Too-Big-to-Fail 2.0? Digital Service Providers as Cyber-Social Systems
53 Pages. Posted: 19 Jun 2017. Last revised: 31 Mar 2019
Date Written: June 17, 2017
The security of communication networks and databases has become a main element of national security and economic competitiveness. Constant growth in information systems, financial technology and e-commerce has improved efficiency and pushed economic growth. This growth has also made our society dependent on networked digital technologies and digital structures and devices, which facilitate, enhance and scale most modern human endeavors. Consequently, the biggest digital service providers, such as Facebook, Google, Amazon, Apple and Microsoft, have become omnipotent, critical players in our economy that operate essential services and control how and where data is collected, stored and handled. Recent attacks on information infrastructures such as the U.S. election system, which was designated a Critical Infrastructure in need of protection in 2017, as well as security breaches at institutions including key digital service providers, have caused concerns about these institutions’ stability and standing. The breaches showed that in addition to a technical solution, a system-wide approach is needed to address these issues.
One particularly important aspect of such an approach relates to the elevated probability of some kind of failure, or disastrous malfunctioning, of key digital service providers, their services or their products, as a result of using cyber tools. This Article focuses on such potential failures or malfunctions of non-financial institutions and of omnipotent, global digital service providers in particular, a scenario referred to here as Too-Big-to-Fail 2.0, by way of an analogy to financial failures that can cause massive damage to society. The Article sheds light on this relatively unappreciated risk by comparing it to (i) the attempts of the Dodd-Frank Act to stop financial institutions from shifting the risks of “too-big-to-fail” externalities to society, and (ii) laws protecting Critical Infrastructures. The Article is also greatly inspired by a recent EU directive that deals with digital service providers. The Article serves as a call for action, arguing that, based on these comparisons and recent regulation, as well as other factors, key digital service providers should be defined as Critical Service Providers given their importance to our economy and society, and need to improve their risk management.
The Article explains why addressing Too-Big-to-Fail 2.0 has not yet become a political and societal priority. First, digital service providers are technology companies, which, many believe, are shaped by market forces such that they fail and succeed in equal measure without producing negative ripple effects on the economy or society. Second, technology giants are not as carefully regulated as banks because, unlike banks, they do not take insured deposits backed by the government. Third, even heavily regulated financial institutions have not been required until recently to focus on cybersecurity. Finally, some believe that there is no point in worrying about Too-Big-to-Fail 2.0 as it is difficult to prepare for theoretical unknowns. Despite these arguments, however, the Article contends that given the factors outlined in the Critical Service Provider list of criteria, such as size, business involvement in multiple industry sectors, and impact on technology, the economy, and cyber-social systems, Too-Big-to-Fail 2.0 is a valid concern.
Recognizing this problem, the Article then calls for the design of a new systematic approach, resembling to a limited extent that of the Dodd-Frank Act, to understand which entities qualify as Critical Service Providers and why they should have enhanced risk management procedures. The Article proposes certain criteria to ground such an approach. Finally, the Article suggests that the companies designated as Critical Service Providers should be subject to some type of supervisory scrutiny, which would be the product of a collaborative private-public initiative and result in better risk management and internalizing.