<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>(cryptopolitics)</p>
<p>Bruce Schneier has recently published an impassioned plea for a
United States Federal Internet Security Agency, which would likely
gain control of civilian cryptography, among many other
munitions. The essay is impassioned, it is much longer than his
normal 2 pagers, which signals something - belief, preparedness,
foundation?</p>
<p><a class="moz-txt-link-freetext"
href="http://nymag.com/selectall/2017/01/the-Internet-of-things-dangerous-future-bruce-schneier.html">http://nymag.com/selectall/2017/01/the-internet-of-things-dangerous-future-bruce-schneier.html</a></p>
<p>Poignantly, the link in the Crypto-gram was broken, use the above
one. You should read it, but let me summarise.<br>
</p>
<p>Schneier's basic argument is that the Internet of Things is
becoming too big and too dangerous to be ignored. He uses the
metaphor of building an Internet-sized robot, which I think is a
great picture of something too big and dangerous to ignore any
more.</p>
<p>As we're all agreed, security is hard, and the market has failed
to solve it. Therefore, Schneier suggests, we need a non-market
solution. Which is, by implication, a government agency.</p>
<p>Quite fairly, he points out that the US government isn't
structured to deal with this because the problem is spread across
too many departments.</p>
<p>Where he is quite right is that the problem will be seriously
considered at USG level - we already know that Trump's impressive
list of executive orders included one on cyber-security, and
people close to the USG are reaching out for ideas.</p>
<p>These are claims I think we can agree on: that the IoT
trainwreck to be is on the tracks and picking up speed, and the
USG is going to do something.</p>
<p><br>
</p>
<p>But then, concluding that a government agency is the solution to
this does not follow. For three reasons, in increasing
fundamentality:</p>
<p>1. Bringing it all under one roof doesn't work, and that goes
especially for the USG, which famously always fails to
coordinate. For cynical example, it has about 15 intelligence
agencies, and its attempts to unify them all post-911 just
resulted in the creation of another intelligence agency. For
other example which Schneier highlights, Americans are still
paying for the problem of DHS which was basically that solution -
bring the problem of securing the 'homeland' under one roof.</p>
<p>2. I think we can agree that the market hasn't solved the
problem. But it is a fallacy that this implies the government has
to then step in. As a matter of objective reality, governments
can't solve some problems, and governments can make some problems
worse. Which is why we have bad wars and bad legislation,
something that even Schneier admits with DCMA.</p>
<p>Unconvinced? Look at what the DHS/CBP has done with the
so-called muslim ban: they are now searching people's phones and
other devices for 'expressions (un)aligned to US values' or some
such nonsense. This is damage done, spilt milk, but let me cry
out the reasons:</p>
<p> 1/ the security community is upset, which means we will now
start thinking about 'duress' devices which will further
complicate everyone's life. Also, nobody in the field will want
to work with DHS/CBP on this for fear of tarring their reputation.</p>
<p> 2/ Worse, all the people who actually do want to harm others
(e.g. terrorists but also murderers, fraudsters, baby-snatchers,
whoever) now know about it, and will not bring compromising
devices across the border. Or they'll start creating legends -
and if you think about it, the more nefarious you are, the easier
it is to create a legend, and the harder it is for the border
guard to see it's a legend.<br>
</p>
<p>So the only consistent, predictable outcome is that searching
devices will harm innocent people - companies and individuals that
have their hardware compromised by CBP must now replace them
because of security breach, and reset any compromised passwords.
Corrupt or prejudiced officers will be empowered. People will be
slowed down.<br>
</p>
<p>This negative signal to the world can never be repaired! Worse,
it will make Americans absolutely unsafer because by using the
tool, CBP has destroyed its efficacy in most all the useful cases
and made it harmful in most all the non-useful cases. It might
not be absolutely the worst thing DHS could have done, but it's
got a place in the top 10.<br>
</p>
<p><br>
</p>
<p>3. The final and fundamental reason why this is wrong comes down
to thinking about who knows what to do, which is known in economic
circles as the market(s) in insufficient information.</p>
<p>In the now-canonical paper "The Market for Lemons," George
Akerlof argued that when the buyer does not know the quality of a
used car, the direct sales market does not clear, and institutions
arise to solve that problem: used-car warranties, sales yards
with brand, regulations, etc.<br>
</p>
<p>Akerlof shared the Nobel Prize for this paper, so the insight is
widely accepted as being useful - but the Market for Lemons was
premised on one important caveat, that the seller knew what the
state of the car was.</p>
<p>This critical point becomes much clearer if you consider the
works of the other two papers cited in that year's Nobel Prize.</p>
<p>Rothschild and Stiglitz wrote on the market for insurance, which
they identified as the reverse of Lemons - the insurer being the
seller did not know the quality of the goods, whereas the buyer
did know the state of what he was trying to insure. A mirror
image, if you like, and together, economists called these markets
in asymmetric information. As <i>Lemons</i> was such a powerful
metaphor, I called this the market for <i>Limes</i>.</p>
<p>But as we are logical people, we know that where there is an
asymmetry, there are two other choices. There is not only the
case where both buyer and seller know, there is also a null case -
where neither buyer nor the seller know the quality of the good.
In this case, there is no information - a mirror doesn't work when
the light is off.<br>
</p>
<p><br>
</p>
<p>Which brings us to Spence, the third laureate of that year, who
showed that in a market where neither side knows the quality of
the good, _signals_ can emerge to guide us, but they can be as
false as they are truthful. Indeed that was part of his argument
- a good signal is one that can be interpreted by both sides, but
could be interpreted incorrectly by one or even both sides.</p>
<p>Spence doesn't dispute Akerlof's claim that institutions arise,
and indeed his first example was the undergraduate degree, a very
clear institution. What he disputes is that the signal of the
institution is correct in some objective manner - he shows that
under some circumstances of inadequate feedback over quality, the
institution can sustain without any reference to quality.</p>
<p>That is, we all believe in the institution because it turns out
we don't know what the problem is, and we are happier passing our
responsibility off somehow. E.g., to another party; in the market
for undergrad degrees, everyone passes off the quality argument to
someone else: the student to the university & employer, the
university to the student and employer, and the employer to the
student and the university. This works, is sustainable, but has
no quality anywhere in the argument. So quality drifts...</p>
<p>And so it is with a government agency for all of Internet
cybersecurity. We can all believe in it, and we can all pass on
the responsibility for the signal to someone else. See where I'm
going here? The government will pass on the responsibility for
absence of success to someone else: its people aren't the
experts, terrorists aren't playing doggy with phones any more, the
APTs are smarter than us, the Russians are interfering with our
democracy again, etc, etc.<br>
</p>
<p>And one thing that government agencies are objectively good at is
saying that more money will solve the problem. So more money will
be thrown at the problem, guaranteeing that the institution will
sustain, while the responsibility for success will be necessarily
handed on to next year's patsy.</p>
<p>The fundamental problem here is that we don't have a solution.
We can outline the problem, but there is no solution in sight that
fits the general needs. And, if we create a government agency
without having that solution in sight, we'll just be creating
another problem. Remember DHS? They are now a problem, they are
now arguing against the cybersecurity of your phone, and we still
no closer to a coherent concept of "border control."</p>
<p><br>
</p>
<p><br>
</p>
<p>Schneier's argument relies, in a sense, on asking the question:
what's the least bad thing we could do, when we don't know what to
do? Schneier says that the market has failed, and what we do with
market failure is create a government agency to implement a
solution to the problem.</p>
<p>But what's that solution? Cybersecurity is not like airplanes or
cars or radio spectrum - for all of those 'market failures' we
have a clearly delineated and standardised solution: careful
design, crash-test dummies or auctions.<br>
</p>
<p>I say that creating a government agency will objectively create a
new problem, because government agencies are good at growing in
uncertainty, and we haven't got a solution to hand to this agency,
only more problems, more uncertainty, and more potential for big
agency spends.</p>
<p><br>
</p>
<p>Curiously, we - the security industry - have been sitting on this
controversy for some time. Is the market for security one of
Lemons, in which case an institution can objectively find a
solution to market failure, or is it a market for Silver Bullets,
in which case institutions can exist but their existence says
little or nothing about the problem? And it's been a tough
intellectual puzzle, if it was that easy, we'd have agreed by
now. There's even a Workshop on Economics & Information
Security, and it hasn't resolved the Lemons debate, nor come up
with a clear plan to solve the wider problem of the economics of
information security - which makes for a nice problem to have, if
you're an academic. We might ponder whether institutions like
WEIS sustain because they are the institutional solutions in
Akerlof's model, or because they're the signals in Spence's
model? Poignancy all around.<br>
</p>
<p>So let me propose an objective test. Let's say this: if we can
put a random or otherwise independently chosen group of experts in
a room, and they can come to consensus on a solution, then we're
in a market for Lemons - an institution can arise, and they've
chosen it for trial.</p>
<p>In the alternate, if the experts can't come to consensus, we're
in a market for silver bullets.</p>
<p>What happens in a market for silver bullets? Once all the dust
settles, I suggest that an institution arises, but it arises
because of the money - the solution is the one that supports the
biggest lobbiest. Industry wins, but the user does not.</p>
<p>Basically, the one with the most influence - paid or otherwise -
gets their solution mandated.</p>
<p>Who might that be? RSA? Symantec? Boeing? SANS? NIST? NSA?
BlackRock? CIA? We can't tell right now because bidding hasn't
started - We can't predict who's going to reach deeper and further
into the pocket for the lobbying. But I am predicting that an
agency solution will go to that entity that pays for the most
influence.</p>
<p>Is that how we're going to solve cybersecurity? I don't think so
- but, and I think Schneier is right on this - we're going to find
out. I think the desperation for a solution will cause the cries
for a new, single cross-government agency will rise.<br>
</p>
<p>I say - resist.</p>
<p>As of now, we are, and so is Pres. Trump. Not only did the
leaked draft of a cybersecurity executive order not suggest
anything like an agency, it was the first EO to be delayed and
deferred. POTUS appears to have got that message at least - we
don't know what to do, so best bet right now is to do nothing
impetuous, and ask for more research.</p>
<p><a class="moz-txt-link-freetext" href="https://www.theregister.co.uk/2017/02/09/trump_cybersecurity_order_becomes_report_extravaganza/">https://www.theregister.co.uk/2017/02/09/trump_cybersecurity_order_becomes_report_extravaganza/</a><br>
</p>
<p>Let's see who's right.</p>
<p>I'd urge you all to choose sides on this, because our Internet -
our security, our crypto, our institution - hangs in the balance.
Choose sides. Prove me wrong. Because it's a damn sight better
if you can prove me wrong than the alternate.</p>
<p><br>
</p>
<p><br>
</p>
<p>iang, seller of silver bullets, voodoo spells, snake oil and
other charms<br>
</p>
</body>
</html>