Some perspectives on Information Security

This paper by Ross Anderson gives an economic perspective on why information security is hard. It talks a little bit about the security of bank teller machines, computer networks, and web sites. Along the way, it makes some really insightful comments about the information economy in general.

"In general, when the party who is in a position to protect a system is not the party who would suffer the result of security failure, then problems may be expected," Anderson writes. This may sound obvious, but if you think about it, there are quite a number of systems in use today where this is the case. Some would argue that the widespread incidence of identity fraud today is a result of such perverse incentive systems. An identity thief ruins the credit rating of the person whose identity he steals, NOT of the bank or credit card company whose lax security allowed the attack to happen in the first place!

Anderson then spends some time discussing economic pressures that lead to insecure systems. He begins by talking about "network externalities" and Metcalfe's Law. Basically this law states that the more people use certain networks, the more valuable the networks become for everyone. For example, "the more merchants take credit cards, the more useful they are to customers, and so more customers will buy them... and the more customers have them, the more merchants will want to accept them." In my opinion, this is almost the guiding principle behind the rise of Microsoft and many other computer companies. Popular technologies tend to get more popular, even if they aren't perfect. Customers get "locked-in" to using a particular technology because of the high cost of switching technologies.

Given all these network externalities, Anderson continues, software companies have a huge incentive to get products out the door quickly, even if that means sacrificing security or stability. In many cases, a rational manager will not want his product to ship later than those of other companies, even if waiting would make his product better.

Companies often use a proprietary, obscure architecture instead of a standard, well-analyzed and tested one. This helps to promote lock-in, and also makes differentiated pricing possible. In short, differentiated pricing is when a company prices its product not on its cost, but on its value to the consumer, in order to optimize profit. "This is familiar to the world of air travel," Anderson writes: "you can spend $200 to fly the Atlantic in coach class, $2000 in business class, or $5000 in first." Obviously, it doesn't cost the airline $1800 more to seat a business class passenger than a coach class passenger. But by pricing this way, they can optimize their profit by charging each customer what he can afford to pay, rather than the true value of what he is being sold.

In this context, "digital rights management" schemes start to seem even more sinister. By promoting even more customer lock-in than is currently the case, DRM would allow companies to engage in even more differentiated pricing. This has already happened: one of the first DRM schemes to see the light of day, the CSS scheme which protects DVD movies, was designed to allow movie studios to price movies differently (and release them at different times) in different parts of the world. That is the function of the so-called "region codes."

Anderson then moves on to discuss some peculiarities of information technology itself. The technology favors attack over defense, he maintains, because even if "white hat" security consultants find 100 times the bugs that a lone "black hat" hacker finds, the hacker might only need one bug to compromise the system! "Defending a modern information system can... be likened to defending a large, thinly-populated territory like the nineteenth-century Wild West," he comments. "The men in black hats can strike anywhere, while the men in white hats have to defend everywhere."

The politicization of information security only makes this situation worse. Government agencies engaged in economic intelligence missions have every incentive to use security bugs to spy on foreign nations, and little incentive to fix the bugs. Unless people are aware there is a security problem, successful fixers seldom get credit, while successful attackers always do.

In my opinion, this is only a specific example of a broader phenomenon where doing preventive maintenance on systems often earns you little respect, even if the maintenance is vital. Before Hurricane Katrina, how many voters in New Orleans voted for politicians based on their record of strengthening the levees? Voters are seldom aware of the most important things that politicians do for them; instead, they focus on media circuses and talking points which are of little real consequence.

Anyway, to continue: there are other reasons why information technology buyers often don't get a secure system. They may not be knowledgeable enough to evaluate the system that they are buying. Security certifications often mean little, and, at least in the past, most companies had little in-house security know-how. (Maybe this will improve in the future.)

I should finish with Anderson's conclusion.
In an ideal world, the removal of perverse economic incentives to create insecure systems would de-politicize most issues. Security engineering would then be a matter of rational risk management rather than risk dumping. But as information security is about power and money, about raising barriers to trade, segmenting markets and differentiating products, the evaluator should not restrict herself to technical tools like cryptanalysis and information flow, but also apply economic tools such as the analysis of asymmetric information and moral hazard. As fast as one perverse incentive can be removed by regulators, businesses (and governments) are likely to create two more.


At 11:01 AM, Anonymous said...

Airline economics are basically always a shaky example. The main reason is that the airline model does not work except on a huge scale. At the very least, you need to be filling a plane of probably a hundred passengers several times a day to get reasonable usage for your very expensive aircraft, expense to hire a pilot, etc. Further, except for very major routes (say New York to London), you need to have a network with connections to fill those planes, which adds another couple orders of magnitude in size. The fact that only big companies can compete makes the entire market very different from say the paper industry. Never mind other oddities like the unusual level of protectionism involved in the airline business. Or the fact that the product is very perishable (if an airline seat goes empty, you can't possibly sell it later).

While DVD region codes are annoying, I think describing them as "sinister" is a bit grandiose.

You seem to switch back and forth about what type of security system you're talking about. Making a generalization about the security of a company server based on the economics of DRM seems a fairly specious way of reasoning.

Also, "in an ideal world" one wouldn't need a security system to begin with. Perhaps this just shows my contempt for anyone who argues more about "the way things should be," rather than about finding a reasonable and practical solution. Not that I have one, just that it gives the complaining some chance of having purpose.

- Ham

At 11:31 AM, Blogger RareCactus said...

Basically the point of this paper is, "why does computer security suck so much"? Yes, technology is hard (let's go shopping!), but in most industries competitive pressures tend to get everyone doing the right thing after a while.

In the computer industry, this has not really happened with security. Companies are still releasing products that they are fully aware may contain lots of security holes. The point of this paper is to analyze the economic reasons why this is happening.

The point of the airline example is just to give an example of a situation where companies are free to charge "what the market can bear" rather than a free price. The fact that the airline industry is unusual in other ways is irrelevant.

Region codes ARE sinister. From the consumer's perspective, there is no good reason why they should exist. All they do is help the movie studios make more profit by charging different amounts of money in different parts of the world. It's differentiated pricing.

I think this paper is very realistic, maybe even to the point of cynicism, about many of these issues. It's easy for people to argue "OMG Microsoft (or some other company) is teh evil!" without understanding that there are very good reasons behind most of their strategies.
