Breach and the economics of demerit goods

A recent report by the security technology firm Symantec laid out the rate card for online hacked and stolen goods- from a few pennies for a compromised account ID and password, to several thousands of dollars for tools and for-hire guns to perform corporate hacks.

While amusing at the outset, and a confirmation of the fact that rabble rousers and the mafia, especially from Russia and the former Soviet states, do more brisk business through online pornography and cyber crime than through real world hassles of the smuggling of physical goods, it is also alarming. Are Indian mafia following suit? We are still debating the bhais and dons of our underworld and how they had wreaked havoc in the decades past. They moved from gold biscuits to petroleum to drugs to real estate. But it is unclear whether they have gone online. In a recent conversation with a senior technology editor, he commented that there is no indication yet that Indian mafia has taken to cyber crime, but seeing the spoils that could be had, will they remain far behind?

Representational image. AFP

Representational image. AFP

The clear economics behind cyber crime asks for a look into the demand and supply of demerit goods.

Defining a demerit good:

A demerit good is defined as something that produces social harm, though like all real life situations, it depends on the perspective with which a good is looked at. Sugar is a merit good from the perspective of the food and confectionary industry and the billions of people with a sweet tooth. Yet when considered from the lens of growing obesity in populations around the world, much of which can be attributed to excessive consumption of processed foods and refined sugar, suddenly it becomes a demerit good.

The same is the case with hacking. Till a few years ago, many hackers started with tinkering online and moved onto showcasing their mettle through denial of service attacks, defacing websites, and accessing protected data. Then came the hacktivists and many have now become legend. They sit on the fence of what is legal today, but could change the shape of how individuals and governments deal with the digital world tomorrow. Are Snowden or Assange villains to be castigated, or heroes to be emulated?

During research for my book Breach, a cyber thriller, every ethical hacker in India I spoke with was curious to know how I would portray hackers. Hacking is misunderstood, many claimed, and that much of what they did was driven by the fervor to highlight security holes or challenge the accepted notions of freedom of speech and right to information. At the same time, when I spoke with those leading the business side of cyber security, there was always a question mark. Lot of work was commissioned on trust, but could they ever be sure if the hacker crossed the line or not? Clearly, there is a dilemma.

Amrita Chowdhury

Amrita Chowdhury

Demand and supply of cyber crime

The rate card mentioned in the Symantec report indicates that the cyber underground, usually hosted on the anonymous Tor network, offers the price of per unit of stolen email account at $0.50-$10 for 1000 units, down from the earlier rate US$4-$30 per unit in 2009. Clearly there is an oversupply and shift in the supply curve has caused the prices to fall down.

Today, the online world abounds with mercenaries. These cyber thugs, whether self-employed entrepreneurs or available for hire tech goons, can steal data or proprietary information, siphon off money, engage in cyber stalking or even terrorism, or supply a wide variety of hacking tools and techniques to enable others. They aren’t out there to prove a point. Proprietary information, such as the intellectual property for a new medicine as in my book Breach, can be sold for huge sums of money in the murky domain.

Bringing down the consumption of demerit goods

Usage of a demerit good can be decreased either by curtailing demand or by reducing supply. The answers might be not be as clear cut when it comes to cyber crime goods (tools, malware, apps) or services (knowhow, expertise, time).

(a) Reducing supply

In the case of a demerit good such as narcotics, there is divided opinion on what is the best recourse. Governments ban drugs or make its supply a punishable offence. Cigarettes are available, but usage is restricted to certain spaces. The Internet given its very spread across porous organisational or national boundaries presents a different problem.

Society could be completely restrictive in what online behaviours and freedoms are allowed. But no one wants to live in a totalitarian environment, especially in a democracy. Moreover, spatial restrictions are tough to implement for online goods. For example, a hacker sitting in Pakistan could purchase tools in the US and target data stored in the cloud, on a server located physically in India, using a hopping connection via Romania. Every country has a different approach to cyber crime.

(b) Reducing demand

Demand for demerit goods such as alcohol can be regulated by strict licensing policies and higher taxation to discourage over consumption. Public education and awareness campaigns can educate individuals of the risks of anything from consumption of tobacco or sugar.

Given that much of the cyber crime occurs below the radar, it is impossible to use taxation or licensing as a method to curtail it. Awareness is important. India is one of top ten countries for incidence of cyber crime. But neither consumers nor companies are as sensitised to the matter as they should be. Media is trying to spread awareness, especially on hacking or cyber bullying targeting consumers. Law firms such as Anand & Anand and Pawan Duggal & Associates are trying to increase the understanding of cyber technologies and crime amid the police and the judiciary. Efforts such as Mumbai Cyber Safety Week bring together multiple stakeholders with an interest in cyber security.

While cyber crime, like all demerit goods, will always find its perpetrators and takers creating a shadowy economy that crisscrosses international boundaries and defies detection, it needs to be looked at from the lens of total cost to society. Given the rise in economic, reputational or goodwill losses, it is essential that we continue to discourage and punish cyber crimes.

The first step will be being honest or courageous enough to admit that it is happening within our country, company or home.

Amrita Chowdhury is the author of Breach, a cyber thriller, and Faking It, an art crime thriller. She has worked as an engineer, business strategist and publisher.


Published Date: Dec 30, 2014 12:53 pm | Updated Date: Dec 30, 2014 01:27 pm