Cybersecurity and Moral Hazard
Our everyday lives are enmeshed, often invisibly, with connected technologies, making the security of those devices and the data they carry increasingly important. Yet our institutions have largely failed to address these technologies’ cybersecurity risks. And that is in large part because they have failed to address—and have even exacerbated—the moral hazard inherent in making and selling connected technologies.
Currently, technology manufacturers, sellers, and service providers are richly rewarded for innovations that bring security risks, while technology users bear the bulk of the costs associated with those risks, including the nearly inevitable exploitation of their data. Technology manufacturers furthermore are positioned to understand and reduce those risks in ways technology users are not. And so technology manufacturers face a moral hazard: They must decide whether to make (or later fail to support) devices having risks that would be costly or impossible to eliminate for users—when those users will likely pay the same to them regardless.
Our institutions’ support for technology innovation over product maintenance indulges rather than combats this moral hazard, especially in the low-margin business of connected devices and the Internet of Things (IoT). These failures are also due to our tendency toward technological ubiquity, the unclear—and often unhealthy—relationships between technology manufacturer and user, the inherent complexity of technology, and the network effects inherent to connected technologies. This Article argues that this moral hazard leads to increased cybersecurity risks and will only be addressed when these categories, and their corresponding risks and costs, are properly accounted for. The Article proposes changes to reduce the informational asymmetry between technology manufacturers and users, to better train software engineers to identify and resolve cybersecurity vulnerabilities, and to push companies to provide more secure devices, even or especially when cybersecurity risks are difficult or impossible to quantify.