The Bottom Line
February 27, 2004
Security Oxymoron

Is there a magic bullet that will provide the ultimate cure for network security? This man thinks so.


"There's no point in requiring security if there's no secure product," Clarke said. "If the US government made it a priority as important as the moon project to somehow figure out how to write software without vulnerabilities, we could do it, then require vital parts of the economy to use it."

The speaker is Richard Clarke, former chief of cyber-security under President Bush.

The experts I give credence to tend to believe that network security is a process, not a product. But somehow it does not surprise me that a government security expert would believe otherwise. I suspect that the very term government cyber-security expert is an oxymoron.

Posted by Arnold at 6:59 AM | Category: transparent society
  Comments and Trackbacks

Two points. First, the market failure here is the presence of negative externalities from running an insecure system. Your system's failure may impact my use of my system. For example, your system may become a source of DDoS or spam. Or more generally, it may swamp the network with attempts to propagate a virus or worm which has infected it. This kind of externality may be able to be addressed technically, with filters at ISPs to prevent misbehavior of end-user systems.

There are also impacts like those mentioned in the article, where the phone network or electrical grid goes down due to software attacks. However, these are not true externalities, as there exist contractual relationships among the parties so that the costs and benefits of security are properly reflected and accounted for.

My second point is that I'd say that Clarke has a point. A moon mission program could not write all the software that exists in the world securely; but it might well be able to write a secure microkernel and networking stack. Thousands of talented people working for ten years in a multibillion-dollar program ought to be able to do that much.

Posted by Cypherpunk on March 2, 2004 02:06 PM
