Upload
ngodiep
View
214
Download
0
Embed Size (px)
Citation preview
Cybersecurity, industrial organization, and competition policy
Michael Riordan
Columbia University
7/5/14 CRESSE 2014 1
C
7/5/14 CRESSE 2014 3
Chinese Army Unit Is Seen as Tied to Hacking Against U.S.
New York Times February 18, 2013
Trend toward outsourcing
• Reliance on networks specialized suppliers
• Motivated by cost reduction – Lower labor costs (offshoring)
– Product and process innovation
June 19, 2013 Dusseldorf/DICE workshop 7
“Why U.S. Manufacturing Is Poised for a Comeback (Maybe),” Wall Street Journal, June 1, 2014
7/5/14 CRESSE 2014 8
• the number of factory jobs has
started to rise after plunging for
decades, edging up by about
600,000 over the past four
years to more than 12 million…
• Boston Consulting Group
estimates that China's overall
manufacturing-‐cost advantage
has shrunk to just 4%.…
• companies' desire to produce
goods closer to their
customers…
• Will “re-‐shoring” of manufacturing emphasize
outsourcing or vertical integration?
• How does cybersecurity matter?
7/5/14 MaCCI 2014 9
• Does competition over ideas (as well as prices)
encourage vertical integration?
• Do cybersecurity concerns give new
encouragement to vertical integration?
• Do vertical mergers motivated by cybersecurity
raise competition policy concerns?
7/5/14 MaCCI 2014 10
• Does competition over ideas (as well as prices)
encourage vertical integration? NO
• Do cybersecurity concerns give new
encouragement to vertical integration? YES
• Does vertical integration motivated by
cybersecurity raise competition policy concerns?
TO THE CONTRARY
7/5/14 MaCCI 2014 11
Outline
I. Security interdependence • Riordan (2014) “Notes on Partnership Security,” preliminary draft
II. Vertical integration vs. outsourcing • Loertscher and Riordan (2014), “Oursourcing, Vertical Integration, and
Cost Reduction,” preliminary draft.
III. Industrial organization and competition policy implications • Allain, Chambolle & Rey (2011), “Vertical Integration, Information, and
Foreclosure,” working paper.
7/5/14 CRESSE 2014 12
Part I: Security interdependence
Model Elements • Firms have heterogeneous incentives to take precautions.
• Firms face security risks both from direct attacks and from indirect attacks via business partners.
• More difficult to protect against indirect attacks.
• There is a positive externality of security investments.
7/5/14 CRESSE 2014 13
Companies risking larger losses have an incentive for greater precautions.
x1 x2
α
α
15 7/5/14 CRESSE 2014
θ1
θ2
Simplifying assumptions:
• Composite security
yi = ϕxi with 0 ≤ ϕ ≤ 1 • Diminishing returns to investments
quadratic investment costs
θi not too large
• Well-‐behaved social welfare function
7/5/14 CRESSE 2014 17
Results about cybersecurity:
• Strategic dependence: Best responses curves might slope either upward or downward, depending vulnerability to indirect attacks and the magnitude of expected losses.
• Equilibrium extenalities: There is a unique equilibrium at the intersection of the best response curves.
– If investments are strategic complements, then investments providing less than complete security are deficient relative to the social optimum.
– If investments are strategic substitutes for Firm 1, and expected losses are sufficiently asymmetric, then Firm 1’s investment may be above the socially optimal level.
7/5/14 CRESSE 2014 18
7/5/14 CRESSE 2014 19
Best Responses
Social Best Responses
0.2 0.4 0.6 0.8 1.0
0.2
0.4
0.6
0.8
1.0
Firm 2 Precautions
Firm1Precautions
Strategic Complements Case:Ha=0.9, b=0.6, f=0.4, c=0.1, q1=0.5, q2=0.6L
Part II: Vertical integration vs. outsourcing
Model Elements • Vertical integration occurs in a multilateral supply setting, in
which potential suppliers invest in cost-‐reduction and compete on price.
• Vertical integration creates a preferred supplier.
• A vertically-‐integrated firm sources internally whenever it is cost-‐effective to do so, but cannot control the investment of independent suppliers.
• By distorting sourcing in favor of internal supply, vertical integration creates a tradeoff between avoiding markups and discouraging the investments of independent suppliers.
7/5/14 MaCCI 2014 20
Timing of decisions
Customer
v
Supplier 1
Ψ(x1)
c1~ F(c,x1)
B(c1) or c1
Supplier 2
Ψ(x2)
c2~ F(c,x2)
B(c2)
…. Supplier n
Ψ(xn)
cn~ F(c,xn)
B(cn)
7/5/14 CRESSE 2014 21
Simplifying assumptions:
• Inelastic demand
v = ∞
• Constant marginal cost of design effort
Ψ(x) = ½ x2
• Design effort shifts mean of cost distribution
G(c+x)
• Exponential cost distribution
G(c) = 1-‐ e-‐μ(c-‐β)
7/5/14 CRESSE 2014 22
Results about vertical integration:
• Efficient symmetric equilibrium investments if cost variance is sufficient.
• Vertical integration distorts the sourcing decision and reallocates investments in favor of internal supply.
• Vertical integration is disfavored if there is sufficient upstream competition. – Not too much cost variance
– Sufficient number of potential suppliers
7/5/14 CRESSE 2014 23
Vertical divestiture is profitable if there is enough upstream competition.
7/5/14 CRESSE 2014 24
0.2 0.4 0.6 0.8 1.0
-0.02
-0.01
0.00
0.01
0.02 Procurement cost under vertical integration + Investment cost of integrated supplier + Acquisition price of integrated supplier -‐ Procurement cost under outsourcing
n = 12
n =6
n = 8 n = 10
μ
Part III: Industrial organization implications
Interdependent cybersecurity encourages vertical integration • A vertically integrated firm internalizes the positive externality
of improved security.
• There also may be economies of scope in security.
– A vertically integrated firm exploiting economies of scope might become more vulnerable to attack.
– Still, positive net benefits of internalizing the externality should prevail if selective intervention is possible.
7/5/14 CRESSE 2014 25
Competition policy implications
7/5/14 CRESSE 2014 26
D1 D2
U1 U2
Cf. Allain, Chambolle, and Rey (2011), “Vertical integration, Information, and Foreclosure”
Vertically integrated supplier has poor incentive to prevent internal information leakage, which raises rivals costs.
External cyber-‐espionage threats raise additional security concerns.
7/5/14 CRESSE 2014 27
D1 D2 D3
U1 U2
Improved cybersecurity as an efficiency defense
• Better incentives for security against external threats could outweigh concerns about internal information leakage.
• Economies of scope in the provision of security could improve safeguards against internal breaches: – more effective firewalls; – better access control; – improved monitoring and forensics.
7/5/14 CRESSE 2014 28
Conclusions
• Suppliers compete on ideas as well as price.
• Markup avoidance incentives for vertical integration are counterweighed by an investment discouragement effect.
• Vertical integration internalizes positive externalities in the provision of cybersecurity.
• Improved cybersecurity is a ready-‐made efficiency defense against alleged input foreclosure from a vertical merger.
7/5/14 CRESSE 2014 29
Other Competition Policy Issues
• Collaborations between competitors
• Horizontal mergers
7/5/14 CRESSE 2014 30