Interesting People mailing list archives

more^2 on U.S. should fund R&D for secure Internet protocols, Clarke says


From: Dave Farber <dave () farber net>
Date: Mon, 04 Nov 2002 02:49:33 -0500


------ Forwarded Message
From: Raymcfarld () aol com
Date: Mon, 04 Nov 2002 00:26:23 -0500 (EST)
To: dave () farber net


I think Dave Crocker has partially addressed the problem. Let's home in on
the fundamentals. 

Before we go off spending still more on security technology R&D, we need the
answers to the question "What are the business disincentives that have
resulted in critical infrastructures not being protected today?" I believe
most of the answers will be found to be non-technical.

Businesses will do what is best for their bottom line. What are the economic
incentives for businesses to deploy security in their products, or provide it
in their services? What negative impacts on their bottom line can they avoid
by providing security in their product or services?

One of Government's roles is to provide for the economic security of the
country when capitalism fails to do so. Funding technical R&D when there is
little economic incentive for industry to do so is one method. [Long term and
fundamental research is usually in this role.] Laws and regulations are
others, such as requiring certain services or products for the benefit of the
whole, or laws assigning liability in the event of damages incurred through
use of a product.

Once we have the answers to the business disincentives, then we can address
the solutions which are industrial based that remove the disincentives, or
Government solutions when there aren't sufficient business solutions. Some of
those may even be technical ;-)

To add to the observations made by Dave C:

There is a lot of security technology developed over the past 20 years that
just isn't being used.

Software is one of the few products that you can buy for which the
manufacturer has no liability should damage occur to you through use of
their product. Telecommunications is one of the few services that you can
purchase which is also exempt from any liability of damage to you as a result
of an omission or commission on their part or other damage by a third party
to you as a result of using their service. Result - there is no economic
incentive to protect the bottom line from negative impacts as a result of
security breaches.

There are no laws or regulations requiring those providing services deemed
critical to secure their facilities. (Even the President's last related
Executive Order only mandates that industry "work with" the Government to
achieve critical infrastructure protection. It doesn't require that critical
infrastructures BE protected!)

To my knowledge, there has not been any sustained damage to the stock price
of any company whose product either caused (commission) or did not prevent
(omission) a security breach from occurring, or any company which has
incurred a security breach. Result - no economic incentive to protect the
bottom line from an adverse security related incident.

All (or almost all) security products and services are an additional cost to
the businesses who wish to be secure. Result - there is an economic
disincentive to purchase secure or security related functionality, and to
establish security practices and procedures. Worse, from the preceding
paragraphs, it not only costs you to add security, there is no significant
economic loss you are protecting yourself from if you do have it, reflected
through either the stock market or legal liabilities.

So, what are the specific disincentives that have resulted in our critical
infrastructures not being secure?

Ray


------ End of Forwarded Message


Archives at: http://www.interesting-people.org/archives/interesting-people/
