Emerging Threats to Internet Security: Incentives, Externalities and Policy Implications
Article in Journal of Contingencies and Crisis Management · November 2009
DOI: 10.1111/j.1468-5973.2009.00592.x
All content following this page was uploaded by Johannes M. Bauer on 28 September 2017.
Michel van Eeten* and Johannes M. Bauer**
*Faculty of Technology, Policy and Management, Delft University of Technology, P.O. Box 5015, 2600GA, Delft, The Netherlands. E-mail: [email protected]
**Department of Telecommunication, Information Studies, and Media; Quello Center for Telecommunication Management and Law, Michigan State University, 417 Communication Arts and Sciences, East Lansing, MI, 48824-1212, USA. E-mail: [email protected]
Somewhere around 10% of all machines connected to the Internet are thought to be
infected with malicious software. This has allowed the emergence of so-called ‘botnets’ –
networks of sometimes millions of infected machines that are remotely controlled by
malicious actors. Botnets are mostly used for criminal purposes, but they also enable
large-scale failures that might even reach disastrous proportions. We explain the rise of
botnets as the outcome of the incentive structures of market players and present new
empirical evidence on these incentives. The resulting externalities require some form of
voluntary or government-led collective action. Our findings have implications for the
controversial debate on the appropriate policy measures, where two perspectives on
cybersecurity fight for dominance: national security and law enforcement.
1. Introduction
The Internet – sometimes referred to as the ‘most
complex machine ever built’ (Lemon, 2006) – has
achieved a remarkable track record in terms of reliability
and disaster resistance. We have yet to witness
the first large-scale ‘blackout’ of the Internet as a
network. Charles Perrow, not exactly the most optimistic
of risk researchers, recently summarized this
track record as consisting of ‘only small, sporadic
failures that are more annoying than consequential’
(2007, p. 277). He holds up the Internet as a blueprint
for other critical infrastructures. Of course, there are
occasional reports of backbone connection failures in
geographical regions that have limited connections to
the rest of the world. While painful for those in the
affected regions, these events are considered marginal
in comparison with the overall size of the network and
its traffic.
Other assessments, however, strike quite a different
tone. In fact, there are those who claim that a digital
Pearl Harbour is about to strike. If recent security
research is correct, about 10-20% of all connected
machines are currently used for attacking the Internet
(BBC News, 2007; House of Lords, 2007; Weber, 2007).
The fact that the owners of these machines do not
know their machines are compromised by malicious
software – so-called ‘malware’ – is actually part of the
problem. Malware may be distributed and used in many
ways, including email messages, USB devices, infected
websites, malicious advertising, and browser vulnerabilities
(Jakobsson & Zulfikar, 2008).
The massive number of compromised machines
currently connected to the Internet has allowed the
emergence of so-called ‘botnets’ – networks of thousands
or even millions of infected machines that are
remotely controlled by a ‘botnet herder’ and used to
launch malicious attacks. These botnets enable malicious
actors to trigger large-scale failures that might
even reach disastrous proportions.
© 2009 Blackwell Publishing Ltd. Journal of Contingencies and Crisis Management, Volume 17, Number 4, December 2009
The examples of such attacks are numerous. In April
and May 2007, members of a Kremlin-backed youth
movement used a variety of botnets to effectively
disconnect the country of Estonia – ‘the most wired
country in Europe’, according to Wired.com – from the
Internet (Davis, 2007; Kirk, 2008; Clover, 2009). NATO
was called in for assistance.
In September 2007, the chief security officer of
VeriSign, the company that operates the .com and
.net registries, said that the Distributed Denial-of-
Service (DDoS) attacks on their servers were growing
fast and if these attacks succeeded, they would ‘effectively
shut down the Internet’ (Espiner, 2007). At an
earlier occasion, he called the predicted size of the
upcoming attacks ‘the Katrina of Internet storms’
(Anonymous, 2006). The registries are part of the
Domain Name System (DNS) – a set of critical Internet
resources that translate domain names into the IP
addresses needed for Internet communications. Another
part of the DNS, the so-called root name servers
at the top of the hierarchy, have also been under
increasingly powerful attacks since 2002 (ICANN,
2007).
In July 2008, preceding a Russian military invasion,
botnets were used to render Georgian governmental
and news websites inoperable (Markoff, 2008). During
the prolonged attacks, some of the victims moved their
operations to other locations. One newspaper set up a
Blogspot account, which is hosted on Google’s massive
infrastructure and therefore more resilient to attacks.
Other sites moved to Estonia, which offered to help
after having suffered a similar fate. One security expert
observed that Georgia was in effect ‘cyberlocked’, as it
relied heavily on connections to the rest of the world
that ran through hostile territory – i.e., Russia (Shachtman,
2008).
Botnets are predominantly used for criminal purposes
rather than for terrorist or military attacks. They
are currently the main vehicle for global spam distribution,
for hosting phishing websites to attack financial
institutions, for click fraud, for denial-of-service attacks
that try to extract ransom from their victims, and other
forms of perpetration (OECD, 2009). Estimates of the
total annual damage of Internet security incidents vary
wildly, but often run into the tens of billions of US
dollars per year for the United States alone (e.g., US
GAO, 2007) – typically the range of impacts that we
associate with a disaster.
The boundary between crime and national security
is, however, increasingly blurred. The attacks in Estonia
and Georgia demonstrate that it is difficult to tell who is
behind an attack: private individuals, organizations or
nation states. More importantly, these attacks employed
existing botnets set up for criminal purposes
to attack nation states, turning a problem of crime into
one of national security. This has profound implications.
When criminal resources are powerful enough for
successful attacks on national security, the range of
attackers and threats expands dramatically. A US General
in charge of ‘offensive and defensive cyber operations’
said: ‘We can have a bored 16-year-old do damage
to our networks. It is not just the nation state that you
worry about. You worry about activities from an
individual to an organization like al-Qaeda to a nation
state’ (Sevastopulo, 2008).
In a technical sense, the attacks on Estonia and
Georgia were modest in size. The effects were so
severe because of the limited connectivity of both
countries. Given the large-scale criminal computing
infrastructure currently available, it is not difficult to
see how such attacks could be scaled up to a level that
worries countries with more advanced Internet infrastructure.
To compare: the Estonia attacks were estimated
to have cost a few thousand US dollars, should
they have been executed through rented botnets (Lesk,
2007). In other words, even with limited financial
means, large-scale attacks appear possible. It turns
out to be very difficult to identify who is behind the
attacks, as evidenced by the recent attacks on US
governmental resources coming out of Chinese networks
(Reid, 2007). They could be state-sponsored
or not.
These developments have given rise to a wide range
of predictions about future disasters, including, but not
limited to: massive crime waves that thwart the growth
of the online economy; sweeping DDoS attacks rendering
critical Internet resources inoperable; malware
pandemics that, like the large worm outbreaks of the
early 2000s, cause widespread damage to businesses
around the world; targeted attacks by terrorists or
enemy states that cause large-scale disruption of power
grids, communication networks and banking systems
(e.g., CSIS, 2008).
In the United States, as elsewhere, cyber security has
recently moved to the top of the policy agenda.
President Obama has announced a new military command
for cyberspace within the Pentagon, as well as a
White House office responsible for coordinating private
sector and government defenses against the daily
cyber attacks mounted against the United States
(White House, 2009). Such attacks are largely conducted
by hackers, though sometimes foreign governments
are suspected to be involved (Sanger & Shanker,
2009).
At the centre of many scenarios leading to such
potential future disasters are botnets – in other words,
the millions of infected machines of home and business
users. This paper sets out to explore the causes of
these risks and asks how to deal with them in light of
potential future disasters. To explore the causes, we
identify the incentives of end users and Internet Service
Providers (ISPs) when dealing with infected machines.
This approach builds on a dominant theoretical development
in the field of information security, which
employs economic concepts to understand security
failures. We find that the incentives under which end
users and ISPs operate explain the emergence of
botnets and thus generate information security problems
for society at large. A large part of these
problems constitutes an ‘externality’, a cost imposed
on stakeholders by the actions of other stakeholders,
for which they have no recourse to compensation. The
concluding part of the paper addresses the question of
how to deal with these externalities. Two fundamentally
different regimes of security are possible: precluded-
event security and marginal security. Some policies to
address the risk of future disasters are compatible with
both regimes, while others will require painful decisions
with potentially disastrous consequences either way.
2. Security risks and incentives
What is causing the rise of botnets? One frequently
given answer points to the design flaws and vulnerabilities
that are ubiquitous in the software running current
Internet-connected devices. For example, many have
blamed the poor security performance of Microsoft
Windows, the dominant platform for PCs (e.g., Perrow,
2007). But over the past years, the response to this
question has changed. Rather than explaining security
threats as technological problems, they are increasingly
understood as the outcomes of incentive structures.
‘Over the past six years, people have realized that
security failure is caused at least as often by bad
incentives as by bad design’ (Anderson & Moore,
2006, p. 610). Incentives are the factors that agents,
be it individual decision-makers or organizations, take
into account when making decisions. Incentives can be
positively related to an objective such as information
security or they may be negatively related (‘disincentive’).
Agents make their decisions based on their
objectives, preferences, and constraints, which, in
turn, are shaped by the incentives perceived as relevant
in a situation.
Many instances of what could be conceived as
security failures are in fact the outcome of rational
economic decisions, based on the private costs and
benefits of security as perceived by the actors during
the timeframe considered in those decisions. As security
is costly, rational players will accept a certain level of
security breaches. However, there is an additional
aspect to the security issue. If the incentives of the
players in the value net do not properly reflect the social
costs and benefits of their security decisions, for
example, because of externalities or public good aspects
of security investments, such privately rational
decisions will systematically deviate from the social
optimum. Insufficient security investments may
manifest in slower diffusion rates of IT uses and the
associated opportunity costs to society. They may also
become visible as security failures, where an actor
makes a security decision that imposes costs on other
actors in the value network of information services,
which were not taken into account in the originating
decision.
We can see the power of incentive structures around
security threats everywhere. Consider the spreading of
viruses and other malware, for example. During the
second part of the 1990s, when the scale of virus
dissemination was rapidly increasing and countless
end users (home, corporate, governmental) were affected,
many ISPs argued that virus protection was the
responsibility of end users. The computer was their
property, after all. ISPs further argued that they could
not scan traffic coming through their e-mail servers
because that would invade the privacy of end users. Mail
messages were also considered property of end users.
Around 2001, this started to change, partly due to the
growth of broadband and always-on connections. The
distribution of viruses and worms had increased exponentially
and now the ISPs’ infrastructure was succumbing
to the load, requiring potentially significant
investment in network expansion. Facing these potential
costs, ISPs radically shifted their position in response.
Within a few years, a majority started to scan
incoming e-mail traffic and to delete traffic identified as
malignant. Apparently, message filtering had become a
lower-cost solution than infrastructure expansion. De
facto, ISPs reinterpreted the various property rights
associated with email – e.g. regarding ownership of
the message.
The rise of botnets is also tied to a specific set of
incentives. We explore these incentives for end users
and ISPs – the former because they own most of the
compromised machines that are recruited into botnets,
the latter because they are a critical intermediary that
connects end users to the wider network and, as such,
could mitigate the security threats posed by infected
machines. This analysis is based on the findings of
a qualitative empirical field study. In the course of
2007, a team of researchers from the Delft University
of Technology and Michigan State University conducted
41 in-depth interviews with 57 professionals of
organizations operating in networked computer environments
that are confronted with malware. Interviewees
represented a stratified sample of professionals
from different industry segments (e.g., hardware,
software, service providers, and users) in six countries
(Australia, Germany, the Netherlands, United Kingdom,
France, and the United States). Moreover, we interviewed
experts involved in the governance of information
security issues such as Computer Emergency
Response Teams and regulatory agencies. Based on
this unique and rich data, we identified and analysed
the consequences of the incentives relevant for key
players. 1
3. End users
Modern malware authors go to great lengths to minimize
the impact of their code on the infected machine.
Whereas the viruses and worms of several years ago
would typically visibly disrupt the compromised machine
itself, the current generation of malware not only
obscures its presence, but is often used to attack third
parties, rather than the infected host itself. This means
that the machine’s owner often has little incentive to
remediate this security problem, should s/he even be
aware of it. These incentives vary greatly with the type
of end user (businesses of different size, individual end
users), with some users opening security holes in the
value chain.
Large businesses (firms with 250 and more employees)
are a heterogeneous group. Many large business
users have adopted risk assessment tools to make
security decisions (Gordon & Loeb, 2004). Their
diligence will vary with size and possibly other factors
such as the specific products and services provided.
One particularly interesting industry is financial service
providers. This is a rather diverse sector, encompassing
different types of banks, credit card companies, mutual
funds, insurance companies, and many others. The rules
for each of these players differ in detail. Focusing
predominantly on merchant banks, Van Eeten and
Bauer (2008) concluded that these financial service
providers are to a considerable degree able to manage
risks emanating from their customer relations. However,
they need to make choices balancing enhanced
security and the growth of their electronic business. In
principle, they could use highly secure platforms to
conduct ecommerce transactions. However, such an
approach would likely have detrimental effects on users
as it decreases the convenience of conducting business.
Financial organizations thus face a trade-off between
higher security and migrating transactions to cost-
saving electronic platforms. Many financial service providers
offer compensation for losses incurred by their
customers from phishing or other fraudulent actions as
part of this overall security decision. This practice aligns
the incentives of the financial service provider with the
goal of improved security (as weaker security would
mean higher compensation costs), but it does not
generate appropriate incentives for individual users
(who will be held harmless by the banks). Businesses
other than financial service providers may often not be
in a position to manage externalities associated with
their clients. Therefore, more significant deviations
between private incentives and social effects may exist,
resulting in a sub-optimally low level of security investment
by these firms.
Two other groups of players that deserve mentioning
are small and medium enterprises (SMEs, typically defined
as enterprises with fewer than 250 employees,
including microenterprises) and residential users.
Although this is a large and diverse group, these players
are in several respects similar. Like other participants,
they work under multiple and potentially conflicting
incentives. Unlike larger businesses that may be able to
employ information security specialists, either in-house
or via outsourced services, many SMEs and residential
users have insufficient resources to prevent or respond
to sophisticated types of attacks. Many residential users
likewise underestimate their exposure and overestimate
their efficacy in dealing with risks despite an increasing
awareness of security threats (LaRose, Rifon, Liu, & Lee,
2005). Despite these similarities, one can assume that, in
general, businesses will employ a more deliberate,
instrumentally rational form of reasoning when making
security decisions. At the same time, even if end users
were to have a correct understanding of their exposure,
they may opt for a suboptimally low level of protection
because the benefits of security expenses will to a
considerable degree flow to other users (who benefit
from reduced exposure to security threats).
Individual businesses and users may suffer from the
perception that their own risk exposure is low, especially
if others protect their machines, the well-known
free rider phenomenon. On the other hand, given
increased information, a growing number of users in
this category is aware of the threat of being exposed by
breaches of information security. Thus, they realize to a
certain extent that they are the recipients of ‘incoming’
externalities. Overall, one can expect that on average
these classes of users will not be full free riders.
Whereas some individuals and SMEs may over-invest,
there is evidence that most will not invest in security at
the level required by the social costs of information
security breaches (Kunreuther & Heal, 2003). This
conclusion is corroborated by the observation that
many individual users do not purchase security services,
do not even use them when offered for free by an ISP
or a software vendor, and turn off their firewalls and
virus scanners regularly if they slow down certain uses,
such as gaming.
In sum, end users in the aggregate spend too little on
security; their decisions therefore enable the growth of
botnets, which impose costs on virtually every other
actor in the network. We now turn to the issue of how
ISPs are confronted with the consequences of the
security problems generated by their customers.
4. ISPs
Over the past years, it has turned out to be extremely
difficult to improve the security of end users. Given the
enduring problems around end user security and its
effects on the wider network, it seems inevitable that
attention would shift to other players in the ecosystem.
The role of ISPs in improving Internet security has been
a particular focus of recent debates.
While the term ISP is used to cover a variety of
businesses, typically ISPs are defined as providers that
offer individuals and organizations access to the Internet.
Many ISPs offer related services to their customers,
which is why the term sometimes refers to hosting
providers and content providers. We have focused our
analysis primarily on ISPs as access providers.
What incentives do ISPs have to reduce the problem
of malware? One view is: very few, if any. Recently, the
UK House of Lords Science and Technology Committee
published a report which states (House of Lords,
2007, p. 30): ‘At the moment, although ISPs could easily
disconnect infected machines from their networks,
there is no incentive for them to do so. Indeed, there
is a disincentive, since customers, once disconnected,
are likely to call help-lines and take up the time of call-
centre staff, imposing additional costs on the ISP’.
Notwithstanding such claims, most ISPs are in fact
increasing their efforts to fight malware. A survey from
the EU’s European Network and Information Security
Agency (ENISA) found that 75% of ISPs report that they
quarantine infected machines (ENISA, 2006). This figure
does not include any indication of the scale at which
ISPs are quarantining infected machines – a point to
which we return in a moment. All ISPs we interviewed
described substantial efforts in the fight against malware,
even though they are operating in highly competitive
markets and most countries do not have
governmental regulations requiring them to do so. All
of them were taking measures that were unheard of
only a few years ago. Most of the interviewees dated
this change to around 2003, when it became obvious
that it was in the ISPs’ own interest to deal with end
user insecurity, even though legally it was not their
responsibility. Several incentives help explain why the
ISPs see these efforts as being in their own interest.
4.1. Costs of customer support and abuse management
A key incentive for ISPs is the cost of customer support
and abuse management. A security officer of a smaller
ISP said: ‘The main [security-related] cost for ISPs is
customer calls’. The same view was expressed in minor
variations by several other interviewees. A medium-
sized ISP reported costs of 8 euros on average for an
incoming call to their customer center while an outgoing
call – for example, to contact a customer
regarding an infected machine – was estimated at 16
euros. The costs for email contact were similar. The
incentive here is that security incidents generate customer
calls, thus quickly driving up the costs of
customer care. The ISPs may not be formally responsible
for the customers’ machines; in reality many
customers call their ISP whenever there is a problem
with their Internet access. Regardless of the subsequent
response of the ISP, these calls increase their costs. An
interviewee at a large ISP emphasized that the customer
support desk was a substantial cost for the company
and that the number of calls was driven up by infections
of their customers’ machines. Almost all of the ISP’s
outgoing security-related calls had to do with malware.
Similar to customer contact, dealing with abuse
notifications drives up costs because it requires trained
staff. Tolerating more abuse on the network raises the
number of notifications that the ISP receives. Abuse
notifications can come through different channels, most
notably through email sent to the abuse desk – typically
[email protected] – and through the informal networks
of trusted security professionals that exist across
ISPs, CSIRTs and related organizations. The latter carry
more weight, as they come from known and trusted
sources, but all have to be dealt with in some form.
Many of these notifications are automated. Several ISPs
reported using the so-called AOL Feedback Loop,
which sends notifications of any emails that are reported
as spam by AOL recipients back to the administrator
of the originating IP address.
As with customer complaints, not all malware infections
will result in abuse notifications. One ISP reported
internal research into the degree in which notifications
adequately represented the size of the security problems
on their networks. The company found that only
a small percentage of the compromised machines it saw
on its network showed up in the notifications. Still, ISPs
notifying each other of security problems is an important
mechanism. In fact, in some cases, they are critical.
For the interviewed ISPs, customer contact and
abuse notifications constituted a positive incentive to
invest in security both at the network level and at the
customer level. One medium-sized ISP estimated it was
spending 1–2% of its overall revenue on security-
related customer support and abuse management.
This also helps to understand why more and more
ISPs are offering ‘free’ security software or ‘free’
filtering of email – that is, the costs of these services
are included in the subscription rate. One ISP described
how about four years ago the company started offering
virus filters for email as a paid service, but soon
thereafter decided to provide them for ‘free’: ‘After 6
months, all ISPs [offered these paid security services],
so it was no longer a unique selling point. Plus, we could
not get more than 10% of our customers to buy the
service . . . We did not actually do the math, but we
figured that by offering it to all our customers within
the current rate, we would be better off . . .. We already
paid the AV licence. If people have the option to pay for
it or not to pay for it, they do not’.
There is another way of responding to these incentive
mechanisms, however: Don’t respond to abuse
notifications and avoid customer contact altogether.
This attitude does save the ISP direct costs related to
security. Indeed, there is a class of so-called ‘rogue ISPs’
doing exactly this. However, non-response also has
negative repercussions such as the direct and indirect
costs of being blacklisted, which make it a less attractive
strategy for legitimate ISPs.
4.2. Costs of blacklisting
Blacklisting is a loosely used term typically referring to
ISPs’ practice of using so-called DNS Blacklists (DNSBL)
to filter incoming traffic. Mail servers, for example, may
be configured to refuse mail coming from specific IP
addresses, IP ranges or whole networks listed on a
DNSBL. Virtually all ISPs nowadays use blacklists. There
is a wide variety of blacklists available and ISPs may use
them in different combinations. Most of the lists are run
by volunteers and are free of charge to the user (though
their operations may be funded through external
sources). Each DNSBL has its own criteria for including
an IP address in the list and its own procedure for
getting an address off the list. Spamhaus, an international
non-profit organization funded through sponsors
and donations, maintains several well-known blacklists
– though they prefer the term block lists – which
they claim are used to protect over 600 million user
inboxes. 2
Blacklisting provides an incentive to invest in security
because it ties in with the incentives mentioned earlier.
It directly impacts the ISP’s business model. A security
officer at a large ISP explained that the expectation of
being blacklisted led to a much more proactive approach
to remove bots from the network, including the
purchase of equipment that automates the process of
identifying infected machines on the network. That ISP
contacted around 50 customers per day and, if a
customer did not resolve the problem, the connection
was suspended. When asked how they got the business
side of the company to approve this policy, he answered:
‘They hated it at first. But at the end of the day,
the media fallout by being cut off by AOL and MSN was
too big. The big ISPs, they use very aggressive [DNSBL]
listings. They take out whole IP ranges. We used to be
hit hard and entire ranges of our IP addresses were
blacklisted’.
Various levels of blacklisting are used to incite a
response from an ISP. At the lower end, we find
blacklisting of individual IP addresses, i.e., an individual
customer. This has ‘exactly zero impact on the ISP’, said
a security expert. Only when the number of blacklisted
IP addresses starts to accumulate might it get the ISP’s
attention. Blacklisting IP ranges and blacklisting outbound
mail servers are more powerful incentives. The
most extreme form is the blacklisting of an entire
network, i.e., all IP addresses of an ISP. This is only
used against ‘gray’ and ‘rogue’ ISPs who do not act
against spam.
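How a receiving mail server consults a DNSBL, and how far each listing level described above reaches into an ISP's address space, as an added example that is not part of the original article. The zone name `dnsbl.example`, the list entries, the ISP networks (RFC 5737 documentation addresses) and the level labels are constructed for illustration; the DNS query is replaced by a local lookup so the code runs offline.

```python
import ipaddress

ZONE = "dnsbl.example"  # hypothetical DNSBL zone, not a real list

# Constructed list entries (RFC 5737 documentation addresses).
LISTED = [ipaddress.ip_network(n) for n in (
    "192.0.2.77/32",     # a single customer address
    "198.51.100.0/26",   # an IP range
)]

# Constructed ISP: two customer networks and one outbound mail server.
ISP_NETWORKS = ["192.0.2.0/24", "198.51.100.0/24"]
ISP_OUTBOUND = ["198.51.100.200"]


def query_name(ip, zone=ZONE):
    """DNS name a mail server looks up for a client: reversed octets + zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def lookup(ip, listed=LISTED):
    """Stand-in for the DNS query: an A record (conventionally 127.0.0.2)
    means listed; None stands for NXDOMAIN, i.e. not listed."""
    addr = ipaddress.IPv4Address(ip)
    return "127.0.0.2" if any(addr in net for net in listed) else None


def smtp_reply(ip, listed=LISTED):
    """Decision of a mail server configured to refuse listed senders."""
    if lookup(ip, listed):
        return "554 rejected: %s is listed" % query_name(ip)
    return "250 accepted"


def _nets(networks):
    """Parse and merge the ISP's networks so no address is counted twice."""
    return list(ipaddress.collapse_addresses(
        ipaddress.ip_network(n) for n in networks))


def listed_share(isp_networks, listed=LISTED):
    """Fraction of the ISP's address space covered by list entries."""
    isp = _nets(isp_networks)
    total = sum(n.num_addresses for n in isp)
    covered = 0
    for entry in ipaddress.collapse_addresses(listed):  # drop overlaps
        for net in isp:
            if entry.subnet_of(net):
                covered += entry.num_addresses
            elif net.subnet_of(entry):
                covered += net.num_addresses
    return covered / total


def listing_level(isp_networks, outbound_servers, listed=LISTED):
    """Most severe listing level that currently applies to the ISP."""
    share = listed_share(isp_networks, listed)
    if share == 0:
        return "not listed"
    if share == 1:
        return "entire network"
    if any(lookup(s, listed) for s in outbound_servers):
        return "outbound mail server"
    isp = _nets(isp_networks)
    has_range = any(e.prefixlen < 32 and any(e.overlaps(n) for n in isp)
                    for e in listed)
    return "IP range" if has_range else "individual addresses"


if __name__ == "__main__":
    for client in ("192.0.2.77", "192.0.2.78", "198.51.100.10"):
        print(client, "->", smtp_reply(client))
    print("share of address space listed:", listed_share(ISP_NETWORKS))
    print("level:", listing_level(ISP_NETWORKS, ISP_OUTBOUND))
```

An abuse desk can run the same check over the lists that matter to it to see when scattered single-address listings start turning into range or mail-server listings.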
4.3. Costs of brand damage and reputation effects
The ‘media fallout’ mentioned by the interviewee points
to a more general concern with brand damage that was
mentioned by many interviewees as an incentive to
invest in security. With few exceptions, these ISPs want
to present themselves as responsible businesses (Arbor
Networks, 2007) providing safe services for their
customers. A related incentive is the reputational
benefits of offering security services. It is unclear how
strong this incentive is. Even if customers care about
security, most will find it very difficult to assess the
security performance of one ISP relative to its competitors.
Nevertheless, the more significant finding here is
that whether ISPs really care about bad publicity or not,
being blacklisted has direct effects on their operating
costs as well as their quality of service. The latter may in
fact drive customers away. As one industry insider
described it: ‘A high cost action is to investigate each
complaint rigorously. A different kind of high cost
action is to do nothing’.
4.4. Costs of infrastructure expansion
An incentive that was more difficult to gauge is the
effect of malware on the capital expenditures of the ISP
– that is, the need to invest in infrastructure and
equipment as more spam or malware comes through
the network. ISPs have two principal options: to expand
the network and accommodate the additional traffic or
to invest in defensive measures such as filters. A
rational ISP will choose the least-cost approach, which
could be a hybrid strategy, combining accommodating
and defensive investment. A recent survey found that
botnet-based denial of service attacks are growing
faster in size than the ISPs are expanding their network
– to the worry of the ISPs (Arbor Networks, 2007).
Interestingly, malware-related infrastructure expen-
ditures – apart from the costs of security equipment –
were mostly seen as unimportant during our interviews.
The interviewees may be suffering from ‘the
fallacy of the near’. ISP employees dealing with security-
related issues mention customer contact as their
biggest cost because they are focused on the security
budget, which includes the abuse desk as well as
security-related customer support. To them the infra-
structure cost ‘is just a number their accountant writes
on a check every month’. However, infrastructure is a
major overall cost for any ISP, so any effect of malware
on capital expenditures could potentially outstrip other
expenditures. These costs do not gradually increase
with the amount of malware and spam, but rather as a
step function when capacity runs out. It is very difficult
to relate these expenditures, decided upon by other
parts of the organization, back to specific traffic pat-
terns of spam and malware infections. In terms of
incentives, however, this lack of awareness implies
that infrastructure cost is not a strong driver of the
attempts of ISPs to reduce the impact of malware.
4.5. Benefits of maintaining reciprocity
An incentive that was mentioned by all interviewees is
related to the informal networks of trusted security
personnel across ISPs, CSIRTs and related organizations
– which we mentioned earlier. When describing
how their organization responded to security incidents,
interviewees would refer to personal contacts within
this trust network that enabled them, for example, to
get another ISP to quickly act on a case of abuse. These
contacts are reciprocal. They are also contacted about
abuse in their own network and are expected to act on
that information. To maintain reciprocity, an ISP has to
treat abuse complaints seriously, which is costly. The
more abuse takes place on its network, the more other
contacts in the network will ask for intervention.
Maintaining reciprocity not only establishes the informal
network as a security resource, it also reduces the
likelihood of being hit with blacklisting or other coun-
termeasures. As one interviewee explained: ‘What
enforces security on a service provider is threats
from other service providers’. One ISP security officer
told us that the informal contacts imply cost savings.
Less staff time is needed to deal with the fallout of a
security incident – e.g., going through time-consuming
procedures to get off blacklists – and to deal with
customer support.
4.6. Costs of security measures
So far we have discussed incentives that reinforce the
benefits of security for ISPs with regard to malware.
The incentive structure is mixed, however, and includes
disincentives as well. An obvious disincentive is the
costs of additional security measures. Typically, the
tradeoff is between the direct costs of additional
measures which are visible in the short term versus
the more diffuse costs caused by increasing security
problems, such as customer support and abuse management.
We should mention, however, that the ISPs’
decisions often were not shaped by formal economic
assessments or detailed analysis of their own cost
structures. As one insider phrased it, ‘ISPs very much
drive by the seat of their pants. Except for a very few of
the largest ones, they are not actually examining the
figures’.
4.7. Legal risks and constraints
Another disincentive is related to legal constraints.
During the interviews, the European ISPs had different
answers to the question of how much manoeuvering
space the ‘mere conduit’ provision of the EU E-Com-
merce Directive allowed them. Monitoring their net-
work more closely for security reasons could
potentially lead to liability issues. If the ISP’s monitoring
reveals, for example, file sharing traffic of pirated
materials, they may be forced to act upon this informa-
tion to avoid claims from owners of intellectual prop-
erty rights and organizations representing them.
In some EU countries, interviewees reported that
privacy regulations that potentially treat IP addresses as
private data had led their legal departments to set
boundaries which limited the ability of security staff to
track malicious activity on their network – for example
with regard to tracking individual IP addresses. One
interviewee reported that security staff sometimes was
not allowed to use information on malicious activity
detected on the network. Some legal experts argued
that these legal risks are non-existent, that they are
based on an incorrect understanding of current legisla-
tion. While that might be true, the reality is that the
ISPs’ legal departments tend to be rather risk averse in
dealing with this ambiguity. The transaction costs of
clarifying these issues are, ceteris paribus, an obstacle
to higher security.
4.8. Cost of customer acquisition
Other disincentives are closely related to the incentives
we discussed earlier. An interviewee at a large ISP
mentioned concern about brand damage as the reason
why the business side of the company initially opposed
blocking port 25 on their network, a security measure
to curb outgoing spam traffic: Management did not
want to inconvenience customers. Anything that might
turn people away is a problem, because the cost of
acquisition of new customers is high. The burden of
proof fell on the security staff to convince management
that the proposed measures were protecting the brand.
4.9. An overall assessment
The balance between incentives and disincentives will
vary depending on the ISP. On the whole, recent years
have witnessed increased efforts by ISPs in dealing
with malware, even in the absence of regulation or
other forms of public oversight. The incentive mechan-
isms we discussed strengthen the ISP’s interest to
internalize at least some security externalities originat-
ing from their customers as well as from other ISPs.
In short, the current incentive structure seems to
reward better security performance for legitimate
market players – though it is sensible to keep in mind
that in many countries price competition is intense,
which is a disincentive with regards to security, other
things equal.
Some of the security-enhancing incentives discussed
above work as disincentives under different business
models than those of the ISPs we interviewed. Another
business model is sometimes referred to as ‘rogue ISP’
or ISPs that are, in the words of one interviewee,
‘decidedly grey’. These attract customers precisely
because of their lax security policies (a recent example
is Triple Fiber Network of San Jose, California, shut
down by the U.S. Federal Trade Commission in June
2009). While these ISPs have more disincentives for
improving security than the ones we interviewed, they
are not fully immune against some of the security-
enhancing incentives we discussed earlier, most notably
blacklisting. An additional incentive for non-responsive
ISPs is the pressure put on them by their upstream
providers – the ISP ‘who feeds them the Internet’, as
one respondent phrased it – or by the providers with
whom the ISP exchanges traffic at peering points. If an
ISP were de-peered, the disconnected ISP would have
to buy transit service for its traffic, and therefore incur
much higher operating costs.
How, then, to explain the rise of botnets? There are
two important factors that limit the extent to which
ISPs mitigate the security externalities generated by
their customers. First, ISPs see and respond to only a
fraction of the infected machines. Second, even if an ISP
were technically able to identify and isolate most of the
infected machines, the customer support and other
costs of such a comprehensive approach are currently
prohibitive. We briefly discuss these factors.
The ISPs only deal with these malware problems in
so far as they themselves suffer consequences from the
end user behaviour, e.g., by facing the threat that a
significant part of their network gets blacklisted. Only a
few percent of all infected machines show up in abuse
notifications and get acted upon. One interviewee
called this ‘the 2% rule’. A related issue is that the
incentives of ISPs do not reflect the whole range of
current malware threats. ISPs are predominantly sensitive
to malware that manifests itself in ways that make
their customers call in, leads to abuse notifications or
that causes problems with blacklisting. That means
spam proxies and DDoS attacks attract attention and
raise costs, while spyware, for example, does not:
‘People get infected and it is very difficult to track
them. Spam and DDoS is noticeable at the network
level. But spyware stays on the computer, quietly
collecting data’. Others have argued that many ISPs
are failing to prohibit the forging or spoofing of IP
addresses by hosts as well as failing to filter outgoing
traffic from IP addresses they are not authorized to
originate from.
Those security problems that are noticeable for the
ISP will not always get addressed, either. Several ISPs
mentioned ‘thresholds’ of malware effects, which
needed to be crossed, before the company would act
on an infected machine of a customer. Even then, the
situation is often anything but straightforward. ‘The
issue is, how do you help the people that are infected,
given the current state of the security products in the
market place? We see the traffic, we know there’s
something wrong, but how do you find what it is with
the current products? It’s very hard . . . about 85–90%
of the malware is not recognized by AV products,
because a small change is enough to dodge the signa-
ture’.
Several ISPs explained that they were at some stage
of implementing technology that would automate the
process of monitoring malicious behavior on their
network and quarantining the infected machines. While
such technologies help to scale up the ISPs’ response, they
also bring into focus a critical bottleneck: the costs of
customer support would become prohibitive if all
infected machines would be quarantined. A security
officer at a large ISP estimated that the number of
customers affected at any time would be in the tens of
thousands. While this number might go down over time
as network security improves, it was obvious that
management would not accept the enormous cost
impacts of such a measure.
Typically, the number of machines that are isolated on
a daily basis is relatively modest – tens or, for large ISPs,
perhaps hundreds of machines. At this scale, the effort
is effective in that it reduces the ISP’s problems with
abuse and blacklisting. But compared to estimates of
the total number of infections on each network, these
efforts look rather pale. One security expert was highly
critical of the effectiveness of the efforts by ISPs:
‘Unless they are contacting more than 10% of their
customer base on a monthly basis, they are effectively
taking no action’.
In short, whereas the combined incentive structures
of end users and ISPs may reduce the problems, they
nonetheless allow the emergence of large-scale bot-
nets, which generate security externalities for the rest
of society that, for the most part, go unmitigated.
5. Implications for policy
The potential for future disasters has given rise to an
increasingly controversial debate on the appropriate
policy response. Until now, government policies have
focused on user awareness campaigns, better interna-
tional collaboration among law enforcement agencies,
public-private information sharing and better data col-
lection on security problems. While useful, these
measures have proven to be ineffective in reducing the
threats posed by botnets.
The last few years have witnessed a controversial
debate over new policy options. Proponents of an
economic approach to Internet security have advocated
measures like publishing data on the security perfor-
mance of ISPs, introducing product liability for software
vendors, regulating minimum security standards for
hardware vendors, and imposing statutory fees on
ISPs that do not act against compromised machines
(e.g., Anderson, Böhme, Clayton, & Moore, 2008).
All of these measures set out to re-align the market
incentives to internalize or mitigate security external-
ities, so as to enhance Internet security. While these
proposals are an important and innovative contribution
to moving beyond the current ineffective policies, there
are many possible complications associated with most
of these measures. Researchers in this area have a
tendency to treat issues of institutional design as rather
trivial. That is to say, they assume that the models
indicate what market design is optimal, that this design
can be brought into existence at will and that actors
will behave according to the model’s assumptions. If the
past decade of economic reforms – including privatiza-
tion, liberalization and deregulation of information
and communication industries – and economic crisis
has taught us anything, it is that designing markets
is highly complicated and sensitive to the specific
context in which the market is to function. It cannot
be based on formal theoretical models alone. Institu-
tional design requires an in-depth empirical understand-
ing of current institutional structures and their effects
on outcomes.
If this debate was not already complicated enough,
botnets are increasingly portrayed as a threat to
national security (e.g., CSIS, 2008). Rather than treating
them as a versatile tool for criminal activity, which has
been the dominant approach up until now, the threat
environment is extended to include botnets as an
important weapon for military and terrorist purposes.
These perspectives are not mutually exclusive. In fact,
the national security perspective readily subsumes the
threats posed by crime, only to argue that there are
even worse scenarios to take into account.
To a certain extent both perspectives can be correct
at the same time. Incidents like those in Georgia and
Estonia inextricably combine criminal resources and
terrorist purposes. What makes the overlap so proble-
matic, however, is that they lead to very different and
conflicting policies, both in terms of goals as well as
means.
The law enforcement perspective acknowledges that
it is economically rational to tolerate a certain level of
insecurity. All markets are afflicted with a certain level
of crime. The costs of higher security have to be
weighed against the benefits. This can lead to counter-
intuitive outcomes. A brief example will have to suffice
(for a more detailed discussion, see Van Eeten & Bauer,
2008). For several years, there have been ongoing and
successful malware-based attacks against banks and
credit card companies. It would not be difficult or
necessarily very costly for financial institutions to raise
the security of online payment services. The problem is
that the opportunity costs are estimated to be much
higher than the fraud that is prevented through such
measures. The financial institutions have a strong
incentive to increase their online transaction volume
– banks because of cost savings associated with having
customers conduct transactions online rather than
through other channels; credit card companies because
each transaction earns them a fee. Any security
measure that would raise the threshold for consumers
to use these services would reduce these benefits.
Financial institutions have found that it is currently
more efficient to compensate the losses of customers
who are victims of fraud, rather than increase the
security in ways that would impede the usability of
these services. Society as a whole also benefits from
these substantial efficiency gains, as long as financial
institutions can compensate the actual damage while
still improving their profits. In short, from this perspec-
tive, the goal of policies should be to reach the optimal
level of insecurity in light of the actual damage and
the costs, including opportunity costs, of reducing
it further. The way to find these levels is to make
sure the market incentives are aligned appropriately.
This logic assumes without further examination that all
risks are appropriately accounted for by the stake-
holders.
Contrast this to the national security approach.
Here, it is not actual damage that is leading, but potential
damage – where potential typically implies thinking in
terms of worst-case scenarios. And the worst-case
scenarios are pretty bleak – as in massive economic
and social destabilization. So bleak, in fact, that the only
possible response is to prevent such events. Where
fighting crime allows for trial and error, national
security has to prepare for the worst. Where fighting
crime can look at averages or a run of cases, ensuring
national security has to meet every last threat. Of
course, the current status quo is by no means prepared
for the worst. No wonder, then, that proponents of this
view are quick to call the, up until now dominant,
governance model of self-regulation a failure and dis-
miss ‘the market’ for having failed to ensure security.
A closely related argument is to point out that cyber
security is a public good, which implies that without
government intervention, it will not be produced (e.g.,
Lewis, 2005). Of course, law enforcement also implies
government involvement, but the subtext here is that
the government needs to step up and intervene in much
more consequential ways.
Underlying these two approaches are two different
views on what it means to ensure security. The
difference between them is analogous to a critical
distinction from the field of reliability theory, namely
between marginal reliability and precluded-event relia-
bility. Adapting these two approaches to the realm of
cyber security, we can see why the issue of botnets
leads to such controversy when it comes to their
implications for policy (see Table 1).
Both approaches imply their own problems. Treating
botnets as a problem of national security tends to
militarize issues that, so far, primarily concern organiza-
tions and individuals, not nations. It subordinates the
interests of these organizations and individuals to
rather unbounded notions of national interests. To
put it differently, rather than interventions based on
actual costs and benefits of (in)security for societal
actors, the interventions would be driven by the
potential costs to society of attacks that have not yet
occurred. The word ‘benefits’ is missing from the last
part of that sentence because they rarely seem to play a
role in national security when considering policy op-
tions. Yet, we know that there are dramatic benefits
associated with precisely those properties of the Inter-
net that have made it so vulnerable.
In more general terms, this argument has been
developed by Zittrain (2008, p. 8). It is precisely the
ability of current PCs to run ‘arbitrary code’ that makes
them a generative technology while at the same time
rendering them vulnerable to malicious code. He states:
‘[T]he same qualities that led to [the success of the
Internet and general-purpose PCs] are causing [them]
to falter. This counterrevolution would push main-
stream users away from the generative Internet that
fosters innovation and disruption, to an appliancized
network that incorporates some of the most powerful
features of today’s Internet while greatly limiting its
innovative capacity – and, for better or worse, heigh-
tening its regulability’. Not without hyperbole, he calls
this scenario ‘the end of the Internet’.
On the other hand, the Achilles’ heel of an approach
based on marginal security is the scenario of low
probability and high consequence. Given the depen-
dence of all aspects of global society on the Internet and
electronic communications in general, widespread and
extended failure would have catastrophic conse-
quences. That such a pervasive failure or technological
terrorism has not yet happened and has a low prob-
ability complicates the formulation of a response. Like
other events with a low but non-trivial probability, it
could be considered a ‘black swan’ event (Taleb, 2007).
Cost–benefit analysis of such catastrophic events would
help in shaping more rational responses but it is
extremely difficult. Complications include the choice
of an appropriate time horizon, the quantification of the
risk in question, problems of monetizing a wide range of
qualitative impacts, and the determination of social
discount rates applied to monetized future events
(Posner, 2004). Nonetheless, devising an overall Inter-
net security policy would greatly benefit from such an
exercise.
Even if such a broad assessment of the costs and
benefits of cyber security will need additional work, it is
possible to ask whether decentralized stakeholder deci-
sions are the most effective way of dealing with the
problem. The case studies in Van Eeten and Bauer
(2008) have revealed many instances in
which the responses of individual players in the ICT value
net are only partially effective at best. Whereas feedback
mechanisms, such as blacklisting and reputation effects,
are working, in many cases they are insufficient to
internalize the costs and broader societal risks into
private security decisions. This internalization is most
effective in cases where specific services are at work and
most costs and benefits are borne by the parties involved,
as discussed in the case of financial institutions. Even in
those cases, though, the costs of achieving a desired level
of security are increased by actions or omissions by
players in other segments of the value chain.

Table 1. Marginal and Precluded-Event Security

Variable       Marginal security            Precluded-event security
Context        Efficiency                   Social dread
Risk           Localized                    Widely distributed
Damage         Actual damage                Potential damage
Standards      Average or run of cases      Every last case
Learning       Trial-and-error learning     Formal learning with limited trial and error
Calculation    Marginal (variable cost)     Non-fungible (fixed requirement)
Orientation    Retrospectively measured     Prospectively focused
Control        Probabilistic                Deterministic

Adapted from Roe and Schulman (2008, p. 53).

Over the next few years, as the new security policies
for the Internet take shape, a balance will have to be
struck between these competing approaches. Interna-
lization by individual players is more difficult in the
generative areas of the Internet that provide general-
purpose platforms for a plethora of applications and
services. In these cases, both benefits and costs of
actions are disseminated widely and a matching of social
costs and benefits via individual decisions is unlikely.
Such balancing is also unlikely in the case of catastrophic
risks that might affect cyberspace. Some form of
collective action may hence be needed to augment
the existing resilience of the Internet. However, great
care has to be taken that any such measure does
not inadvertently reduce the existing level of resilience.
The challenge will be to find ways to enhance security
while protecting the aspects of the Internet that are
fuelling its innovative prowess. Ways to improve the
security of the core infrastructure are well known but
will not be implemented unless some form of collective
agreement is found and enacted. Likewise, complemen-
tary ways to strengthen the legal and regulatory
environment to more effectively act against perpetra-
tors will likely be needed. In all these cases, carefully
designed policies might be able to improve the incentives
of the players to make decisions more closely aligned
with a societal optimum.
Notes
1. See Van Eeten and Bauer (2008) for the full report and
OECD (2009), in particular Part II.
2. It should be noted at this point that blacklisting, while
potentially powerful, has drawn its own criticisms –
regarding, among other things, vigilantism of blacklist
operators, listing false positives, the collateral damage
that may come with blacklisting certain IP addresses or
ranges, and the financial motives of some list operators.
Furthermore, blacklists have been subject to legal chal-
lenges. Spammers were, for example, on occasion suc-
cessful in obtaining court verdicts against being blacklisted
(Bangeman, 2006; Heidrich, 2007). Here, we focus on
how blacklisting works as an incentive for ISPs.
References
Anderson, R., Böhme, R., Clayton, R. and Moore, T. (2008),
Security Economics and the Internal Market, European
Network and Information Security Agency (ENISA), Crete.
Available at http://www.enisa.europa.eu/act/sr/reports/
econ-sec/economics-sec (accessed 14 October 2009).
Anderson, R. and Moore, T. (2006), ‘The Economics of
Information Security’, Science, Volume 314, pp. 610–613.
Anonymous (2006), ‘Internet faces new attacks,’ International
Herald Tribune, 16 March 2006. Available at http://www.iht.
com/articles/2006/03/16/business/net.php (accessed 14
October 2009).
Arbor Networks (2007), Worldwide Infrastructure Security Report,
Volume III. Available at http://www.arbornetworks.com/report
Bangeman, E. (2006), Court Likely to Order ICANN to Suspend
Spamhaus’ Domain, Ars Technica. Available at http://arstech
nica.com/news.ars/post/20061009-7938.html (accessed 14
October 2009).
BBC News (2007), ‘Google searches web’s dark side,’ BBC
News. Available at http://news.bbc.co.uk/2/hi/technology/
6645895.stm (accessed 14 October 2009).
Clover, C. (2009), ‘Kremlin-backed group behind Estonia
cyber blitz,’ The Financial Times. Available at http://
www.ft.com/cms/s/0/57536d5a-0ddc-11de-8ea3-0000779fd
2ac.html (accessed 14 October 2009).
CSIS (2008), Securing Cyberspace for the 44th Presidency: A
Report of the CSIS Commission on Cybersecurity for the 44th
Presidency. Available at http://csis.org/files/media/csis/pubs/
081208_securingcyberspace_44.pdf (accessed 14 October
2009).
Davis, J. (2007), ‘Hackers Take Down the Most Wired
Country in Europe,’ Wired Magazine 15. Available at
http://www.wired.com/politics/security/magazine/15-09/ff_
estonia (accessed 14 October 2009).
ENISA (2006), Provider Security Measures Part 1: Security and
Anti-Spam Measures of Electronic Communication Service
Providers – Survey, European Network and Information
Security Agency, Crete. Available at http://www.enisa.
europa.eu/act/it/oar/anti-spam-measures/studies/provider-
security-measures-1/ (accessed 14 October 2009).
Espiner, T. (2007), VeriSign: DoS Attack Could Shut Down
Internet, ZDNet.co.uk. Available at http://news.zdnet.
co.uk/security/0,1000000189,39289635,00.htm (accessed
14 October 2009).
Gordon, L. A. and Loeb, M. P. (2004), ‘The Economics of
Information Security Investment’, in Camp, L. J. and Lewis,
S. (eds), Economics of Information Security, Kluwer Academic
Publishers, Dordrecht, pp. 105–128.
Heidrich, J. (2007), IP-Blacklisting zur Spam-Abwehr kann re-
chtswidrig sein. Heise Online. Available at http://www.heise.
de/newsticker/meldung/97568 (accessed 14 October 2009).
House of Lords (2007), Science and Technology Committee, 5th
Report of Session 2006–2007, Personal Internet Security,
Volume I: Report, Authority of the House of Lords, London.
Available at http://www.publications.parliament.uk/pa/
ld200607/ldselect/ldsctech/165/165i.pdf (accessed 14 Oc-
tober 2009).
ICANN (2007), Factsheet: DNS attack. ICANN Blog. Availa-
ble at http://blog.icann.org/2007/03/factsheet-dns-attack/
(accessed 14 October 2009).
Jakobsson, M. and Zulfikar, R. (eds.) (2008), Crimeware: Under-
standing New Attacks and Defenses, Addison-Wesley Profes-
sional, Upper Saddle River, NJ.
Kirk, J. (2008), Student fined for attack against Estonian Web site,
InfoWorld. Available at http://www.infoworld.com/article/08
/01/24/Student-fined-for-attack-against-Estonian-Web-site_1.
html (accessed 14 October 2009).
Kunreuther, H. and Heal, G. (2003), ‘Interdependent Security’,
Journal of Risk and Uncertainty, Volume 26, Number 2, pp.
231–249.
LaRose, R., Rifon, N., Liu, S. and Lee, D. (2005), Understanding
Online Safety Behavior: A Multivariate Model, International
Communication Association, New York. Available at http://
www.msu.edu/~isafety/papers/ICApanelmult21.htm (accessed 14 October 2009).
Lemon, S. (2006), Ten security Trends Worth Watching,
NetworkWorld. Available at http://www.networkworld.
com/news/2006/101806-hitb-ten-security-trends-worth.
html (accessed 14 October 2009).
Lesk, M. (2007), ‘The New Front Line: Estonia Under Cyber
Assault’, IEEE Security and Privacy, Volume 5, Number 4, pp.
76–79.
Lewis, J.A. (2005), ‘Aux Armes, Citoyens: Cyber Security and
Regulation in the United States’, Telecommunications Policy,
Volume 29, Number 11, pp. 821–830.
Markoff, J. (2008), ‘Cyber Attack Preceded Invasion: Georgia’s
Web Infrastructure Hit, But Was it Russia?’ Chicago Tribune.
Available at http://archives.chicagotribune.com/2008/aug/
13/business/chi-cyber-war_13aug13 (accessed 14 October
2009).
OECD (2009), Computer Viruses and Other Malicious Software,
Organisation for Economic Co-operation and Develop-
ment, Paris.
Perrow, C. (2007), The Next Catastrophe: Reducing Our Vulner-
abilities to Natural, Industrial, and Terrorist Disasters, Princeton
University Press, Princeton, NJ.
Posner, R.A. (2004), Catastrophe: Risk and Response, Oxford
University Press, New York, NY.
Reid, T. (2007), China’s cyber army is preparing to march on
America, says Pentagon, Times Online. Available at http://
technology.timesonline.co.uk/tol/news/tech_and_web/the_
web/article2409865.ece (accessed 14 October 2009).
Roe, E. and Schulman, P. (2008), High Reliability Management:
Operating on the Edge, Stanford University Press, Palo Alto.
Sanger, D.E. and Shanker, T. (2009), ‘Pentagon Plans New Arm
to Wage Cyberspace Wars,’ New York Times. Available
at http://www.nytimes.com/2009/05/29/us/politics/29cyber.
html?_r=3&ref=us (accessed 14 October 2009).
Sevastopulo, D. (2008), ‘US Military Raises Alarm on Cyber
Attacks,’ The Financial Times. Available at http://www.
ft.com/cms/s/0/6fc0b3a4-efc7-11dc-8a17-0000779fd2ac.html
(accessed 14 October 2009).
Shachtman, N. (2008), Estonia, Google Help ‘Cyberlocked’ Geor-
gia, Wired.com. Available at http://www.wired.com/danger
room/2008/08/civilge-the-geo/ (accessed 14 October
2009).
Taleb, N.N. (2007), The Black Swan: The Impact of the Highly
Improbable, Random House, New York, NY.
US GAO (2007), Cybercrime: Public and Private Entities Face
Challenges in Addressing Cyber Threats, United States Gov-
ernment Accountability Office, Washington, D.C. Available
at http://www.gao.gov/new.items/d07705.pdf (accessed 14
October 2009).
Van Eeten, M. and Bauer, J.M. (2008), Economics of Malware:
Security Decisions, Incentives and Externalities, OECD STI
Working Paper 2008/1. OECD, Paris. Available at http://
www.oecd.org/dataoecd/53/17/40722462.pdf (accessed 14
October 2009).
Weber, T. (2007), ‘Criminals “may overwhelm the web”’, BBC News.
Available at http://news.bbc.co.uk/2/hi/business/6298641.stm
(accessed 14 October 2009).
Zittrain, J. (2008), The Future of the Internet: And How to Stop It,
Allen Lane, London.