In my previous post, I discussed the first of five discussion points related to Stuart Hart’s book Capitalism at the Crossroads. The first discussion point was:
Pollution was assumed to be part of the industrialization process
To summarize, Mr. Hart argues that, until the 1970s, American society as a whole tolerated pollution as an inevitable part of industrial progress, and that the stink and grime created by industry was interpreted by many as “the smell of money,” rather than understood for what it actually was: the smell of waste and poor management.
I argued that cyber space is currently in the same predicament. The tribulations created by poorly written, insecure software are tolerated by hundreds of millions of computer users and are largely understood to be “just the way it is” with technology. Bugs, even serious vulnerabilities, are considered inevitable, just as industrial pollution was once thought to be inevitable. Jokes about bad software are legion (see Barry Schuler and The Colbert Report), but the consequences of bad software are quite dire. The “stink” in cyber space created by bug-riddled software is not the smell of progress or technological evolution but, to borrow from Hart, the smell of waste and poor management on the part of software manufacturers.
Which brings the discussion to the second point on our list:
Too often, command-and-control regulations prescribed specific treatment technologies without regard to their efficiency or cost-effectiveness.
In our panic to forestall the bloodletting of U.S. computer systems, command-and-control style requirements have been placed on computer system owners that prescribe specific treatment technologies (such as firewalls, anti-virus, intrusion detection systems, desktop configurations, etc.) while omitting any requirement for software manufacturers to reduce vulnerability emissions. Worse, there seems to be no serious thought given to the efficiency or cost-effectiveness of these specific treatments:
- Anti-virus by itself may be inexpensive, but 80% of new threats go undetected by current anti-virus technologies. There is a reason why anti-virus is cheap (and, some say, “dead”).
- Line-speed firewalls can be had for less than $5,000 USD, but firewalls are now all but transparent to attacker traffic. Firewalls merely represent a pallid boundary separating the people we can catch (the employee “insider”) from everyone else we will most likely never catch (any remote attacker).
- Desktop configurations are relatively inexpensive to produce organically compared to other security technologies, but they are difficult to maintain for any extended period of time and can be considered uncomfortably brittle in real-world environments. Configuration mandates also create a perverse incentive for software manufacturers: the more configurable a product is made, the more potential liability is shifted away from the manufacturer and onto the customer. As configurability increases, the likelihood that a configuration will be, and will remain, consistent dramatically decreases.
- Penetration testing is a popular and recommended practice that gives a snapshot of network and system vulnerabilities. It is also arguably the least effective of all security practices, because a constant stream of new vulnerabilities is supplied by software manufacturers on a daily basis. The relevance of a penetration test goes to zero within hours of completion.
In aggregate, the expense and effort of deploying robust security architecture is overwhelming for many, if not all, organizations. Given the cyber security trend information (which shows quite clearly we have a disaster on our hands), one could strongly argue the current approach to cyber security as a whole is sorely misguided and deals mainly with pollution “at the end of the pipe” of the software manufacturing process.
As Mr. Hart observes:
By the late 1980s, it had become clear that preventing pollution and other negative impacts was usually a much cheaper and more effective approach than trying to clean up the mess after it had already been made.
It appears the current US approach in cyber space has not applied this lesson. Instead of preventing the pollution of bad software at the source, the U.S. is trying to clean up the mess after it has already been made…at tremendous expense and questionable effectiveness. Such a reactive posture on the part of the U.S. dooms computer system owners (i.e., every organization not stuck in the Stone Age) to potentially decades of onerous regulations that treat the symptoms of bad software rather than bad software itself.
Unfortunately, pollution-control solutions like firewalls, anti-virus, etc., can never improve efficiency or produce revenue for organizations; they can only add cost. This added cost acts as a disincentive for computer system owners to deploy as many security products as cyber security experts would like (or regulations require). Compliance mandates (whether PCI, HIPAA or any of the other flavors) are often perceived by organizations as risks in and of themselves, to be managed separately from concerns about “security.” Most obvious, however, is that mandating these pollution-control devices does little to actually remove bad software from the environment; it only obscures its prevalence. Adding to the mess, software manufacturers do not pay the costs of their behavior (releasing vulnerabilities into the environment), so there is very little reduction in total vulnerability emissions.
The situation then, is bleak:
- Computer system owners are faced with the unsustainable costs of widely deploying pollution-control devices, and are burdened with unrealistic expectations about the likelihood of success in doing so.
- Software manufacturers as a whole are not confronted with incentives to reduce vulnerability emissions.
- The “stink” gets worse.
An adjustment is clearly needed. Preventing vulnerability emissions at the source is critical to changing the game, not mandating upon the general populace wider, deeper, and more articulated deployments of pollution control devices and/or practices. Preventing vulnerability emissions at the source is a promising path simply because we haven’t tried it. But it is more than that. The prevention approach has worked in almost every field where it has been engaged. In contrast, dealing with issues “at the end of the pipe” has repeatedly led to failure as Mr. Hart's book chronicles. It is difficult to imagine how this approach might somehow magically work for cyber security.
It is also difficult to imagine why so many sneer at the concept of regulating the software market directly when regulation is so readily and, some might say, gleefully applied to computer system owners. New audit checklists, and the potential to enforce them, are celebrated with wild exuberance by the cyber security community...but to what end? Is the core issue that we really just need to re-work our security checklists and how strictly and on whom they are enforced? Worse, the type of regulation applied to computer system owners is exactly the kind of regulation everyone says they prefer not to have: prescriptive, command-and-control regulation.
The dissonance is almost deafening.
In the next post, I will discuss in more detail what “good” regulation might look like for the software market and address our third discussion point:
[Manufacturers] attitude tended to be reactive – they would do only the bare minimum necessary to avoid legal sanction.
Till next time…
Sounds like the cyber world is degenerating just like that of the environment:
http://photopol.blogspot.com/2007/10/upsidedown-world.html
Posted by: Póló | March 16, 2009 at 04:47 PM