The security of communication networks and databases has become a main element of national security and economic competitiveness. Constant growth in information systems, financial technology, and e-commerce has improved efficiency and pushed economic growth. This growth has also made our society dependent on networked digital technologies and digital structures and devices, which facilitate, enhance, and scale most modern human endeavors. Consequently, the biggest digital service providers have become omnipotent, critical players in our economy that operate essential services and control how and where data is collected, stored, and handled. Recent attacks on information infrastructures such as the U.S. election system, which was designated a Critical Infrastructure in need of protection in 2017, as well as security breaches at institutions including key digital service providers, have caused concerns about these institutions' stability and standing. The breaches showed that in addition to a technical solution, a system-wide approach is needed to address these issues. One particularly important aspect of such an approach relates to the elevated probability of some kind of failure, or disastrous malfunctioning, of key digital service providers (their services or their products) as a result of cyberattacks. This Article focuses on such potential failures or malfunctionings of nonfinancial institutions and of omnipotent, global digital service providers in particular, a scenario referred to here as “Too-Big-To-Fail 2.0,” by way of an analogy to financial failures that can cause massive damage to society. The Article sheds light on this relatively unappreciated risk by comparing it to the (i) attempts of the Dodd-Frank Act to stop financial institutions from shifting the risks of too-big-to-fail externalities to society and (ii) laws protecting Critical Infrastructures.
The Article is also greatly inspired by a recent European Union (EU) directive that deals with digital service providers. The Article serves as a call for action, arguing that, based on these comparisons and recent regulation, as well as other factors, key digital service providers should be defined as “Critical Service Providers” given their importance to our economy and society, and need to improve their risk management. The Article explains why addressing Too-Big-To-Fail 2.0 has not yet become a political and societal priority. First, digital service providers are technology companies, which, many believe, are shaped by market forces such that they fail and succeed in equal measure without producing negative ripple effects on the economy or society. Second, technology giants are not as carefully regulated as banks because unlike banks, they do not take insured deposits backed by the government. Third, even heavily regulated financial institutions have not been required until recently to focus on cybersecurity. Finally, some believe that there is no point in worrying about Too-Big-To-Fail 2.0 as it is difficult to prepare for theoretical unknowns. Despite these arguments, however, the Article contends that given the factors outlined in the Critical Service Provider list of criteria, such as size, business involvement in multiple industry sectors, and impact on technology, the economy, and cyber-social systems, Too-Big-To-Fail 2.0 is a valid concern. Recognizing this problem, the Article then calls for the design of a new systematic approach, resembling to a limited extent that of the Dodd-Frank Act, to understand which entities qualify as Critical Service Providers and why they should have enhanced risk management procedures. The Article proposes certain criteria to ground such an approach. 
Finally, the Article suggests that the companies designated as Critical Service Providers should be subject to some type of supervisory scrutiny, which would be the product of a collaborative private-public initiative and result in better risk management and internalizing.
Indiana Law Journal
Published - 2018
Bibliographical note
Publisher Copyright:
© 2018 The Trustees of Indiana University. All rights reserved.