Cybersecurity,  industrial  organization,  and  competition  policy  

Michael  Riordan  

Columbia  University  

7/5/14   CRESSE  2014   1  

7/5/14   CRESSE  2014   2  

C    

7/5/14   CRESSE  2014   3  

Chinese  Army  Unit  Is  Seen  as  Tied  to  Hacking  Against  U.S.  

             New  York  Times                February  18,  2013  

7/5/14   CRESSE  2014   4  

7/5/14   CRESSE  2014   5  

7/5/14   CRESSE  2014   6  

Trend  toward  outsourcing  

•  Reliance  on  networks  specialized  suppliers    

•  Motivated  by  cost  reduction  –  Lower  labor  costs  (offshoring)    

–  Product  and  process  innovation  

June  19,    2013   Dusseldorf/DICE  workshop   7  

“Why  U.S.  Manufacturing  Is  Poised  for  a  Comeback  (Maybe),”  Wall  Street  Journal,  June  1,  2014    

7/5/14   CRESSE  2014   8  

•  the  number  of  factory  jobs  has  

started  to  rise  after  plunging  for  

decades,  edging  up  by  about  

600,000  over  the  past  four  

years  to  more  than  12  million…  

•  Boston  Consulting  Group  

estimates  that  China's  overall  

manufacturing-­‐cost  advantage  

has  shrunk  to  just  4%.…  

•  companies'  desire  to  produce  

goods  closer  to  their  

customers…  

•  Will  “re-­‐shoring”  of  manufacturing  emphasize  

outsourcing  or  vertical  integration?  

•  How  does  cybersecurity  matter?  

7/5/14   MaCCI  2014   9  

• Does  competition  over  ideas  (as  well  as  prices)  

encourage  vertical  integration?  

• Do  cybersecurity  concerns  give  new  

encouragement  to  vertical  integration?  

• Do  vertical  mergers  motivated  by  cybersecurity  

raise  competition  policy  concerns?  

7/5/14   MaCCI  2014   10  

• Does  competition  over  ideas  (as  well  as  prices)  

encourage  vertical  integration?    NO  

• Do  cybersecurity  concerns  give  new  

encouragement  to  vertical  integration?    YES  

• Does  vertical  integration  motivated  by  

cybersecurity  raise  competition  policy  concerns?    

TO  THE  CONTRARY  

 

7/5/14   MaCCI  2014   11  

Outline  

I.  Security  interdependence  •  Riordan  (2014)  “Notes  on  Partnership  Security,”  preliminary  draft  

II.  Vertical  integration  vs.  outsourcing  •  Loertscher  and  Riordan  (2014),  “Oursourcing,  Vertical  Integration,  and  

Cost  Reduction,”  preliminary  draft.  

III.  Industrial  organization  and  competition  policy  implications  •  Allain,  Chambolle  &  Rey  (2011),  “Vertical  Integration,  Information,  and  

Foreclosure,”  working  paper.  

7/5/14   CRESSE  2014   12  

Part  I:    Security  interdependence  

Model  Elements    •  Firms  have  heterogeneous  incentives  to  take  precautions.  

•  Firms  face  security  risks  both  from  direct  attacks  and  from  indirect  attacks  via  business  partners.  

•  More  difficult  to  protect  against  indirect  attacks.  

•  There  is  a  positive  externality  of  security  investments.    

7/5/14   CRESSE  2014   13  

Risk  is  a  function  of  threat,  vulnerability,  and  consequences.  

x  

α  

14  7/5/14   CRESSE  2014  

θ  

Companies  risking  larger  losses  have  an  incentive  for  greater  precautions.    

x1  x2  

α  

α  

15  7/5/14   CRESSE  2014  

θ1  

θ2  

Cybersecurity  is  interdependent.  

x2  α  

α  

β   y2  

16  7/5/14   CRESSE  2014  

θ2  x1  

θ1  

y1  

Simplifying  assumptions:  

•  Composite  security  

 yi  =  ϕxi        with    0  ≤  ϕ  ≤  1    •  Diminishing  returns  to  investments  

 quadratic  investment  costs    

 θi    not  too  large    

•  Well-­‐behaved  social  welfare  function  

   

7/5/14   CRESSE  2014   17  

Results  about  cybersecurity:  

•  Strategic  dependence:    Best  responses  curves  might  slope  either  upward  or  downward,  depending  vulnerability  to    indirect  attacks  and  the  magnitude  of  expected  losses.    

•  Equilibrium  extenalities:    There  is  a  unique  equilibrium  at  the  intersection  of  the  best  response  curves.  

–  If  investments  are  strategic  complements,  then  investments  providing  less  than  complete  security  are  deficient  relative  to  the  social  optimum.  

–  If  investments  are  strategic  substitutes  for  Firm  1,  and  expected  losses  are  sufficiently  asymmetric,  then  Firm  1’s  investment  may  be  above  the  socially  optimal  level.  

7/5/14   CRESSE  2014   18  

7/5/14   CRESSE  2014   19  

Best Responses

Social Best Responses

0.2 0.4 0.6 0.8 1.0

0.2

0.4

0.6

0.8

1.0

Firm 2 Precautions

Firm1Precautions

Strategic Complements Case:Ha=0.9, b=0.6, f=0.4, c=0.1, q1=0.5, q2=0.6L

Part  II:    Vertical  integration  vs.  outsourcing  

Model  Elements    •  Vertical  integration  occurs  in  a  multilateral  supply  setting,  in  

which  potential  suppliers  invest  in  cost-­‐reduction  and  compete  on  price.  

•  Vertical  integration  creates  a  preferred  supplier.  

•  A  vertically-­‐integrated  firm  sources  internally  whenever  it  is  cost-­‐effective  to  do  so,  but  cannot  control  the  investment  of  independent  suppliers.        

•  By  distorting  sourcing  in  favor  of  internal  supply,  vertical  integration  creates  a  tradeoff  between  avoiding  markups  and  discouraging  the  investments  of  independent  suppliers.  

7/5/14   MaCCI  2014   20  

Timing  of  decisions  

Customer  

v  

Supplier  1  

Ψ(x1)  

c1~  F(c,x1)  

B(c1)  or  c1  

Supplier  2  

Ψ(x2)  

c2~  F(c,x2)  

B(c2)  

….   Supplier  n  

Ψ(xn)  

cn~  F(c,xn)  

B(cn)  

7/5/14   CRESSE  2014   21  

Simplifying  assumptions:  

•  Inelastic  demand  

 v  =  ∞  

•  Constant  marginal  cost  of  design  effort  

 Ψ(x)  =  ½  x2  

•  Design  effort  shifts  mean  of  cost  distribution  

 G(c+x)  

•  Exponential  cost  distribution  

 G(c)  =  1-­‐  e-­‐μ(c-­‐β)  

7/5/14   CRESSE  2014   22  

Results  about  vertical  integration:  

•  Efficient  symmetric  equilibrium  investments  if  cost  variance  is  sufficient.  

•  Vertical  integration  distorts  the  sourcing  decision  and  reallocates  investments  in  favor  of  internal  supply.    

•  Vertical  integration  is  disfavored  if  there  is  sufficient  upstream  competition.  –  Not  too  much  cost  variance  

–  Sufficient  number  of  potential  suppliers  

7/5/14   CRESSE  2014   23  

Vertical  divestiture  is  profitable  if  there  is  enough  upstream  competition.  

7/5/14   CRESSE  2014   24  

0.2 0.4 0.6 0.8 1.0

-0.02

-0.01

0.00

0.01

0.02 Procurement  cost  under  vertical  integration  +  Investment  cost  of  integrated  supplier  +  Acquisition  price  of  integrated  supplier  -­‐  Procurement  cost  under  outsourcing    

n  =  12  

n  =6  

n  =  8  n  =  10  

μ  

Part  III:    Industrial  organization  implications  

Interdependent  cybersecurity  encourages  vertical  integration    •  A  vertically  integrated  firm  internalizes  the  positive  externality  

of  improved  security.  

•  There  also  may  be  economies  of  scope  in  security.  

–  A  vertically  integrated  firm  exploiting  economies  of  scope  might  become  more  vulnerable  to  attack.  

–  Still,  positive  net  benefits  of  internalizing  the  externality  should  prevail  if  selective  intervention  is  possible.  

7/5/14   CRESSE  2014   25  

Competition  policy  implications  

7/5/14   CRESSE  2014   26  

D1   D2  

U1   U2  

Cf.    Allain,  Chambolle,  and  Rey  (2011),  “Vertical  integration,  Information,  and  Foreclosure”  

Vertically  integrated  supplier  has  poor  incentive  to  prevent  internal  information  leakage,  which  raises  rivals  costs.  

External  cyber-­‐espionage  threats  raise  additional  security  concerns.    

7/5/14   CRESSE  2014   27  

D1   D2   D3  

U1   U2  

Improved  cybersecurity  as  an  efficiency  defense      

•  Better  incentives  for  security  against  external  threats  could  outweigh  concerns  about  internal  information  leakage.  

•  Economies  of  scope  in  the  provision  of  security  could  improve    safeguards  against  internal  breaches:  – more  effective  firewalls;  –  better  access  control;  –  improved    monitoring  and  forensics.    

7/5/14   CRESSE  2014   28  

Conclusions  

•  Suppliers  compete  on  ideas  as  well  as  price.  

•  Markup  avoidance  incentives  for  vertical  integration  are  counterweighed  by  an  investment  discouragement  effect.  

•  Vertical  integration  internalizes  positive  externalities  in  the  provision  of  cybersecurity.  

•  Improved  cybersecurity  is  a  ready-­‐made  efficiency  defense  against  alleged  input  foreclosure  from  a  vertical  merger.  

7/5/14   CRESSE  2014   29  

Other  Competition  Policy  Issues  

•  Collaborations  between  competitors  

 

•  Horizontal  mergers  

7/5/14   CRESSE  2014   30  

Thank  you!  

7/5/14   CRESSE  2014   31