[Infowarrior] - Schneier: It's the Economy, Stupid

Richard Forno rforno at infowarrior.org
Thu Jun 29 08:33:24 EDT 2006


It's the Economy, Stupid

By Bruce Schneier
02:00 AM Jun 29, 2006

http://www.wired.com/news/columns/1,71264-0.html

I'm sitting in a conference room at Cambridge University, trying to
simultaneously finish this article for Wired News and pay attention to the
presenter onstage.

I'm in this awkward situation because 1) this article is due tomorrow, and
2) I'm attending the fifth Workshop on the Economics of Information
Security, or WEIS: to my mind, the most interesting computer security
conference of the year.

The idea that economics has anything to do with computer security is
relatively new. Ross Anderson and I seem to have stumbled upon the idea
independently. He, in his brilliant article from 2001, "Why Information
Security Is Hard -- An Economic Perspective" (.pdf), and me in various
essays and presentations from that same period.

WEIS began a year later at the University of California at Berkeley and has
grown ever since. It's the only workshop where technologists get together
with economists and lawyers and try to understand the problems of computer
security.

And economics has a lot to teach computer security. We generally think of
computer security as a problem of technology, but often systems fail because
of misplaced economic incentives: The people who could protect a system are
not the ones who suffer the costs of failure.

When you start looking, economic considerations are everywhere in computer
security. Hospitals' medical-records systems provide comprehensive
billing-management features for the administrators who specify them, but are
not so good at protecting patients' privacy. Automated teller machines
suffered from fraud in countries like the United Kingdom and the
Netherlands, where poor regulation left banks without sufficient incentive
to secure their systems, and allowed them to pass the cost of fraud along to
their customers. And one reason the internet is insecure is that liability
for attacks is so diffuse.

In all of these examples, the economic considerations of security are more
important than the technical considerations.

More generally, many of the most basic security questions are at least as
much economic as technical. Do we spend enough on keeping hackers out of our
computer systems? Or do we spend too much? For that matter, do we spend
appropriate amounts on police and Army services? And are we spending our
security budgets on the right things? In the shadow of 9/11, questions like
these have a heightened importance.

Economics can actually explain many of the puzzling realities of internet
security. Firewalls are common, e-mail encryption is rare: not because of
the relative effectiveness of the technologies, but because of the economic
pressures that drive companies to install them. Corporations rarely
publicize information about intrusions; that's because of economic
incentives against doing so. And an insecure operating system is the
international standard, in part, because its economic effects are largely
borne not by the company that builds the operating system, but by the
customers that buy it.

Some of the most controversial cyberpolicy issues also sit squarely between
information security and economics. For example, the issue of digital rights
management: Is copyright law too restrictive -- or not restrictive enough --
to maximize society's creative output? And if it needs to be more
restrictive, will DRM technologies benefit the music industry or the
technology vendors? Is Microsoft's Trusted Computing initiative a good idea,
or just another way for the company to lock its customers into Windows,
Media Player and Office? Any attempt to answer these questions becomes
rapidly entangled with both information security and economic arguments.

WEIS encourages papers on these and other issues in economics and computer
security. We heard papers presented on the economics of digital forensics of
cell phones (.pdf) -- if you have an uncommon phone, the police probably
don't have the tools to perform forensic analysis -- and the effect of stock
spam on stock prices: It actually works in the short term. We learned that
more-educated wireless network users are not more likely to secure their
access points (.pdf), and that the best predictor of wireless security is
the default configuration of the router.

Other researchers presented economic models to explain patch management
(.pdf), peer-to-peer worms (.pdf), investment in information security
technologies (.pdf) and opt-in versus opt-out privacy policies (.pdf). There
was a field study that tried to estimate the cost to the U.S. economy for
information infrastructure failures (.pdf): less than you might think. And
one of the most interesting papers looked at economic barriers to adopting
new security protocols (.pdf), specifically DNS Security Extensions.

This is all heady stuff. In the early years, there was a bit of a struggle
as the economists and the computer security technologists tried to learn
each other's languages. But now it seems that there's a lot more synergy,
and more collaboration between the two camps.

I've long said that the fundamental problems in computer security are no
longer about technology; they're about applying technology. Workshops like
WEIS are helping us understand why good security technologies fail and bad
ones succeed, and that kind of insight is critical if we're going to improve
security in the information age.

- - -
Bruce Schneier is the CTO of Counterpane Internet Security and the author of
Beyond Fear: Thinking Sensibly About Security in an Uncertain World. You can
contact him through his website.