Chris Wysopal's recent blog post, which is excellent by the way (Nation State Cyberwarfare Reality Check), elicited the following response over at innismir.net (part of Chris's post is included to maintain context):
[Chris]: It is time to stop thinking about computer security as a castle wall and moat problem and to start looking at it as an ecosystem problem. We can’t secure our networks or those of our allies by building bigger walls any more than the President of the United States can keep our air clean for government workers by enacting tougher emmision standards for US government vehicles. It is a global problem that requires a global solution.
There has been no global cooperation to date to help the average computer user keep his or her computer secure. Yet we talk about keeping car emmisions down. But the effect of both is similar. In a shared environment, be it the water and air or an information infrastructure. Each individual user contributes to the health of the system.
[innismir]: I think the analogy he uses is great, but not for the reason he uses it for. We talk a lot about “keeping emissions down” and the government pushes lofty goals about reducing so-called “carbon footprints”, but the main reason we don’t see everyone driving subcompacts that get 35 miles per gallon is because very few people want them. The public, as a whole, wants their 6000 SUX that looks dead sexy and has a top speed of $BIGNUM MPH. 8.2MPG? Runs on baby seal blood? Who cares?
This is a good exchange, and I couldn't resist weighing in on it because it touches on something close to my heart: economic incentives. Innismir is correct insofar that people opt not to drive sub-compacts because they "want" something else: buyers want much bigger vehicles. This is, in fact, what markets do: they give us what we want, not necessarily what we need.
But people's "wants" do not exist in a vacuum. The "wants" live within an incentives framework that either promotes or inhibits certain behaviors. In fact, because of relatively low U.S. gas prices (in comparison with the UK, for instance) and tax incentives for purchasing trucks or SUVs over a certain weight, the "want" of a big vehicle is promoted in the U.S. while inhibiting the "need" for low-emissions subcompacts.
In other words, it makes more sense from a buyer's perspective in the US to buy a bigger vehicle because the incentive structure rewards that behavior. If gas prices were allowed to rise to $10/gallon and a broader tax burden was placed on all non-subcompacts (much like the gas-guzzler tax on the Hummer, only more general), the incentive to "buy big" would gradually ebb. So the "want" for a big vehicle would be partially transformed into a new "want" for smaller, more fuel-efficient cars (so long as people felt they were better off for buying the smaller car). And it just so happens this "want" would be more aligned with the "need" for reducing the social and environmental costs (known as negative externalities) of car ownership.
Of course, I've ignored cultural propensities (the U.S. loves cars) and safety considerations (people believe bigger cars are safer even though data shows otherwise), but these too act as incentives which promote or inhibit certain purchasing behaviors. I've just chosen not to discuss these in detail.
In the context of software then, there is no incentive to reduce "vulnerability emissions" by software manufactuers nor is there an incentive for buyers to avoid purchasing software with plenty of bugs and defects. Buyers want "big" software; that is, software with a bevy of features even though this dramatically increases the likelihood of latent defects and vulnerabilities. Because of this demand for "big" software, software manufacturers are happy to supply it. There is no incentive to do otherwise.
So demanding that software manufacturers make "smaller" software would be as silly as demanding car manufacturers make smaller cars if the incentives framework has not been altered to promote such behavior.
Chris and I are like-minded when it comes to the issue of insecure software. We need strong emissions standards against vulnerability emissions and those with the largest GDP will have the greatest impact. For instance, my home state of California has some of the most stringent emissions standards in the world for vehicles. It's a "local" requirement that has global impact primarily because of the power of the California consumer (and the fact that even with our heads screwed on backwards due to our budget fiasco, we're still the 8th largest GDP in the world). GDP matters. Imagine if California enacted a similar emissions requirement regarding vulnerability emissions in software? Oh, I know the details of such a requirement are messy, but what I'm focusing on here is the incentive. Without leveraging the buying power of consumers, and without properly aligning the incentives in the market, we won't get the security we need nor attain the global impact we desire.
That's something to think about...
Comments