Episode 82: Geekonomics and the Impact of Insecure Software, Part 1
Amrit Williams, BigFix CTO, discusses Author David Rice’s concept of Geekonomics in this two part interview.
FULL TRANSCRIPT
Amrit Williams: Welcome! This is Amrit Williams, your host on Beyond the Perimeter, and today I am joined by David Rice. David is the Executive Director of the Monterey Group. He is the Consulting Director for Policy Reform with the U.S. Cyber Consequences Unit, and he is the author of ‘Geekonomics’. And that book looks at the economic impact of insecure software.
David, thanks for joining me today.
David Rice: A pleasure to be here. Thank you.
Amrit Williams: So David, I did ask you to come on to dig into ‘Geekonomics’ and I think there are a lot of really wonderful things in there that I would like to talk to you about. But I am absolutely curious about what the U.S. Cyber Consequences Unit does. So if you could give us just a short explanation and maybe a little bit of detail behind that, on what its purpose is and what the goal is.
David Rice: Sure. So the U.S. Cyber Consequences Unit is a nonprofit organization. It’s not a government entity. It’s a nonprofit that researches the impact of cyber attacks and cyber assisted physical attacks. And the name is exactly what it implies. It’s looking at the consequences that cyber has introduced to nation states.
So it’s not just about throwing bits on target, i.e., a hacker coming against you at your website or against your digital infrastructure, but also what happens if there is a physical component. That is, someone not only goes kinetic, i.e., throws atoms at your system in the form of a bomb or a bullet or something like that, but also if that would support a cyber assisted attack. So it’s really about full spectrum warfare.
So not only would the U.S. government use this, but also other nation states could say, alright, well, now that we are digitizing everything, or one of my phrases that I like to say is, now that we are dematerializing everything, whether it’s citizenship documents, whether it’s health records, when we dematerialize this, what’s the impact that we need to start considering, because we are starting — more and more nation states are starting to see the impact. So the research is really focused towards the risk of dematerialization.
Amrit Williams: It’s interesting, a couple of years ago I was in London and I was speaking to one of the information technology people who worked with the Holland Police, the police in Holland. And what he said is, for the most part, in the Netherlands, parts of law enforcement hadn’t digitized a lot of the records, and the only way you could get access to confidential information is you basically had to go through a mantrap and you had to be authorized in, and you had to go and you had to physically touch the documents, whether those documents were on organized crime or undercover agents. And he said, now they want us to put that on the Internet and share that with Interpol and others, and we are scared to death.
David Rice: And well-placed fear too.
Amrit Williams: They say, we have no idea how to secure this stuff.
David Rice: No, indeed, indeed. And the interesting thing too is, I use this phrase, it’s called Information Liquidity, and for a lot of businesses, whether they are nonprofit or profit focused, Information Liquidity is just as important as capital liquidity or even labor liquidity, i.e., the free flow of labor across borders or the free flow of capital so that you can do your investment.
But a lot of companies and a lot of organizations that may not be profit focused, but just service focused, realize that the flow of information is critical to their success. But dematerializing what was once an atom down to bits introduces risks that everyone is trying to come to terms with.
So again, there is plenty of research effort to be applied there. And there is no real solution; there’s just coping mechanisms that we come up with.
Amrit Williams: And I understand you have some economic muscle, some minds helping you –
David Rice: Yes, yes, there is. Scott Borg is the Director of the U.S. Cyber Consequences Unit, a powerhouse when it comes to economic thinking. And then Warren Axelrod. We have also got John Bumgarner, who is kind of the technical mind also, but balances that out. So it’s really a holistic look at security as opposed to just the technology or just the economics. It’s to say, alright, well, this is a multidimensional issue, we have to bring multidimensional talent to the game field.
Amrit Williams: So is there information out that’s available to the public?
David Rice: Whatever is on the website is what is available. Again, there is no notion of trying to restrict the flow of information unless there is a real risk that can be uncovered by what the unit actually discovers in their research. So mostly it’s targeted at government entities to consume. It’s not generally consumable. Although, there is not a notion of like secret or top secret type classification. It’s really meant to be consumable by decision makers and governments.
Amrit Williams: Yeah, sure. What is the website by the way?
David Rice: It is usccu.us.
Amrit Williams: I have got to tell you, I will be shocked if that doesn’t turn into a FX prime-time series.
David Rice: No doubt.
Amrit Williams: Of course you all will be driving Hummers and wearing very expensive clothing.
David Rice: Oh, actually I have got on my black Armani, I am just waiting for the episode.
Amrit Williams: So nice segue into, if you don’t mind — actually it was a really poor segue, I should have segued earlier, into ‘Geekonomics’ and the impact on insecure software. I have to ask you one question before we dig into this, which is, I have been amazed at the level of acceptance by the industries, in general, in allowing certain regulations to move forward against the consumers of the software. And by consumers, I mean large enterprise, government, private citizens, and how the onus to place security around insecure software is placed on those consumers and not the developers of it all.
(00:05:09)
We have seen a lot in other industries, like the auto industry, or any type of consumer good industries, where they go through recalls. If something doesn’t work or it can cause pain or damage or actually physically death or impact to something, they recall it.
And with software, we don’t have any concept of that at all. And there really is nothing but market forces, the free market to force organizations to build secure software.
Conversely, those consumers of secure software are slapped silly by regulation after regulation, after compliance pressure after compliance pressure, to wrap security around this insecure stuff.
I want to get your quick thoughts on that before we drill into the book. Where do you stand? And I am certainly not suggesting that we start regulating the software industry, but I am not sure I would be opposed to it either.
David Rice: Yeah, that’s a huge hot button issue for me. Taking another analogy or using the car industry, let’s imagine that car buyers were held liable for buying an unsafe car, but the only cars available were unsafe. Most of your consumers or just citizens out there would find it reprehensible and they would be writing letters to their Congressmen the instant that type of law or that type of situation was there.
And if you look at the compliance mechanisms that we have in place now, it really holds the acquirers of software liable for insecure systems, when the only systems available are insecure.
And so from my perspective, a public policy stance like that is untenable. It’s reprehensible. It’s perverse. It’s all those nasty words that you can throw at it. It’s not that I am against regulation of the end users of software. I wouldn’t be against holding people liable for driving drunk in a car, but there is no bright line in cyberspace as to what users are clearly culpable for and what the manufacturers are clearly culpable for. Without that bright line, the current compliance mandates I find perverse. And it’s just an unacceptable level of responsibility for people who literally cannot get it right. So when it comes to the issue of software regulation, I am very much in favor of it.
Now, when that regulation actually comes is of course a deeper discussion. But I think that type of imbalance, that type of asymmetry between culpability, that type of unfairness really is unacceptable. And from a security perspective it is just unworkable.
Amrit Williams: Yeah. I mean, I completely agree with your statements, and I think you articulated that quite well. What is curious to me is, those folks that are very much in favor and supporters of, either because they have their own economic interests at play here, of regulations like PCI and the benefits they feel that, that provides. But when you talk to them about applying certain type of pressures on software manufacturers or developers to develop secure software from the beginning, they are very much against that. And I have never really quite understood the — I don’t think they have the full understanding about the impact that can be had further down the chain. So it’s interesting to me.
I also am surprised at — we went through, gosh, it’s probably 20 years now since we first started talking about quality assurance and its economic impact. And there are well-documented cases that, if you find defects earlier in the development cycle, it costs less, and yet, it took some pretty massive pressure for QA to become an accepted discipline, and it is for the most part now, and there is an entire industry set up to support quality assurance.
And what’s interesting now is, people are taking the exact same approach to security, and developing secure software; it’s too expensive, we can’t do it, it’s going to impact us, go to market, blah, blah, blah. And there really has not been the same level of pressure applied across the board like there was with quality assurance and defects.
David Rice: Agreed. There is this notion that regulation is the bugbear, and I am always kind of — I find it humorous when people say the security industry throws about fear, uncertainty, and doubt excessively. But the minute you bring up any notion of regulating the software industry, they throw fear, uncertainty, and doubt. You are going to crush innovation. You are going to — what about all these independent software developers out there? They are not going to have a chance.
And certainly, there are some downsides to it. But if you also look at the type of regulation you use, which again, regulation is a four letter word, but the type of regulation, it’s not just one form that we have, we have multiple aspects that we can put into play. But what we see in almost every industry is that regulation can actually help focus innovation.
And so a lot of the bugbears they bring up, well, software is going to be more expensive, it’s going to be more difficult to use, that hasn’t happened in any other industry. And I can’t imagine that software is so uniquely special that somehow it’s going to be tripped up immediately by any — even a candid approach to regulation. I just don’t see the industry, one, being that stupid frankly, and nor do I see the regulators being that stupid.
(00:09:58)
Amrit Williams: Whose best economic interest is it for secure software to be built? It certainly isn’t in the best economic interests of the security industry. It’s not in the best economic interest of the regulators themselves or those who are QSAs and the folks who are in consulting. Quite honestly, I am not sure it’s in the best interest of the software folks themselves, or I don’t think they realize the economic benefits.
So there really is no – there is no real part of the security industry or the IT industry that would be in favor of this from an economic perspective except the consumers of the technology. And for whatever reason they are not demanding it. And I am not really sure why that is. Because if you think about it, if you just probably sat down and ran the economics for this, what you would find is that if you build secure software and you didn’t require that type of band-aid, expensive, half-ass reactive solutions that we are at the point today of requiring, you would change the economics.
David Rice: Absolutely. And that’s what we see as a more efficient distribution of security, but also a more efficient distribution of skill and talent across the spectrum for dealing with security issues.
One example a colleague of mine gave me was the example of refrigerators. And a while back they mandated the use of safety latches in refrigerators. And of course the refrigerator makers threw a huge red flag up there saying it’s going to drive up the cost of refrigerators. It’s a regressive tax against poor people. They are not going to be able to afford refrigerators, yaddy, yaddy, yadda.
And then ultimately when the requirement went into place, some engineers said, why don’t we just use a magnetic lock instead of a physical lock? And of course it cost like $0.20. And that’s where you have the magnetic seals on all your refrigerators now. And kids, if they are locked in, can kick the door out. It’s a much safer mechanism. It achieves what it needs to at a much lower cost.
And so there is this notion that regulation or any type of safety control will no doubt raise the level of the cost of the product. At first that may be true, but in general, again, it focuses innovation to say, what type of safety can we get at the lowest price possible that’s still effective. And security would never really ask that question. It’s usually vendors with $100,000 price points or even professional services, to be fair, since I have run a professional services firm, trying to say, well, this is what you need to do, and we really haven’t focused innovation yet. We have really just kind of perpetuated the problem in such a way that now we are really getting into a cul-de-sac that we can’t get out of.
Amrit Williams: It’s interesting too, and we are talking about two aspects of security as part of the software development process. There is how one builds more — what would be considered, I guess, more secure is probably the wrong word, but more survivable or even more –
David Rice: I like Rugged.
Amrit Williams: Yeah, that’s what I was going to say, more Rugged. As the audience may know, David Rice is one of the creators of the Rugged Software Manifesto and we had him on a couple of weeks ago with Josh Korman. More rugged software. And then there is building security controls as part of the software itself. So the difference between threat modeling and the software development lifecycle at Microsoft versus a personal firewall being built in as part of the operating system. And there really are two sides of that, and I think both are important. But I think the former, the threat modeling and software development lifecycle, the implementing security throughout the development lifecycle, is the one where we probably have the bigger problem within the issue, in terms of awareness and understanding and discipline, and just really getting the mindset out to the software organizations that this is really important for them.
David Rice: Truly. And they are the least cost avoiders in this whole issue. I mean, time and time again, when the Doctrine of Privity was removed from the automobile industry, which was done in the 1960s, you actually saw the ability to levy several actions against the auto manufacturers. The Doctrine of Privity really shielded them from the end users. And you see the same type of shielding or insulation in the software market, but the software makers, just like in the auto industry or pharmaceuticals, the manufacturers time and time again have been shown to be the least cost avoiders.
And it may be expensive for them. But the point is that it’s less expensive for everybody else. And the prices actually adjust over time to reflect the proper pricing of security and risk, or whether it’s quality or food safety, whatever intangible you want to focus on. And there is disruption that occurs in the marketplace, and that’s what people are worried about. But at the same time the disruptions tend to be very positive over time, because you see this progression, what I like to call an inspirational model, which allows people to compete around that intangible or that competitive variable, driving them towards better, more effective, more efficient behaviors that we don’t see in the security market, or even in the IT market right now. I think the numbers are something like 50% of spend for organizations now is on IT. And there are a lot of folks questioning the value of IT, period, let alone the red-headed stepchild that is security.
(00:14:49)
So you see this massive inefficiency in the technology market in general and then security just complicates the whole darn thing. And so it gets a bad rap in many instances. But when you see that focus, that focused innovation start to appear, all of a sudden things start to change, all of a sudden here being a 10-20 year timeframe. So I am not saying it happens overnight. But when you look across the spectrum of the technology introduced in the market, in 20-30 years you would start seeing some real impact that you just didn’t see with the status quo behaviors. And that’s where we are in security right now.
Status quo behaviors, all the major indicators are going in the wrong direction. And folks are saying, what do we need to do differently? And I think economics plays a large part in that, being able to look at the market and saying, how do we negotiate private and social costs? How do we negotiate these things in the marketplace where government isn’t the heavy hand but really just a – dare I say a kind referee, and I know a lot of people will take issue with that statement. But the referee on the competitive variable, as opposed to dictating hands-on keyboards, as opposed to telling a software developer, this is how you write secure software; they regulate to resolve rather than regulate to rule.
And the current compliance mandates are regulate to rule. And we have seen they just don’t work very well. But when we regulate to effect or regulate to the outcome that we want you see really positive things start to appear.
Amrit Williams: Very nicely said. Have you as part of the US Cyber Consequences Unit, part of the policy reform, have you guys put together any suggestions around regulating the software industry?
David Rice: In general, there is a lot of momentum. And so I am not going to be able to speak directly for the US Cyber Consequences Unit in this respect, but my personal opinion is that I have seen a lot of momentum in the current approach to cyber security which really just says throw more security contraptions, throw more money, throw more process and throw more training at the issue, and then we should see some things come out of this that are very beneficial.
For instance, monitoring US networks so that we can see the problem that’s occurring, so we can actually have a national response. I am not against that. But there is this momentum which is very network-centric, which is, if we can get on the network, look at the network, see the network, control the network, then we will be able to do things that we haven’t done before. We just haven’t spent enough money and attention on the problem. And there will be some positive outcome from that. I am not a total pessimist in that regard. But I don’t think it’s going to be enough.
And the reason why I say that is because when you look back again 1950’s, 1960’s, there was the three Es in auto safety, and it was Engineering, which related to the highway, Education which related to the end-users, and Enforcement which related to the fact that, well, okay, people drink and drive for speed, we are going to catch them with the police force, punish them.
Well, it didn’t work, that was the problem, until they actually addressed the automobile manufacturers; then the death rate finally started going down. They put an enormous amount of time and effort and money into the three Es and the death rates still didn’t go down. Until they actually applied pressure to the manufacturer, and then all of a sudden the death rate not only stabilized but it started going down. And now US citizens, or the US population, drive 2 trillion miles a year and yet we stabilized it at about 40,000 deaths. The official position is every death is affordable. But we say, okay, about 40,000 deaths is about right. In fact last year we just broke 37,000. It’s the lowest death rate we’ve had in the highway system. That’s because we focused on the vehicles.
In cyberspace right now we are doing the same thing, the three Es in engineering. Well, we need a better network. We need to watch it more closely. We need to hold the ISPs to account. And again, there will be some positive things. But we need to educate our populace. We need to train them about all the security problems that are out there, and then finally enforcement. We need to punish those people who don’t protect their data.
And so we will spend an enormous amount of time and effort on that. And will we see some forward motion? Yeah. I am not at all a pessimist, like I said. But we will run into the same mistakes that we did with the three Es in the auto market, which is, it’s not going to be enough. Not until you address the fact that these applications are just wiping people’s data out, that gives the attackers just an enormous advantage. Until you start dealing with the software that creates the fabric of cyberspace, you are not going to get the positive results that we are all hoping for.
Amrit Williams: I completely agree with you. And I really do hope that the industry as a whole accepts this reality and moves to it sooner rather than later, because it’s inevitable that it will go there.
David Rice: Yeah. A favorite quote I’d like to say is that, we will eventually do the right thing in cyberspace after we have exhausted all other options.
Amrit Williams: And hopefully we won’t experience cyber getting in the meantime. I am joking.
David Rice: Well, you know, there was one point that I wanted to address early in the conversation, which was you said that maybe the users don’t really get the whole problem in cyberspace. And the interesting thing is, they didn’t really get the whole problem back with deaths on highways back in the 1950s and 1960s. In fact, of the US populace as a whole, less than 18% of the populace actually felt that auto safety was a critical actionable concern.
(00:20:00)
When the US government looked at it in aggregate they said, oh my gosh! This is an epidemic of death. Literally, epidemiologists looked at the data and said, this is like a major virus outbreak. It’s that kind of death level. But if you talk to drivers out there they would say, do you know anybody who died on the road? Do you know any friends of your friends who died on the road? And everyone would say no. And that’s probably the same thing in cyberspace right now. You can talk to [Indiscernible] street and say, what’s going on in cyberspace. He is like, I don’t know. Do you know anybody who had their identity stolen? And I would say that the vast majority probably would say no.
But the US government can now look in aggregate across cyberspace and we know, I mean, you see words like hemorrhaging, bleeding to death. These are not good words to describe our stance in cyberspace. So it doesn’t need to have general populace acceptance.
Amrit Williams: I think you are right, Dave, and I think one of the problems is that we sort of go through this evolution of awareness, and the first step is just to be aware that there is a problem, and then as you move on from awareness of the problem there is understanding of the scope of the problem. And then from that you can start looking at resolutions. And I don’t think we even understand the scope in totality or in a majority. There are only a few people, a handful of people probably, that not only understand the scope but have some directions to modify that. So it is unfortunate, but I agree we will eventually do the right thing. I just hope that it’s sooner rather than later.
David, thanks for joining me today. We are going to switch gears in a minute. We will get you back on for a podcast to dig into specifics of Geekonomics. I really appreciate your time!
Announcer: You have just listened to Beyond the Perimeter, sponsored by BigFix Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix.
Thanks for listening!
