Economics of Dependability and Security Ross Anderson Cambridge University
Financial Times 25/9/5
• Infosec now an ‘Arms Race’ no-one can stop
• ‘Today indeed it seems we have a deficit of computer security. But it seems inevitable that tomorrow we will have too much’
• Decision-makers rely on data ‘systematically skewed in the direction of exaggerated harm and understated cost of prevention’
• ‘Over-protecting ourselves today will cost us tomorrow dearly in the unborn or delayed generations of innovation’
• See www.infosecon.net
Economics and Security
• Over the last five years, we have started to apply economic analysis to information security
• Economic analysis often explains security failure better than technical analysis!
• Information security mechanisms are used increasingly to support business models rather than to manage risk
• Economic analysis is critical for understanding competitive advantage
• It’s also vital for good public policy on security
Traditional View of Infosec
• People used to think that the Internet was insecure because of lack of features – not enough crypto / authentication / filtering
• So engineers worked on providing better, cheaper security features – AES, PKI, firewalls …
• About 1999, we started to realize that this is not enough
Incentives and Infosec
• Electronic banking: UK banks were less liable for fraud than US banks, so they got careless and ended up suffering more fraud and error
• Distributed denial of service: viruses now don’t attack the infected machine so much as using it to attack others
• Health records: hospitals, not patients, buy IT systems, so they protect hospitals’ interests rather than patient privacy
• Why is Microsoft software so insecure, despite its market dominance?
New View of Infosec
• Systems are often insecure because the people who could fix them have no incentive to
• Bank customers suffer when bank staff get careless about fraud; patients suffer when hospital systems put administrators’ convenience before patient privacy; Amazon’s website suffers when infected PCs attack it
• Security is often what economists call an ‘externality’ – like environmental pollution
• This may justify government intervention
New Uses of Infosec
• Xerox started using authentication in ink cartridges to tie them to the printer
• Followed by HP, Lexmark … and Lexmark’s case against SCC (and Dell – US and Europe drifting apart!)
• Accessory control now spreading to more and more industries (games, phones, cars, …)
IT Economics and Security 1
• The high fixed/low marginal costs, network effects and switching costs in information industries all tend to lead to dominant-firm markets with big first-mover advantage
• So time-to-market is critical
• Microsoft philosophy of ‘we’ll ship it Tuesday and get it right by version 3’ is not perverse behaviour by Bill Gates but quite rational
• Whichever company had won in the PC OS business would have done the same
IT Economics and Security 2
• When building a network monopoly, it is also critical to appeal to the vendors of complementary products
• E.g., application software developers in the case of PC versus Apple, or now of Symbian versus WinCE, or music sites in WMP versus RealPlayer
• Lack of security in earlier versions of Windows makes it easier to develop applications
• Similarly, choice of security technologies that dump support costs on the user (SSL, PKI, …)
Security and Liability
• Why did digital signatures not take off (e.g. SET protocol)?
• Industry thought: legal uncertainty. So EU passed electronic signature law
• But customers and merchants resisted transfer of liability by bankers for disputed transactions
• Customers best to stick with credit cards, as any fraud is the bank’s problem
• Similar resistance to phone-based payment – people prefer prepayment plans because of uncertainty, premium-rate rip-offs
Privacy
• Most people say they value privacy, but act otherwise
• Privacy technology ventures have mostly failed (Zero Knowledge, Securicor, …)
• Research – people care about privacy when buying clothes, but not cameras
• Analysis – some items relate to personal image, and it’s here that the privacy sensitivity focuses
• Issue for mobile phone industry – phone viruses worse for image than PC viruses
• See the privacy economics page – at http://www.heinz.cmu.edu/~acquisti/
How are Incentives Skewed?
• If you are DirNSA and have a nice new hack on Windows, do you tell Bill?
• Tell – protect 300m Americans
• Don’t tell – be able to hack 400m Europeans, 1000m Chinese, …
• If the Chinese hack US systems, they keep quiet. If you hack their systems, you can brag about it to the President
Skewed Incentives (2)
• Within corporate sector, large companies tend to spend too much on security and small companies too little
• Research shows adverse selection effect:
• The most risk-averse people end up as corporate security managers
• More risk-loving people may be sales or engineering staff, or small-business entrepreneurs
• Also: due-diligence effects, government regulation, insurance market issues
Economics of Rights Management (1)
• What happens when you link a concentrated industry (platforms) with a less concentrated industry (music)?
• Varian’s analysis – most of the resulting surplus goes to the platform owner
• So don’t be surprised at music industry complaints about Apple, or DG Competition action against WMP
Economics of Rights Management (2)
• IRM – Information Rights Management – changes ownership of a file from the machine owner to the file creator
• Files are encrypted and associated with rights management information
• The file creator can specify that a file can only be read by Mr. X, and only till date Y
• Now shipping in Office – and heavily promoted!
• What will be the effect on the typical business that uses PCs?
Economics of Rights Management (3)
• At present, a company with 100 PCs pays maybe $500 per seat for Office
• Remember Shapiro-Varian result – value of software company = total switching costs
• So – cost of retraining everyone to use Linux, converting files etc is maybe $50,000
• But once many of the documents can’t be converted without the creators’ permission, the switching cost is much higher
• Lock-in is the key
Specific issues for Janet
• Janet can threaten to disconnect member organisations, but that’s about it
• There is no control at any finer granularity
• Like a country with ICBMs but no soldiers
• Do you punish a mild diplomatic insult with a 1-in-a-million probability of a nuke?
Janet issues (2)
• Janet charges by institution size, as that’s easiest
• Downstream, some institutions charge out by bandwidth (e.g. Cambridge). This hits some research, and causes pressure on colleges to block P2P, Skype …
• Janet is actually not as bandwidth constrained as a typical ISP – costs are basically upstream but there’s US presence
• But: public-sector so risk-averse
Janet Issues (3)
• What if bandwidth-hungry departments (like Cambridge Computer Lab) go to NTL or Demon?
• Normally ISPs peer with firms of about the same size, but not with firms that could be their customers
• Everyone peers with Janet at present
• Does this create fragility if some HEIs or even departments opt out?
The Information Society
• More and more goods contain software
• More and more industries are starting to become like the software industry
• The good: flexibility, rapid response
• The bad: frustration, poor service
• The ugly: monopolies
• How will the law evolve to cope?
Property
• The enlightenment idea - that the core mission of government wasn’t defending faith, but defending property rights
• 18th-19th century: rapid evolution of property and contract law
• Realization that these are not absolute!
• Abolition of slavery, laws on compulsory purchase, railway regulation, labour contracts, tenancy contracts, …
Intellectual Property
• Huge expansion as software etc have become more important - 7+ directives since 1991
• As with ‘ordinary’ property and contract in about 1850, we’re hitting serious conflicts
• Competition law - legal protection of DRM mechanisms leads to enforcement of illegal contracts and breaches of the Treaty of Rome; judgment against Microsoft
• Environmental law - recycling of ink cartridges mandated, after printer vendors use crypto to stop it
Intellectual Property (2)
• Privacy law – DRM mechanisms collect usage data to segment markets
• Trade law – exemption for online services may undermine the Single Market
• Employment law – French courts strike down a major’s standard record contract
• IPR Enforcement Directive 2 – will criminalize patent infringement and incitement to infringe IP, unlike in the USA where BSA leading push for reduced civil damages in patent cases
• With IPRED 1 and Lexmark, may make the EU more hostile to tech innovation than America
Conclusions
• More government involvement in info policy, and related issues such as IP, is inevitable
• However, policy is often confused and contradictory at all levels
• We need to figure out how to balance competing social goals, as we have in the physical world
• The specific problem for academic networking is that fifteen years ago, a university was the best place to get online. Not any more.
• We need mature economic thinking about risk and about the service provision chain!
More …
• WEIS 2006 (Workshop on Economics and Information Security), Cambridge, June 26-28 2006
• Economics and Security Resource Page – www.cl.cam.ac.uk/~rja14/econsec.html (or follow link from my home page)
• Foundation for Information Policy Research – www.fipr.org