“Cybercrime is a systemic risk and I think it is the next black swan event,” the head of the Australian Securities and Investments Commission, Greg Medcraft, told a forum at the end of last month.
That’s just 15 words in which Medcraft squeezed one moral panic and two fashionable but misleading economic concepts.
Catchy, though. Medcraft’s comments were widely reported.
But they demonstrate, once again, how Australian regulators and law enforcement agencies are using the digitisation of the economy as an opportunity for a huge power-grab. More on that in a moment.
Medcraft’s argument is drawn from an unofficial working paper, “Cyber-crime, securities markets and systemic risk”, published mid-last year by the International Organization of Securities Commissions, an association of which ASIC is a member. You can read the paper here.
So, could cybercrime be the next ‘black swan’ event? A black swan (the phrase was coined by the statistician Nassim N. Taleb) is characterised by two things. It is incredibly devastating, and it is incredibly rare. This makes black swan events hard to predict precisely because their probability of occurring is so low.
Crime, whether ‘cyber’ or traditional, does not fit the black swan criteria.
It is not incredibly rare. Financial crime is an already existing, easy-to-quantify, and constant risk.
Nor has it been incredibly devastating. Cybercrime is usually low level. Hackers take down websites, not stock exchanges.
Perhaps they might do worse in the future. But that does not make them a black swan. The very nature of black swans is that they are unpredictable. You can only recognise them in retrospect.
Nor is cybercrime a ‘systemic risk’. This term refers to the danger that a shock to one institution will have flow-on effects to other institutions in the system. In the Global Financial Crisis, the initial shock was declining house prices, which led to a run on some banks, which spilled over into runs on other banks, and eventually a credit crunch.
It’s plausible to argue that an initial shock could be cybercrime-related. Yet the systemic risk is created by the interconnectedness, not the shock. The worst scenario the International Organization of Securities Commissions can come up with is a cyber-attack on a systemically important institution, or a coordinated attack on a large number of institutions at once. But these are merely more initial shocks.
This might seem a minor objection to Medcraft’s claim. Pedantic, even. It isn’t.
Now that the GFC has passed, financial regulators are quietly changing their approach to regulation. How they see the relationship between micro failures and macro consequences is central to this.
Should regulators try to predict and prevent the crises themselves, as Medcraft seems to argue, or should they instead focus on how the system responds to unforeseeable crises?
Nassim Taleb invented a second famous term: anti-fragility. Anti-fragility describes systems which become stronger when they are stressed. Taleb contrasts this with systems that are simply resilient, designed merely to survive shocks. A resilient system is one which tries to defend itself against known dangers – say, cybercrime. An anti-fragile system is one which accepts uncertainty and is designed to evolve in response.
No surprise then that Greg Medcraft talks about the need for ‘cyber-resilience’. And that makes technology the problem, and ASIC the solution.
Cybercrime is not the bogeyman it is made out to be.
Sure, there is an extraordinary variety of claims about the damage cybercrime does to the economy. Almost all of them are overstated. At Crikey, Bernard Keane has an excellent overview of just how ludicrous these estimates are.
This paper from 2012 finds that traditional crime costs the typical citizen at least a hundred-fold more than computer crime. The paper concludes that the best way to deal with cybercrime is simple law enforcement. Hunt down criminals individually. Throw them in jail. Cybercrime is hardly the sort of policy dilemma that screams black swans and systemic risks.
But not according to the International Organization of Securities Commissions. In its working paper, the black swan event it foresees is a horrifying cyber-catastrophe originally dreamed up by Richard Clarke in his 2010 book Cyber War.
Clarke, a former US counter-terrorism official, warned of a full-blown digital international conflict where cyberwarriors cripple national infrastructure, release chlorine from chemical plants, remotely crash trains, etc, etc, etc.
As Wired magazine put it, Clarke’s prognostications are like “the Book of Revelation re-written for the internet age, with the end-times heralded by the Four Trojan Horses of the Apocalypse”.
Our corporate regulator can’t seriously believe this hyperbolic nonsense. So let’s assume they don’t. Yet that doesn’t give them much credit.
ASIC has a track record of seeking extra powers in response to technological change.
It is the most enthusiastic user of section 313 of the Telecommunications Act, a law that allows it to block (that is, censor) websites from Australian internet users.
And it is one of the big advocates of mandatory data retention, a policy which would force internet service providers to keep records of everything we do online, just in case law enforcement agencies – and regulators – want to look at it in the future.
Medcraft’s dark warnings about cybercrime and black swans need to be seen through this prism: the ongoing battle between government power and digital liberties.
ASIC knows, as all good bureaucracies do, that the best way to get new powers is to massively overstate the problems those powers are supposed to fix. Unfortunately it seems that policymakers are particularly susceptible to technological gobbledygook. Remember the internet filter?
Cybercrime is, undoubtedly, a challenge. But we should be worried when our key regulators deliberately and explicitly stoke up mindless panic about the impact of new technology.