The security of communication networks and databases has become a main element of national security and economic competitiveness. Constant growth in information systems, financial technology and e-commerce has improved efficiency and pushed economic growth. This growth has also made our society dependent on networked digital technologies and digital structures and devices, which facilitate, enhance and scale most modern human endeavors. Consequently, the biggest digital service providers have become omnipotent, critical players in our economy that operate essential services and control how and where data is collected, stored and handled. Recent attacks on information infrastructures such as the US election system, which was designated a Critical Infrastructure in need of protection in 2017, as well as security breaches at institutions including key digital service providers, have caused concerns about these institutions’ stability and standing. The breaches showed that, in addition to a technical solution, a system-wide approach is needed to address these issues.
One particularly important aspect of such an approach relates to the elevated probability of some kind of failure, or disastrous malfunctioning, of key digital service providers, their services or their products, as a result of cyberattacks. This paper focuses on such potential failures or malfunctions of non-financial institutions and of omnipotent, global digital service providers in particular, a scenario referred to here as ‘Too-Big-to-Fail 2.0’, by way of an analogy to financial failures that can cause massive damage to society. The paper sheds light on this relatively unappreciated risk by comparing it to (i) the attempts of the Dodd-Frank Act to stop financial institutions from shifting the risks of ‘too-big-to-fail’ externalities to society; and (ii) laws protecting Critical Infrastructures.
The paper explains why addressing Too-Big-to-Fail 2.0 has not yet become a political and societal priority. First, digital service providers are technology companies, which, many believe, are shaped by market forces such that they fail and succeed in equal measure without producing negative ripple effects on the economy or society. Second, technology giants are not as carefully regulated as banks because, unlike banks, they do not take insured deposits backed by the government. Third, even heavily regulated financial institutions have not been required until recently to focus on cybersecurity. Finally, some believe that there is no point in worrying about Too-Big-to-Fail 2.0 as it is difficult to prepare for theoretical unknowns. Despite these arguments, however, the paper contends that given the factors outlined in the Critical Service Provider list of criteria, such as size, business involvement in multiple industry sectors, and impact on technology, the economy, and cyber-social systems, Too-Big-to-Fail 2.0 is a valid concern.
Recognizing this problem, in my paper, I argue that any regulation of this unappreciated risk and elevated probability of some kind of failure should be greatly inspired by a recent EU directive that deals with digital service providers.
Drawing on this directive, the paper serves as a call for action, arguing that, based on recent regulation, as well as other factors, key digital service providers should be defined as Critical Service Providers given their importance to our economy and society, and need to improve their risk management. Next, the paper calls for the design of a new systematic approach, resembling to a limited extent that of the Dodd-Frank Act, to understand which entities qualify as Critical Service Providers and why they should have enhanced risk management procedures. Additionally, it proposes certain criteria to ground such an approach. Finally, I suggest that the companies designated as Critical Service Providers should be subject to some type of supervisory scrutiny, which would be the product of a collaborative private-public initiative and result in better risk management and internalizing.
Nizan Geslevich Packin is an Assistant Professor of Law at City University of New York, Baruch College - Zicklin School of Business.