last four years, attack volume has kept rising, mostly due to the perpetrators’ ability to utilize unprotected IoT machines. From 2013 to 2017 around a dozen attacks managed to pass the 400 Gbps threshold, reaching just below 1 Tbps (terabits per second). This was the case with the Dyn DNS attack and the attacks following this event [7].

Attack downtime refers to the length of the outage of the various services disrupted by the attack. Length can vary significantly according to attacker abilities, budget and the service used. In the recent trend of purchasing DDoS attacks as a service, where adversaries hire automatic bots (robots) to launch attacks (via a pool of vulnerable machines), outages have varied between a few hours and a handful of days [6].

Attack frequency refers to the number of attack repetitions. The practice of repeating an attack is common and helps to subvert mitigation practices, as well as to test the network and assess its response.

One implication of the choices available to the adversary in how an attack is constructed, using the factors above, is that the overall damage (and therefore costs) can be assumed to rise at a rate proportional to the number of unprotected IoT devices. It could be argued that having the ability to attack with 200 Gbps of traffic becomes redundant when a victim’s service could be exhausted with only 100 Gbps. But, since an attack could be structured in multiple ways, leveraging all the available resources to provide longer downtime or repetitions over multiple days, the additional 100 Gbps can be put to use to challenge the various mitigation attempts.

7.3. COSTS OF DAMAGE

Quantifying the damage to determine the costs inflicted by an attack presents a real challenge, with many limitations originating in the many factors that must be considered. As such, multiple approaches could be used. This paper will first look at the challenges facing any quantification effort, then outline one such process and its results. Quantifying the damage will, first of all, depend on all the above-described variations in the scope and characteristics of an attack, and it introduces three main challenges.

The first challenge is the source of the available information, which is primarily generated by security firms or their research arms. As a result, some bias should be assumed when considering information from these sources.

The second challenge lies in the fact that the damage consideration, in most cases, focuses on downtime for businesses of various types and sizes; however, the focus of this paper is the social cost as a whole, including the damage imposed on third parties, like the average service consumer. In other words, we are interested in accounting for a person’s inability to share family pictures on Facebook.com or to read information online for a school paper. DDoS attacks reduce what could be termed the ‘private virtual-existence’ utility, a precise calculation of which is yet to be developed.

The third challenge relates to the actual parameters of the calculations. Among the multiple research papers and reports to be found, only a few common parameters exist to allow an appropriate comparison of results. For example, costs per attack in one report will include the short-term and long-term ramifications of an attack, while for other reports costs will account for only short-term revenue loss (during downtime only). Similarly, some will account for intangible damage like reputation, while others might avoid following this route. As such, trying to estimate costs by cross-analyzing conclusions from multiple reports presents a real challenge.

Looking into popular reports analyzing DDoS attacks provides some rough estimates. The duration of attacks primarily ranges from one hour to a week, while the costs range from several tens of thousands up to half a million per attack. Of course, as described before, the provided ranges are relevant only for business-related costs (tangible or intangible). Estimation of overall social costs would require consideration of all impacted parties, including those outside the business realm.

Estimating the costs of damage is essential to establishing a tax frame. Any efficient taxation will look to equate the tax payment to the amount assumed for the costs of damage. A common tool used to estimate such a tax is the Marginal External Cost, which equals the probability of an attack times the extra cost imposed by a given device. This, in principle, should be built into the purchase price of any device. Of course, given the complexity of calculating the true cost, per device especially, such an estimate remains a challenge. To some extent, if no appropriate frame for cost estimation could be established and taxation falls short in providing efficiency, quantity regulation should be considered as well. In the end, efficiency is the goal, and the most efficient structure to pull the market back to its efficient equilibrium should win.
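The mechanics described in section 7 (the two demand curves from the opening of the section, and the Marginal External Cost as attack probability times per-device extra cost) can be made concrete with a small linear model. The following is an added example, not part of the original paper: it assumes linear private demand and supply curves, a Marginal External Cost that is constant in quantity (so the social demand curve is the private curve shifted down by exactly that amount), and constructed parameter values chosen only to keep the arithmetic readable. It computes the unregulated market outcome, the efficient outcome, the per-unit Pigovian tax that closes the gap, the quantity cap that a quantity-regulation approach would impose instead, and the deadweight loss the tax removes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IoTDeviceMarket:
    """Linear textbook model of the IoT device market (constructed illustration).

    Private demand (marginal private benefit):  P = a - b*Q
    Supply (marginal private cost):             P = c + d*Q
    Marginal external cost (MEC) per device:    p_attack * extra_cost, taken to be
    constant in Q, so the social demand curve is private demand shifted down by MEC.
    """
    a: float
    b: float
    c: float
    d: float
    p_attack: float    # assumed probability that a given device is drawn into an attack
    extra_cost: float  # assumed damage one such device adds (revenue loss, recovery, reputation)

    def marginal_external_cost(self) -> float:
        return self.p_attack * self.extra_cost

    def private_demand(self, q: float) -> float:
        return self.a - self.b * q

    def social_demand(self, q: float) -> float:
        return self.private_demand(q) - self.marginal_external_cost()

    def supply(self, q: float) -> float:
        return self.c + self.d * q

    def private_equilibrium(self):
        """Where the market settles on its own: private demand = supply."""
        q = (self.a - self.c) / (self.b + self.d)
        return q, self.supply(q)

    def social_optimum(self):
        """Efficient outcome: social demand = supply."""
        q = (self.a - self.marginal_external_cost() - self.c) / (self.b + self.d)
        return q, self.supply(q)

    def pigovian_tax(self) -> float:
        """Per-unit tax that makes buyers face the social demand curve: the
        vertical gap between the two demand curves at the efficient quantity."""
        q_star, _ = self.social_optimum()
        return self.private_demand(q_star) - self.social_demand(q_star)

    def deadweight_loss(self) -> float:
        """Welfare lost between Q* and the unregulated Qm; with linear curves and
        a constant MEC this is the triangle 1/2 * MEC * (Qm - Q*)."""
        q_m, _ = self.private_equilibrium()
        q_star, _ = self.social_optimum()
        return 0.5 * self.marginal_external_cost() * (q_m - q_star)

    def quantity_cap(self) -> float:
        """The quantity-regulation alternative: cap sales at the efficient Q*."""
        return self.social_optimum()[0]


# Constructed parameters, chosen only to keep the arithmetic readable.
EXAMPLE_MARKET = IoTDeviceMarket(a=100.0, b=1.0, c=10.0, d=1.0,
                                 p_attack=0.2, extra_cost=50.0)


def summarize(m: IoTDeviceMarket) -> dict:
    """Collect every quantity of interest for one market instance."""
    q_m, p_m = m.private_equilibrium()
    q_s, p_s = m.social_optimum()
    return {
        "mec": m.marginal_external_cost(),
        "market_quantity": q_m,
        "market_price": p_m,
        "efficient_quantity": q_s,
        "producer_price_at_optimum": p_s,
        "consumer_price_with_tax": p_s + m.pigovian_tax(),
        "pigovian_tax": m.pigovian_tax(),
        "deadweight_loss": m.deadweight_loss(),
    }


if __name__ == "__main__":
    for key, value in summarize(EXAMPLE_MARKET).items():
        print(f"{key:>28}: {value:g}")
```

With these constructed numbers the MEC is 10 per device, the unregulated market sells 45 units at 55, the efficient quantity is 40, and a tax of 10 per unit raises the consumer price to 60 while producers receive 50; the deadweight loss of the unregulated outcome is 25. Note that the tax equals the MEC only because the MEC was assumed constant; if the per-device extra cost rises with the number of devices in circulation (as the discussion of attack characteristics suggests), the tax must be set to the MEC evaluated at the efficient quantity, not at the current one.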

8. ADDITIONAL ASPECTS OF THE IoT MARKET

The market for IoT devices could be viewed as an untraditional market given its many unusual characteristics. Some of these characteristics were mentioned previously: for example, how intangible the consumption of this product is, since it takes place through online communications, or the mixed nature of traditional good and information good involved in IoT, as hardware and software can hardly be analyzed apart from each other. There are some additional, untraditional, aspects worth mentioning here: the role a manufacturer plays in this market failure, the extensive role Internet Service Providers (ISPs) have in overseeing and maintaining networks, as well as the potential existence of positive externalities in a market where individuals rely on communications. This is especially important, since a true efficiency-achieving process requires a thorough consideration of all market characteristics, traditional and untraditional.

First, we discuss the role a manufacturer plays in this market. In identifying the type of externalities created by the IoT market, we mentioned that regardless of the classification of the externalities, some amount of responsibility falls on the manufacturers. To discuss this responsibility, an additional dimension of this market should be reviewed. The market for IoT devices, just like many other technology markets, is subject to a market failure that is not as obvious at first — asymmetry of information (when one transaction party holds information the other is not aware of), especially in the context of security. Simply put, the buyer is not fully aware of some of the security elements incorporated in the use of the machine purchased. The seller, of course, has no incentive to fix this asymmetry, unless the market changes or some other force intervenes to create incentives for the seller. In the IoT market, the asymmetry of information results in ‘security lemons.’ In fact, most technology markets face the problem of insufficient knowledge around privacy and security risks. Because this is not an IoT-specific issue, the appropriate solution to this asymmetry belongs to a larger discussion around the economics of cybersecurity, which is beyond the scope of the topics covered here, but is a key topic for further discussion. After all, even if the market were to internalize ‘security lemons’ so that they are reflected in the price, society would still incur the cost of the additional externalities.

Another aspect to consider in this market is the role of ISPs, the organizations responsible for all aspects involved in connecting individuals, companies and organizations to the Internet. Larger ISPs, like AT&T and Verizon, own the physical infrastructure required to make these connections, while smaller ISPs lease this infrastructure in order to provide service in various areas. To some degree, this structure is similar to the structure of a traditional telephone service. While ISPs do not always have visibility into the actual content of the communications, as some of it is encrypted, they always have significant visibility into the routes and the volume of data flowing through their system. By sampling traffic and then modeling some behavioral standards, ISPs could, potentially, determine the characteristics of an attack, flag it as an anomaly and drop the resulting communications, essentially stopping the attack.

Given the extensive involvement ISPs have in providing the tools and infrastructure, their position should be viewed in a special light. With the right incentives (subsidy payments) from the public sector, ISPs could provide some policing over the routes of communication. ISPs, in this approach, provide positive externalities to society by identifying and mitigating attacks. Subsidy payments would be used in such a case to ensure that no loss is imposed on the ISPs, given the attack-reduction costs they would incur. While this solution could be helpful in fighting some forms of DDoS attacks, there are challenges. The ISP’s exact role and its power over the content of communications are currently a topic of hot debate. Discussions around net neutrality and the sale of browsing histories to advertisers derive, to some extent, from some recent political shifts and the resulting regulatory re-classifications of ISPs [8], [9]. One more aspect of getting ISPs involved in the security discussion relates to their extensive role in a sector where a lack of competition exists. For many years, demands have been made to open the communication market to additional competition in order to allow the entry of new companies and improve overall service. Encouraging, giving or mandating that ISPs take on an additional role to police for DDoS attacks might be like adding fuel to a fire.

At this point, one important note regarding DDoS mitigation solutions offered by private parties has to be made. Private markets offer multiple solutions for mitigating DDoS attacks. Most of these solutions look to identify anomalies in communication behavior, in the form of mass communications — the basic characteristic of DDoS attacks. Detected anomalies are compared with the content of the packets communicated, in order to identify the exact type of communication used. The goal is to correctly classify the unusual behavior for these types of messages and ignore these communication attempts, rather than treat them as legitimate ones. While these solutions exist and could help in mitigating attacks, these mitigation strategies are beyond the scope of this paper, as they don’t provide any remedy to society as a whole: companies, or any other defender, would still need to pay the additional price imposed by IoT owners — the mitigation costs.
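Both the ISP-side idea above (sample the traffic, model a behavioral standard per destination, flag deviations from it) and the private mitigation products just described rest on the same core step: a volume baseline and an anomaly rule that singles out mass communications from many senders. The following is an added illustration of that step and is not code from the paper or from any ISP or vendor. It assumes sampled flow records reduced to (interval, source, destination, bytes) tuples, a per-destination baseline built from a clean training window, and a z-score rule combined with a distinct-source count; all addresses come from the RFC 5737 documentation ranges and the flow data is constructed inline.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed example of an ISP-style behavioral baseline over sampled flow
# records.  Names, thresholds and addresses are illustrative assumptions.


@dataclass(frozen=True)
class Flow:
    interval: int  # sampling bucket, e.g. one minute of sampled NetFlow/sFlow
    src: str
    dst: str
    nbytes: int


@dataclass(frozen=True)
class Alert:
    dst: str
    interval: int
    nbytes: int
    distinct_sources: int
    zscore: float


def aggregate(flows):
    """Roll sampled flows up to {dst: {interval: [total_bytes, set_of_sources]}}."""
    agg = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for f in flows:
        cell = agg[f.dst][f.interval]
        cell[0] += f.nbytes
        cell[1].add(f.src)
    return agg


def build_baseline(flows):
    """Behavioral standard per destination: mean and population stddev of
    bytes per interval, learned from a window believed to be attack-free."""
    baseline = {}
    for dst, per_interval in aggregate(flows).items():
        volumes = [cell[0] for cell in per_interval.values()]
        baseline[dst] = (mean(volumes), pstdev(volumes))
    return baseline


def detect_anomalies(flows, baseline, k=3.0, min_sources=50):
    """Flag intervals whose volume sits more than k standard deviations above
    the destination's baseline AND that involve at least min_sources distinct
    senders.  The second condition separates a distributed flood from a single
    large but legitimate transfer such as a backup or a software download."""
    alerts = []
    for dst, per_interval in aggregate(flows).items():
        if dst not in baseline:
            continue  # no behavioral model for this destination yet
        mu, sigma = baseline[dst]
        for interval, (nbytes, sources) in sorted(per_interval.items()):
            if sigma > 0:
                z = (nbytes - mu) / sigma
            else:  # perfectly flat baseline: any increase is anomalous
                z = float("inf") if nbytes > mu else 0.0
            if z > k and len(sources) >= min_sources:
                alerts.append(Alert(dst, interval, nbytes, len(sources), z))
    return alerts


TARGET = "198.51.100.10"  # constructed victim address (documentation range)

# Ten clean intervals: five regular clients, about 1,050 bytes per interval in total.
BASELINE_FLOWS = [
    Flow(t, f"192.0.2.{i + 1}", TARGET, 200 + 10 * ((i + t) % 3))
    for t in range(10)
    for i in range(5)
]

# Live window: one normal interval, one flood from 200 constructed sources, and
# one large transfer from a single source that must NOT be treated as an attack.
LIVE_FLOWS = (
    [Flow(10, f"192.0.2.{i + 1}", TARGET, 200 + 10 * (i % 3)) for i in range(5)]
    + [Flow(11, f"203.0.113.{i}", TARGET, 1500) for i in range(200)]
    + [Flow(12, "192.0.2.9", TARGET, 300_000)]
)


def run_example():
    """Train on the clean window, then score the live window."""
    return detect_anomalies(LIVE_FLOWS, build_baseline(BASELINE_FLOWS))


if __name__ == "__main__":
    for a in run_example():
        print(f"interval {a.interval}: {a.nbytes} bytes to {a.dst} "
              f"from {a.distinct_sources} sources (z={a.zscore:.1f})")
```

Only interval 11 is reported: interval 10 matches the baseline, and interval 12 carries the same byte count as the flood but from one sender, so the distinct-source rule keeps it out. In a real deployment the baseline would be re-learned continuously and broken down by time of day and protocol, since a static mean learned once is easy to drift away from; the point of the example is only to show why volume alone is not a sufficient signal and what the "modeling some behavioral standards" step in the text amounts to.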

At this point, positive externalities should be considered, given the nature of relying on peers for security. As discussed before, externalities can be negative or positive, depending on the type of additional effect they have on individuals and society. For example, strong security for some machines participating in an automated ecosystem could potentially provide benefits to all participating parties. Here, just as with negative externalities, some impact is imposed on third parties who are not involved in initiating these externalities. Two possible examples are autonomous cars and Blockchain technology. The first is the ability of machines to maneuver cars by analyzing all available information through constant monitoring of the surroundings. The second is a technology that distributes data records across many independent participants, as a measure of secure record storing. In both examples, we can assume a direct relationship between the level of ‘trust’ a party assigns to each participant and the verification process it has to go through when analyzing information coming from these participants. Greater trust in participating nodes (due to better security) could be translated directly into a reduction in the effort expended on verification. If the system assumes that all the data received from a participating node is trustworthy, it could skip verification algorithms and improve efficiency. In order to support the positive network effect, subsidy payments to the externality providers should be considered, similar to what can be found in other positive externality scenarios.

9. CONCLUSION

This paper has provided an in-depth analysis of the IoT market from the perspective of traditional Economics in order to assess the negative externality generated by this market: supporting DDoS attacks. This paper suggests that Pigovian taxes are the likeliest candidate for a successful intervention, as long as the appropriate cost frame is constructed. Having looked at the cybersecurity considerations, the Economics of market failures, damage calculations and possible solutions, two major forces can be seen as playing key roles: on one side, the unprecedented damage that could be generated by a successful attack; on the other side, the relative ease with which such an attack could be accomplished. While such a situation seems almost certain to end badly, some strategies can be employed. Pigovian taxes could provide a possible remedy, and looking towards ISPs to leverage their access could provide some solution as well. Lastly, it is important that we consider one final corrective action, an old but often effective strategy: education. Whether this takes the form of a Public Service Announcement (PSA), labeling requirements, or a myriad of other tactics in this realm, the need for quantity or monetary regulations could be limited or even eliminated by implementing an effective and appropriate education policy. Perhaps the greatest challenge to this is that the government has to, first of all, educate itself and then its citizens to appropriately adapt to the rapidly reshaping reality of our ever more sophisticated technological world.


Yosef Yudborovsky

Exploring the unique seam between Computer Science and Economics.