Why Information Security is HardWord下载.docx
《Why Information Security is HardWord下载.docx》由会员分享,可在线阅读,更多相关《Why Information Security is HardWord下载.docx(25页珍藏版)》请在冰点文库上搜索。
liabilitydumpingandthetragedyofthecommons.
2Introduction
Ina1993surveyoffraudagainstautomatictellermachines(ATMs)}2},itwas
foundthatpatternsoffrauddependedonwhowasliableforthem.IntheUSA,
ifacustomerdisputedanATMtransaction,theonuswasonthebanktoprove
thatthecustomerwasmistakenorlying;
thisgaveUSbanksamotivetoprotect
theirsystemsproperly.ButinBritain,NorwayandtheNetherlands,theburden
ofprooflayonthecustomer:
thebankwasrightunlessthecustomercouldprove
itwrong.Sincethiswasalmostimpossible,thebanksinthesecountriesbecame
careless.Eventually,anepidemicofATMfrauddemolishedtheircomplacency.
USbanks,meanwhile,sufferedmuchlessfraud;
althoughtheyactuallyspent
lessmoneyonsecuritythantheirEuropeancounterparts,theyspentitmore
effectively.
Therearemanyotherexamples.Medicalpaymentsystems,thatarepaidfor
byinsurersratherthenbyhealthcareproviders,failtoprotectpatientprivacy
wheneverthisconflictswiththeinsurer'
swishtocollectinformationaboutits
clients.Digitalsignaturelawstransfertheriskofforgedsignaturesfromthebank
thatreliesonthesignature(andthatbuiltthesystem)tothepersonalleged
tohavemadethesignature.CommonCriteriaevaluationsarenotmadebythe
relyingparty,asOrangeBookevaluationswere,butbyacommercialfacility
paidbythevendor.Ingeneral,wherethepartywhoisinapositiontoprotect
asystemisnotthepartywhowouldsuffertheresultsofsecurityfailure,then
problemsmaybeexpected.
Adifferentkindofincentivefailuresurfacedin1999,withdistributeddenial
ofserviceattacksagainstanumberofhigh-profilewebsites.Theseexploita
numberofsubvertedmachinestolaunchalargecoordinatedpacketfloodata
target.Sincemanyofthemfloodthevictimatthesametime,thetrafficismore
thanthetargetcancopewith,andbecauseitcomesfrommanydifferentsources,
itcanbeverydifficulttostop「5}.HalVarianpointedoutthatthiswasalsoa
caseofincentivefailure}13}.Whileindividualcomputerusersmightbehappy
tospend$100onanti-virussoftwaretoprotectthemselvesagainstattack,they
areunlikelytospendeven$1onsoftwaretopreventtheirmachinesbeingused
toattackathirdpartysuchasAmazonorMicrosoft.
Thisisanexampleofwhateconomistsrefertoasthe`TragedyoftheCom-
mons'
「9}.Ifahundredpeasantsgrazetheirsheeponthevillagecommon,then
wheneveranothersheepisaddeditsownergetsalmostthefullbenefitwhilethe
otherninety-ninesufferonlyaverysmalldeclineinthequalityofthegrazing.
Sotheyaren'
tmotivatedtoobject,butrathertoaddanothersheepoftheir
ownandgetasmuchofthegrazingastheycan.Theresultisadustbowl;
and
thesolutionisregulatoryratherthantechnical.Atypicaltenth-centurySaxon
villagehadcommunitymechanismstodealwiththisproblem;
theworldoftom-
putersecuritystilldoesn'
t.Varian'
sproposalisthatthecostsofdistributed
denial-of-serviceattacksshouldfallontheoperatorsofthenetworksfromwhich
thefloodingtrafficoriginates;
theycanthenexertpressureontheirusersto
installsuitabledefensivesoftware,orriskhavingtheirserviceterminatediftheir
machinehostsanattack.
Theseobservationspromptedustolookforotherwaysinwhicheconomics
andcomputersecurityinteract.
3NetworkExternalities
Economistshavedevotedmuchefforttothestudyofnetworkssuchasthose
operatedbyphonecompanies,airlinesandcreditcardcompanies.
Themorepeopleuseatypicalnetwork,themorevaluableitbecomes.The
morepeopleusethephonesystem一ortheInternet一morepeoplethereare
totalktoandsothemoreusefulitistoeachuser.Thisissometimesreferred
toasMetcalfeaslaw.Thisisn'
tlimitedtocommunicationsystems.Themore
merchantstakecreditcards,themoreusefultheyaretocustomers,andsothe
morecustomerswillbuythem;
andthemorecustomershavethem,themore
merchantswillwanttoacceptthem.Theeffectisthatnetworkscangrowvery
slowlyatfirst一creditcardstookalmosttwodecadestotakeoff一butthen,once
positivefeedbackgetsestablished,theycangrowveryrapidly.Thetelegraph,
2
thetelephone,thefaxmachineandmostrecentlytheInternethaveallfollowed
thismodel.
Aswellasthesephysicalnetworks,thesameprinciplesapplytovirtualnet-
workssuchasthecommunityofusersofaparticularsoftwarearchitecture.When
softwaredevelopersstartedtobelievethatthePCwouldoutselltheMac,they
starteddevelopingtheirproductsforthePCfirst,andfortheMaconlylater
(ifatall).ThismadecustomersmorelikelytobuyaPCthanaMac,andthe
resultingpositivefeedbacksqueezedtheMacoutofmostmarkets.Asimilar
effectmadeMicrosoftWordthedominantwordprocessor.
AgoodintroductiontonetworkeconomicsisbyShapiroandVarian}11}.For
ourpresentpurposes,therearethreeparticularlyimportantfeaturesofinforma-
tiontechnologymarkets.
一First,thevalueofaproducttoauserdependsonhowmanyotherusers
adoptit.
一Second,technologyoftenhashighfixedcostsandlowmarginalcosts.The
firstcopyofachiporasoftwarepackagemaycostmillions,butsubsequent
copiesmaycostverylittletomanufacture.Thisisn'
tuniquetoinformation
markets;
it'
salsoseeninbusinesssectorssuchasairlinesandhotels.Inall
suchsectors,pricingatmarginalcostwilltendtodriverevenuessteadily
downtowardsthecostofproduction(whichinthecaseofinformationis
zero).
一Third,thereareoftenlargecoststousersfromswitchingtechnologies,which
leadstolock-in.Suchmarketsmayremainveryprofitable,evenwhere(in-
compatible)competitorsareverycheaptoproduce.Infact,oneofthemain
resultsofnetworkeconomicsisthatthenetpresentvalueofthecustomer
baseshouldequalthetotalswitchingcosts.
Allthreeoftheseeffectstendtoleadto"
winnertakeall"
marketstructures
withdominantfirms.Soitisextremelyimportanttogetintomarketsquickly.
Oncein,avendorwilltrytoappealtocomplementarysuppliers,aswiththe
softwarevendorswhosebandwagoneffectcarriedMicrosofttovictoryoverAp-
ple.Infact,successfulnetworkstendtoappealtocomplementarysupplierseven
morethantousers:
thepotentialcreatorsof"
killerapps"
needtobecourted.
Oncethecustomershaveasubstantialinvestmentincomplementaryassets,they
willbelockedin.Odlyzkoobservesthatmuchofthelackofuser-friendlinessof
bothMicrosoftsoftwareandtheInternetisduetothefactthatbothMicrosoft
andtheInternetachievedsuccessbyappealingtodevelopers.Thesupportcosts
thatMicrosoftdumpsonusers一andinfacteventhecostofthetimewasted
waitingforPCstobootupandshutdown一greatlyexceeditsturnover}10}.
Consultantsoftenexplainthatthereasonadesignbrokeforwhichthey
wereresponsiblewasthat`theclientdidn'
twantasecuresystem,butjustthe
mostsecurityIcouldfitonhisproductinoneweekonabudgetof$10,000'
.
It'
simportanttorealisethatthisisn'
tjustmanagementstupidity.Thehuge
first-moveradvantagesthatcanariseineconomicsystemswithstrongpositive
3
feedbackaretheoriginofthephilosophyof`we'
llshipitonTuesdayandgetit
rightbyversion3'
.Althoughoftenattributedbycynicstoamoralfailingonthe
partofBillGates,thisisperfectlyrationalbehaviourinmanymarketswhere
networkeconomicsapply.
Anothercommoncomplaintisthatsoftwareplatformsareshippedwithlittle
ornosecuritysupport,aswithWindows9598;
andevenwhereaccesscontrol
mechanismsaresupplied,aswithWindowsNT,theyareeasyforapplication
developerstobypass.Infact,theaccesscontrolsinWindowsNTarelargely
irrelevant,asmostapplicationsarewrittentorunwithadministratorprivilege.
Thisisalsoexplainedsimplyfromtheviewpointofnetworkeconomics:
manda-
torysecuritywouldsubtractvalue,asitwouldmakelifemoredifficultforthe
applicationdevelopers.
Networkownersandbuilderswillalsoappealtothedevelopersofthenext
generationofapplicationsbyarrangingforthebulkofthesupportcoststofallon
usersratherthandevelopers一evenifthismakeseffectivesecurityadministration
impractical.Thecurrentcrazeforpublickeycryptographymaysimpli勿some
designs,butithasbeencriticisedforplacinganunreasonableadministrative
burdenonuserswhoareneitherpreparednorwillingtoundertakeit}7}.
4Competitiveapplicationsandcorporatewarfare
Networkeconomicshasmanyothereffectsonsecurityengineering.Ratherthan
usingastandard,wellanalyzedandtestedsolution,companiesoftenprefera
proprietaryobscureoneinordertoincreasecustomerlock-inandincreasethe
investmentthatcompetitors