GEEKONOMICS

What Combating Obesity in the U.S. Can Teach Us About Software Assurance

A majority of Americans (an estimated 60 percent or more) are fat. Fully 30 percent are obese; that is, obese individuals are more than 30 percent heavier than what is considered healthy for a person’s ratio of height and weight.  In a recent article by the Wall Street Journal, Cost of Treating Obesity Soars, the estimated cost of treating obesity-related diseases such as cancer, diabetes, and stroke may be as high as $147 billion in 2008 alone. Ooomph.

Shows like Dance Your Ass Off and The Biggest Loser, are, pardon the metaphor, largely eye candy for television audiences; a saccharine representation of the plight of being fat and what you could do if only you too had a dedicated gym, personal trainer, and strictly controlled menus and workout regimes – many of the things most people, including the participants, lack in everyday life.  The high transactional cost of severe interventions makes for great TV, but is simply not sustainable outside the studio.

In light of the growing obesity problem, Thomas Frieden, the director for the Center for Disease Control (CDC) has set the direction of preventing and combating obesity more aggressively for the United States. The CDCs actions are important because studies show that if Americans do not alter current eating behaviors, as much as 90 percent of Americans could be overweight or obese by 2030. “The numbers underscore the urgent need for deeper interventions in society and the environment that will make it easier for people to maintain normal weight,” Mr. Frieden stated at a conference on obesity in Washington, D.C. (as reported by WSJ).

Mr. Frieden’s probable “interventions” include:

• A penny-an-ounce tax on sugar-sweetened drink (arguably the biggest contributor to obesity).
• Requiring restaurants to post calorie counts on menus.
• Instituting smaller portion-sizes in venues such as government offices, and
• Requiring physical education in schools (almost 30 percent of American children are overweight).

The first two are most interesting to me from a software assurance perspective; namely, how do you alter the behavior of a populace that has shown a propensity towards creating large negative externalities (and I do mean, “large”).

In the case of obesity, the negative externality is the gargantuan healthcare-related costs associated with caring for, well, gargantuan people. In the case of software assurance, the negative externality is the gargantuan costs associated with manufacturing and consumption of insecure software (estimates range upwards of $100 billion or more).

So how do you change individual behavior on a significant enough scale such that large negative externalities are corrected?

The first technique is to raise the private cost of the behavior, which the "penny-an-ounce" tax attempts to accomplish. Mr. Frieden argues that a 10 percent price increase on sugared beverages could reduce consumption by as much as 7.8 percent. The penny-an-ounce taxation model is the same approach used in preventing and combating tobacco use. In fact, California recently raised taxes on cigarettes by 150 percent. This is an attempt to raise the private cost of the behavior and has two effects:

• High taxation dis-incentives current and would-be smokers. While it doesn’t deter them completely, it does make the behavior monstrously expensive.

• It pays for the negative externalities (the social costs, such as hospitalization) created by smokers that smoke regardless of the expense.

Imagine if we employed a similar flat taxation model for software? Say, a penny-per-thousand-lines-of-code (or penny-per-KLOC) tax model. This would increase the price of software, such as Microsoft Windows XP with an estimated 30 million lines of code, by at least $300. A hefty sum indeed. But think about the consequences:

• High-taxation would disincentivize the creation of “bloat code,” reducing the tendency of software manufacturers to add features and complexity to software and thus reduce the likelihood of introducing vulnerabilities.

• It pays for the negative externalities (the social costs) created by people who insist on making and buying insecure software.

But the word “tax” in America has always been a four-letter word, so an “obvious tax” on sugared drinks or software vulnerabilities, like that on smoking, raises the hackles of most everyone.

The more interesting model, and the one I tend to like, is the coaxing model. The coaxing model is alluring because instead of relying on regulations that limit, replace, or burden free-market transactions, as a direct taxation intervention promises, a coaxing model (which is more frequently implemented in America than Europe) gently pushes markets to address public needs and reward actions that will almost certainly help dealing with core issues. One such example in combating obesity is requiring restaurants to post calorie counts on menus; the second intervention proposed by Mr. Frieden. 

On July 1st, my home state of California began enforcing just such a requirement. The reason: people tend to underestimate the calorie content of food. The California menu-labeling law requires chain restaurants with 20 or more branches to post calorie counts on their menus. As reported by The Economist on July 23rd, Kelly Brownell of Yale’s Rudd Center for Food Policy and Obesity, stated, “you have labels on your clothes to tell you what’s in it and where it’s made,” you should have it for your food also.

The interesting consequence is that where menu-labeling has gone into effect (California, New York, Oregon, Maine, and Massachusetts) it has substantially altered the behavior of restaurant chains; now restaurants offer better options for lower calorie foods, smaller portions, and healthier items where previously they did not (or did not aggressively innovate to do so).

In turn, menu-labeling has made it easier for customers to make better decisions regarding nutrition, thus altering their behavior and potentially mitigating the large negative externalities of weight gain. According to The Economist:

“National chains like Starbucks, McDonald’s, Denny’s and Dunkin’ Donuts have all introduced less calorific items since menu labeling went into effect …Changes in consumer taste, [the chains] say, not menu labeling, are the reason for these changes. But worries about having to print supersize calorie counts on their menus may have played some part [my emphasis]. The proof is in the reduced-fat pudding.”

Indeed, making calorie counts obvious has altered behavior in the food service market; such is the power of making visible that which is hidden or obscure. Mr. Frieden’s approach through the CDC would likely advocate making menu-labeling a national requirement rather than State-dependent.

Now, imagine if Microsoft, Apple, or Google had to print vulnerability counts on their software packaging? Oh, I know printing vulnerability counts is a silly idea, but what would happen if we made software assurance, or the lack thereof, obvious to customers? What might be the effect?

I argue that it would be generally positive, altering the behavior of both producers and consumers of software. If clothing and food have labels “telling you what’s in it and where it’s made,“  which in turn compels positive changes in the respective markets, then maybe we should strongly consider it for software also.

People tend to underestimate the calorie content of food, this much is true. But they also tend to underestimate the security of their software. Speak with the typical Apple follower, and they will likely insist that Apple is more secure than Microsoft, even when Apple’s vulnerabilities have been skyrocketing since 2006 (according to an 2008 IBM X-Force Trend report Apple took top spot, surpassing Microsoft in percentage of vulnerability disclosures).

In short, labeling helps overcome cognitive biases to a far better extent than people’s gut feelings, approximations, or, ahem, blind adoption of vendor assertions and savvy marketing campaigns. A labeling regime, whether for food, clothing, or software is also gentler than full-fledged regulation; it nudges and coaxes markets toward better behaviors and rewards us all. Whether it is addressing a national crisis of obesity, or the national crisis of software insecurity, labeling is certainly a more effective approach than the saccharine approaches so far.

We in cybersecurity have our own version of Dance Your Ass Off, it’s called PCI, FISMA, HIPAA, and just about any other compliance mandate that requires wild, almost unnatural gyrations by its participants along with vigilant monitoring by experts and auditors alike. The sad fact is, just as in Dance Your Ass Off, most particpants will come up short, embarrassingly short. And while it can be argued that contestants at least showed some improvement by their involvement, it makes for great theater, but not much else, leaving the rest of us to scratch our heads wondering, “do we have go through all that for a speck of improvement?!?”  I hope not.

Why Adobe promotes cybercrime.

The Last Watchdog recently posted an interesting article:

Adobe surpasses Microsoft as favorite hacker’s target

To quote:

On Dec. 31, 2008, a well-intentioned researcher posted this report on Adobe’s “Bug and Issue Management System” (BIMS) web page. The researcher described how invoking a Flash video clip playback in Flash Player, under certain parameters, caused his Web browser to crash.

In more innocent times, this would’ve been a normal beta testing scenario: user reports glitch in a cool new feature; vendor updates. But in today’s world of teeming cybercrime, one man’s glitch is another man’s exploitable zero-day flaw.

While BIMS helps Adobe keep an open dialogue with users, the web site also “gives cyber criminals a convenient place to look for vulnerabilities they can exploit,” says Purewire researcher Paul Royal. “Here you can find bugs that cause crashes, and any bug that can cause a crash can potentially also be used to execute code arbitrarily.”

This article illustrates Broken Windows in action:

• "one man's glitch is another man's exploitable zero-day flaw." 
• "any bug that can cause a crash can potentially also be used to execute code arbitrarily."

Of course, I'm referring to the Theory of Broken Windows, proposed by George Kelling and James Wilson. The Theory states that small elements of disorder (like a broken window), if not addressed, leads to greater elements of disorder even crime. What Kelling and Wilson observed as a trend towards disorder in the physical space of communities and neighborhoods, I contend also applies to cyberspace, namely:

Seemingly small elements of disorder (like a software glitch) invite greater elements of disorder (like arbitrary code execution), even cybercrime (you are free to cite any news story from years past as example).

The grand irony in this situation is that hackers do not "break" windows in cyberspace; that is, hackers did not break Adobe's software, hackers simply discover software defects software manufacturers failed to detect themselves before shipping their products. In other words, our software products arrive in our computer systems already broken - already loaded with broken windows - thus directly contributing to the sense of disorder in cyberspace and the growing trend in cybercrime. Adobe is but one example highlighted by this article; Apple, Oracle, Microsoft and many other software manufacturers have given us legion more.

Byron Acohido, the author of The Last Watchdog article, infers that in today's world of "teeming cybercrime" these seemingly small bugs now incur large consequences. But I argue otherwise, small bugs are not now more devastating because of teeming cybercrime, cybercrime has become teeming precisely because of small software bugs...these small broken windows of cyberspace that communicate a message of disorder and thus invites greater elements of disorder, even cyber criminals. So to be explicit: Adobe's glitches invite cybercrime, and so does Apple's, Microsoft's, Oracle's and many others. We collectively scratch our heads wondering how cybercrime got so out of control; the Theory of Broken Windows offers one possible, if not outright compelling, explanation. 

Using the Theory of Broken Windows as a solution framework then, small elements of disorder must be reduced as much as possible in cyberspace; that is, the supply of software vulnerabilities must be drastically reduced by software manufacturers in order to combat the more dangerous and insidious elements of cybercrime. The onus is on software manufacturers - all of them - not on security products, not on security practitioners, and certainly not on cybersecurity compliance mandates. Recognizing this as a key leverage point in the battle for a safe cyberspace is critical to our success (and our national interest). 

Byron Acohido goes on to state, "Adobe has replaced Microsoft as professional cybercriminals’ favorite target." Unless software development practices dramatically change, they won't be the last.

I'll be speaking live with Paul Asadoorian on PaulDotCom, a weekly podcast show dedicated to the latest cybersecurity news, on July 16, 2009.

Geekonomics with David Rice

The live stream will be active around 18:45 EDT (6:45 PM Eastern). Recording of the  live show should begin around 19:00 EDT (times are estimates).

Live stream(s) can be found at:

Ustream: PaulDotCom UStream Channel

Icecast: PaulDotCom Radio

Chris Wysopal's recent blog post, which is excellent by the way (Nation State Cyberwarfare Reality Check), elicited the following response over at innismir.net (part of Chris's post is included to maintain context): 

[Chris]: It is time to stop thinking about computer security as a castle wall and moat problem and to start looking at it as an ecosystem problem. We can’t secure our networks or those of our allies by building bigger walls any more than the President of the United States can keep our air clean for government workers by enacting tougher emmision standards for US government vehicles. It is a global problem that requires a global solution.

There has been no global cooperation to date to help the average computer user keep his or her computer secure. Yet we talk about keeping car emmisions down. But the effect of both is similar. In a shared environment, be it the water and air or an information infrastructure. Each individual user contributes to the health of the system.

[innismir]: I think the analogy he uses is great, but not for the reason he uses it for. We talk a lot about “keeping emissions down” and the government pushes lofty goals about reducing so-called “carbon footprints”, but the main reason we don’t see everyone driving subcompacts that get 35 miles per gallon is because very few people want them. The public, as a whole, wants their 6000 SUX that looks dead sexy and has a top speed of $BIGNUM MPH. 8.2MPG? Runs on baby seal blood? Who cares?

This is a good exchange, and I couldn't resist weighing in on it because it touches on something close to my heart: economic incentives. Innismir is correct insofar that people opt not to drive sub-compacts because they "want" something else: buyers want much bigger vehicles.  This is, in fact, what markets do: they give us what we want, not necessarily what we need.

But people's "wants" do not exist in a vacuum. The "wants" live within an incentives framework that either promotes or inhibits certain behaviors. In fact, because of relatively low U.S. gas prices (in comparison with the UK, for instance) and tax incentives for purchasing trucks or SUVs over a certain weight, the "want" of a big vehicle is promoted in the U.S. while inhibiting the "need" for low-emissions subcompacts.

In other words, it makes more sense from a buyer's perspective in the US to buy a bigger vehicle because the incentive structure rewards that behavior. If gas prices were allowed to rise to $10/gallon and a broader tax burden was placed on all non-subcompacts (much like the gas-guzzler tax on the Hummer, only more general), the incentive to "buy big" would gradually ebb. So the "want" for a big vehicle would be partially transformed into a new "want" for smaller, more fuel-efficient cars (so long as people felt they were better off for buying the smaller car). And it just so happens this "want" would be more aligned with the "need" for reducing the social and environmental costs (known as negative externalities) of car ownership.

Of course, I've ignored cultural propensities (the U.S. loves cars) and safety considerations (people believe bigger cars are safer even though data shows otherwise), but these too act as incentives which promote or inhibit certain purchasing behaviors. I've just chosen not to discuss these in detail.

In the context of software then, there is no incentive to reduce "vulnerability emissions" by software manufactuers nor is there an incentive for buyers to avoid purchasing software with plenty of bugs and defects. Buyers want "big" software; that is, software with a bevy of features even though this dramatically increases the likelihood of latent defects and vulnerabilities. Because of this demand for "big" software, software manufacturers are happy to supply it. There is no incentive to do otherwise. 

So demanding that software manufacturers make "smaller" software would be as silly as demanding car manufacturers make smaller cars if the incentives framework has not been altered to promote such behavior.  

Chris and I are like-minded when it comes to the issue of insecure software. We need strong emissions standards against vulnerability emissions and those with the largest GDP will have the greatest impact. For instance, my home state of California has some of the most stringent emissions standards in the world for vehicles. It's a "local" requirement that has global impact primarily because of the power of the California consumer (and the fact that even with our heads screwed on backwards due to our budget fiasco, we're still the 8th largest GDP in the world).  GDP matters. Imagine if California enacted a similar emissions requirement regarding vulnerability emissions in software? Oh, I know the details of such a requirement are messy, but what I'm focusing on here is the incentive. Without leveraging the buying power of consumers, and without properly aligning the incentives in the market, we won't get the security we need nor attain the global impact we desire.

That's something to think about...

Yesterday, Google announced its plans to release its own operating system, named Chrome. Based on this action, it is safe to say that Google has lost its way as a company. Rather than signaling itself as a frenetic innovator, the introduction of a Google OS is tantamount to a cake-handed reach for whatever the company doesn’t do at this point. The most innovative thing about Google right now is that it's name does not spell M-I-C-R-O-S-O-F-T. Google is trying to be everything for everyone…and therein lays its glaring lack of leadership. Do we really need another operating system with all its requisite care and feeding?

For all the company’s exposition about cloud computing and on-demand applications, a Google OS at this point in time is the sign of a wildly successful internet company flailing wildly. YouTube, a recent acquisition by Google, has an estimated burn rate of over $1.2 million per day. Shareholders should be sickened by this, but are not. One could only imagine the burn rate of a major, enterprise-ready operating system (assuming the Google OS is offered free, which is likely). Yet, Google's pronouncement is met with such hype (“Google drops a nuclear bomb on Microsoft”, and “Clash of the Titans”) it’s obvious that Google is not the only one that has lost its way; so have we.

No doubt Google’s OS will be shiny, sexy, embedded with all sorts of stuff we really don’t need, and loaded with incredibly innovative solutions for no recognizable problems. Chrome, Google’s recently introduced internet browser, is entirely underwhelming, with it’s most remarkable “innovation” being automatic patching updates every 5 hours. This hardly bodes well for a Google operating system.

Google should not name its OS “Chrome.” A better name might be "Fonzie."