Cyber Bonds

Paul Rosenzweig of Lawfare is excited by a Wired Magazine article by Nathan Bruschi concerning a proposal for Cyber Bonds. Here’s Nathan:

Catastrophe bonds solve this problem [of catastrophes such as hurricanes] by securitizing the risk and passing it on to a wide pool of investors. The bonds pay handsome coupons to investors in seasons when natural disasters don’t happen, and liquidate the investment principal to pay for damages in seasons when they do.

A similar framework for Cyber Bonds would have three parts. First, each country would identify which companies and infrastructure are systemically important to the economy, and compel those entities to buy standardized cyber insurance policies. These companies would pay premiums into a national insurance pool from which damage claims for cyber attacks would be drawn. Second, each country would then securitize its insurance pool on the private market, creating country-specific Cyber Bonds. Third, at the next round of international cyber security talks, each country would agree to buy an untradable basket of each other’s Cyber Bonds and hold them in their sovereign wealth funds that pay out pensions and stabilize government spending. (The equivalent for the US would be the Social Security Trust Fund.) Each basket would comprise Cyber Bonds from every country of the world and be weighted toward each country’s unique historical adversaries. Excess Cyber Bonds and investment-grade variants would be made available for investors to buy and trade on the secondary markets.

Much like a mortgage-backed security, each Cyber Bond would pay out a fraction of the total income generated by the pool of insurance contracts and lose principal in case of insolvency.

Basically, as the article explains, all the countries interested in security from cyber attacks would sign a treaty obligating them to buy the cyber bonds of their historical enemies. When an attack occurs, not only would the attacked country feel pain, but so would its alleged enemies, because they would not receive their dividends and might be in danger of losing their investment capital. In short, if country A cyber-attacks country B, A not only forgoes the dividends it would normally receive, but its own investment capital is lost to its enemy.

It has a certain poetry to it, a certain balance to the system that will hold a lot of attraction for the technical community.

But there’s a lot to wonder about here. There’s the question of verifying that an attack has occurred at all, and of establishing what damages are to be recompensed, and so on. Then there’s the strategic question: just how much does it take to make a country hesitant to initiate an attack? Here’s Nathan:

This system would change the calculus for countries like Russia, whose cyber operations currently operate largely unchecked. Before launching an attack against a foreign company, Vladimir Putin would have to worry about erasing billions of dollars from his own country’s pension funds, possibly leading to riots in the streets.

That’s a lot of money – if you can persuade them to put it up. However, Nathan explains that once the Cyber Bonds are active, then there’s an incentive to be part of the treaty – because otherwise your cyber assets are operating without a net. It also assumes the supremacy of the financial principle, which I think is a result of the capitalist system; what about those folks who do not treat financial motivation as a primary influence, but rather secondary, tertiary, or even worse? Not everyone shares the same value system – just ask the North Koreans. For example, if a leader’s prestige underlies his position, and his prestige is tied to a successful cyber attack, that attack may happen regardless of the cost to the Cyber Bonds held by that country.

But what makes me most nervous (given that I’m a simple software engineer and have little knowledge of international efforts of most any kind) is this toss-off statement:

Securitized insurance began with catastrophe bonds engineered in the wake of Hurricane Andrew in 1992. Hurricanes, like cyber attacks, are expensive to insure conventionally given that claims are not independent and often catastrophic.

I worry that an incident basically uninfluenceable by humanity is not equivalent to an incident that is the result of the machinations of the human mind. One has no motivations; the other is the essential result of motivations, good or ill. How will these differences affect the proposed mechanism? I think those differences would have to be elucidated and their impact on the mechanism better understood. In essence, I worry about the unintended consequences.

About Hue White

Former BBS operator; software engineer; cat lackey.