Computer technology, like the railroad, gives us infrastructure that empowers innovators. The Internet and cloud computing let startups like YouTube and Instagram soar to huge valuations almost overnight, with only a handful of staff. But 21st-century tech differs from the 19th-century variety in that criminals also build infrastructure, from botnets through malware-as-a-service. There's also dual-use infrastructure, from Tor to bitcoins, with entangled legitimate and criminal applications. So crime can scale too. And even "respectable" infrastructure has disruptive uses. Social media enabled both Barack Obama and Donald Trump to outflank the political establishment and win power; they have also been used to foment communal violence in Asia. How are we to make sense of all this? Is it simply a matter for antitrust lawyers and cybercrime fighters, or do computer scientists have some insights to offer?
For the past twenty years, we have been studying the economics of information security. If Alice guards a system while Bob pays the cost of failure, you can expect trouble. This subject started out with concerns about infrastructure, namely payment card fraud and the insecurity of Windows. It worked on topics from the patch cycle through the behavioural economics of privacy to cybercrime. We learned that many persistent problems are down to misaligned incentives.
We are now realising that when problems scale, infrastructure is usually involved; that we need computer-science insights into scaling as well as economists' insights into incentives; and that both of us have underestimated the role of institutions. We need to understand all this better to put controls at the right level in the stack and to develop better strategies to fight cybercrime. We may also find some new directions as the regulation of technology moves up the political agenda.
Ross Anderson has devoted his career to developing security engineering as a discipline. He was a pioneer of hardware tamper-resistance, API security, peer-to-peer systems, prepayment metering and powerline communications. His other research extends from cryptography through side channels and the safety and privacy of clinical systems to technology policy. He was one of the founders of the discipline of security economics, and is PI of the Cambridge Cybercrime Centre, which collects and analyses data about online crime and abuse. He is a Fellow of the Royal Society and the Royal Academy of Engineering, as well as a winner of the Lovelace Medal – the UK's top award in computing. He holds faculty positions at both Cambridge and Edinburgh universities.