"Market Failures"

[Dave Aitel via Dailydave <dailydave () lists aitelfoundation org>]

If you were at a talk at Defcon this year in the Policy track, you probably
heard someone talk about how they, as a government official, are there to
address "market failures". And immediately you thought: This is a load of
nonsense.

Because that government official is not allowed to, and has no intentions
of, addressing any market failures whatsoever. If the Government was going
to address market failures, they'd have to find some way to convince every
cloud provider from making their security features the upsell on the
Platinum package. They'd have to talk about how trying to get into
different markets means every social media company faces huge pressures to
put Indian spies on their network.

Obviously you know, as someone who did not emerge from under a rock into
the security community yesterday, that the answer to having a malicious
insider on your network is probably some smart segmentation, which we call
"Zero Trust" now.

But Zero Trust is expensive! And most social media companies are not
exactly profitable as the great monster known as TikTok has eaten every
eyeball in every market because the very concept of having people
explicitly choose who their friends are is outdated now.

In fact, as everyone is pointing out, almost all companies you know are in
this position! They're cutting costs by sending jobs overseas while
spending huge amounts of money propping up their stock prices and paying
their executives to sell them to a dwindling market of buyers. Private
Equity companies spend every effort on squeezing the last dollar out of old
enterprise software by exploiting the lock-in they have on small
businesses.

And as critical as Twitter is, we have the exact same dynamic with our
privatized water and power companies - who have no plans to make strategic
investments in security or anything really - which is why on public calls
you can hear them humiliating themselves asking Jen Easterly to absorb the
entire costs of their security programs.

The ideal practice for all of these companies is to offload their costs
onto the taxpayer, which is why instead of investing in security, they cry
for the FBI to go collect their bitcoin from whatever ransomware crews are
on their network this week using offensive cyber operations that themselves
cost the government an order of magnitude more than the bitcoin is worth.

As you're sitting in that Defcon talk, listening to someone from government
talk about how they only want to regulate with the "input of industry" or
something, you have to wonder: if this is every company we know, maybe the
market failure isn't just how hard it is to buy a good security product
because they all abuse the copyright system to avoid any kind of
performance transparency. Maybe it's also how hard it is to SELL a good
security product because every single company is trying to cut their budget
to the exact minimum amount that will allow them to tell the FBI they did
their best, and the FBI needs to go out there and pick up their slack.

-dave

_______________________________________________
Dailydave mailing list -- dailydave () lists aitelfoundation org
To unsubscribe send an email to dailydave-leave () lists aitelfoundation org