One of the witnesses at the January 16 hearing before the House Committee on Science, Space & Technology (“Is My Data on Healthcare.gov Secure?”) was David Kennedy, CEO of TrustedSec LLC. Kennedy describes his firm as engaged in “white-hat hacking”: it is hired by entities that want to know how their computer systems are vulnerable to conventional “black-hat hackers.” They can reduce security threats only if they are armed with this information.
Kennedy’s report submitted to the Committee is certainly eye-opening. However, from an economics perspective the idea that there are both black- and white-hat hackers is revealing. Black-hat hackers exploit vulnerabilities in computer systems to steal money or information for corrupt purposes. Negative externalities arise when third parties are harmed. White-hat hackers use the same techniques but for the private benefit of the computer owner. Positive externalities arise because third parties benefit when black-hat hackers are thwarted. The usual economic analysis of externalities indicates that there are (obviously) too many black-hat hackers, but also far too few white-hat hackers.
Black-hat hackers impose a market failure on private computer systems — or, more accurately, a serious market imperfection; the market rarely if ever fails because private sector entities have powerful incentives to protect their computers and their customers. Indeed, if they choose not to protect their customers, their customers will do business elsewhere. So the magnitude of the market imperfection is kept relatively small, and the compensated work of white-hat hackers keeps it smaller still.
This is not the case for government computer systems, however, because they tend to have monopoly characteristics. Customers have nowhere to go. The public has no alternative to exposing itself to the risks posed by black-hat hackers, and monopolist government agencies have weak incentives to minimize these risks. If agencies’ systems are compromised by black-hat hackers, they suffer only reputational harm; they cannot go out of business. Moreover, when a monopolist government agency is hacked, the relevant legislature can be expected to increase that agency’s budget in hopes of improving information security. Contrary to the popular adage, failure is an option, and it may be a bureaucratically attractive one. For monopolist government agencies, therefore, the magnitude of the likely market imperfection from black-hat hacking may be very large. It may even be so large as to result in actual market failure.
TrustedSec’s report is consistent with this analysis:
Based on our findings, we are confident that the security around the application was not appropriately tested prior to release, that the safeguards to protect sensitive information are not in place, and that there are and will continue to be for a significant amount of time serious security concerns with the website unless direct action is taken to address these concerns.
Even more disturbingly,
there are clear indicators that even basic security was not built into the healthcare.gov website.
Regulation is appropriate when monopolies are involved, and healthcare.gov is one of the largest monopolies ever created by government. To overcome its propensity to tolerate serious market imperfection (or even market failure), Congress could have required it to meet the highest, most demanding security standards practiced in the private sector. It did not do so in the Affordable Care Act, but it could remedy that oversight through corrective legislation that incentivizes white-hat hackers to do their best to compromise it.