What a Tailor Can Teach Us About Insecure Software
Insecure software, and indeed the security products we use to protect software from exploitation, hurt our economic progress. Not only does it hurt the economic progress of the United States, but the rest of the world as well. This might sound nonsensical and hyperbolic at first. It is not. It is simple economics.
In Geekonomics, I argue that software vulnerabilities are the broken windows of cyberspace. Broken windows are significant in the eyes of criminologists. A broken window, if left unrepaired, sends a message of disorder into the community. This message of disorder invites greater elements of disorder and can, in the end, invite more serious forms of crime. As such, neighborhood decline is less a function of financial misfortune or poverty, and more a function of inattention and sloppiness. Even poor neighborhoods, if the community is attentive, can experience a lower incidence of crime than neighborhoods that are less attentive.
Software creates the global neighborhood of cyberspace. Small elements of disorder in software (like software bugs), lead to greater elements of disorder (like exploitation of vulnerabilities), which ultimately lead to more serious forms of crime (like cyber crime and cyber espionage). Historically, software manufacturers have not been liable for broken windows (software defects) even though software applications have been, and are continually shipped with an unknown number of latent and preventable weaknesses. Software does not “break” in use as do physical products. Software is shipped by the manufacturer already broken (with the extent of the “brokenness” discovered at some later unknown time).
In other words, software buyers, far from purchasing the equivalent of a shiny new home, are in fact purchasing a fixer-upper where the number of broken windows in the new home is unknown both to the buyer and the manufacturer. In the story of software, our computers are broken even before we purchase them. We are buying into disorder and thus creating more of it. Aggressively patching software weaknesses does not inhibit the message of disorder in any meaningful way because software manufacturers release a continuously new stream of preventable software defects into the global stream of commerce almost on a daily basis. This is a shame. It is also far from the entire story.
Broken windows are also significant in the eyes of economists, if not more so. As I argue in this article, insecure software, and indeed the security products we use to protect insecure software from exploitation, hurt our economic progress. Not only does it hurt the economic progress of the United States, but the rest of the world as well.
By way of explanation, let me share a short story:
One day in a small village, a teenager throws a rock through the window of a local bakery and runs off before anyone can catch him. The shopkeeper comes storming out, furious at the vandalism. His yelling attracts the attention of his fellow villagers, who at first are as displeased as the shopkeeper at the event. After everyone has calmed down a bit, the more optimistic among the villagers remind everyone that this event, in a way, has an upside. If it were not for broken windows, the glass maker in the local village would not be necessary. After all, if broken windows never occurred, who would remain in the glass business? This event makes business for the glass maker. If a new window costs $100, the baker must pay the glass maker exactly that amount to get the window fixed. This in turn means the glass maker has $100 to spend on other items with other merchants, thus those merchants have money to spend on yet more items with yet more merchants, and so on and so on. In fact, the broken window has a cascading effect that benefits the whole village. While the crowd remains largely displeased over the teenager’s actions, it may be, the villagers reluctantly conclude, that the teenager has created some good. If this were the villagers’ reasoning, they might come to see the teenager as a benefactor, as opposed to a public nuisance.
This story may be a tad simplistic, but it has a point. Economists like stories such as this because what a story may lack in complicated detail, the story more than makes up for in illumination.
The reasoning of the villagers in this story is the same erroneous reasoning applied to natural disasters such as Hurricane Andrew. In essence, this line of reasoning concludes that disaster actually benefits the economy. Disaster is not necessarily understood as a nuisance. The more optimistic among the population try to look for some good out of the event and conclude that the extra spending because of the disaster actually benefits somebody and is thus good for the economy.
The massive destruction of Hurricane Andrew meant thousands upon thousands of homes needed to be repaired or rebuilt, subsequently creating work for thousands of people and new invoices for thousands of replacement refrigerators, cars, windows, roofs, and so on. The additional purchasing and employment is thought to ultimately help the economy. Yet, like the village story above, this simply is not true. Let’s find out why.
The reasoning about the broken window in the village, or the massive destruction caused by Hurricane Andrew, is correct insofar that the event did in fact create more business. In the case of the village, the glass maker needed to make another window for which the baker was required to pay him. In the case of Andrew, builders needed to build or repair homes for which home owners were required to pay them. This much is obvious. What is less obvious is that victims in both cases will be out the money (either in direct payments or insurance premiums) they intended to spend on something else. This is bad.
In the case of the baker, he will be out $100 that perhaps he was hoping to spend on something else, such as a new suit. Instead of having an unbroken window and a new suit, the baker will now have a fixed window and no suit. Because the baker is a member of the village, the village has now lost a new suit that it would otherwise have, and therefore the village is just that much poorer.
What has happened here is not so much that the baker has paid the glass maker, but that the baker has not paid the tailor. The tailor, having no demand to make suits, does not make any. Something of additional value that could have been created is not. An opportunity is lost. Demand is foreclosed and need takes its place.
The suit the baker could have purchased now cannot be purchased because the $100 has gone to fix the broken window. In short, the glass maker’s gain of business is simply the tailor’s loss of business. Though a broken window has been fixed, no new benefit has been added to the village as a whole because the broken window has precluded the new suit.
If broken windows became common enough in the village, demand for new suits, or new washing machines, or new TVs will never arise. The money that could have been used to fulfill a demand has now been diverted to satisfy a need. The village will be just that much poorer.
The villagers, like the news media in the case of Hurricane Andrew, only see two parties in the transaction of the broken window, when in fact there are many more. The villagers only see the baker and the glass maker. The news media only sees home owners and builders. The villagers do not see the tailor because the tailor will now not enter the picture. The tailor is forgotten from the equation precisely because there will now be no demand for something he makes. The tailor is invisible but no less real.
As the message of Geekonomics attempts to convey, the real cost of something is not what we pay, but what we have to give up in order to get it. In the case of the baker, he had to give up a new suit to fix his window. He lost $100 as well as his new suit. As a result, the village is worse off. The victims of Hurricane Andrew are in the same position. Victims of Andrew are spending to reclaim what was lost, not purchasing new items in addition to what was already possessed. Victims now have a fixed house and no new suit, so to speak. In other words, the victims of Andrew were spending extravagantly just to run in place, not to create demand for new items of value. The “village” is worse off because of it.
Against this background, then, is the story of insecure software and the security products we purchase to protect insecure software from exploitation. As Geekonomics argues, software vulnerabilities are the broken windows of cyberspace. Vulnerabilities communicate an unmistakable message of disorder in the global digital neighborhood. This disorder imposes a significant cost in terms of cyber crime and cyber espionage; yet, this cost is only the tip of the iceberg.
Unlike the young teenager in the village story, cyber attackers do not break windows; attackers discover windows broken by the manufacturer. Once discovered, cyber attackers then use the defect to exploit the software and all the information it protects. In other words, cyber attackers do not throw rocks and thus create broken windows. Broken windows come with the product upon receipt.
Nonetheless, broken windows (software vulnerabilities) must be fixed, just like the baker must fix his broken window if he is to send a message of care and attention about his shop. Who likes to visit a run down bakery or any disheveled food establishment? But because a broken window must be fixed, something else must be given up to fix it.
Insecure software must be patched (or better yet, never produced in the first place). While the patch might be free, the process of patching is not. The greater the number of computers under your control, the more difficult it becomes to keep everything patched. Patching becomes quite expensive.
But insecure software must not only be religiously patched; it must also be protected from exploitation, because new, unknown vulnerabilities are discovered every day for which no patches might yet exist. In fact, software is full of latent defects. Neither you nor the manufacturer has any idea how many broken windows a given piece of software actually contains. Therefore, software must not only be patched, it must also be protected with a fantastical panoply of security products like intrusion detection, firewalls, anti-virus, and so on.
The $65 spent on a single instance of anti-virus, the $3000 spent on a network firewall, or the $254 per machine spent on patching software, means exactly that amount of money cannot be spent on something else. Software buyers, like survivors of Hurricane Andrew, or the village baker, are spending just to run in place. This is bad. And not entirely accurate.
In reality, software buyers are not running in place. Software manufacturers release a relentless stream of software defects into the global stream of commerce. Cyber crime and cyber espionage are increasing at astounding rates despite massive expenditures to forestall the increase. Software buyers are spending frantically only to lose ground. This is not only bad; this is disastrous.
When software buyers purchase insecure software and security products to protect insecure software from exploitation, other things of value will not be created because buyers no longer have the extra money to purchase them. Instead of having high-quality, secure software and a new suit, software buyers now have patched or protected software and no new suit, no new TV, no new DVD player, no new car, and so on. This makes the “global village” just that much poorer. Insecure software, and the security architectures we use to protect it, are far more expensive than we can ever imagine.
Just ask the tailor.