Peter T. Leeson, Department of Economics, West Virginia University
Christopher J. Coyne, Department of Economics, Hampden-Sydney College

Abstract

This paper considers various classes of computer hackers, with a special emphasis on fame-driven versus profit-driven hackers. We use simple economic analysis to examine how each of these hacking “markets” works. The resulting framework is employed to evaluate current U.S. policy aimed at reducing the threat of computer hacking and shows that this policy is largely effective. We consider policy adjustments consistent with the insights of the framework provided as a means of strengthening cyber security.

We thank Peter Boettke, Tony Carilli and Tyler Cowen for helpful comments and suggestions. The financial support of the Critical Infrastructure Project, the Earhart Foundation and the Oloffson Weaver Fellowship is also gratefully acknowledged.
1 Introduction
In the digital age, cyber security is perhaps the most important form of security individuals must be concerned with. Banks, schools, hospitals, businesses, governments and virtually every other modern institution you can think of store and organize their information electronically. This means that all of your most sensitive information—from credit card numbers and checking accounts, to medical records and phone bills—can be viewed, stolen, or manipulated by anyone with a PC, an Internet connection, and some computer know-how. The increasingly computer-based world is increasingly vulnerable to malevolent computer hackers.

While we know little about these shadowy hackers, we have a very clear picture of the damage they do. In 2003, hacker-created computer viruses alone cost businesses $55 billion—nearly double the damage they inflicted in 2002 (SecurityStats.com 2004). In 2000 the total cost of all hack attacks to the world economy was estimated at a staggering $1.5 trillion (PricewaterhouseCoopers 2000). In a 2004 survey of American companies and government agencies conducted by the Computer Security Institute, over half of respondents indicated a computer security breach in the past 12 months and 100 percent of respondents indicated a Web site-related incident over the same period (CSI 2004).

If anything, these figures probably understate the volume of hacker-related security breaches. Firms, especially financial institutions, are extremely reluctant to report hacker-related break-ins for fear of how this may affect customers’ and stockholders’ impressions of their security. In the survey of American businesses conducted jointly by CSI and the FBI, nearly 50 percent of firms that experienced system intrusion over the last year stated that they did not report this intrusion to anyone. The primary reason cited for this was the perceived negative impact on company image or stock (CSI 2004: 13-14), and similar findings have been corroborated by others (see for instance, United Nations 1994; Schell et al. 2002: 40).

What can we say about the enigmatic community of computer hackers, and what can we do about the cost these hackers impose? This paper uses simple economic analysis to try to better understand the phenomenon of hacking. In particular, we are interested in creating a framework for analyzing hacking that is policy relevant. Towards this end we divide the community of hackers into three classes separated by motivation. The first class consists of “good” hackers. These hackers illegally break into computer systems but voluntarily share security weaknesses with those in charge of these systems. The second class of hackers is fame-driven. This class constitutes a dangerous subculture of unethical hacking in which members seek infamy and the accolades of their cohort by breaking into the electronically stored information of vulnerable parties and wreaking havoc. The third group of hackers is “greedy.” These hackers are not motivated by considerations of