Mises Daily Articles
Department of Computer Security? It's a Joke
If you want to make a geek laugh derisively, suggest that responsibility for computer security be turned over to the government. This reaction is guaranteed, regardless of ideology. Everyone knows that this is not possible, but rarely are the implications for political economy noted.
Now, keep in mind that geeks know that producing fabulous looking and acting things for the web is only part of the job. These are people who spend a fantastic amount of time dealing with security issues, which change every season, day, hour, and even minute.
People know about viruses. Spyware and adware, meanwhile, are incredible threats to people's home computers. A new computer can be slowed to a crawl in a few days of quick browsing without good security against hijackings. And a huge industry has sprung up promising solutions, some good and some almost as dangerous as the thing they allegedly stop. Some of these are free, and some quite expensive, and the typical geek must work to discover what's what.
Other threats are less well known, such as the possibility that your own computer can be hijacked and controlled by other people who want to use it to store files or scan for other hijackable ports. This is mainly a threat faced by servers running large websites — huge magnets for hijackings and hacks — but it even affects home computers.
For example: I was recently talking to a technical administrator of a prestigious host of thousands of servers. He was amazed by the number of root-level compromises that had been taking place in recent months. The possible holes in people's systems are without limit. Software must be constantly upgraded. Even one small mistake can lead to data loss and disaster.
He tried a little experiment. He installed a new operating system on a new laptop, and disabled the firewall. He then hooked it up to a non-secure wireless network in an urban area. The first attack came in 6 minutes. In 12 minutes, the computer had already been hacked and was under the control of somebody or something else. All data on the computer was rendered vulnerable, available for looting or selling. In a few minutes more, it would have become a work station for more port scanning, denial-of-service attacks, or some other menacing behavior, and been added to the empire of servers being controlled by some of the world's smartest criminal minds.
Not that a good firewall and secure connection are infallible solutions. There is always a way in for someone with high-level skills and the will to take the risk. To keep threats away involves the technical equivalent of street fights between hackers and security professionals.
The fighters have similar skills; it's just that one group wears the black hats and one wears white hats. Some are criminals, some are saviors. The battle never stops. And yes, some of them change hats depending on their career prospects. The fight involves deploying skills that are far beyond what most any normal person could conceive of possessing. They can run circles around most computer science professors and even run-of-the-mill webmasters.
Some will rant and rave against the security holes in proprietary products such as those offered by Microsoft. And users of Internet Explorer would be likely to agree. The thing hasn't been properly updated in many years. It has not kept pace with the times, and so attracts web-based evil like a landfill attracts flies. Other products, however, are different. Server-level software is constantly monitored for holes, with updates sent out automatically and often (though not always as often as the people might like).
Still, open-source advocates say that this proprietary stuff is expensive and dangerous. The companies don't respond soon enough to threats, and no one but company employees can view the underlying code. That means that improvements come more slowly. With open source, the world community of programmers have access and work constantly to improve the product. To be sure, hackers too have access to the same code. So here too you have a battle between good and evil.
Among the good guys, there is a debate: should software holes be announced publicly (full disclosure) in the hope that the firms that work on open source will fix it before the hackers find out? But between the announcement and the fix, there is a gap that hackers can exploit. Perhaps then the hole should only be revealed to the firm or individuals who manage the open-source product (limited disclosure). The downside here is that the people responsible will lack the frantic sense of urgency that generates a quick hot-fix. Geeks thrive in emergencies, while non-emergencies fail to inspire.
So the debate over security rages furiously: open source or proprietary code, public security announcements or quiet revelations, development or risk? At any one time, all solutions are being used, with bulletin boards filling up thousands and thousands of pages of debate based on experience. Ideology can play a part here but, in the end, it comes down to what works best. And all the while, the war continues, pushed onward by the relentless pace of development and progress towards better living standards.
We haven't even touched on the war between the virus makers and the virus killers. The competition here is also intense. When a new virus is unleashed, the first firm to produce the fix wins new levels of consumer devotion and attention. A nothing company can become the next big thing by producing a fix for two or three viruses in a row, and doing it before the established firms get there. An established firm can lose its market edge in a month by failing to update its virus definitions in time. The difference between winners and losers in this struggle comes down to minutes, not days or weeks.
In this never-ending struggle, there are always tradeoffs between the pace of development and its security risks. No software is perfect. They all have bugs. But people demand development. The market never rests. We must all take some risk. How much is acceptable?
Competition prevails here too. A bad choice in favor of security over development can leave a company eating other companies' dust. A bad choice in favor of development over security can lead to bankruptcy in the face of a high-stakes security compromise. Geek personalities reflect this trade-off: some develop on live servers and deploy every beta the hour it appears, while others test and test and prefer only the tried and true.
All these fascinating details aside, keep in mind that the terrain on which these wars rage is wholly market based. The idea that any public bureaucracy could oversee the process is unthinkable. So let us ask the question again, so that the reader may join in the derisive laughter: in a world populated by black hats, should the government be the sole wearer of the white hat?
Actually, is there any point at all in giving a white hat to the state? It has no incentive to join the struggle. It lacks the calculational means to assess the trade-off between security and development. It lacks the entrepreneurial drive to produce either. The nature of the bureaucratic organization is to stay put, protect itself, and only move when kicked good and hard by political bosses.
As for the power to do good, how can anyone guarantee that it won't quickly become the power to do evil? If experience is our guide, the government in a position of authority is more likely to be creating viruses and spyware rather than stop them. As for the impact of the law, I vaguely seem to recall some legislation passed a few years ago that made spam illegal.
Government can't produce software that can outsmart every hacker. Not now, not ever. But the government can violate liberty and waste vast resources in the attempt.
As important as computers have become, there are interesting implications here. On a day-by-day basis the security of these machines is a far bigger matter than the threat of terrorism. Whether we like it or not, and regardless of ideology, we all depend on market competition to bring us not only innovation but also to protect us in our dealings with information technology. It is not a perfect solution. It can be messy and fallible. But the market is the strongest and best hope for security, and the alternative is unthinkable.
How interesting that we have been told for, oh, some 400 years, that government is the agency we need to give us the security that markets cannot give us. There are a thousand rationales why intellectuals have believed this, but none of them seem very robust by comparison to the experience of our times.