Episode 83: Geekonomics and the Impact of Insecure Software, Part 2

Amrit Williams, BigFix CTO, discusses with David Rice, author of Geekonomics, ways to create incentive for increasing software assurance.


FULL TRANSCRIPT

Amrit Williams: Welcome! This is Amrit Williams, your host on Beyond the Perimeter, and I am with David Rice, Executive Director of Monterey Group, Consulting Director for Policy Reform in the U.S. Cyber Consequences Unit, and author of ‘Geekonomics’.

And David, thanks for coming back and joining us today. I wanted to drill into ‘Geekonomics’ and talk about the economic impact of insecure software. We are going to start for those folks who are not familiar with ‘Geekonomics’ to sort of give the synopsis of it.

David Rice: Sure. What ‘Geekonomics’ argues is, there is a market failure in the software market, and that the players in the marketplace cannot self-correct. That is, no one in the market thinks anything is really wrong per se, but what we see in aggregate is that their behaviors are driving negative externalities. That is huge social cause.

So the book argues to say, listen, current incentives are X. In order to correct this, let’s not make it a technology problem; this is an incentives issue. We have known how to make secure software for 50 years, why don’t we still have it? Well, my premise is that, the incentives are either perverted or distorted, and so we need to create new incentives to help the market create the type of secure software or assured software that we need as a nation state, as companies, and as individuals.

Amrit Williams: So what are some of the — very well said. What are some of the incentives that could be applied to the industry in totality that would create the dynamics for better awareness, realization, and implementation of processes and technologies and tools to drive better assurance?

David Rice: So one of the larger issues is in terms of the excuses that we currently give, and excuses may not be a fair term; they sound like very rational reasons to say, well, we have credible time to market. Our competitors can choose not to do security. It’s just too expensive to do security. So there is a lot of market pressure and market variables in place now that are entirely irrational. They make sense when people bring it up, and they say, okay, well, if you want to survive as a company, you need to not do as much testing or not do as much security evaluation as you think you do.

Amrit Williams: By the way, isn’t that the same argument that was made almost 20 years ago about quality assurance?

David Rice: Oh, it has always been made, no matter what it is. I mean, in the auto market, it was a big deal just putting seat belts in. People said it was a regressive tax, because you will raise the cost of the car. So we made seat belts optional.

But the same argument was made for analog brakes, the same argument was made for airbags. Airbags are going to add $700 to the purchase price of a vehicle. Again, a regressive tax, that is, it’s more unfair to poor people than to wealthier people, so you are actually doing an unfair thing to the lower wage people. But in fact, of course the price of the airbags went down dramatically when everyone started using them or was required to use them. So the argument about, it’s going to be more expensive, holds water, but only for about 25 seconds, I think, after the statement, because usually people end up innovating.

Amrit Williams: There is a spike.

David Rice: There is an undoubtable spike, but it’s an overcomable issue, or it’s an issue that can be overcome and has been overcome.

Amrit Williams: You see this at both the macro and micro level, which is, industry wide, but you also see this at the company itself. When they start to implement and do the right thing, they do experience a spike where they are trying to rationalize the processes and you want to get people used to it. But once they level out, once they start hitting the plateau of productivity, for lack of a better term, then what you see is more efficiencies, lower cost, and better effectiveness in responding to incidents when they do happen on the field, and we are lacking those three things right now.

David Rice: Agreed, agreed. So a lot of the inefficiencies of the spike in price comes from the fact that they have never really been forced to do this. So they have never really been forced to be efficient on it. So they can make all sorts of excuses to say, oh, I have to do a manual code review, I have to do all these other things, how horrible it is, wailing and gnashing their teeth.

And then all of a sudden when their innovation is focused to say, okay, how can we do this more cheaply, more effectively, then all of a sudden you start seeing the genius that we know these engineers to be known for actually applying it to the process around which we are asking them to, but without that directed ask, which, when you see an uncoordinated population, such as consumers, the voice doesn’t meet critical mass. It doesn’t hit that threshold where all the manufacturers start paying attention.

It wasn’t that the auto manufacturers were bad folks or evil folks for creating unsafe cars; they weren’t trying to create unsafe cars. They were just trying to create cars that sold.

And the same thing in the software market. These companies aren’t bad companies; they are not trying to make software that is insecure and hurts their consumers; they are just trying to make software that sells.

So again, there is no evilness, there is no conspiracy here among the manufacturers; they just don’t have an incentive to compete. So some of the incentives that we look for, and there are many different aspects to it, is simply inverting the cost of insecure and secure software.

Right now the argument is, is that, it’s too expensive to create secure software, but it’s incredibly inexpensive to create insecure software, and so you get an oversupply of it. In fact, there are some economists that argue that we have an oversupply of software, that is, it’s so cheap and so inexpensive to write software without any of the quality or security issues that really should be in the marketplace, that we have an oversupply and therefore an inefficient production of software.

(00:05:01)

And that complicates our problems, because now we get more software than ever before, every year than ever before, and then you have to buy a suite of security contraptions to try to deal with all that entropy and all that complexity that software introduces.

So that would be inverting the model, that is, make it more expensive to create insecure software than to create secure software. The initial bugaboo or bugbear that comes up from that is, well, you are going to drive all these small software houses out of existence. You know what, the hardcore reality is, probably. There used to be 3,000 auto manufacturers in the United States, 3,000; almost every state in the nation had an auto manufacturer. And then of course as the competitive environment heated up, capitalism is what it is. Sorry folks, some kids are going to lose and that’s just the way it is.

It sounds horrible, because we like competition in theory but we hate it in practice. We hate the notion that just not anybody can go out and write software willy-nilly. And maybe it is too early to create that type of competitive pressure. But when we see the negative externalities, the negative consequences of this, maybe we need to start thinking about, there isn’t enough competition in the marketplace around security or quality to drive out the people in the marketplace who shouldn’t be there.

Amrit Williams: It’s also interesting too, because people always use, well, it’s going to impact the innovation and the little guys are going to be driven out, but the reality is, it forces the boundaries for those folks to actually bring better innovation to the market. And a lot of times you see a lot of examples of this when constrained and bounded, highly intelligent people will come with very elegant solutions to sophisticated problems.

And I think we are doing ourselves a disservice by playing the innovation card on the wrong side. I have always been quite put back by people saying, well, if you do this, if you try to place regulations, or you try to force better security and building practices, that you will drive out the little guys. And I just think, I think, yeah, you will. You will drive out the noise. You will drive out those that shouldn’t be doing the stuff anyway. You will mock drive innovation out. There will still be innovation and there’s always going to be innovation and there is still car manufacturers that are popping out of nowhere, providing new innovative products, and people that are part of that industry are providing new innovative products. And they are doing it in a much more elegant way than they could before.

David Rice: Agreed. Agreed.

Amrit Williams: So aside from — by the way, I am not sure any of that was an incentive for someone to develop secure software. How do people have conversations though? I mean, how does an organization, for example, because I think this is a big problem, is I think, there are folks within software organizations that say, listen, we really do need to do this and we need to do this for the betterment of the industry, or we need to do this better just for better adoption of our software. But the buyers don’t really buy that way. There really is not a massive movement to say, I will only buy secure software or security is going to be a critical component of my purchasing decision.

I wrote a paper when I was with Gartner where I said, there is a probability that in 2010 and beyond, that secure software would be — rugged software, security assurance, software assurance, would be a critical component of purchasing decisions, but I haven’t seen that happen.

David Rice: No, because users can’t distinguish insecure from secure software. So when we look at an incentive structure — forgive me, I didn’t answer the question even close to where you wanted it to. So the incentive that we are looking at is, am I rewarded for creating secure software, and then that’s what I was trying to get at with inverting the price of secure software compared to insecure software.

The reason why we don’t have secure software is because really, you aren’t rewarded for it financially enough to really do it. So when we see the real secure software developers out there creating, let’s say, avionics or creating critical infrastructure, let’s just assume all that software is secure. They are selling — we know it’s not, but they are selling to a demographic that can afford it. So their reward is to be a niche player, to not share their techniques out, to spend a lot of time in creating this, and selling it to people with seven and eight-figure budgets to purchase it.

What you see though is an inconsistent distribution of security. There isn’t enough financial reward out there to allow normal software developers to feel like they are better off for creating secure software. In fact, what they feel is that they are worse off and that’s what they tell us. Time to market is such, they are worse off if they pay attention to security than they would be if they don’t pay attention to it.

So when we look at incentives, the notion is, is that, people will do whatever they can to make themselves better off. But the corollary is even more important, which is, people will not consciously do the things that make themselves feel worse off. So we have to say, am I going to go spend, let’s say, $14,000 on an Operating System as a consumer to be secure? Well, no, because I would feel I am worse off for it, and plus, I can’t really distinguish between insecure and secure Operating Systems outside of the marketing stuff that we get. So I would be worse off for purchasing an Operating System at that price point.

(00:09:56)

So people can’t distinguish secure and insecure software, and what that allows is a lot of unscrupulous players to come into the marketplace, like phishers, or any of the malware creators that we see out there. They can literally get users to run anything. We blame the users, hey, stop clicking on that codec, stop clicking on that — but the notion is, is that, they can’t distinguish between good software and bad software, software that might threaten them and software that might not.

So this allows a lot of unscrupulous players into the marketplace, and it actually does the manufacturers a greater disservice than if they actually paid attention to security. But because they don’t see a reward, a big enough financial incentive to do it, that’s a huge problem. Microsoft can spend literally hundreds of millions of dollars on trying to improve the security of the software, but at some point they have to stop. The reason being is that, any other manufacturer can choose to spend zero, if they really wanted to.

So they can undercut Microsoft and all of its capabilities or undercut any manufacturer in any of its attempts. So even with Microsoft, the biggest player in the marketplace, they can’t do more security at some point because they would feel they would be worse off from their shareholders’ perspective or whatever it might be, than doing it, so they are not going to consciously do something that makes themselves worse off.

So when you see this inconsistent distribution of security, when you see the lack of an observable competitive variable in the marketplace, the buyers aren’t going to demand it because they can’t see it readily, and the suppliers aren’t going to provide it because the buyers can’t distinguish it again. So you have this complete imbalance or what we call an information asymmetry, where this lack of information actually complicates the marketplace. You get an under supply of security and you get status quo with where we are at.

So when we look at an incentive, we want to drive a competitive variable that doesn’t say, listen, you have to create software this way; we go in and say, listen, this is the result of your behaviors. You can innovate on however you get there, but the result is some endpoint, where now the buyers can distinguish between secure and insecure software. There is a financial reward for it for the manufacturers. And of course, the price ultimately gets driven down, which rewards the consumers, which we are trying to get to.

Amrit Williams: Well, I can certainly see methods and options for driving the software industry to build more rugged software, but I am not really sure what methods would be used for consumer to understand the security implications of one piece of software versus another. What methods could be used to better inform the end user, and I am talking about the typical consumer here, like my mom?

David Rice: The first criterion has to be simple, and if you look at the current messaging out of the cyber security community, I mean, it is this tirade, this diatribe, and all the different things. I mean, if you look at the Top 7 list, Top 10 list, Top 25 list, I mean it is just this overwhelming list of all these things that people have to do, and they really stop listening at #3 frankly, and some may have stopped at #1.

So it has got to be simple, it has got to be something that doesn’t require users to be an expert. My favorite of late to call attention to is Wal-Mart’s Sustainability Index. The Wal-Mart Sustainability Index is focused on Wal-Mart saying, listen, I am going to start making this intangible, that is, sustainability, or that is your product’s impact on the planet, I am going to make this intangible visible at the point of purchase. So that consumers can say, oh listen, this deodorant has a number on the index scale and this deodorant has a higher number. Well, this one is less sustainable than the other, how am I going to vote with my dollars?

So maybe that product that you once loved for the longest time has the most horrific footprint on the environment you have ever seen; they use sulfur dioxide, they ship it from Antarctica, so the carbon footprint is — just think about how ridiculous it would be. But they can say, well, listen, this one has a huge footprint on the planet, this one has a lesser footprint, I am going to go shop for that one.

So the price point for the product may be a little bit higher, but people can now look at that intangible and then they purchase it, and then the manufacturers can say, listen, this is a competitive variable that wasn’t in this space before, but now we can distinguish ourselves from other competitors. So we are going to be more sustainable than anyone else.

Amrit Williams: It would certainly be interesting to see a software assurance index provided by somebody, I am not sure who would be in the position to do that, but I would love to see it.

David Rice: Well, the nice thing and what I like about that, and I just want to make sure I gave a complete introduction to the index to understand what we are talking about here, is that, Wal-Mart uses a combination of first-order and second-order metrics, and that is, not only do they look at the amount of carbon that you can produce, although it’s highly imperfect in our calculations, but it also uses a second-order metric, which is a collection of practices and processes. So it’s not just looking at what people say is, well, you can’t measure the security in software. Well, they had said, you couldn’t measure safety in automobiles either, but we figured it out.

Wal-Mart has made the determination that okay, no single metric is going to do us or get us where we want to go. So they have looked at the whole body of different elements or variables that impact the environment, both sociological, physical, etcetera, and they said, okay, well, these are the indicators that we want to pay attention to.

(00:14:57)

And of course there’s lots of hemming and hawing over the index, but again, there’s no perfect solution here. I don’t even know if there is a solution. There is only coping mechanisms for these hugely complex issues. I like sustainability and security because they are very similar. They are intangibles. They are highly complex; you are dealing in sustainability, a global impact with the number of variables that we can barely keep track of, and security is the same way. Now it’s a global impact; we have a worldwide network, and the number of variables are just mind-boggling.

But because we can do it in sustainability, I would think that maybe we can make some progress on the security side using a mixture of metrics that allows — it allows people to compete or allows manufacturers to compete on this.

Now, Wal-Mart has two huge capabilities here. One, they have an enormous market presence. They do $400 billion in revenue a year. But what’s different about Wal-Mart — I mean, you also look at the financial industry; they have a huge impact, but they don’t have the same control over their software environment. They spend a lot of money on it, but they are not big enough to influence the entire software market, only the software that they tend to buy.

When you look at Wal-Mart, they have not only impact capability or market size, but they also have control, because they are a distribution point, and they can determine what goes on their shelves and what doesn’t. So they do have a position that’s different than your typical industry or sector out there that would just say, okay, well, in my legal requirements, on my contracts, I am going to mandate these things.

The interesting thing is, you have to negotiate all those contracts separately, which really bifurcates the market or fragments it, such that now software manufacturers can negotiate different contracts, even at a sector level, with different sectors, let alone different players within those sectors.

So as long as the buyers remain uncoordinated, you have a huge disadvantage to the buyers, because they can be played against each other. And if I can get a cheaper price for less security, by all means I am going to get it, because my competitor can’t, they negotiated a worse contract.

So you see that type of imbalance, you see it. But I like Wal-Mart’s Sustainability Index because it says it’s possible, for something that’s tremendously complex in global impact. They made a really good attempt at it.

So on the software side, we might not have a single source distributor that has that type of control, but we can introduce the competitive variable into the marketplace, whether at a state level, federal level, or even at a global level, through OECD, you can inject that competitive variable into place, but there are a lot of naysayers that, the minute you say it’s possible, they immediately say, no, you can’t do it, because reasons x, y, z, and they let it go off. That really does a disservice to us. It takes us away from the creative things that we can do and only focuses on the things that we can’t. Enough guys, it’s brutal out there, stop saying no and let’s figure out how we can say yes.

Amrit Williams: Well, I think it absolutely is possible. What type of advice would you give to the individual organizations out there, of any size, that are dealing with the impact of basically insecure, poorly written software, that they are probably spending a lot of money to try and secure the inadequacies of these software packages that they are buying, so what’s some advice you can give them, what can they start doing today?

David Rice: So one of the things they can do, and this is — I don’t know if this is a solution, but this is a tool, and that is, at least in their contracts, on their software, they can start putting remedies into the actual language. They are not going to be — there are going to be shalls. The manufacturer shall do X, it shall do Y. And that’s probably the greatest impact you can have, at least on custom software.

The reason why I don’t say it’s really a solution and only a tool is because, it depends on your negotiating capability, and what we get is a lumpy and uneven distribution. So I don’t want to go into the negative of it too much. But you are at a huge disadvantage between EULAs, between the original licensing agreements that you get, you really are in a losing position. So status quo is, all you can hope to do is stop the bleeding, try to reduce the amount of insecure software that comes into your environment, where you can. But it’s really kind of a — it’s a counsel of despair in many ways, because we start falling back on, well, deploy antivirus and patch your systems and do all of the things what we have said, because that’s the only thing we can do right now.

That’s what I think shows the perversity in the marketplace, that the only thing we can do right now is the worst possible thing we could do right now; negotiating contracts separately, deploying massive amounts of technology, whose efficacy is unknown to us, whose price points are exorbitant, without the results that we really crave. We are really in a bad position.

So outside of being a counsel of despair, the best thing you can hope to do is maintain status quo, so that you are as low-profile a target as you can possibly afford. It’s not the greatest answer in the world, and when I am actually forced into that cul-de-sac by my own reasoning, it’s really frustrating and it shows the perversity in the marketplace today.

Amrit Williams: It’s the reality, I mean it is the reality, and the only way it’s going to change is if we change it upstream, and that really is it.

(00:20:00)

David Rice: I mean, there is some hope in terms of, when you look at the automation drives that we have, at least on the federal government side, and the ability to try to use government buying power in the marketplace. Government buying power has traditionally only reduced the cost of particular technologies. When a government goes in the pharmaceutical industry and they use their buying power, it’s to drive down the cost of drugs, but it doesn’t drive up the efficacy of the drugs themselves. That’s a different competitive variable.

So you might be able to get cheaper technology out there in the cloud, but it’s not going to be better technology. And that’s that, when I am up late at night trying to figure out how do we solve this, I just start spinning on it, because it just seems like, again, a counsel of despair, where you just go back into this loop that you can’t get out of, and that’s a prime example of market failure.

Amrit Williams: Well, this is why I appreciate that there are other disciplines being brought to bear here. That’s why I like talking to folks who have an economic understanding outside of the IT industry and can apply that knowledge here, because there really is, aside from the medium we are using, there really is nothing new here. I mean, there is certainly something new, but in totality a lot of this that we have discussions about, in the security industry specifically, are things we have solved in other areas. And there’s not enough of those other disciplines being applied, not enough of the history and the knowledge that we have already been through being applied and understood here. So I think that that’s one of the things that really intrigues me about some of the things that you talk about, especially in the book.

So David, I really appreciate you coming on. I definitely want to have you back. You are a fantastic speaker. And for those listening, this is David Rice, Executive Director of the Monterey Group, Consulting Director with the Policy Reform U.S. Cyber Consequences Unit, and author of ‘Geekonomics’, the economic impact of insecure software.

Actually, this is not David Rice, this is Amrit Williams, I am talking to David Rice, for those out there who got confused. David, I really appreciate you joining me today. Thank you very much.

David Rice: My pleasure Amrit.

Announcer: You have just listened to Beyond the Perimeter, sponsored by BigFix Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix.

Thanks for listening.
