Eli Dourado, Andrea Castillo | Jun 22, 2015
This paper will review the laws and standards governing federal cybersecurity policy and will highlight how overlapping responsibilities and unclear lines of authority have accompanied increasing rates of federal information security failures. The paper will then describe how these systemic cybersecurity weaknesses demonstrate the federal government to be an especially poor candidate for managing national systems, and it will explain the shortcomings of a top-down, technocratic approach.
Eli Dourado, Andrea Castillo | Jun 22, 2015
After briefly outlining the current cybersecurity information sharing proposals, we will examine the performance of the many similar programs that the federal government has operated for years. The government’s inability to properly implement previous information sharing systems even internally, along with its ongoing failures to secure its own information systems, casts doubt on the viability of proposed government-led information sharing initiatives to improve the nation’s cybersecurity. We will then examine the flawed assumptions that underlie information sharing advocacy before exploring solutions that can comprehensively address the nation’s cybersecurity vulnerabilities.
Eli Dourado, Andrea Castillo | Apr 17, 2014
This paper will describe the current dynamic provision of cybersecurity and explain how a technocratic solution like the Cybersecurity Framework could weaken this process and ultimately undermine cybersecurity.
Adam Thierer | Jan 25, 2013
This paper will consider the structure of fear appeal arguments in technology policy debates and then outline how those arguments can be deconstructed and refuted in both cultural and economic contexts. Several examples of fear appeal arguments will be offered with a particular focus on online child safety, digital privacy, and cybersecurity. The various factors contributing to “fear cycles” in these policy areas will be documented.
Sean Lawson | Dec 19, 2012
Cybersecurity proponents often rely upon cyber-doom scenarios as a key tactic for calling attention to prospective cyber-threats. This essay critically examines cyber-doom scenarios by placing them into a larger historical context, assessing how realistic they are, and drawing out the policy implications of relying upon such tales. It draws from relevant research in the history of technology, military history, and disaster sociology to examine some of the key assertions and assumptions of cyber-doom scenarios. It argues that cyber-doom scenarios are the latest manifestation of fears about “technology-out-of-control” in Western societies, that they are unrealistic, and that they encourage the adoption of counter-productive, even dangerous policies. The paper concludes by offering alternative principles for the formulation of cybersecurity policy.
Eli Dourado | Jun 19, 2012
ISPs have borne significant costs to reduce malware, despite their lack of formal legal liability. Informal institutions perform much better than a regime of formal indirect liability. The fact that legal polycentricity is more widespread than is often recognized should affect law and economics scholarship.

Testimony & Comments

Research Summaries & Toolkits

Expert Commentary

Jul 04, 2015

For years, cybersecurity hawks have painted grim pictures of a "cyber Pearl Harbor," when sophisticated hackers will be able to infiltrate and commandeer critical U.S. networks to wreak whatever havoc they choose. Yet for some reason, when the most advanced cyber-espionage malware known was discovered on American systems, the usually indefatigable "tough on cyberterror" crowd was quiet.
May 10, 2015

CISA actually bucks the usual liberty/security trade-off, because it threatens our civil liberties without meaningfully improving cybersecurity—and could potentially even weaken it. We should dump this Trojan and focus on developing bottom-up, collaborative security practices that will actually work.
May 07, 2015

The federal government must get its own house in order before such comprehensive information sharing measures like CISA could be even technically feasible. But CISA would be a failure even if managed by the most well-managed government systems because it seeks to impose a technocratic structure on a dynamic system. Effective reform will promote a self-organizing “collaborative security approach” as outlined by groups like the Internet Society, an international nonprofit devoted to Internet policy and technology standards. Cybersecurity provision is too important a problem to be inadequately addressed by measures that will fail to improve security.
Apr 27, 2013

Evgeny Morozov’s latest book, To Save Everything, Click Here, follows the same blueprint as his first book, 2011’s The Net Delusion. He takes the over-zealous ramblings of a handful of Internet evangelists, suggests that Pollyannas like them are all around us, and then argues, implausibly, that their very ideas threaten to undermine our culture or humanity in some fashion. Along the way, he doles out generous heapings of unremitting, snarky scorn.
Feb 22, 2013

Now that President Obama has acted on cyber-security, Congress doesn’t need to. Yet guided by their worst impulses – to extend protections to business, or to exert bureaucratic control – members of Congress will insist that it is imperative they get in on the action. If they do, they will undoubtedly be saddling us with a host of unintended consequences that we will come to regret later.
Feb 21, 2013

While you might drive an Audi and shop at Ikea, you likely can’t even think of a European Internet company. Some would argue that the EU’s strict privacy regulations inhibit Internet entrepreneurship in the continent, but there seems to be something else going on since they don’t seem to keep U.S. firms from doing business there. Well, just barely.


This weeks’ charts use data from the Office of Management and Budget’s (OMB) FY 2014 Federal Information Security Management Act (FISMA) compliance report to display the agency share, type, and number of reported federal information security incidents for FY 2014 and over time.



Eli Dourado | January 21, 2015
Eli Dourado discusses the rate of cybersecurity breaches in federal agencies, arguing for a private sector-led cybersecurity framework.

Recent Events

Cybersecurity is a hot topic on Capitol Hill. But what exactly does cybersecurity entail? An issue this large encompasses many elements: what is the real threat? What is its scope? Who is at risk? Who is the most suited to defend against the threat?

Media Clippings

Adam Thierer | Jun 24, 2013
"High technology companies are among the fastest growing lobbying shops in Washington," said Adam Thierer.
Jerry Brito | Jul 12, 2012
Jerry Brito cited discussing current cybersecurity concerns.
Eli Dourado | Jul 06, 2012
Eli Dourado explains how the United States can combat new threats to a free and open web.
Adam Thierer | Jun 28, 2012
Adam Thierer comments on Federal Communications Commission (FCC) Commissioner Robert McDowell's recent speech.
Jerry Brito | Jun 27, 2012
Jerry Brito cited discussing the possible effects of revisions to the UN's global telecommunications treaty.
' '