Should an Internet Tax Pay for Cybersecurity?

This week, Microsoft's Vice President of Trustworthy Computing, Scott Charney, argued that an Internet tax may be a good solution for paying for cybersecurity. Since then, net neutrality advocates and Microsoft critics have called this a terrible idea. They argue that software designers themselves should pay for their own security measures and worry such a tax would reduce Internet usage, and consequently, information availability. I don't think that an Internet tax is quite as insane an idea as opponents would suggest, however. It could work.

First, the problem is worth explaining. Economics would consider cybersecurity a "public good." That means its consumption does not reduce its availability to others and no one would be excluded from enjoying it. One obvious similar example would be national security. All citizens enjoy its benefits without reducing its availability.

How do we pay for national security? Through taxes. The problem with public goods is that there isn't really a market for them. Since everyone benefits from their existence, no particular consumers are willing to buy them. As a result, no producers would be able to create a profitable business selling them. That's why the government often steps in to create this market: if they force all people to pay a share, then the market can exist.

In a similar way, the government could create a tax for cybersecurity. A general tax would be another option to consider, if people are worried about the disincentive from using the Internet created by a tax specific to its usage. Yet, shouldn't taxes be aligned to benefit? Let's say there's an Amish person who does not use the Internet. Why should he pay the tax so that those who do use the Internet to benefit? Moreover, if I use the Internet more than the average person, shouldn't I pay more for the security I get? The probability of identity theft or virus infection increases through accessing more websites and making more online purchases.

So criticisms like this (from a discussion in Computer World) don't make much sense to me:

"The idea of a general Net tax is a horrible idea," said John Pescatore, Gartner's security analyst. "Why not a tax on all retail goods for a standard antishoplifting service all merchants would have to use?"

This analogy is a little strange, since with cybersecurity the users benefit, not the web sites or software companies, while with shoplifting the merchants get the benefit, not the customers. So let me try to think of a better example where those paying for the tax actually benefit. How's this: why not tax all airline tickets to pay for a minimum standard security service all airports would have to use?

In fact, this is exactly what we have today. It's called the September 11 Security Fee. That was instituted to pay for the ramped up airport security measures in response to the terrorist attacks. It consists of $2.50 per flight. In this case, others may also benefit from the security, like those working in buildings that now won't be flown into by terrorists. But (assuming the security measures actually work) the benefit to fliers is particularly clear and direct. Moreover, these fees were created to only cover airport-specific expenditures. The U.S. government obviously does a lot more homeland security than just hiring TSA workers and buying x-ray machines. The other stuff is paid through general tax revenue.

Most opponents of a tax would say that software companies should be responsible for paying, since it's their responsibility to develop a safe product. Indeed, some criticize Microsoft for advocating a tax as an excuse to spend less of their own money developing safer software. But it really doesn't matter: if software designers pay, then they'll just pass that cost to consumers anyway.

Yet, a tax would ensure that consumers don't suffer from software companies who are tempted to cut corners and spend less on cybersecurity than they should, so to sell a cheaper product. Sure, it will make Internet usage more expensive, but it should. Those who benefit from this cybersecurutiy should be responsible for its price tag.