This Article identifies and analyzes a previously unrecognized source of positive externalities within cybersecurity, which we term "cybersecurity spillovers". Most commentators have focused on negative externalities and market failures, leading to a pervasive pessimism about the possibility of adequate cybersecurity protections. In response, this Article demonstrates that unique dynamics from the world of cloud computing – most notably, indivisibility – may force cloud service firms to generate spillovers. These spillovers are additional security protections provided to common cloud users: clients who may not have been willing or able to acquire these security services otherwise. Furthermore, this additional source of security offsets some of the most pernicious effects of negative externalities and market failure which commonly plague the cybersecurity ecosystem.
Alongside its descriptive analysis of cybersecurity spillovers, this Article alerts policymakers about potential analytical tools which can be used to identify the most beneficial spillovers. Moreover, it offers recommendations for specific interventions that will promote spillovers and improve the state of cybersecurity generally. In particular, this Article explains that policymakers could promote indivisibility and strengthen spillovers by tailoring liability rules. Such enhanced liability might incentivize premium cloud service clients to demand robust protections across the entire platform. In addition, the Article addresses the relationship between market concentration and spillovers. It provides recommendations for preserving spillovers even without concentration in the market for cloud storage. And finally, the Article suggests how the government's cloud services procurement and tender processes can be utilized to amplify the beneficial effects of spillovers.
© 2022 Brigham Young University Law Review
Mark Verstraete and Tal Zarsky,
47 BYU L. Rev.
Available at: https://digitalcommons.law.byu.edu/lawreview/vol47/iss3/8