Coercion in cybersecurity: What public health models reveal.

Insights from public health theory and practice have been put forward as elements of doctrine to inform theory and policy frameworks for cybersecurity. Analogies between public health and cybersecurity are superficially appealing but fail on closer examination in two distinct ways: the "publicness" of the goods in question, and the readiness of the relevant actors and institutions to exert and accept coercive authority. This article assesses the analogy in depth, starting with a review of foundational arguments from public goods theory. I demonstrate how policy choices not technological ground truths have configured many cybersecurity "goods" or goals as public goods. I then assess the public goods provision problem in context by examining the history of important public health challenges and responses. I argue that this framing presents difficult choices regarding the use of coercive power to supply public goods. These are choices that public health officials have largely settled, but that internet society and the technology community have not because the requirements are counter-cultural to basic mindsets in those communities. Pushing past cultural resistance around the idea of "coercion in the interests of security" does not fully determine any specific cybersecurity policy outcome, but it does force a more straightforward assessment of what tradeoffs are at stake. The level of coercion that public policy will have to grapple with for cybersecurity goals is higher than generally understood.