INTERNET INTERMEDIARIES
One of the most promising areas of security economics research has concentrated on Internet intermediaries. These entities provide the Internet’s basic infrastructure and platforms, and enable communications and transactions between third parties and services.
Players include Internet service providers (ISPs), hosting providers, payment systems, e-commerce platforms, search engines and participative platforms as shown in Figure 13.1 (Perset, 2010). The role of intermediaries has increased over the years, gradually modifying the original vision of an ‘end-to-end’ design of the Internet. Most intermediaries are private businesses and IT forms the core of their business. We will first make some general observations applying to all intermediaries, and then look at different types separately.

Intermediary markets are highly concentrated because of network effects and economies of scale. Network effects, as previously explained, reflect the increasing value of a service as more users adopt it. Economies of scale are cost advantages that firms gain due to their size. In many markets - for instance search engines, participative platforms or certificate authorities - a handful of companies control large market shares, sometimes up to 80 or 90 percent of the revenues or user base (Noam, 2009). Some of the largest Internet intermediaries are among the world’s top firms and well-known brands - for example, Google, Facebook, eBay, Amazon, Apple and Microsoft.
Figure 13.1 Internet intermediary roles
Source: Perset (2010).

Intermediaries raise interesting governance issues. They are in some sense gatekeepers of the Internet economy with direct access to end users. They become de facto standardization bodies and their mundane technical choices frequently have more profound effects on outcomes than formal Internet governance structures (Van Eeten and Mueller, 2012).
Their scale makes them focal points for regulation, whereas a network of thousands of organizations and millions of end users can hardly be regulated by traditional governance arrangements. However, as in the case of other players, the security incentives of Internet intermediaries are mixed. In some cases, security is a cost to avoid, in particular if it conflicts with business interests. In many cases, however, intermediaries take security seriously and are among the largest defenders of users against attacks, as they have incentives in maintaining trust in the Internet economy. Often, their role as multi-sided platforms that are enabling other market players will generate strong incentives to internalize some of the externalities in the system. Moreover, many intermediaries have the resources, knowledge and capabilities to provide security.

13.5.1 Internet Service Providers
Internet service providers (ISPs) are companies that connect subscribers to the global Internet. ISPs come in different sizes - from small regional ISPs to multinational tier 1 networks. There are several thousand ISPs worldwide but the 200 largest ones serve about 80 percent of broadband and mobile Internet markets (Van Eeten et al., 2010). Since ISPs have access to their subscribers’ Internet traffic they are affected by and involved in policy debates on privacy protection, network neutrality, copyright enforcement, infrastructure resilience, the blocking of malware, and the disruption of botnets.3 In many countries ISPs have historically been regulated in a less intrusive fashion than traditional telecommunications companies. In the USA they were historically classified as ‘information service providers’ and in other countries as value-added service providers. As part of these legal arrangements, they were shielded from liability for traffic carried on their networks as long as they followed certain required business practices (e.g., notice and take-down procedures).4 We shall focus this section on the role and incentives of ISPs with regard to malware and botnets as some of the most pernicious cybersecurity threats.
Bots are computers infected with malware that puts them under remote control by attackers. The attackers may directly harm the owners of these machines through fraud or extortion. They may also combine infected computers into botnets of varying size or rent them out to other criminals. In either case they become platforms to launch attacks on other parts of the Internet and therefore are a serious problem for the whole Internet ecosystem. Numerous botnets remain active despite more than a decade of countervailing measures. Depending on whether one differentiates according to the malware families used or by the number of different attackers using them, their number ranges between tens and thousands. The largest botnets may at peak consist of millions of bots (Symantec, 2015).
The security community has had some success in seizing control over botnets through both technical infiltration and apprehension of the command and control infrastructure (Fryer et al., 2013). However, a key problem that remains is cleaning up the infected machines. Clayton (2011) contemplates alternative approaches to clean-up and concludes it might make sense for governments to subsidize ISPs or other third parties to clean up malware on end user machines. In the same vein, there have been calls to treat botnets by employing a public health approach. In this framework, a ‘cybersecurity health agency’ would provide education, monitoring (e.g., infections and intrusion trends), epidemiology (e.g., malware analysis), immunization (e.g., patch coordination), and incident response (Kelley and Camp, 2012; Sullivan, 2012).
Van Eeten et al. (2010) evaluated the role and incentives of ISPs in botnet mitigation by comparing spam-bots in 200 ISPs between 2005 and 2009. They found that large retail ISPs are indeed effective control points but that the number of infected machines per subscriber differs significantly among ISPs. This difference was relatively stable over time, suggesting that systematic differences exist in ISP policies and management practices as well as among users.
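The comparison described above depends on how ‘infected machines per subscriber’ is computed: raw sighting counts would simply rank the largest ISPs as the dirtiest. The following Python script is an added illustration, not code from the original chapter or from Van Eeten et al.; it assumes a constructed spam-trap feed of (day, source IP) sightings, a constructed prefix-to-ISP table and constructed subscriber counts, and it normalises by averaging daily unique bot IPs (so a machine that reappears under a new dynamic address on a later day is not double-counted within a day) before dividing by subscribers.

```python
import ipaddress
from collections import defaultdict
from datetime import date

# Constructed prefix-to-ISP table (hypothetical networks drawn from the
# RFC 5737 documentation ranges, not real allocations).
ISP_PREFIXES = {
    "198.51.100.0/24": "BigNet",    # large retail ISP
    "203.0.113.0/25": "SmallNet",   # small regional ISP
    "192.0.2.0/24": "MidNet",
}

# Constructed subscriber counts used as the normalisation base.
SUBSCRIBERS = {"BigNet": 200_000, "SmallNet": 5_000, "MidNet": 40_000}

# Constructed spam-trap sightings: (day, source IP). The same IP seen twice
# on one day is one bot; the average of per-day unique counts is used so
# that dynamic-IP churn across days does not inflate the figure.
SIGHTINGS = [
    (date(2009, 3, 1), "198.51.100.10"), (date(2009, 3, 1), "198.51.100.10"),
    (date(2009, 3, 1), "198.51.100.11"), (date(2009, 3, 1), "203.0.113.5"),
    (date(2009, 3, 2), "198.51.100.12"), (date(2009, 3, 2), "203.0.113.5"),
    (date(2009, 3, 2), "203.0.113.9"),   (date(2009, 3, 2), "192.0.2.77"),
    (date(2009, 3, 3), "198.51.100.10"), (date(2009, 3, 3), "203.0.113.9"),
    (date(2009, 3, 3), "10.0.0.5"),      # not in any tracked prefix: ignored
]


def build_lookup(prefix_table):
    """Parse the CIDR table once into (network, isp) pairs."""
    return [(ipaddress.ip_network(p), isp) for p, isp in prefix_table.items()]


def isp_for(ip, lookup):
    """Longest-prefix match of an address to an ISP; None if untracked."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, isp in lookup:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, isp)
    return best[1] if best else None


def raw_sighting_counts(sightings, prefix_table):
    """Naive metric: total sightings per ISP, no dedup, no normalisation."""
    lookup = build_lookup(prefix_table)
    counts = defaultdict(int)
    for _, ip in sightings:
        isp = isp_for(ip, lookup)
        if isp is not None:
            counts[isp] += 1
    return dict(counts)


def daily_unique_bots(sightings, lookup):
    """Map ISP -> {day: set of distinct bot IPs observed that day}."""
    per_isp = defaultdict(lambda: defaultdict(set))
    for day, ip in sightings:
        isp = isp_for(ip, lookup)
        if isp is not None:
            per_isp[isp][day].add(ip)
    return per_isp


def infection_rate_per_1000(sightings, prefix_table, subscribers):
    """Average daily unique bots per 1,000 subscribers for each ISP."""
    lookup = build_lookup(prefix_table)
    per_isp = daily_unique_bots(sightings, lookup)
    days = sorted({day for day, _ in sightings})
    rates = {}
    for isp, subs in subscribers.items():
        daily = [len(per_isp[isp].get(d, set())) for d in days]
        avg = sum(daily) / len(days) if days else 0.0
        rates[isp] = round(avg / subs * 1000, 4)
    return rates


def rank_by_rate(rates):
    """ISPs ordered from highest to lowest normalised infection rate."""
    return [isp for isp, _ in sorted(rates.items(), key=lambda kv: -kv[1])]


if __name__ == "__main__":
    print("raw sightings:", raw_sighting_counts(SIGHTINGS, ISP_PREFIXES))
    rates = infection_rate_per_1000(SIGHTINGS, ISP_PREFIXES, SUBSCRIBERS)
    print("per 1,000 subscribers:", rates)
    print("ranking:", rank_by_rate(rates))
```

On the constructed feed the raw count puts BigNet first, while the normalised rate shows SmallNet roughly forty times worse per subscriber; the two metrics invert the ranking, which is why subscriber normalisation (and a consistent dedup window) matters before comparing ISPs or drawing conclusions about their policies.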
The authors further found that larger ISPs have lower average infection rates, possibly due to automation of detection and clean-up that reduces the unit cost of providing security. Moreover, the data reveal that ISPs located in countries with an attentive regulator have cleaner networks. Other researchers have suggested that coordinated action by the largest networks can be very effective in stopping malware (Hofmeyr et al., 2013), and that a correlation exists between well-managed networks and end user security (Zhang et al., 2014). Different approaches to incentivize ISPs and other networks to improve security practices have been proposed. Tang et al. (2013) perform a shaming and faming experiment with networks that have high outgoing spam, a sign of botnet activity. They report that performance improved in a treatment group that was subject to information disclosure. In recent years, public-private partnerships between ISPs and a national anti-botnet center have been the most called upon model for clean-ups (OECD, 2012). By splitting costs these models recognize the role of ISPs and the public sector and that ISPs are not solely responsible for clean-ups. The jury on the effectiveness of these models is still out.

13.5.1 Hosting Providers
Hosting providers are organizations that operate servers used by customers to make content and services available to the Internet. Many hosting providers are also registrars: entities that sell and register domain names. As with virtually all services on the Internet, these businesses are abused by criminals. Phishing sites, command-and-control servers for botnets, and the distribution of child pornography, malware and spam all require such services. Like ISPs, hosting providers can thus play a key role in fighting cybercrime. Much of the criminal activity runs on compromised servers of legitimate customers but some run on servers rented by the criminals themselves. In either case, the hosting provider typically becomes aware of the problem only after being notified of the abuse. Responses to abuse reports vary widely, ranging from vigilant to slow to negligent (Stone-Gross et al., 2009; Canali et al., 2013; Bradbury, 2014).
In a small number of cases, the hosting provider passively or actively facilitates the criminal enterprise and shields it from takedown attempts - a practice referred to as ‘bulletproof hosting’.

While there is a wealth of research on security issues in hosting infrastructure, only a fraction has been done from an economic perspective. Moore and Clayton (2007) have studied hosting provider incentives to take down phishing sites. They found evidence for a ‘clued-up’ effect: it took time before a provider became aware and incentivized enough to start taking down sites. Once that effect occurred, takedown speed rapidly increased and stayed at this improved level. In a follow-up study, Moore and Clayton (2009) expanded the research to other forms of Internet content and various notice and takedown regimes. The findings show that the requester’s incentives outweigh other factors in predicting takedown speed, including the content, penalty, and evasion technology. Another study by Vasek and Moore (2012) looked at the responses of hosting providers to notifications of sites that were compromised with malware. It found that notifications that included comprehensive technical data of the detected problem were more likely to trigger takedown action on the side of the providers. This might be related to the competing incentives of providers: they do not want to disrupt service to their customers, while also protecting them and others from the negative consequences of compromised security. Extensive evidence helps them to legitimize countermeasures with regard to their customers.
The overall effects of takedown actions seem limited. Criminal activity might be concentrated at some providers or registrars. Getting those providers to act can dramatically reduce the level of abuse in those networks, but the attackers are prepared for this and merely migrate their activities to other providers (Levchenko et al., 2011; Liu et al., 2011). The result is a game of whack-a-mole. Organizing collective action against criminal activities in the hosting sector is made more difficult because this market is not nearly as consolidated as many other online markets.
In the absence of reliable reputation signals, it seems unlikely that market incentives alone will result in higher security levels across the thousands of hosting providers.

13.5.2 Payment Service Providers and Certificate Authorities
Payment and other financial service providers (FSPs) are no strangers to attacks. Annual global losses from financial fraud amount to billions of dollars (Anderson et al., 2013). At the same time, these intermediaries have benefited tremendously from the growth of online payments, and in relative terms, fraud has been stable or diminishing (Financial Fraud Action UK, 2015). This is because they have become good at detecting fraud while maintaining convenience, for instance by profiling credit card transactions in real time in their back-end systems, rather than imposing additional security measures on the users directly. One advantage they have is that calculating the monetary gains and losses of certain trade-offs is easier for them than for other sectors. For example, after a data breach credit card issuers can calculate the relative cost of replacing cards or refunding victims of fraudulent cases (Graves et al., 2014). The FSPs have also been helped - perhaps paradoxically - by legal regimes in the USA and some European countries that limited the liability of consumers in cases of fraud. The burden of proof for fraud was put on the FSPs who actually had the capability to do something about it (Van Eeten and Bauer, 2008). In short, financial service providers are in a position to internalize some of the externalities in the sector and thus absorb and mitigate the sector-wide costs of fraud.5
Related to payment providers and e-commerce platforms are certificate authorities (CAs) - organizations that issue digital certificates. Such credentials are intended to enable secure online communications, assuring confidentiality and integrity of information and transactions. A series of high-profile breaches at CAs in recent years, most notably the breach and bankruptcy of DigiNotar in 2011, brought to light serious weaknesses in the current system (Arnbak and Van Eijk, 2012). Vratonjic et al. (2013) looked at how Transport Layer Security/Secure Sockets Layer (TLS/SSL) certificates are deployed on the top one million websites and found many misconfigurations. Durumeric et al. (2013) gathered all digital certificates in use on the public web and found hundreds of CAs with the authority to issue certificates that are recognized by browsers. If any of these CAs were to be breached, certificates could be maliciously issued for any other website, a serious negative externality. Arnbak et al. (2014) used the same data to calculate the market shares of CAs and connect them with their prices. Surprisingly, they found the market share of the most expensive CAs was much larger than that of cheaper CAs for identical certificates. This observation points to information asymmetries that create advantages for the largest players. A technical fix to the protocols is required, but its adoption is complicated as long as CAs benefit from the status quo. Other intermediaries, however, such as browser vendors and top websites, could play a role in pushing for new standards.
13.5.3 Search Engines and Participative Platforms
Search engines, portals and participative platforms are used to find content and connect to others. While these intermediaries have explored many different business models in the last decades, the market has converged on a business model in which users receive services for free while revenues are generated from targeted advertising. This development is driven by a combination of network effects and the ‘economics of attention’: in a world abundant with information, the scarcest resource is the attention of users (Shapiro and Varian, 1998). These platforms fight for user attention (Davenport and Beck, 2001). Since the marginal cost of information is close to zero, offering services at a low price or free is an economically rational strategy as it maximizes the size of the potential audience. Key players combine ‘free’ with a variety of nudging techniques to keep users on the platform (an interesting glimpse into this is the controversial study by Kramer et al., 2014 on changing the emotional content of Facebook newsfeeds to see how it affects users). Creating a revenue stream via advertisement is, of course, not new: broadcasting and newspapers have used the model for decades. The key difference is that targeted advertising can extract higher value (Goldfarb and Tucker, 2011).
In terms of cybersecurity, these platforms overall seem to internalize costs to keep their users satisfied. Just to illustrate, Google has a dedicated team to protect users against state-sponsored attacks (Grosse, 2012). This is not done out of nicety but as a competitive necessity: MySpace lost to Facebook partially as a result of increased spam and abuse on its network (Dredge, 2015). Another example is handling ‘click fraud’. When a bot imitates a legitimate user clicking an ad to generate revenue, the advertisers and the platforms are harmed financially and by the erosion of confidence. Chen et al. (2012) suggest that platforms will likely pay the costs of click fraud investigations, thus internalizing some of the costs to the system at large. Schneier (2012) draws an analogy with ‘feudal security’ in the past: platforms provide users with security in exchange for allegiance. This approach has some benefits but it also comes with serious risks particularly with regard to privacy. Evidence of this tension is visible in how the platforms balance the interests of users and advertisers: Facebook Connect is preferred by many websites as a federated identity and password system over alternatives because of the user details it shares (Landau and Moore, 2012).