[Cryptography] Schneier's Internet Security Agency - bad idea because we don't know what it will do
Ian G
iang at iang.org
Sat Feb 25 10:26:27 EST 2017
(cryptopolitics)
Bruce Schneier has recently published an impassioned plea for a United
States Federal Internet Security Agency, which would likely gain control
of civilian cryptography, among many other munitions. The essay is
impassioned, it is much longer than his normal 2 pagers, which signals
something - belief, preparedness, foundation?
http://nymag.com/selectall/2017/01/the-internet-of-things-dangerous-future-bruce-schneier.html
Poignantly, the link in the Crypto-gram was broken, use the above one.
You should read it, but let me summarise.
Schneier's basic argument is that the Internet of Things is becoming too
big and too dangerous to be ignored. He uses the metaphor of building
an Internet-sized robot, which I think is a great picture of something
too big and dangerous to ignore any more.
As we're all agreed, security is hard, and the market has failed to
solve it. Therefore, Schneier suggests, we need a non-market solution.
Which is, by implication, a government agency.
Quite fairly, he points out that the US government isn't structured to
deal with this because the problem is spread across too many departments.
Where he is quite right is that the problem will be seriously considered
at USG level - we already know that Trump's impressive list of executive
orders included one on cyber-security, and people close to the USG are
reaching out for ideas.
These are claims I think we can agree on: that the IoT trainwreck to be
is on the tracks and picking up speed, and the USG is going to do something.
But then, concluding that a government agency is the solution to this
does not follow. For three reasons, in increasing fundamentality:
1. Bringing it all under one roof doesn't work, and that goes
especially for the USG, which famously always fails to coordinate. For
cynical example, it has about 15 intelligence agencies, and its attempts
to unify them all post-911 just resulted in the creation of another
intelligence agency. For other example which Schneier highlights,
Americans are still paying for the problem of DHS which was basically
that solution - bring the problem of securing the 'homeland' under one roof.
2. I think we can agree that the market hasn't solved the problem. But
it is a fallacy that this implies the government has to then step in.
As a matter of objective reality, governments can't solve some problems,
and governments can make some problems worse. Which is why we have bad
wars and bad legislation, something that even Schneier admits with DCMA.
Unconvinced? Look at what the DHS/CBP has done with the so-called
muslim ban: they are now searching people's phones and other devices
for 'expressions (un)aligned to US values' or some such nonsense. This
is damage done, spilt milk, but let me cry out the reasons:
1/ the security community is upset, which means we will now start
thinking about 'duress' devices which will further complicate everyone's
life. Also, nobody in the field will want to work with DHS/CBP on this
for fear of tarring their reputation.
2/ Worse, all the people who actually do want to harm others (e.g.
terrorists but also murderers, fraudsters, baby-snatchers, whoever) now
know about it, and will not bring compromising devices across the
border. Or they'll start creating legends - and if you think about it,
the more nefarious you are, the easier it is to create a legend, and the
harder it is for the border guard to see it's a legend.
So the only consistent, predictable outcome is that searching devices
will harm innocent people - companies and individuals that have their
hardware compromised by CBP must now replace them because of security
breach, and reset any compromised passwords. Corrupt or prejudiced
officers will be empowered. People will be slowed down.
This negative signal to the world can never be repaired! Worse, it will
make Americans absolutely unsafer because by using the tool, CBP has
destroyed its efficacy in most all the useful cases and made it harmful
in most all the non-useful cases. It might not be absolutely the worst
thing DHS could have done, but it's got a place in the top 10.
3. The final and fundamental reason why this is wrong comes down to
thinking about who knows what to do, which is known in economic circles
as the market(s) in insufficient information.
In the now-canonical paper "The Market for Lemons," George Akerlof
argued that when the buyer does not know the quality of a used car, the
direct sales market does not clear, and institutions arise to solve that
problem: used-car warranties, sales yards with brand, regulations, etc.
Akerlof shared the Nobel Prize for this paper, so the insight is widely
accepted as being useful - but the Market for Lemons was premised on one
important caveat, that the seller knew what the state of the car was.
This critical point becomes much clearer if you consider the works of
the other two papers cited in that year's Nobel Prize.
Rothschild and Stiglitz wrote on the market for insurance, which they
identified as the reverse of Lemons - the insurer being the seller did
not know the quality of the goods, whereas the buyer did know the state
of what he was trying to insure. A mirror image, if you like, and
together, economists called these markets in asymmetric information. As
/Lemons/ was such a powerful metaphor, I called this the market for /Limes/.
But as we are logical people, we know that where there is an asymmetry,
there are two other choices. There is not only the case where both
buyer and seller know, there is also a null case - where neither buyer
nor the seller know the quality of the good. In this case, there is no
information - a mirror doesn't work when the light is off.
Which brings us to Spence, the third laureate of that year, who showed
that in a market where neither side knows the quality of the good,
_signals_ can emerge to guide us, but they can be as false as they are
truthful. Indeed that was part of his argument - a good signal is one
that can be interpreted by both sides, but could be interpreted
incorrectly by one or even both sides.
Spence doesn't dispute Akerlof's claim that institutions arise, and
indeed his first example was the undergraduate degree, a very clear
institution. What he disputes is that the signal of the institution is
correct in some objective manner - he shows that under some
circumstances of inadequate feedback over quality, the institution can
sustain without any reference to quality.
That is, we all believe in the institution because it turns out we don't
know what the problem is, and we are happier passing our responsibility
off somehow. E.g., to another party; in the market for undergrad
degrees, everyone passes off the quality argument to someone else: the
student to the university & employer, the university to the student and
employer, and the employer to the student and the university. This
works, is sustainable, but has no quality anywhere in the argument. So
quality drifts...
And so it is with a government agency for all of Internet
cybersecurity. We can all believe in it, and we can all pass on the
responsibility for the signal to someone else. See where I'm going
here? The government will pass on the responsibility for absence of
success to someone else: its people aren't the experts, terrorists
aren't playing doggy with phones any more, the APTs are smarter than us,
the Russians are interfering with our democracy again, etc, etc.
And one thing that government agencies are objectively good at is saying
that more money will solve the problem. So more money will be thrown at
the problem, guaranteeing that the institution will sustain, while the
responsibility for success will be necessarily handed on to next year's
patsy.
The fundamental problem here is that we don't have a solution. We can
outline the problem, but there is no solution in sight that fits the
general needs. And, if we create a government agency without having
that solution in sight, we'll just be creating another problem.
Remember DHS? They are now a problem, they are now arguing against the
cybersecurity of your phone, and we still no closer to a coherent
concept of "border control."
Schneier's argument relies, in a sense, on asking the question: what's
the least bad thing we could do, when we don't know what to do?
Schneier says that the market has failed, and what we do with market
failure is create a government agency to implement a solution to the
problem.
But what's that solution? Cybersecurity is not like airplanes or cars
or radio spectrum - for all of those 'market failures' we have a clearly
delineated and standardised solution: careful design, crash-test
dummies or auctions.
I say that creating a government agency will objectively create a new
problem, because government agencies are good at growing in uncertainty,
and we haven't got a solution to hand to this agency, only more
problems, more uncertainty, and more potential for big agency spends.
Curiously, we - the security industry - have been sitting on this
controversy for some time. Is the market for security one of Lemons, in
which case an institution can objectively find a solution to market
failure, or is it a market for Silver Bullets, in which case
institutions can exist but their existence says little or nothing about
the problem? And it's been a tough intellectual puzzle, if it was that
easy, we'd have agreed by now. There's even a Workshop on Economics &
Information Security, and it hasn't resolved the Lemons debate, nor come
up with a clear plan to solve the wider problem of the economics of
information security - which makes for a nice problem to have, if you're
an academic. We might ponder whether institutions like WEIS sustain
because they are the institutional solutions in Akerlof's model, or
because they're the signals in Spence's model? Poignancy all around.
So let me propose an objective test. Let's say this: if we can put a
random or otherwise independently chosen group of experts in a room, and
they can come to consensus on a solution, then we're in a market for
Lemons - an institution can arise, and they've chosen it for trial.
In the alternate, if the experts can't come to consensus, we're in a
market for silver bullets.
What happens in a market for silver bullets? Once all the dust settles,
I suggest that an institution arises, but it arises because of the money
- the solution is the one that supports the biggest lobbiest. Industry
wins, but the user does not.
Basically, the one with the most influence - paid or otherwise - gets
their solution mandated.
Who might that be? RSA? Symantec? Boeing? SANS? NIST? NSA?
BlackRock? CIA? We can't tell right now because bidding hasn't started
- We can't predict who's going to reach deeper and further into the
pocket for the lobbying. But I am predicting that an agency solution
will go to that entity that pays for the most influence.
Is that how we're going to solve cybersecurity? I don't think so - but,
and I think Schneier is right on this - we're going to find out. I
think the desperation for a solution will cause the cries for a new,
single cross-government agency will rise.
I say - resist.
As of now, we are, and so is Pres. Trump. Not only did the leaked draft
of a cybersecurity executive order not suggest anything like an agency,
it was the first EO to be delayed and deferred. POTUS appears to have
got that message at least - we don't know what to do, so best bet right
now is to do nothing impetuous, and ask for more research.
https://www.theregister.co.uk/2017/02/09/trump_cybersecurity_order_becomes_report_extravaganza/
Let's see who's right.
I'd urge you all to choose sides on this, because our Internet - our
security, our crypto, our institution - hangs in the balance. Choose
sides. Prove me wrong. Because it's a damn sight better if you can
prove me wrong than the alternate.
iang, seller of silver bullets, voodoo spells, snake oil and other charms
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20170225/2d1cfd29/attachment.html>
More information about the cryptography
mailing list