Interesting People mailing list archives
more^2 on U.S. should fund R&D for secure Internet protocols, Clarke says
From: Dave Farber <dave () farber net>
Date: Mon, 04 Nov 2002 02:49:33 -0500
------ Forwarded Message
From: Raymcfarld () aol com
Date: Mon, 04 Nov 2002 00:26:23 -0500 (EST)
To: dave () farber net

I think Dave Crocker has partially addressed the problem. Let's home in on the fundamentals.

Before we go off spending still more on security technology R&D, we need the answers to the question "What are the business disincentives that have resulted in critical infrastructures not being protected today?" I believe most of the answers will be found to be non-technical.

Businesses will do what is best for their bottom line. What are the economic incentives for businesses to deploy security in their products, or provide it in their services? What negative impacts on their bottom line can they avoid by providing security in their product or services?

One of Government's roles is to provide for the economic security of the country when capitalism fails to do so. Funding technical R&D when there is little economic incentive for industry to do so is one method. [Long term and fundamental research is usually in this role.] Laws and regulations are others, such as requiring certain services or products for the benefit of the whole, or laws assigning liability in the event of damages incurred through use of a product.

Once we have the answers to the business disincentives, then we can address the solutions which are industrial based that remove the disincentives, or Government solutions when there aren't sufficient business solutions. Some of those may even be technical ;-)

To add to the observations made by Dave C:

There is a lot of security technology developed over the past 20 years that just isn't being used.

Software is one of the few products that you can buy for which the manufacturer has no liability should damage occur to you through use of their product. Telecommunications is one of the few services that you can purchase which is also exempt from any liability of damage to you as a result of an omission or commission on their part or other damage by a third party to you as a result of using their service. Result - there is no economic incentive to protect the bottom line from negative impacts as a result of security breaches.

There are no laws or regulations requiring those providing services deemed critical to secure their facilities. (Even the President's last related Executive Order only mandates that industry "work with" the Government to achieve critical infrastructure protection. It doesn't require that critical infrastructures BE protected!)

To my knowledge, there has not been any sustained damage to the stock price of any company whose product either caused (commission) or did not prevent (omission) a security breach from occurring, or any company which has incurred a security breach. Result - no economic incentive to protect the bottom line from an adverse security related incident.

All (or almost all) security products and services are an additional cost to the businesses who wish to be secure. Result - there is an economic disincentive to purchase secure or security related functionality, and to establish security practices and procedures.

Worse, from the preceding paragraphs, it not only costs you to add security, there is no significant economic loss you are protecting yourself from if you do have it, reflected through either the stock market or legal liabilities.

So, what are the specific disincentives that have resulted in our critical infrastructures from being secure?

Ray

------ End of Forwarded Message