Interesting People mailing list archives

Re: pro regulation viewpoint on cyber vulnerability
From: David Farber <dave () farber net>
Date: Mon, 30 Mar 2009 16:51:23 -0400



Begin forwarded message:

From: Vadim Antonov <avg () kotovnik com>
Date: March 30, 2009 3:27:27 PM EDT
To: David Farber <dave () farber net>
Cc: ip <ip () v2 listbox com>
Subject: Re: [IP] pro regulation viewpoint on cyber vulnerability


David - for IP, if you wish.

On Mon, 30 Mar 2009, David Farber wrote:

> A paper that speaks to market failure is at:
> http://www.csis.org/component/option,com_csis_pubs/task,view/id,5370/type,1/

The sad truth is that there is no single documented case of "market
failure" which couldn't be easily traced back to previous non-market
intervention (by government or crime) - and these should be properly
called "government failures", i.e. governments either doing what they
shouldn't do (granting monopolies to politically connected parties,
engaging in social engineering, etc.), or failing in their duty to protect
citizens.

Just ask an economist to offer not a plausible theoretical scenario in
which a market failure could occur - but a clear-cut real-life case of
market failure, and then watch him squirm uncomfortably.

Market failure is one of those elusive concepts which everybody seems to
believe in, but which start to shift meaning, twist, and finally evaporate
if closer scrutiny is applied.  Using it as a justification for any
policy is, at best, intellectually dishonest.

When applied to "cybersecurity", the very first assertion that "market has
failed to secure cyberspace" is a plain lie.  Any real security expert
knows that there's no such thing as absolute and perfect security.
Better security comes with a price - and this price increases exponentially
if stronger (and rarer) threats are considered.

Thus, securing any real installation requires finding a proper balance
between security and cost - and in many cases that balance is on a side
which any security-conscious person would find quite insecure (just think
how long your front door would hold if someone wants to break in, or how
your windows are totally penetrable with the aid of a brick).  However,
laminated cardboard doors and easily breakable glass windows are
sufficient to deter the majority of opportunistic criminals - and defending
against determined thieves would be way too costly given that the chances
that one would pay a visit are rather small.

"Cybersecurity" is no different. Even with the broken-by-design security
model of Windows/Explorer, use of a cheap consumer security product
(Norton, etc.) would be quite sufficient to achieve good-enough security.
Nearly all people who suffered from attacks by hackers simply didn't consider
security of their computers to be important enough to devote the 15-20 minutes
and a few dozen dollars needed to find a product, buy, and install it.

Well, there are people who don't bother to lock their doors and leave keys
in the ignition locks of their cars - but for some reason there are no
experts calling for federal programs to fix these "market failures".  I
think that is because, without the smoke screen of fancy jargon, any
reasonable person would see the inanity of any such proposal.

--vadim




