Bio

David Rice is an internationally recognized information security professional and an accomplished educator and visionary. For a decade he has advised, counseled, and defended global IT networks for government and private industry.

David has been awarded by the U.S. Department of Defense for “significant contributions” advancing security of critical national infrastructure and global networks. Additionally, David has authored numerous IT security courses and publications, teaches for the prestigious SANS Institute, and has served as adjunct faculty at James Madison University. He is a frequent speaker at information security conferences and currently Director of The Monterey Group.

The views and opinions expressed are those of the author and do not reflect the official policy, position, or recommendations of the author's affiliations, partners, employers, or clients.

July 10, 2009

No Incentive, No Security

Chris Wysopal's recent blog post, which is excellent by the way (Nation State Cyberwarfare Reality Check), elicited the following response over at innismir.net (part of Chris's post is included to maintain context): 

[Chris]: It is time to stop thinking about computer security as a castle wall and moat problem and to start looking at it as an ecosystem problem. We can’t secure our networks or those of our allies by building bigger walls any more than the President of the United States can keep our air clean for government workers by enacting tougher emission standards for US government vehicles. It is a global problem that requires a global solution.

There has been no global cooperation to date to help the average computer user keep his or her computer secure. Yet we talk about keeping car emissions down. But the effect of both is similar. In a shared environment, be it the water and air or an information infrastructure, each individual user contributes to the health of the system.

[innismir]: I think the analogy he uses is great, but not for the reason he uses it for. We talk a lot about “keeping emissions down” and the government pushes lofty goals about reducing so-called “carbon footprints”, but the main reason we don’t see everyone driving subcompacts that get 35 miles per gallon is because very few people want them. The public, as a whole, wants their 6000 SUX that looks dead sexy and has a top speed of $BIGNUM MPH. 8.2MPG? Runs on baby seal blood? Who cares?

This is a good exchange, and I couldn't resist weighing in on it because it touches on something close to my heart: economic incentives. Innismir is correct insofar as people opt not to drive sub-compacts because they "want" something else: buyers want much bigger vehicles. This is, in fact, what markets do: they give us what we want, not necessarily what we need.

But people's "wants" do not exist in a vacuum. The "wants" live within an incentives framework that either promotes or inhibits certain behaviors. In fact, because of relatively low U.S. gas prices (in comparison with the UK, for instance) and tax incentives for purchasing trucks or SUVs over a certain weight, the "want" of a big vehicle is promoted in the U.S. while inhibiting the "need" for low-emissions subcompacts.

In other words, it makes more sense from a buyer's perspective in the US to buy a bigger vehicle because the incentive structure rewards that behavior. If gas prices were allowed to rise to $10/gallon and a broader tax burden was placed on all non-subcompacts (much like the gas-guzzler tax on the Hummer, only more general), the incentive to "buy big" would gradually ebb. So the "want" for a big vehicle would be partially transformed into a new "want" for smaller, more fuel-efficient cars (so long as people felt they were better off for buying the smaller car). And it just so happens this "want" would be more aligned with the "need" for reducing the social and environmental costs (known as negative externalities) of car ownership.

Of course, I've ignored cultural propensities (the U.S. loves cars) and safety considerations (people believe bigger cars are safer even though data shows otherwise), but these too act as incentives which promote or inhibit certain purchasing behaviors. I've just chosen not to discuss these in detail.

In the context of software then, there is no incentive for software manufacturers to reduce "vulnerability emissions," nor is there an incentive for buyers to avoid purchasing software with plenty of bugs and defects. Buyers want "big" software; that is, software with a bevy of features even though this dramatically increases the likelihood of latent defects and vulnerabilities. Because of this demand for "big" software, software manufacturers are happy to supply it. There is no incentive to do otherwise.

So demanding that software manufacturers make "smaller" software would be as silly as demanding car manufacturers make smaller cars if the incentives framework has not been altered to promote such behavior.

Chris and I are like-minded when it comes to the issue of insecure software. We need strong emissions standards against vulnerability emissions and those with the largest GDP will have the greatest impact. For instance, my home state of California has some of the most stringent emissions standards in the world for vehicles. It's a "local" requirement that has global impact primarily because of the power of the California consumer (and the fact that even with our heads screwed on backwards due to our budget fiasco, we're still the 8th largest GDP in the world).  GDP matters. Imagine if California enacted a similar emissions requirement regarding vulnerability emissions in software? Oh, I know the details of such a requirement are messy, but what I'm focusing on here is the incentive. Without leveraging the buying power of consumers, and without properly aligning the incentives in the market, we won't get the security we need nor attain the global impact we desire.

That's something to think about...

July 08, 2009

Geekonomics Keynote: GOVCERT.NL Symposium 2008

David Rice at GOVCERT.NL 2008: Geekonomics - incentives for sustainable cybersecurity from GOVCERT.NL on Vimeo.

Google: Jumping the Shark

Yesterday, Google announced its plans to release its own operating system, named Chrome. Based on this action, it is safe to say that Google has lost its way as a company. Rather than signaling itself as a frenetic innovator, the introduction of a Google OS is tantamount to a cake-handed reach for whatever the company doesn’t do at this point. The most innovative thing about Google right now is that its name does not spell M-I-C-R-O-S-O-F-T. Google is trying to be everything for everyone…and therein lies its glaring lack of leadership. Do we really need another operating system with all its requisite care and feeding?

For all the company’s exposition about cloud computing and on-demand applications, a Google OS at this point in time is the sign of a wildly successful internet company flailing wildly. YouTube, a recent acquisition by Google, has an estimated burn rate of over $1.2 million per day. Shareholders should be sickened by this, but are not. One could only imagine the burn rate of a major, enterprise-ready operating system (assuming the Google OS is offered free, which is likely). Yet, Google's pronouncement is met with such hype (“Google drops a nuclear bomb on Microsoft”, and “Clash of the Titans”) it’s obvious that Google is not the only one that has lost its way; so have we.

No doubt Google’s OS will be shiny, sexy, embedded with all sorts of stuff we really don’t need, and loaded with incredibly innovative solutions for no recognizable problems. Chrome, Google’s recently introduced internet browser, is entirely underwhelming, with its most remarkable “innovation” being automatic patching updates every 5 hours. This hardly bodes well for a Google operating system.

Google should not name its OS “Chrome.” A better name might be "Fonzie."

June 23, 2009

Three Key Items for the Cybersecurity Coordinator

As we await selection of the Cybersecurity Coordinator, I've had time to ruminate on what I hope he/she would focus upon. The following are what I believe should be top-of-mind for the new Cybersecurity Coordinator:

1. Focus on market incentives. There should not only be incentives for protecting customer data (we've beat that dead horse long enough), but also incentives for software manufacturers to end their long-standing practice of unrestrained vulnerability dumping onto downstream market participants. Incentivize the creation of secure software through a customer-centric signaling mechanism similar to other labeling regimes such as auto-safety, fuel-efficiency, energy-efficiency, etc. If the market cannot "see" security, the market cannot effectively price or supply security.  Government acquisition dollars are simply not enough in this situation. Without using the lever of private consumption, which dwarfs government spending by a factor of 5 to 1, the U.S. response in cyberspace will be flaccid and half-baked.

2. Make cyber security a public safety issue. Cybersecurity should be less a law-and-order problem and more a public safety issue. It is tempting and comforting to think that law enforcement (or even the military) can address malicious behavior on the Internet. It can to a degree, but not nearly to a level sufficient to disincentivize cyber criminals on a broad scale. Software "runs" our lives. As such, software must be suitable to the task and not endanger citizens through insufficient security design and implementation. A public-safety perspective allows us to focus on incentivizing the few thousand software executives we know by name to make better software rather than on disincentivizing the untold numbers of anonymous attackers located around the globe.

3. Be wary of unintended consequences. As bad as our national cybersecurity might be to date, it can actually get a lot worse if we fail to consider the outcomes. The Payment Card Industry (PCI) standard is but one example of making cybersecurity worse, not better. Prescriptive mandates such as these create an incentive to "race to the bottom" where organizations seek the quickest, least expensive method of becoming compliant. Compliance does not equal security. In other words, prescriptive mandates create the unintended consequence of actually worsening security by nature of the incentive to cut corners and costs; to fill a checkbox rather than confront risk. Prescriptive mandates do not allow the market to aspire to higher security, only burden it further with complexity and expense. The new cybersecurity coordinator should focus on results and desired outcomes rather than on specific controls, rules, or mandates. These are all lagging indicators of risk and are not forward focused. Focus on results and outcomes and let the market figure out the best way to achieve them.

June 01, 2009

President Obama's Speech on Cybersecurity

Excerpts from the speech:

THE PRESIDENT: We meet today at a transformational moment -- a moment in history when our interconnected world presents us, at once, with great promise but also great peril...cyberspace -- is a world that we depend on every single day.  It's our hardware and our software, our desktops and laptops and cell phones and Blackberries that have become woven into every aspect of our lives... cyberspace is real.  And so are the risks that come with it.

It's the great irony of our Information Age -- the very technologies that empower us to create and to build also empower those who would disrupt and destroy.  And this paradox -- seen and unseen -- is something that we experience every day...It's been estimated that last year alone cyber criminals stole intellectual property from businesses worldwide worth up to $1 trillion.

In short, America's economic prosperity in the 21st century will depend on cybersecurity.

Amen, and amen.

Full text of the speech is at: REMARKS BY THE PRESIDENT ON SECURING OUR NATION'S CYBER INFRASTRUCTURE

Video is at: President Obama on Cybersecurity

May 27, 2009

AUSCERT 2009: Closing Plenary

Patrick Gray over at Risky.Biz recorded my closing plenary at AUSCERT 2009 (duration: ~40 minutes).

To quote:

The following is a recording of David Rice's talk at AusCERT's 2009 conference. David is a sensational public speaker. Risky.Biz actually podcasted his keynote from the GovCERT conference in the Netherlands last year...Enjoy!

RB2: AusCERT podcast: David Rice on customer centric signalling

Go directly to audio mp3.

May 26, 2009

Apple: A Call for Investigation

Ira Winkler posted a pointed and thoughtful article on ComputerWorld:

It's time for the FTC to investigate Mac security

To quote:

...Apple gives people the false impression that they don't have to worry about security if they use a Mac. And perhaps because the company is invested in fostering that impression, Apple is grossly negligent in fixing problems. The proof-of-concept code [mentioned earlier in the article] is proof that Apple has not provided a fix for a vulnerability that was identified six months ago. There is no excuse for that.

Apple has exuberantly criticized Microsoft for the security vulnerabilities of its products. The fact is, though, that that criticism is grossly misplaced. For its part, Microsoft has been extremely disciplined in ignoring Apple's advertisements.

The current Mac commercials specifically imply that Windows PCs are vulnerable to viruses and Macs are not. I can't disagree that PCs are frequent victims of viruses and other attacks, but so are Macs. In fact, the first viruses targeted Macs. Apple itself recommended in December 2008 that users buy antivirus software. It quickly recanted that statement, though, presumably for marketing purposes.

It certainly could not have been for real security reasons. A ZDNet summary of 2007 vulnerabilities showed that there were five times more vulnerabilities for Mac OS than for all types of Windows PC operating systems.

How can Apple get away with this blatant disregard for security? I have come to the conclusion that ...the FTC must investigate Apple's advertising claims with regard to security...

Please read the full article.

May 18, 2009

FDCC: Put Your Party Hats Away

I know many in the security community seem to be in a state of immaculate rapture about the Federal Desktop Core Configuration (FDCC), a standard configuration of 300 security-related computer settings for Microsoft Windows XP and Vista, especially since Bruce Schneier actually brought attention to it in his May 6 blog post. And for good reason.

The argument is that, by and through the leverage of U.S. government buying power (Microsoft must ship this configuration to Federal Agencies in order to comply with federal purchasing requirements) cyber security will be positively influenced. Government computer systems will be better (and more consistently) protected, and because the configuration standard is free and publicly available, private sector organizations might also benefit.

Anyone employing this standard, especially Federal Agencies, is likely to save a significant amount of money (some estimates place savings at $100 million or more). Standardized systems are easier to manage and patch, and thus easier and less expensive to protect. To a degree this is all true and accurate. It seems hard to argue against the federal government positively influencing cyber security via its buying power because, gosh, the federal government has just so much damn money. While Federal buyer power is indeed important, it is not nearly as important – or influential – as some seem to assume.

Simply put, if federal purchasing power was not enough to significantly alter safety in the auto market, or toxins in the agricultural market, or pollution in the industrial market, or efficiency in the energy market, then federal buying power is not likely going to be sufficient to influence cyber security in any significant manner either.

The reasoning is simple.

U.S. Government buyer power represents 19.9% of U.S. GDP (in 2008). This is actually quite small given the immensity of the U.S. Government (Canada's governmental expenditure as a percentage of GDP is 48%, and it is barely half the size of the U.S. government). Even if one references earlier times in the 1950s and 1960s when U.S. Government spending was upwards of 25%...this amount was still not enough to influence auto manufacturers to make safer cars; this despite $329 billion of government spending on constructing safer highways and multiple large-scale buying contracts between government and auto manufacturers to make safer cars for government employees. In the end, auto manufacturers were still producing deadly cars.

So even at 25% GDP, U.S. government buyer power was insufficient to compel auto manufacturers to make safer cars on a large enough scale to stop the carnage that was occurring on U.S. highways (no matter how safe those “networks” were designed under the new Interstate system). Even government expenditures of 43% GDP, which is the Australian government’s yearly expenditure, were insufficient to positively influence auto manufacturers selling in that country. Instead, the Australian government too had to resort to a 5-star, consumer-oriented safety rating system similar to the one employed by the NHTSA in the United States.

Why the failure of government spending to influence markets?

Government expenditure in many respects simply cannot compare to the influence of private consumption – the power of the everyday consumer. In the US, this power is substantial. Private consumption represents 70% of US GDP. In the EU, private consumption accounts for 60% of EU GDP.

In short, expecting too much from government spending power is a mistake, especially in cyber security. It is a dangerous philosophical cul-de-sac in which too much trust and hope can lead to national disaster. Government buying power simply cannot compare to the raw influence of private consumption. The consumer needs to be brought into the battle of cyber security by leveraging their buying power to influence software manufacturers to make better, more secure software. Doing that requires a consumer-centric signaling mechanism.

My favorite to reference is the NHTSA 5-star rating system, but one could choose from similar labeling regimes for energy efficiency, fuel efficiency, or even organic food. It doesn’t matter. Labels coordinate and inform consumers on a scale not possible through private contracts, individual initiatives, or coordinated attempts by sectors, industries, or governments. We need a consumer-centric labeling regime for software security. A labeling regime, no matter how imperfect it might be, is an important and necessary component for national and economic security in a software-driven civilization.

Government spending will not be enough for cyber security because the breadth and depth of the problem is so immense…larger than anything we’ve ever faced. Government spending will certainly affect some positive change, to be sure, but not nearly as much as we need, or hope for.

May 15, 2009

Apple: Pragmatism Should Trump Romanticism

Two recent posts on Apple security deserve attention:

To quote the first article (Feeling the Pinch):

...Apple has long encouraged a mythological image of perfection by presenting products as self-contained black boxes that should be, as much as possible, wholly a product of Apple. But the image has been cracking of late, and the company’s own actions show tacit, if not explicit, acknowledgment.

When it comes to security, Apple certainly has its defenders who largely argue for the company’s effectiveness by pointing to what hasn’t happened. For example, I recently had an email exchange with a technology journalist who has never had a security problem with Macs. However, up to that point, he had also never used antivirus software on his system. Nothing showed up when he finally did, but I saw this as an example of selective attention. That feature is a big one among a class of Apple loyalists (and I’m not putting said unnamed journalist into this camp) that I call Defenders of the One True Technology, or DOTTies — a term hardly limited to Apple-devotees.

But even if the Apple DOTTies are reluctant to look at external evidence, they might pay attention to Apple’s recent activities. A big one earlier this week was Apple Patch Day, which included 67 Mac OS X and Safari vulnerabilities...[and hired] Ivan Krstic, a big name in security who developed the Bitfrost system at age 21.

Apple recognizes its own security weaknesses, even if the DOTTies don’t. ...Apple knows it needs more attention to security as it gains market share in various areas, even if it won’t [publicly] say so. Apple will just buy some company or product, incorporate it, and pretend that it was there all the time.

To quote the second article (Prediction):

Within the next 18 months, Apple will begin recommending that Macintosh users install Internet security software on all systems...Now I realize that this statement is blasphemy to dedicated Mac users, so let me start with a few qualifying statements. I am not comparing Mac OS with Windows, or Apple with Microsoft, and my prediction should not be interpreted as an attack on Apple, its developers, or the security of its code.

The truth is that all sophisticated software contains vulnerabilities and Mac-based malicious code is nothing new...The company and Macintosh users should not fight this trend--doing so would only increase risk and help cybercriminals.

Senior citizens often hark back to a time when people left their house unlocked and left their car keys in the ignition. Now they lock their doors for safety. Apple, along with Mac users, should prepare for a similar transition. Given the state of cybersecurity today, pragmatism should trump romanticism.

Well stated.

Now, if only Apple could make security as sexy and sleek as their products...that would be innovative.

April 27, 2009

U.S. Cyber Consequences Unit Names David Rice Consulting Director for Policy Reform

For Immediate Release

Monterey, CA - April 2009 - The U.S. Cyber Consequences Unit (US-CCU) named David Rice Consulting Director for Policy Reform. Mr. Rice, an internationally-recognized cyber security expert, brings to the position a decade of experience as an advisor to commercial sector leaders and securing critical government and military networks. Mr. Rice is one of the key figures shaping current discussions of public policies involving cyber security and is fluent in the technical and policy issues facing U.S. and American interests. His 2008 critically acclaimed book "Geekonomics: The Real Cost of Insecure Software" is highly influential and informs decision makers worldwide.

Scott Borg, Director and Chief Economist of US-CCU, says, “David Rice’s ability to combine a deep understanding of security technology with a wide-ranging grasp of the economic and policy dimensions makes him a terrific addition to the US-CCU team. What’s more, David is willing to argue the other side in debates with US-CCU heavyweights, like Warren Axelrod and John Bumgarner. This takes an enormous amount of self-assurance as well as a nimble mind. David will be immensely valuable in helping the US-CCU to explore all aspects of the emerging cyber-security issues.”

The US-CCU, a non-profit research institute, provides reports and briefings about the strategic and economic consequences of possible cyber-attacks and cyber-assisted physical attacks directly to the U.S. government, all critical infrastructure industries, and, limited only by security considerations, the public. Mr. Rice's research and participation in national level policy discussions regarding the risk and implications of cyber security will contribute to the U.S. Cyber Consequences Unit's efforts and further development of U.S. national cyber policy.

For more information please visit http://www.usccu.us/.