[Cryptography] Schneier's Internet Security Agency - bad idea because we don't know what it will do

Ian G iang at iang.org
Sat Feb 25 10:26:27 EST 2017


Bruce Schneier has recently published an impassioned plea for a United 
States Federal Internet Security Agency, which would likely gain control 
of civilian cryptography, among many other munitions.  The essay is 
impassioned, it is much longer than his normal 2 pagers, which signals 
something - belief, preparedness, foundation?


Poignantly, the link in the Crypto-gram was broken, use the above one.  
You should read it, but let me summarise.

Schneier's basic argument is that the Internet of Things is becoming too 
big and too dangerous to be ignored.  He uses the metaphor of building 
an Internet-sized robot, which I think is a great picture of something 
too big and dangerous to ignore any more.

As we're all agreed, security is hard, and the market has failed to 
solve it.  Therefore, Schneier suggests, we need a non-market solution.  
Which is, by implication, a government agency.

Quite fairly, he points out that the US government isn't structured to 
deal with this because the problem is spread across too many departments.

Where he is quite right is that the problem will be seriously considered 
at USG level - we already know that Trump's impressive list of executive 
orders included one on cyber-security, and people close to the USG are 
reaching out for ideas.

These are claims I think we can agree on:  that the IoT trainwreck to be 
is on the tracks and picking up speed, and the USG is going to do something.

But then, concluding that a government agency is the solution to this 
does not follow.  For three reasons, in increasing fundamentality:

1.   Bringing it all under one roof doesn't work, and that goes 
especially for the USG, which famously always fails to coordinate.  For 
cynical example, it has about 15 intelligence agencies, and its attempts 
to unify them all post-911 just resulted in the creation of another 
intelligence agency.  For another example, which Schneier highlights, 
Americans are still paying for the problem of DHS which was basically 
that solution - bring the problem of securing the 'homeland' under one roof.

2. I think we can agree that the market hasn't solved the problem.  But 
it is a fallacy that this implies the government has to then step in.  
As a matter of objective reality, governments can't solve some problems, 
and governments can make some problems worse.  Which is why we have bad 
wars and bad legislation, something that even Schneier admits with DMCA.

Unconvinced?  Look at what the DHS/CBP has done with the so-called 
Muslim ban:  they are now searching people's phones and other devices 
for 'expressions (un)aligned to US values' or some such nonsense.  This 
is damage done, spilt milk, but let me cry out the reasons:

    1/ the security community is upset, which means we will now start 
thinking about 'duress' devices which will further complicate everyone's 
life.  Also, nobody in the field will want to work with DHS/CBP on this 
for fear of tarring their reputation.

    2/ Worse, all the people who actually do want to harm others (e.g. 
terrorists but also murderers, fraudsters, baby-snatchers, whoever) now 
know about it, and will not bring compromising devices across the 
border.  Or they'll start creating legends - and if you think about it, 
the more nefarious you are, the easier it is to create a legend, and the 
harder it is for the border guard to see it's a legend.

So the only consistent, predictable outcome is that searching devices 
will harm innocent people - companies and individuals that have their 
hardware compromised by CBP must now replace them because of security 
breach, and reset any compromised passwords. Corrupt or prejudiced 
officers will be empowered.  People will be slowed down.

This negative signal to the world can never be repaired!  Worse, it will 
make Americans absolutely unsafer because by using the tool, CBP has 
destroyed its efficacy in most all the useful cases and made it harmful 
in most all the non-useful cases.  It might not be absolutely the worst 
thing DHS could have done, but it's got a place in the top 10.

3. The final and fundamental reason why this is wrong comes down to 
thinking about who knows what to do, which is known in economic circles 
as the market(s) in insufficient information.

In the now-canonical paper "The Market for Lemons," George Akerlof 
argued that when the buyer does not know the quality of a used car, the 
direct sales market does not clear, and institutions arise to solve that 
problem:  used-car warranties, sales yards with brand, regulations, etc.

Akerlof shared the Nobel Prize for this paper, so the insight is widely 
accepted as being useful - but the Market for Lemons was premised on one 
important caveat, that the seller knew what the state of the car was.

This critical point becomes much clearer if you consider the works of 
the other two papers cited in that year's Nobel Prize.

Rothschild and Stiglitz wrote on the market for insurance, which they 
identified as the reverse of Lemons - the insurer being the seller did 
not know the quality of the goods, whereas the buyer did know the state 
of what he was trying to insure.  A mirror image, if you like, and 
together, economists called these markets in asymmetric information.  As 
/Lemons/ was such a powerful metaphor, I called this the market for /Limes/.

But as we are logical people, we know that where there is an asymmetry, 
there are two other choices.  There is not only the case where both 
buyer and seller know, there is also a null case - where neither buyer 
nor the seller know the quality of the good. In this case, there is no 
information - a mirror doesn't work when the light is off.

Which brings us to Spence, the third laureate of that year, who showed 
that in a market where neither side knows the quality of the good, 
_signals_ can emerge to guide us, but they can be as false as they are 
truthful.  Indeed that was part of his argument - a good signal is one 
that can be interpreted by both sides, but could be interpreted 
incorrectly by one or even both sides.

Spence doesn't dispute Akerlof's claim that institutions arise, and 
indeed his first example was the undergraduate degree, a very clear 
institution.  What he disputes is that the signal of the institution is 
correct in some objective manner - he shows that under some 
circumstances of inadequate feedback over quality, the institution can 
sustain without any reference to quality.

That is, we all believe in the institution because it turns out we don't 
know what the problem is, and we are happier passing our responsibility 
off somehow.  E.g., to another party; in the market for undergrad 
degrees, everyone passes off the quality argument to someone else:  the 
student to the university & employer, the university to the student and 
employer, and the employer to the student and the university.  This 
works, is sustainable, but has no quality anywhere in the argument.  So 
quality drifts...

And so it is with a government agency for all of Internet 
cybersecurity.  We can all believe in it, and we can all pass on the 
responsibility for the signal to someone else.  See where I'm going 
here?  The government will pass on the responsibility for absence of 
success to someone else:  its people aren't the experts, terrorists 
aren't playing doggy with phones any more, the APTs are smarter than us, 
the Russians are interfering with our democracy again, etc, etc.

And one thing that government agencies are objectively good at is saying 
that more money will solve the problem.  So more money will be thrown at 
the problem, guaranteeing that the institution will sustain, while the 
responsibility for success will be necessarily handed on to next year's 

The fundamental problem here is that we don't have a solution. We can 
outline the problem, but there is no solution in sight that fits the 
general needs.  And, if we create a government agency without having 
that solution in sight, we'll just be creating another problem.  
Remember DHS?  They are now a problem, they are now arguing against the 
cybersecurity of your phone, and we are still no closer to a coherent 
concept of "border control."

Schneier's argument relies, in a sense, on asking the question: what's 
the least bad thing we could do, when we don't know what to do?  
Schneier says that the market has failed, and what we do with market 
failure is create a government agency to implement a solution to the 

But what's that solution?  Cybersecurity is not like airplanes or cars 
or radio spectrum - for all of those 'market failures' we have a clearly 
delineated and standardised solution:  careful design, crash-test 
dummies or auctions.

I say that creating a government agency will objectively create a new 
problem, because government agencies are good at growing in uncertainty, 
and we haven't got a solution to hand to this agency, only more 
problems, more uncertainty, and more potential for big agency spends.

Curiously, we - the security industry - have been sitting on this 
controversy for some time.  Is the market for security one of Lemons, in 
which case an institution can objectively find a solution to market 
failure, or is it a market for Silver Bullets, in which case 
institutions can exist but their existence says little or nothing about 
the problem?  And it's been a tough intellectual puzzle, if it was that 
easy, we'd have agreed by now.  There's even a Workshop on Economics & 
Information Security, and it hasn't resolved the Lemons debate, nor come 
up with a clear plan to solve the wider problem of the economics of 
information security - which makes for a nice problem to have, if you're 
an academic.  We might ponder whether institutions like WEIS sustain 
because they are the institutional solutions in Akerlof's model, or 
because they're the signals in Spence's model?  Poignancy all around.

So let me propose an objective test.  Let's say this:  if we can put a 
random or otherwise independently chosen group of experts in a room, and 
they can come to consensus on a solution, then we're in a market for 
Lemons - an institution can arise, and they've chosen it for trial.

In the alternate, if the experts can't come to consensus, we're in a 
market for silver bullets.

What happens in a market for silver bullets?  Once all the dust settles, 
I suggest that an institution arises, but it arises because of the money 
- the solution is the one that supports the biggest lobbyist.  Industry 
wins, but the user does not.

Basically, the one with the most influence - paid or otherwise - gets 
their solution mandated.

Who might that be?  RSA?  Symantec?  Boeing?  SANS?  NIST?  NSA? 
BlackRock?  CIA?  We can't tell right now because bidding hasn't started 
- We can't predict who's going to reach deeper and further into the 
pocket for the lobbying.  But I am predicting that an agency solution 
will go to that entity that pays for the most influence.

Is that how we're going to solve cybersecurity?  I don't think so - but, 
and I think Schneier is right on this - we're going to find out.  I 
think the desperation for a solution will cause the cries for a new, 
single cross-government agency to rise.

I say - resist.

As of now, we are, and so is Pres. Trump.  Not only did the leaked draft 
of a cybersecurity executive order not suggest anything like an agency, 
it was the first EO to be delayed and deferred.  POTUS appears to have 
got that message at least - we don't know what to do, so best bet right 
now is to do nothing impetuous, and ask for more research.


Let's see who's right.

I'd urge you all to choose sides on this, because our Internet - our 
security, our crypto, our institution - hangs in the balance. Choose 
sides.  Prove me wrong.  Because it's a damn sight better if you can 
prove me wrong than the alternate.

iang, seller of silver bullets, voodoo spells, snake oil and other charms
