
Emerging Threats to Internet Security: Incentives, Externalities and Policy Implications

Michel van Eeten* and Johannes M. Bauer**

*Faculty of Technology, Policy and Management, Delft University of Technology, P.O. Box 5015, 2600GA, Delft, The Netherlands. E-mail: m.j.g.vaneeten@tudelft.nl
**Department of Telecommunication, Information Studies, and Media; Quello Center for Telecommunication Management and Law, Michigan State University, 417 Communication Arts and Sciences, East Lansing, MI, 48824-1212, USA. E-mail: bauerj@msu.edu

Somewhere around 10% of all machines connected to the Internet are thought to be infected with malicious software. This has allowed the emergence of so-called ‘botnets’ – networks of sometimes millions of infected machines that are remotely controlled by malicious actors. Botnets are mostly used for criminal purposes, but they also enable large-scale failures that might even reach disastrous proportions. We explain the rise of botnets as the outcome of the incentive structures of market players and present new empirical evidence on these incentives. The resulting externalities require some form of voluntary or government-led collective action. Our findings have implications for the controversial debate on the appropriate policy measures, where two perspectives on cybersecurity fight for dominance: national security and law enforcement.

1. Introduction

The Internet – sometimes referred to as the ‘most complex machine ever built’ (Lemon, 2006) – has achieved a remarkable track record in terms of reliability and disaster resistance. We have yet to witness the first large-scale ‘blackout’ of the Internet as a network. Charles Perrow, not exactly the most optimistic of risk researchers, recently summarized this track record as consisting of ‘only small, sporadic failures that are more annoying than consequential’ (2007, p. 277). He holds up the Internet as a blueprint for other critical infrastructures. Of course, there are occasional reports of backbone connection failures in geographical regions that have limited connections to the rest of the world. While painful for those in the affected regions, these events are considered marginal in comparison with the overall size of the network and its traffic.

Other assessments, however, strike quite a different tone. In fact, there are those who claim that a digital Pearl Harbour is about to strike. If recent security research is correct, about 10-20% of all connected machines are currently used for attacking the Internet (BBC News, 2007; House of Lords, 2007; Weber, 2007). The fact that the owners of these machines do not know their machines are compromised by malicious software – so-called ‘malware’ – is actually part of the problem. Malware may be distributed and used in many ways, including email messages, USB devices, infected websites, malicious advertising, and browser vulnerabilities (Jakobsson & Zulfikar, 2008).

The massive number of compromised machines currently connected to the Internet has allowed the emergence of so-called ‘botnets’ – networks of thousands or even millions of infected machines that are remotely controlled by a ‘botnet herder’ and used to launch malicious attacks. These botnets enable malicious actors to trigger large-scale failures that might even reach disastrous proportions.

© 2009 Blackwell Publishing Ltd. Journal of Contingencies and Crisis Management Volume 17 Number 4 December 2009

The examples of such attacks are numerous. In April and May 2007, members of a Kremlin-backed youth movement used a variety of botnets to effectively disconnect the country of Estonia – ‘the most wired country in Europe’, according to Wired.com – from the Internet (Davis, 2007; Kirk, 2008; Clover, 2009). NATO was called in for assistance.

In September 2007, the chief security officer of VeriSign, the company that operates the .com and .net registries, said that the Distributed Denial-of-Service (DDoS) attacks on their servers were growing fast and if these attacks succeeded, they would ‘effectively shut down the Internet’ (Espiner, 2007). On an earlier occasion, he called the predicted size of the upcoming attacks ‘the Katrina of Internet storms’ (Anonymous, 2006). The registries are part of the Domain Name System (DNS) – a set of critical Internet resources that translate domain names into the IP addresses needed for Internet communications. Another part of the DNS, the so-called root name servers at the top of the hierarchy, has also been under increasingly powerful attacks since 2002 (ICANN, 2007).

In July 2008, preceding a Russian military invasion, botnets were used to render Georgian governmental and news websites inoperable (Markoff, 2008). During the prolonged attacks, some of the victims moved their operations to other locations. One newspaper set up a Blogspot account, which is hosted on Google’s massive infrastructure and therefore more resilient to attacks. Other sites moved to Estonia, which offered to help after having suffered a similar fate. One security expert observed that Georgia was in effect ‘cyberlocked’, as it relied heavily on connections to the rest of the world that ran through hostile territory – i.e., Russia (Shachtman, 2008).

Botnets are predominantly used for criminal purposes rather than for terrorist or military attacks. They are currently the main vehicle for global spam distribution, for hosting phishing websites to attack financial institutions, for click fraud, for denial-of-service attacks that try to extract ransom from their victims, and other forms of perpetration (OECD, 2009). Estimates of the total annual damage of Internet security incidents vary wildly, but often run into the tens of billions of US dollars per year for the United States alone (e.g., US GAO, 2007) – typically the range of impacts that we associate with a disaster.

The boundary between crime and national security is, however, increasingly blurred. The attacks in Estonia and Georgia demonstrate that it is difficult to tell who is behind an attack: private individuals, organizations or nation states. More importantly, these attacks employed existing botnets set up for criminal purposes to attack nation states, turning a problem of crime into one of national security. This has profound implications. When criminal resources are powerful enough for successful attacks on national security, the range of attackers and threats expands dramatically. A US General in charge of ‘offensive and defensive cyber operations’ said: ‘We can have a bored 16-year-old do damage to our networks. It is not just the nation state that you worry about. You worry about activities from an individual to an organization like al-Qaeda to a nation state’ (Sevastopulo, 2008).

In a technical sense, the attacks on Estonia and Georgia were modest in size. The effects were so severe because of the limited connectivity of both countries. Given the large-scale criminal computing infrastructure currently available, it is not difficult to see how such attacks could be scaled up to a level that worries countries with more advanced Internet infrastructure. To compare: the Estonia attacks were estimated to have cost a few thousand US dollars, had they been executed through rented botnets (Lesk, 2007). In other words, even with limited financial means, large-scale attacks appear possible. It turns out to be very difficult to identify who is behind the attacks, as evidenced by the recent attacks on US governmental resources coming out of Chinese networks (Reid, 2007). They could be state-sponsored or not.

These developments have given rise to a wide range of predictions about future disasters, including, but not limited to: massive crime waves that thwart the growth of the online economy; sweeping DDoS attacks rendering critical Internet resources inoperable; malware pandemics that, like the large worm outbreaks of the early 2000s, cause widespread damage to businesses around the world; targeted attacks by terrorists or enemy states that cause large-scale disruption of power grids, communication networks and banking systems (e.g., CSIS, 2008).

In the United States, as elsewhere, cyber security has recently moved to the top of the policy agenda. President Obama has announced a new military command for cyberspace within the Pentagon, as well as a White House office responsible for coordinating private sector and government defenses against the daily cyber attacks mounted against the United States (White House, 2009). Such attacks are largely conducted by hackers, though sometimes foreign governments are suspected to be involved (Sanger & Shanker, 2009).

At the centre of many scenarios leading to such potential future disasters are botnets – in other words, the millions of infected machines of home and business users. This paper sets out to explore the causes of these risks and asks how to deal with them in light of potential future disasters. To explore the causes, we identify the incentives of end users and Internet Service Providers (ISPs) when dealing with infected machines. This approach builds on a dominant theoretical development in the field of information security, which employs economic concepts to understand security failures. We find that the incentives under which end users and ISPs operate explain the emergence of botnets and thus generate information security problems for society at large. A large part of these problems constitutes an ‘externality’, a cost imposed on stakeholders by the actions of other stakeholders, for which they have no recourse to compensation. The concluding part of the paper addresses the question of how to deal with these externalities. Two fundamentally different regimes of security are possible: precluded-event security and marginal security. Some policies to address the risk of future disasters are compatible with both regimes, while others will require painful decisions with potentially disastrous consequences either way.

2. Security risks and incentives

What is causing the rise of botnets? One frequently given answer points to the design flaws and vulnerabilities that are ubiquitous in the software running current Internet-connected devices. For example, many have blamed the poor security performance of Microsoft Windows, the dominant platform for PCs (e.g., Perrow, 2007). But over the past years, the response to this question has changed. Rather than explaining security threats as technological problems, they are increasingly understood as the outcomes of incentive structures. ‘Over the past six years, people have realized that security failure is caused at least as often by bad incentives as by bad design’ (Anderson & Moore, 2006, p. 610). Incentives are the factors that agents, be they individual decision-makers or organizations, take into account when making decisions. Incentives can be positively related to an objective such as information security or they may be negatively related (‘disincentives’). Agents make their decisions based on their objectives, preferences, and constraints, which, in turn, are shaped by the incentives perceived as relevant in a situation.

Many instances of what could be conceived as security failures are in fact the outcome of rational economic decisions, based on the private costs and benefits of security as perceived by the actors during the timeframe considered in those decisions. As security is costly, rational players will accept a certain level of security breaches. However, there is an additional aspect to the security issue. If the incentives of the players in the value net do not properly reflect the social costs and benefits of their security decisions, for example, because of externalities or public good aspects of security investments, such privately rational decisions will systematically deviate from the social optimum. Insufficient security investments may manifest in slower diffusion rates of IT uses and the associated opportunity costs to society. They may also become visible as security failures, where an actor makes a security decision that imposes costs on other actors in the value network of information services, which were not taken into account in the originating decision.

We can see the power of incentive structures around security threats everywhere. Consider the spreading of viruses and other malware, for example. During the second part of the 1990s, when the scale of virus dissemination was rapidly increasing and countless end users (home, corporate, governmental) were affected, many ISPs argued that virus protection was the responsibility of end users. The computer was their property, after all. ISPs further argued that they could not scan traffic coming through their e-mail servers because that would invade the privacy of end users. Mail messages were also considered property of end users. Around 2001, this started to change, partly due to the growth of broadband and always-on connections. The distribution of viruses and worms had increased exponentially and now the ISPs’ infrastructure was succumbing to the load, requiring potentially significant investment in network expansion. Facing these potential costs, ISPs radically shifted their position in response. Within a few years, a majority started to scan incoming e-mail traffic and to delete traffic identified as malignant. Apparently, message filtering had become a lower-cost solution than infrastructure expansion. De facto, ISPs reinterpreted the various property rights associated with email – e.g. regarding ownership of the message.

The rise of botnets is also tied to a specific set of incentives. We explore these incentives for end users and ISPs – the former because they own most of the compromised machines that are recruited into botnets, the latter because they are a critical intermediary that connects end users to the wider network and, as such, could mitigate the security threats posed by infected machines. This analysis is based on the findings of a qualitative empirical field study. In the course of 2007, a team of researchers from the Delft University of Technology and Michigan State University conducted 41 in-depth interviews with 57 professionals of organizations operating in networked computer environments that are confronted with malware. Interviewees represented a stratified sample of professionals from different industry segments (e.g., hardware, software, service providers, and users) in six countries (Australia, Germany, the Netherlands, United Kingdom, France, and the United States). Moreover, we interviewed experts involved in the governance of information security issues such as Computer Emergency Response Teams and regulatory agencies. Based on this unique and rich data, we identified and analysed the consequences of the incentives relevant for key players.¹

3. End users

Modern malware authors go to great lengths to minimize the impact of their code on the infected machine. Whereas the viruses and worms of several years ago would typically visibly disrupt the compromised machine itself, the current generation of malware not only obscures its presence, but is often used to attack third parties, rather than the infected host itself. This means that the machine’s owner often has little incentive to remediate this security problem, should s/he even be aware of it. These incentives vary greatly with the type of end user (businesses of different size, individual end users), with some users opening security holes in the value chain.

Large businesses (firms with 250 and more employees) are a heterogeneous group. Many large business users have adopted risk assessment tools to make security decisions (Gordon & Loeb, 2004). Their diligence will vary with size and possibly other factors such as the specific products and services provided. One particularly interesting industry is financial service providers. This is a rather diverse sector, encompassing different types of banks, credit card companies, mutual funds, insurance companies, and many others. The rules for each of these players differ in detail. Focusing predominantly on merchant banks, Van Eeten and Bauer (2008) concluded that these financial service providers are to a considerable degree able to manage risks emanating from their customer relations. However, they need to make choices balancing enhanced security and the growth of their electronic business. In principle, they could use highly secure platforms to conduct ecommerce transactions. However, such an approach would likely have detrimental effects on users as it decreases the convenience of conducting business. Financial organizations thus face a trade-off between higher security and migrating transactions to cost-saving electronic platforms. Many financial service providers offer compensation for losses incurred by their customers from phishing or other fraudulent actions as part of this overall security decision. This practice aligns the incentives of the financial service provider with the goal of improved security (as weaker security would mean higher compensation costs), but it does not generate appropriate incentives for individual users (who will be held harmless by the banks). Businesses other than financial service providers may often not be in a position to manage externalities associated with their clients. Therefore, more significant deviations between private incentives and social effects may exist, resulting in a sub-optimally low level of security investment by these firms.

Two other groups of players that deserve mentioning are small and medium enterprises (SMEs, typically defined as enterprises with fewer than 250 employees, including microenterprises) and residential users. Although this is a large and diverse group, these players are in several respects similar. Like other participants, they work under multiple and potentially conflicting incentives. Unlike larger businesses that may be able to employ information security specialists, either in-house or via outsourced services, many SMEs and residential users have insufficient resources to prevent or respond to sophisticated types of attacks. Many residential users likewise underestimate their exposure and overestimate their efficacy in dealing with risks despite an increasing awareness of security threats (LaRose, Rifon, Liu, & Lee, 2005). Despite these similarities, one can assume that, in general, businesses will employ a more deliberate, instrumentally rational form of reasoning when making security decisions. At the same time, even if end users were to have a correct understanding of their exposure, they may opt for a suboptimally low level of protection because the benefits of security expenses will to a considerable degree flow to other users (who benefit from reduced exposure to security threats).

Individual businesses and users may suffer from the perception that their own risk exposure is low, especially if others protect their machines, the well-known free rider phenomenon. On the other hand, given increased information, a growing number of users in this category is aware of the threat of being exposed by breaches of information security. Thus, they realize to a certain extent that they are the recipients of ‘incoming’ externalities. Overall, one can expect that on average these classes of users will not be full free riders. Whereas some individuals and SMEs may over-invest, there is evidence that most will not invest in security at the level required by the social costs of information security breaches (Kunreuther & Heal, 2003). This conclusion is corroborated by the observation that many individual users do not purchase security services, do not even use them when offered for free by an ISP or a software vendor, and turn off their firewalls and virus scanners regularly if they slow down certain uses, such as gaming.

In sum, end users in the aggregate spend too little on security; their decisions therefore enable the growth of botnets, which impose costs on virtually every other actor in the network. We now turn to the issue of how ISPs are confronted with the consequences of the security problems generated by their customers.

4. ISPs

Over the past years, it has turned out to be extremely difficult to improve the security of end users. Given the enduring problems around end user security and its effects on the wider network, it seems inevitable that attention would shift to other players in the ecosystem. The role of ISPs in improving Internet security has been a particular focus of recent debates.

While the term ISP is used to cover a variety of businesses, typically ISPs are defined as providers that offer individuals and organizations access to the Internet. Many ISPs offer related services to their customers, which is why the term sometimes refers to hosting providers and content providers. We have focused our analysis primarily on ISPs as access providers.

What incentives do ISPs have to reduce the problem of malware? One view is: very few, if any. Recently, the UK House of Lords Science and Technology Committee published a report which states (House of Lords, 2007, p. 30): ‘At the moment, although ISPs could easily disconnect infected machines from their networks, there is no incentive for them to do so. Indeed, there is a disincentive, since customers, once disconnected, are likely to call help-lines and take up the time of call-centre staff, imposing additional costs on the ISP’.

Notwithstanding such claims, most ISPs are in fact increasing their efforts to fight malware. A survey from the EU’s European Network and Information Security Agency (ENISA) found that 75% of ISPs report that they quarantine infected machines (ENISA, 2006). This figure does not include any indication of the scale at which ISPs are quarantining infected machines – a point to which we return in a moment. All ISPs we interviewed described substantial efforts in the fight against malware, even though they are operating in highly competitive markets and most countries do not have governmental regulations requiring them to do so. All of them were taking measures that were unheard of only a few years ago. Most of the interviewees dated this change to around 2003, when it became obvious that it was in the ISPs’ own interest to deal with end user insecurity, even though legally it was not their responsibility. Several incentives help explain why the ISPs see these efforts as being in their own interest.

4.1. Costs of customer support and abuse management

A key incentive for ISPs is the cost of customer support and abuse management. A security officer of a smaller ISP said: ‘The main [security-related] cost for ISPs is customer calls’. The same view was expressed in minor variations by several other interviewees. A medium-sized ISP reported costs of 8 euros on average for an incoming call to their customer center, while an outgoing call – for example, to contact a customer regarding an infected machine – was estimated at 16 euros. The costs for email contact were similar. The incentive here is that security incidents generate customer calls, thus quickly driving up the costs of customer care. The ISPs may not be formally responsible for the customers’ machines; in reality, many customers call their ISP whenever there is a problem with their Internet access. Regardless of the subsequent response of the ISP, these calls increase their costs. An interviewee at a large ISP emphasized that the customer support desk was a substantial cost for the company and that the number of calls was driven up by infections of their customers’ machines. Almost all of the ISP’s outgoing security-related calls had to do with malware.

Similar to customer contact, dealing with abuse notifications drives up costs because it requires trained staff. Tolerating more abuse on the network raises the number of notifications that the ISP receives. Abuse notifications can come through different channels, most notably through email sent to the abuse desk – typically abuse@provider.com – and through the informal networks of trusted security professionals that exist across ISPs, CSIRTs and related organizations. The latter carry more weight, as they come from known and trusted sources, but all have to be dealt with in some form. Many of these notifications are automated. Several ISPs reported using the so-called AOL Feedback Loop, which sends notifications of any emails that are reported as spam by AOL recipients back to the administrator of the originating IP address.

As with customer complaints, not all malware infections will result in abuse notifications. One ISP reported internal research into the degree to which notifications adequately represented the size of the security problems on their networks. The company found that only a small percentage of the compromised machines it saw on its network showed up in the notifications. Still, ISPs notifying each other of security problems is an important mechanism. In fact, in some cases, it is critical.

For the interviewed ISPs, customer contact and abuse notifications constituted a positive incentive to invest in security both at the network level and at the customer level. One medium-sized ISP estimated it was spending 1–2% of its overall revenue on security-related customer support and abuse management. This also helps to understand why more and more ISPs are offering ‘free’ security software or ‘free’ filtering of email – that is, the costs of these services are included in the subscription rate. One ISP described how about four years ago the company started offering virus filters for email as a paid service, but soon thereafter decided to provide them for ‘free’: ‘After 6 months, all ISPs [offered these paid security services], so it was no longer a unique selling point. Plus, we could not get more than 10% of our customers to buy the service . . . We did not actually do the math, but we figured that by offering it to all our customers within the current rate, we would be better off . . . We already paid the AV licence. If people have the option to pay for it or not to pay for it, they do not’.

There is another way of responding to these incentive mechanisms, however: don’t respond to abuse notifications and avoid customer contact altogether. This attitude does save the ISP direct costs related to security. Indeed, there is a class of so-called ‘rogue ISPs’ doing exactly this. However, non-response also has negative repercussions such as the direct and indirect costs of being blacklisted, which make it a less attractive strategy for legitimate ISPs.

4.2. Costs of blacklisting

Blacklisting is a loosely used term typically referring to ISPs’ practice of using so-called DNS Blacklists (DNSBL) to filter incoming traffic. Mail servers, for example, may be configured to refuse mail coming from specific IP addresses, IP ranges or whole networks listed on a DNSBL. Virtually all ISPs nowadays use blacklists. There is a wide variety of blacklists available and ISPs may use them in different combinations. Most of the lists are run by volunteers and are free of charge to the user (though their operations may be funded through external sources). Each DNSBL has its own criteria for including an IP address in the list and its own procedure for getting an address off the list. Spamhaus, an international non-profit organization funded through sponsors and donations, maintains several well-known blacklists – though they prefer the term block lists – which they claim are used to protect over 600 million user inboxes.²

Blacklisting provides an incentive to invest in security because it ties in with the incentives mentioned earlier. It directly impacts the ISP’s business model. A security officer at a large ISP explained that the expectation of being blacklisted led to a much more proactive approach to remove bots from the network, including the purchase of equipment that automates the process of identifying infected machines on the network. That ISP contacted around 50 customers per day and, if a customer did not resolve the problem, the connection was suspended. When asked how they got the business side of the company to approve this policy, he answered: ‘They hated it at first. But at the end of the day, the media fallout by being cut off by AOL and MSN was too big. The big ISPs, they use very aggressive [DNSBL] listings. They take out whole IP ranges. We used to be hit hard and entire ranges of our IP addresses were blacklisted’.

Various levels of blacklisting are used to incite a response from an ISP. At the lower end, we find blacklisting of individual IP addresses, i.e., an individual customer. This has ‘exactly zero impact on the ISP’, said a security expert. Only when the number of blacklisted IP addresses starts to accumulate might it get the ISP’s attention. Blacklisting IP ranges and blacklisting outbound mail servers are more powerful incentives. The most extreme form is the blacklisting of an entire network, i.e., all IP addresses of an ISP. This is only used against ‘gray’ and ‘rogue’ ISPs who do not act against spam.
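The DNSBL mechanism introduced at the start of this section and the host-level versus range-level listings just described, as an added example that is not part of the original paper: it builds the reversed-octet query name, interprets the list's answer, and makes a mail server's accept/reject decision against a constructed in-memory list (the zone name dnsbl.example, the sample addresses and the return codes are assumptions; a real list defines its own criteria and codes).

```python
import ipaddress
from typing import Callable, Dict, Optional, Tuple

# --- Constructed sample data (not a real list) -------------------------------
# A DNSBL is queried by reversing the IPv4 octets and appending the list's
# zone; the answer is an address in 127.0.0.0/8 when the IP is listed and
# NXDOMAIN (None here) when it is not. Zone and codes are assumptions.
ZONE = "dnsbl.example"

# Host-level listings: individual customer machines (the lowest level).
LISTED_HOSTS: Dict[str, str] = {"198.51.100.23": "127.0.0.2"}
# Range-level listings: a whole IP range of an ISP (the more powerful level).
LISTED_RANGES: Dict[ipaddress.IPv4Network, str] = {
    ipaddress.ip_network("203.0.113.0/24"): "127.0.0.3",
}
# Human-readable meaning of the constructed return codes.
CODE_MEANING = {"127.0.0.2": "host listed", "127.0.0.3": "range listed"}

Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the query name for an IPv4 address: reversed octets + zone."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed and IPv6 input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def constructed_resolve(name: str) -> Optional[str]:
    """Offline stand-in for a DNS A-record lookup against ZONE."""
    suffix = "." + ZONE
    if not name.endswith(suffix):
        return None
    ip = ".".join(reversed(name[: -len(suffix)].split(".")))
    try:
        addr = ipaddress.IPv4Address(ip)
    except ValueError:
        return None
    if ip in LISTED_HOSTS:
        return LISTED_HOSTS[ip]
    for net, code in LISTED_RANGES.items():
        if addr in net:
            return code
    return None  # NXDOMAIN: not listed


def check_dnsbl(ip: str, zone: str, resolve: Resolver) -> Optional[str]:
    """Return the list's answer code for ip, or None when it is not listed.

    A DNSBL answer must lie in 127.0.0.0/8. A defunct list whose domain has
    been wildcarded can answer with an arbitrary address; treating that as a
    listing would reject all mail, so such answers are ignored.
    """
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return None
    try:
        code = ipaddress.IPv4Address(answer)
    except ValueError:
        return None
    if code not in ipaddress.ip_network("127.0.0.0/8"):
        return None
    return str(code)


def smtp_policy(client_ip: str, zone: str, resolve: Resolver) -> Tuple[str, str]:
    """Decide whether a mail server accepts a connection from client_ip."""
    code = check_dnsbl(client_ip, zone, resolve)
    if code is None:
        return ("accept", "not listed")
    reason = CODE_MEANING.get(code, f"listed with code {code}")
    return ("reject", f"{client_ip} is on {zone}: {reason}")


if __name__ == "__main__":
    for ip in ("198.51.100.23", "203.0.113.77", "192.0.2.1"):
        print(ip, smtp_policy(ip, ZONE, constructed_resolve))
```

The range entry shows why a single listed customer can take neighbouring, uninfected customers of the same ISP offline with it, which is the pressure the interviewees describe.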

4.3. Costs of brand damage and reputation effects

The ‘media fallout’ mentioned by the interviewee points to a more general concern with brand damage that was mentioned by many interviewees as an incentive to invest in security. With few exceptions, these ISPs want to present themselves as responsible businesses (Arbor Networks, 2007) providing safe services for their customers. A related incentive is the reputational benefits of offering security services. It is unclear how strong this incentive is. Even if customers care about security, most will find it very difficult to assess the security performance of one ISP relative to its competitors. Nevertheless, the more significant finding here is that whether ISPs really care about bad publicity or not, being blacklisted has direct effects on their operating costs as well as their quality of service. The latter may in fact drive customers away. As one industry insider described it: ‘A high cost action is to investigate each complaint rigorously. A different kind of high cost action is to do nothing’.

4.4. Costs of infrastructure expansion

An incentive that was more difficult to gauge is the effect of malware on the capital expenditures of the ISP – that is, the need to invest in infrastructure and equipment as more spam or malware comes through the network. ISPs have two principal options: to expand the network and accommodate the additional traffic or to invest in defensive measures such as filters. A rational ISP will choose the least-cost approach, which could be a hybrid strategy, combining accommodating and defensive investment. A recent survey found that botnet-based denial of service attacks are growing faster in size than the ISPs are expanding their networks – to the worry of the ISPs (Arbor Networks, 2007).

Interestingly, malware-related infrastructure expenditures – apart from the costs of security equipment – were mostly seen as unimportant during our interviews. The interviewees may be suffering from the ‘fallacy of the near’. ISP employees dealing with security-related issues mention customer contact as their biggest cost because they are focused on the security budget, which includes the abuse desk as well as security-related customer support. To them the infrastructure cost ‘is just a number their accountant writes on a check every month’. However, infrastructure is a major overall cost for any ISP, so any effect of malware on capital expenditures could potentially outstrip other expenditures. These costs do not gradually increase with the amount of malware and spam, but rather as a step function when capacity runs out. It is very difficult to relate these expenditures, decided upon by other parts of the organization, back to specific traffic patterns of spam and malware infections. In terms of incentives, however, this lack of awareness implies that infrastructure cost is not a strong driver of the attempts of ISPs to reduce the impact of malware.

4.5. Benefits of maintaining reciprocity

An incentive that was mentioned by all interviewees is related to the informal networks of trusted security personnel across ISPs, CSIRTs and related organizations – which we mentioned earlier. When describing how their organization responded to security incidents, interviewees would refer to personal contacts within this trust network that enabled them, for example, to get another ISP to quickly act on a case of abuse. These contacts are reciprocal. They are also contacted about abuse in their own network and are expected to act on that information. To maintain reciprocity, an ISP has to treat abuse complaints seriously, which is costly. The more abuse takes place on its network, the more other contacts in the network will ask for intervention. Maintaining reciprocity not only establishes the informal network as a security resource, it also reduces the likelihood of being hit with blacklisting or other countermeasures. As one interviewee explained: ‘What enforces security on a service provider is threats from other service providers’. One ISP security officer told us that the informal contacts imply cost savings. Less staff time is needed to deal with the fallout of a security incident – e.g., going through time-consuming procedures to get off blacklists – and to deal with customer support.

4.6. Costs of security measures

So far we have discussed incentives that reinforce the benefits of security for ISPs with regard to malware. The incentive structure is mixed, however, and includes disincentives as well. An obvious disincentive is the cost of additional security measures. Typically, the tradeoff is between the direct costs of additional measures, which are visible in the short term, and the more diffuse costs caused by increasing security problems, such as customer support and abuse management. We should mention, however, that the ISPs’ decisions often were not shaped by formal economic assessments or detailed analysis of their own cost structures. As one insider phrased it, ‘ISPs very much drive by the seat of their pants. Except for a very few of the largest ones, they are not actually examining the figures’.

4.7. Legal risks and constraints

Another disincentive is related to legal constraints. During the interviews, the European ISPs had different answers to the question of how much manoeuvring space the ‘mere conduit’ provision of the EU E-Commerce Directive allowed them. Monitoring their network more closely for security reasons could potentially lead to liability issues. If the ISP’s monitoring reveals, for example, file sharing traffic of pirated materials, they may be forced to act upon this information to avoid claims from owners of intellectual property rights and organizations representing them.

In some EU countries, interviewees reported that privacy regulations that potentially treat IP addresses as private data had led their legal departments to set boundaries which limited the ability of security staff to track malicious activity on their network – for example with regard to tracking individual IP addresses. One interviewee reported that security staff were sometimes not allowed to use information on malicious activity detected on the network. Some legal experts argued that these legal risks are non-existent, that they are based on an incorrect understanding of current legislation. While that might be true, the reality is that the ISPs’ legal departments tend to be rather risk averse in dealing with this ambiguity. The transaction costs of clarifying these issues are, ceteris paribus, an obstacle to higher security.

4.8. Cost of customer acquisition

Other disincentives are closely related to the incentives we discussed earlier. An interviewee at a large ISP mentioned concern about brand damage as the reason why the business side of the company initially opposed blocking port 25 on their network, a security measure to curb outgoing spam traffic: management did not want to inconvenience customers. Anything that might turn people away is a problem, because the cost of acquisition of new customers is high. The burden of proof fell on the security staff to convince management that the proposed measures were protecting the brand.

4.9. An overall assessment

The balance between incentives and disincentives will vary depending on the ISP. On the whole, recent years have witnessed increased efforts by ISPs in dealing with malware, even in the absence of regulation or other forms of public oversight. The incentive mechanisms we discussed strengthen the ISP’s interest to internalize at least some security externalities originating from their customers as well as from other ISPs. In short, the current incentive structure seems to reward better security performance for legitimate market players – though it is sensible to keep in mind that in many countries price competition is intense, which is a disincentive with regard to security, other things equal.

Some of the security-enhancing incentives discussed above work as disincentives under different business models than those of the ISPs we interviewed. Another business model is sometimes referred to as ‘rogue ISP’, or ISPs that are, in the words of one interviewee, ‘decidedly grey’. These attract customers precisely because of their lax security policies (a recent example is Triple Fiber Network of San Jose, California, shut down by the U.S. Federal Trade Commission in June 2009). While these ISPs have more disincentives for improving security than the ones we interviewed, they are not fully immune against some of the security-enhancing incentives we discussed earlier, most notably blacklisting. An additional incentive for non-responsive ISPs is the pressure put on them by their upstream providers – the ISP ‘who feeds them the Internet’, as one respondent phrased it – or by the providers with whom the ISP exchanges traffic at peering points. If an ISP were de-peered, the disconnected ISP would have to buy transit service for its traffic, and therefore incur much higher operating costs.

How, then, to explain the rise of botnets? There are two important factors that limit the extent to which ISPs mitigate the security externalities generated by their customers. First, ISPs see and respond to only a fraction of the infected machines. Second, even if an ISP were technically able to identify and isolate most of the infected machines, the customer support and other costs of such a comprehensive approach are currently prohibitive. We briefly discuss these factors.

The ISPs only deal with these malware problems in so far as they themselves suffer consequences from the end user behaviour, e.g., by facing the threat that a significant part of their network gets blacklisted. Only a few percent of all infected machines show up in abuse notifications and get acted upon. One interviewee called this ‘the 2% rule’. A related issue is that the incentives of ISPs do not reflect the whole range of current malware threats. ISPs are predominantly sensitive to malware that manifests itself in ways that make their customers call in, lead to abuse notifications or cause problems with blacklisting. That means spam proxies and DDoS attacks attract attention and raise costs, while spyware, for example, does not: ‘People get infected and it is very difficult to track them. Spam and DDoS is noticeable at the network level. But spyware stays on the computer, quietly collecting data’. Others have argued that many ISPs are failing to prohibit the forging or spoofing of IP addresses by hosts as well as failing to filter outgoing traffic from IP addresses they are not authorized to originate from.

Those security problems that are noticeable for the ISP will not always get addressed, either. Several ISPs mentioned ‘thresholds’ of malware effects, which needed to be crossed before the company would act on an infected machine of a customer. Even then, the situation is often anything but straightforward. ‘The issue is, how do you help the people that are infected, given the current state of the security products in the market place? We see the traffic, we know there’s something wrong, but how do you find what it is with the current products? It’s very hard ... about 85–90% of the malware is not recognized by AV products, because a small change is enough to dodge the signature’.
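
The egress filtering mentioned two paragraphs above (dropping outgoing traffic whose source address a customer is not authorized to originate from) and the intervention ‘thresholds’ described here can be illustrated with a small source-address validation audit. It is added here as an example and is not code from the paper or from any ISP; the interface names, assigned prefixes and flow records are constructed, and the threshold values are assumptions.

```python
"""
Source-address validation at an ISP customer edge, run over flow records.

Each customer-facing interface is only allowed to originate packets from the
prefixes the ISP assigned to it (the idea behind BCP 38 ingress/egress
filtering). Packets that violate this are spoofed by definition and are a
common ingredient of reflection and flooding attacks the paper groups under
DDoS. The audit below counts such packets per interface and then applies an
intervention threshold of the kind the interviewed ISPs describe.
"""
import ipaddress
from collections import defaultdict

# Constructed (hypothetical) assignment: interface -> prefixes it may source.
ASSIGNED_PREFIXES = {
    "cust-a": ["198.51.100.0/24"],
    "cust-b": ["203.0.113.0/25", "203.0.113.128/26"],
}

# Constructed flow records: (ingress interface, source, destination, packets).
SAMPLE_FLOWS = [
    ("cust-a", "198.51.100.7", "192.0.2.10", 120),
    ("cust-a", "192.0.2.99", "192.0.2.10", 3000),   # not a cust-a address
    ("cust-b", "203.0.113.5", "192.0.2.53", 40),
    ("cust-b", "203.0.113.130", "192.0.2.53", 10),  # inside the /26
    ("cust-b", "203.0.113.250", "192.0.2.53", 5),   # outside both prefixes
    ("cust-c", "198.51.100.9", "192.0.2.53", 5),    # interface with no assignment
]


def build_acl(assignments):
    """Parse the prefix strings once so per-packet checks are containment tests."""
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in assignments.items()}


def is_authorized_source(acl, interface, src):
    """True if src lies in a prefix assigned to the interface it arrived on.

    Unparsable addresses and interfaces without an assignment fail closed:
    an ISP that cannot say where a packet may legitimately come from has no
    basis for forwarding it with that source.
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in acl.get(interface, []))


def audit_flows(flows, acl):
    """Per interface: total packets, packets with an unauthorized source,
    and the set of offending source addresses."""
    report = defaultdict(lambda: {"total": 0, "spoofed": 0, "sources": set()})
    for iface, src, _dst, packets in flows:
        entry = report[iface]
        entry["total"] += packets
        if not is_authorized_source(acl, iface, src):
            entry["spoofed"] += packets
            entry["sources"].add(src)
    return dict(report)


def interfaces_to_escalate(report, min_packets=100, min_fraction=0.5):
    """Apply an assumed intervention threshold: only interfaces whose spoofed
    traffic is both a large share and a non-trivial volume are handed to the
    abuse desk. Low thresholds raise customer-contact cost; high ones leave
    spoofing in place, which is the trade-off the paper describes."""
    flagged = []
    for iface, entry in sorted(report.items()):
        share = entry["spoofed"] / entry["total"] if entry["total"] else 0.0
        if entry["spoofed"] >= min_packets and share >= min_fraction:
            flagged.append(iface)
    return flagged


if __name__ == "__main__":
    acl = build_acl(ASSIGNED_PREFIXES)
    report = audit_flows(SAMPLE_FLOWS, acl)
    for iface, entry in sorted(report.items()):
        print(f"{iface}: {entry['spoofed']}/{entry['total']} packets with "
              f"unauthorized source {sorted(entry['sources'])}")
    # cust-c is 100% spoofed but below the volume floor, so only cust-a is flagged.
    print("escalate:", interfaces_to_escalate(report))
```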

Several ISPs explained that they were at some stage of implementing technology that would automate the process of monitoring malicious behaviour on their network and quarantining the infected machines. While such technologies help to scale up the ISP’s response, they also bring into focus a critical bottleneck: the costs of customer support would become prohibitive if all infected machines were quarantined. A security officer at a large ISP estimated that the number of customers affected at any time would be in the tens of thousands. While this number might go down over time as network security improves, it was obvious that management would not accept the enormous cost impacts of such a measure.

Typically, the number of machines that are isolated on a daily basis is relatively modest – tens or, for large ISPs, perhaps hundreds of machines. At this scale, the effort is effective in that it reduces the ISP’s problems with abuse and blacklisting. But compared to estimates of the total number of infections on each network, these efforts look rather pale. One security expert was highly critical of the effectiveness of the efforts by ISPs: ‘Unless they are contacting more than 10% of their customer base on a monthly basis, they are effectively taking no action’.


In short, whereas the combined incentive structures of end users and ISPs may reduce the problems, they nonetheless allow the emergence of large-scale botnets, which generate security externalities for the rest of society that, for the most part, go unmitigated.

5. Implications for policy

The potential for future disasters has given rise to an increasingly controversial debate on the appropriate policy response. Until now, government policies have focused on user awareness campaigns, better international collaboration among law enforcement agencies, public-private information sharing and better data collection on security problems. While useful, these measures have proven ineffective at reducing the threats posed by botnets.

The last few years have witnessed a controversial debate over new policy options. Proponents of an economic approach to Internet security have advocated measures like publishing data on the security performance of ISPs, introducing product liability for software vendors, regulating minimum security standards for hardware vendors, and imposing statutory fees on ISPs that do not act against compromised machines (e.g., Anderson, Böhme, Clayton, & Moore, 2008). All of these measures set out to re-align the market incentives to internalize or mitigate security externalities, so as to enhance Internet security. While these proposals are an important and innovative contribution to moving beyond the current ineffective policies, there are many possible complications associated with most of these measures. Researchers in this area have a tendency to treat issues of institutional design as rather trivial. That is to say, they assume that the models indicate what market design is optimal, that this design can be brought into existence at will and that actors will behave according to the model’s assumptions. If the past decade of economic reforms – including privatization, liberalization and deregulation of information and communication industries – and economic crisis has taught us anything, it is that designing markets is highly complicated and sensitive to the specific context in which the market is to function. It cannot be based on formal theoretical models alone. Institutional design requires an in-depth empirical understanding of current institutional structures and their effects on outcomes.

If this debate were not already complicated enough, botnets are increasingly portrayed as a threat to national security (e.g., CSIS, 2008). Rather than treating them as a versatile tool for criminal activity, which has been the dominant approach up until now, the threat environment is extended to include botnets as an important weapon for military and terrorist purposes. These perspectives are not mutually exclusive. In fact, the national security perspective readily subsumes the threats posed by crime, only to argue that there are even worse scenarios to take into account.

To a certain extent both perspectives can be correct at the same time. Incidents like those in Georgia and Estonia inextricably combine criminal resources and terrorist purposes. What makes the overlap so problematic, however, is that the two perspectives lead to very different and conflicting policies, both in terms of goals and of means.

The law enforcement perspective acknowledges that it is economically rational to tolerate a certain level of insecurity. All markets are afflicted with a certain level of crime. The costs of higher security have to be weighed against the benefits. This can lead to counter-intuitive outcomes. A brief example will have to suffice (for a more detailed discussion, see Van Eeten & Bauer, 2008). For several years, there have been ongoing and successful malware-based attacks against banks and credit card companies. It would not be difficult or necessarily very costly for financial institutions to raise the security of online payment services. The problem is that the opportunity costs are estimated to be much higher than the fraud that is prevented through such measures. The financial institutions have a strong incentive to increase their online transaction volume – banks because of cost savings associated with having customers conduct transactions online rather than through other channels; credit card companies because each transaction earns them a fee. Any security measure that would raise the threshold for consumers to use these services would reduce these benefits. Financial institutions have found that it is currently more efficient to compensate the losses of customers who are victims of fraud, rather than increase the security in ways that would impede the usability of these services. Society as a whole also benefits from these substantial efficiency gains, as long as financial institutions can compensate the actual damage while still improving their profits. In short, from this perspective, the goal of policies should be to reach the optimal level of insecurity in light of the actual damage and the costs, including opportunity costs, of reducing it further. The way to find these levels is to make sure the market incentives are aligned appropriately. This logic assumes without further examination that all risks are appropriately accounted for by the stakeholders.

Contrast this to the national security approach. Here, it is not actual damage that is leading but potential damage – where potential typically implies thinking in terms of worst-case scenarios. And the worst-case scenarios are pretty bleak – as in massive economic and social destabilization. So bleak, in fact, that the only possible response is to prevent such events. Where fighting crime allows for trial and error, national security has to prepare for the worst. Where fighting crime can look at averages or a run of cases, ensuring national security has to meet every last threat. Of course, the current status quo is by no means prepared for the worst. No wonder, then, that proponents of this view are quick to call the governance model of self-regulation, dominant up until now, a failure and to dismiss ‘the market’ for having failed to ensure security.

A closely related argument is to point out that cyber security is a public good, which implies that without government intervention, it will not be produced (e.g., Lewis, 2005). Of course, law enforcement also implies government involvement, but the subtext here is that the government needs to step up and intervene in much more consequential ways.

Underlying these two approaches are two different views on what it means to ensure security. The difference between them is analogous to a critical distinction from the field of reliability theory, namely between marginal reliability and precluded-event reliability. Adapting these two approaches to the realm of cyber security, we can see why the issue of botnets leads to such controversy when it comes to their implications for policy (see Table 1).

Both approaches imply their own problems. Treating botnets as a problem of national security tends to militarize issues that, so far, primarily concern organizations and individuals, not nations. It subordinates the interests of these organizations and individuals to rather unbounded notions of national interests. To put it differently, rather than interventions based on actual costs and benefits of (in)security for societal actors, the interventions would be driven by the potential costs to society of attacks that have not yet occurred. The word ‘benefits’ is missing from the last part of that sentence because they rarely seem to play a role in national security when considering policy options. Yet, we know that there are dramatic benefits associated with precisely those properties of the Internet that have made it so vulnerable.

In more general terms, this argument has been developed by Zittrain (2008, p. 8). It is precisely the ability of current PCs to run ‘arbitrary code’ that makes them a generative technology while at the same time rendering them vulnerable to malicious code. He states: ‘[T]he same qualities that led to [the success of the Internet and general-purpose PCs] are causing [them] to falter. This counterrevolution would push mainstream users away from the generative Internet that fosters innovation and disruption, to an appliancized network that incorporates some of the most powerful features of today’s Internet while greatly limiting its innovative capacity – and, for better or worse, heightening its regulability’. Not without hyperbole, he calls this scenario ‘the end of the Internet’.

On the other hand, the Achilles’ heel of an approach based on marginal security lies in scenarios of low probability and high consequence. Given the dependence of all aspects of global society on the Internet and electronic communications in general, widespread and extended failure would have catastrophic consequences. That such a pervasive failure or technological terrorism has not yet happened and has a low probability complicates the formulation of a response. Like other events with a low but non-trivial probability, it could be considered a ‘black swan’ event (Taleb, 2007). Cost–benefit analysis of such catastrophic events would help in shaping more rational responses but it is extremely difficult. Complications include the choice of an appropriate time horizon, the quantification of the risk in question, problems of monetizing a wide range of qualitative impacts, and the determination of social discount rates applied to monetized future events (Posner, 2004). Nonetheless, devising an overall Internet security policy would greatly benefit from such an exercise.

Even if such a broad assessment of the costs and benefits of cyber security will need additional work, it is possible to ask whether decentralized stakeholder decisions are the most effective way of dealing with the problem. The case studies in Van Eeten and Bauer (2008) have revealed many instances in which the responses of individual players in the ICT value net are only partially effective at best. Whereas feedback mechanisms, such as blacklisting and reputation effects, are working, in many cases they are insufficient to internalize the costs and broader societal risks into private security decisions. This internalization is most effective in cases where specific services are at work and most costs and benefits are borne by the parties involved, as discussed in the case of financial institutions. Even in those cases, though, the costs of achieving a desired level of security are increased by actions or omissions by players in other segments of the value chain.

Table 1. Marginal and Precluded-Event Security

Variable      Marginal security            Precluded-event security
Context       Efficiency                   Social dread
Risk          Localized                    Widely distributed
Damage        Actual damage                Potential damage
Standards     Average or run of cases      Every last case
Learning      Trial-and-error learning     Formal learning with limited trial and error
Calculation   Marginal (variable cost)     Non-fungible (fixed requirement)
Orientation   Retrospectively measured     Prospectively focused
Control       Probabilistic                Deterministic

Adapted from Roe and Schulman (2008, p. 53).

Over the next few years, as the new security policies for the Internet take shape, a balance will have to be struck between these competing approaches. Internalization by individual players is more difficult in the generative areas of the Internet that provide general-purpose platforms for a plethora of applications and services. In these cases, both benefits and costs of actions are disseminated widely and a matching of social costs and benefits via individual decisions is unlikely. Such balancing is also unlikely in the case of catastrophic risks that might affect cyberspace. Some form of collective action may hence be needed to augment the existing resilience of the Internet. However, great care has to be taken that any such measure does not inadvertently reduce the existing level of resilience. The challenge will be to find ways to enhance security while protecting the aspects of the Internet that are fuelling its innovative prowess. Ways to improve the security of the core infrastructure are well known but will not be implemented unless some form of collective agreement is found and enacted. Likewise, complementary ways to strengthen the legal and regulatory environment to more effectively act against perpetrators will likely be needed. In all these cases, carefully designed policies might be able to improve the incentives of the players to make decisions more closely aligned with a societal optimum.

Notes

1. See Van Eeten and Bauer (2008) for the full report and OECD (2009), in particular Part II.

2. It should be noted at this point that blacklisting, while potentially powerful, has drawn its own criticisms – regarding, among other things, vigilantism of blacklist operators, listing false positives, the collateral damage that may come with blacklisting certain IP addresses or ranges, and the financial motives of some list operators. Furthermore, blacklists have been subject to legal challenges. Spammers were, for example, on occasion successful in obtaining court verdicts against being blacklisted (Bangeman, 2006; Heidrich, 2007). Here, we focus on how blacklisting works as an incentive for ISPs.

References

Anderson, R., Böhme, R., Clayton, R. and Moore, T. (2008), Security Economics and the Internal Market, European Network and Information Security Agency (ENISA), Crete. Available at http://www.enisa.europa.eu/act/sr/reports/econ-sec/economics-sec (accessed 14 October 2009).

Anderson, R. and Moore, T. (2006), ‘The Economics of Information Security’, Science, Volume 314, pp. 610–613.

Anonymous (2006), ‘Internet faces new attacks’, International Herald Tribune, 16 March 2006. Available at http://www.iht.com/articles/2006/03/16/business/net.php (accessed 14 October 2009).

Arbor Networks (2007), Worldwide Infrastructure Security Report, Volume III. Available at http://www.arbornetworks.com/report

Bangeman, E. (2006), Court Likely to Order ICANN to Suspend Spamhaus’ Domain, Ars Technica. Available at http://arstechnica.com/news.ars/post/20061009-7938.html (accessed 14 October 2009).

BBC News (2007), ‘Google searches web’s dark side’, BBC News. Available at http://news.bbc.co.uk/2/hi/technology/6645895.stm (accessed 14 October 2009).

Clover, C. (2009), ‘Kremlin-backed group behind Estonia cyber blitz’, The Financial Times. Available at http://www.ft.com/cms/s/0/57536d5a-0ddc-11de-8ea3-0000779fd2ac.html (accessed 14 October 2009).

CSIS (2008), Securing Cyberspace for the 44th Presidency: A Report of the CSIS Commission on Cybersecurity for the 44th Presidency. Available at http://csis.org/files/media/csis/pubs/081208_securingcyberspace_44.pdf (accessed 14 October 2009).

Davis, J. (2007), ‘Hackers Take Down the Most Wired Country in Europe’, Wired Magazine 15. Available at http://www.wired.com/politics/security/magazine/15-09/ff_estonia (accessed 14 October 2009).

ENISA (2006), Provider Security Measures Part 1: Security and Anti-Spam Measures of Electronic Communication Service Providers – Survey, European Network and Information Security Agency, Crete. Available at http://www.enisa.europa.eu/act/it/oar/anti-spam-measures/studies/provider-security-measures-1/ (accessed 14 October 2009).

Espiner, T. (2007), VeriSign: DoS Attack Could Shut Down Internet, ZDNet.co.uk. Available at http://news.zdnet.co.uk/security/0,1000000189,39289635,00.htm (accessed 14 October 2009).

Gordon, L. A. and Loeb, M. P. (2004), ‘The Economics of Information Security Investment’, in Camp, L. J. and Lewis, S. (eds), Economics of Information Security, Kluwer Academic Publishers, Dordrecht, pp. 105–128.

Heidrich, J. (2007), IP-Blacklisting zur Spam-Abwehr kann rechtswidrig sein, Heise Online. Available at http://www.heise.de/newsticker/meldung/97568 (accessed 14 October 2009).

House of Lords (2007), Science and Technology Committee, 5th Report of Session 2006–2007, Personal Internet Security, Volume I: Report, Authority of the House of Lords, London. Available at http://www.publications.parliament.uk/pa/ld200607/ldselect/ldsctech/165/165i.pdf (accessed 14 October 2009).

ICANN (2007), Factsheet: DNS attack, ICANN Blog. Available at http://blog.icann.org/2007/03/factsheet-dns-attack/ (accessed 14 October 2009).

Jakobsson, M. and Zulfikar, R. (eds.) (2008), Crimeware: Understanding New Attacks and Defenses, Addison-Wesley Professional, Upper Saddle River, NJ.

Kirk, J. (2008), Student fined for attack against Estonian Web site, InfoWorld. Available at http://www.infoworld.com/article/08/01/24/Student-fined-for-attack-against-Estonian-Web-site_1.html (accessed 14 October 2009).

Kunreuther, H. and Heal, G. (2003), ‘Interdependent Security’, Journal of Risk and Uncertainty, Volume 26, Number 2, pp. 231–249.

LaRose, R., Rifon, N., Liu, S. and Lee, D. (2005), Understanding Online Safety Behavior: A Multivariate Model, International Communication Association, New York. Available at http://www.msu.edu/~isafety/papers/ICApanelmult21.htm (accessed 14 October 2009).

Lemon, S. (2006), Ten Security Trends Worth Watching, NetworkWorld. Available at http://www.networkworld.com/news/2006/101806-hitb-ten-security-trends-worth.html (accessed 14 October 2009).

Lesk, M. (2007), ‘The New Front Line: Estonia Under Cyber Assault’, IEEE Security and Privacy, Volume 5, Number 4, pp. 76–79.

Lewis, J.A. (2005), ‘Aux Armes, Citoyens: Cyber Security and Regulation in the United States’, Telecommunications Policy, Volume 29, Number 11, pp. 821–830.

Markoff, J. (2008), ‘Cyber Attack Preceded Invasion: Georgia’s Web Infrastructure Hit, But Was it Russia?’, Chicago Tribune. Available at http://archives.chicagotribune.com/2008/aug/13/business/chi-cyber-war_13aug13 (accessed 14 October 2009).

OECD (2009), Computer Viruses and Other Malicious Software, Organisation for Economic Co-operation and Development, Paris.

Perrow, C. (2007), The Next Catastrophe: Reducing Our Vulnerabilities to Natural, Industrial, and Terrorist Disasters, Princeton University Press, Princeton, NJ.

Posner, R.A. (2004), Catastrophe: Risk and Response, Oxford University Press, New York, NY.

Reid, T. (2007), China’s cyber army is preparing to march on America, says Pentagon, Times Online. Available at http://technology.timesonline.co.uk/tol/news/tech_and_web/the_web/article2409865.ece (accessed 14 October 2009).

Roe, E. and Schulman, P. (2008), High Reliability Management: Operating on the Edge, Stanford University Press, Palo Alto.

Sanger, D.E. and Shanker, T. (2009), ‘Pentagon Plans New Arm to Wage Cyberspace Wars’, New York Times. Available at http://www.nytimes.com/2009/05/29/us/politics/29cyber.html?_r=3&ref=us (accessed 14 October 2009).

Sevastopulo, D. (2008), ‘US Military Raises Alarm on Cyber Attacks’, The Financial Times. Available at http://www.ft.com/cms/s/0/6fc0b3a4-efc7-11dc-8a17-0000779fd2ac.html (accessed 14 October 2009).

Shachtman, N. (2008), Estonia, Google Help ‘Cyberlocked’ Georgia, Wired.com. Available at http://www.wired.com/dangerroom/2008/08/civilge-the-geo/ (accessed 14 October 2009).

Taleb, N.N. (2007), The Black Swan: The Impact of the Highly Improbable, Random House, New York, NY.

US GAO (2007), Cybercrime: Public and Private Entities Face Challenges in Addressing Cyber Threats, United States Government Accountability Office, Washington, D.C. Available at http://www.gao.gov/new.items/d07705.pdf (accessed 14 October 2009).

Van Eeten, M. and Bauer, J.M. (2008), Economics of Malware: Security Decisions, Incentives and Externalities, OECD STI Working Paper 2008/1, OECD, Paris. Available at http://www.oecd.org/dataoecd/53/17/40722462.pdf (accessed 14 October 2009).

Weber, T. (2007), ‘Criminals “may overwhelm the web”’, BBC News. Available at http://news.bbc.co.uk/2/hi/business/6298641.stm (accessed 14 October 2009).

Zittrain, J. (2008), The Future of the Internet: And How to Stop It, Allen Lane, London.
