Re: pro regulation viewpoint on cyber vulnerabiltiy

[David Farber <dave () farber net>]

Begin forwarded message:

From: Ed Biebel <edward () biebel net>
Date: March 30, 2009 5:45:38 PM EDT
To: dave () farber net
Subject: Re: [IP] Re: pro regulation viewpoint on cyber vulnerabiltiy

Vadim makes a thought-proviking analogy but I think he fails to look  
deep enough to see how the market has responded in the case of home  
security.

Admittedly the home is not very secure in real terms but most  
homeowners have layers of security.  The majority of money is kept off- 
site in a bank.  Tangible valuables are stored in low cost safety- 
deposit boxes at a bank or similar secure facility.  Replaceable  
property is insured making its loss an inconveniece at best.  I  
jointly share the cost with my neighbors to provide roving security  
patrols in the form of my local police department to augment my  
personal safety.  This patrol will respond within minutes should my  
"perimeter defenses be breached" and will escalate their response  
until the problem is solved.  It is not perfect but it also not just a  
pane of glass between me and the evil-doers.

 It seems that very few of these other layers exist in the computing  
market.  Should my PC be breached and my financial data be lost, my  
accounts looted, my life savings evaporated, there is insurance  
product to provide a safety net and no additional defenses I can buy  
at reasonable cost (or at a shared cost) to protect myself.

In many ways, this is one of the best arguments for companies like  
Google that provide security with the "cost" shared among a large  
population.  A number of LGBT blogs have come under DDoS attacks this  
week and many that are self-hosted or hosted on small providers have  
been compromised.  One blogger commented that was why he did not move  
his blog from blogger.  He figures Google has a much better chance of  
defending against attack than he does alone.

Ed


On Mon, Mar 30, 2009 at 4:51 PM, David Farber <dave () farber net> wrote:


Begin forwarded message:

From: Vadim Antonov <avg () kotovnik com>
Date: March 30, 2009 3:27:27 PM EDT
To: David Farber <dave () farber net>
Cc: ip <ip () v2 listbox com>
Subject: Re: [IP] pro regulation viewpoint on cyber vulnerabiltiy


David - for IP, if you wish.


On Mon, 30 Mar 2009, David Farber wrote:

A paper that speaks to market failure is at:
http://www.csis.org/component/option,com_csis_pubs/task,view/id,5370/type,1/

The sad truth is that there is no single documented case of "market
failure" which couldn't be easily traced back to previous non-market
intervention (by government or crime) - and these should be properly
called "government failures", i.e. governments either doing what they
shouldn't do (granting monopolies to politically connected parties,
engaging in social engineering, etc), or failing in their duty to  
protect
citizens.

Just ask an economist to offer not a plausible theoretical scenario in
which a market failure could occur - but a clear-cut real-life case of
market failure, and then watch him squirming uncomfortably.

Market failure is one of those elusive concepts which everybody seems to
believe in, but which start to shift meaning, twist, and finally  
evaporate
if a closer scrunity is applied.  Using it as a justification for any
policy is, at best, intellectually dishonest.

When applied to "cybersecurity", the very first assertion that "market  
has
failed to secure cyberspace" is a plain lie.  Any real security expect
knows that there's no such thing as absolute and perfect security.
Better security comes with price - and this price increases  
exponentially
if stronger (and rarer) treats are considered.

Thus, securing any real installation requires finding a proper balance
between security and cost - and in many cases that balance is on a side
which any security-conscious person would find quite insecure (just  
think
how long your front door would hold if someone wants to break in, or how
your windows are totally penetrable with an aid of a brick).  However,
laminated cardboard doors and easily breakable glass windows are
sufficient to deter majority of opportunistic criminals - and defending
against determined thieves would be way too costly given that the  
chances
that one would pay a visit are rather small.

"Cybersecurity" is no different. Even with broken-by-design security  
model
of Windows/Explorer use of a cheap consumer security product (Norton,  
etc)
would be quite sufficient to achieve good-enough security.  Nearly all
people who suffered from attacks by hackers simply didn't consider
security of their computers to be important enough to devote 15-20  
minutes
and few dozen dollars needed to find a product, buy, and install it.

Well, there are people who don't bother to lock their doors and leave  
keys
in the ignition locks of their cars - but for some reason there's no
experts calling for federal programs to fix these "market falures".  I
think that is because, without the smoke screen of fancy jargon, any
reasonable person would see inanity of any such proposal.

--vadim





-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com





-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com