Donate for the Cryptome archive of files from June 1996 to the present

25 February 2016

Schneier's Internet Security Agency - bad idea because we don't know what it will do

Bruce Schneier:

From: Ian G <iang[at]>
To: "cryptography[at]" <cryptography[at]>
Date: Sat, 25 Feb 2017 16:26:27 +0100
Subject: [Cryptography] Schneier's Internet Security Agency - bad idea because we don't know what it will do


Bruce Schneier has recently published an impassioned plea for a United States Federal Internet Security Agency, which would likely gain control of civilian cryptography, among many other munitions. The essay is impassioned, it is much longer than his normal 2 pagers, which signals something - belief, preparedness, foundation?

Poignantly, the link in the Crypto-gram was broken, use the above one.You should read it, but let me summarise.

Schneier's basic argument is that the Internet of Things is becoming too big and too dangerous to be ignored. He uses the metaphor of building an Internet-sized robot, which I think is a great picture of something too big and dangerous to ignore any more.

As we're all agreed, security is hard, and the market has failed to solve it.Therefore, Schneier suggests, we need a non-market solution.Which is, by implication, a government agency.

Quite fairly, he points out that the US government isn't structured to deal with this because the problem is spread across too many departments.

Where he is quite right is that the problem will be seriously considered at USG level - we already know that Trump's impressive list of executive orders included one on cyber-security, and people close to the USG are reaching out for ideas.

These are claims I think we can agree on: that the IoT trainwreck to be is on the tracks and picking up speed, and the USG is going to do something.

But then, concluding that a government agency is the solution to this does not follow. For three reasons, in increasing fundamentality:

1. Bringing it all under one roof doesn't work, and that goes especially for the USG, which famously always fails to coordinate. For cynical example, it has about 15 intelligence agencies, and its attempts to unify them all post-911 just resulted in the creation of another intelligence agency. For other example which Schneier highlights, Americans are still paying for the problem of DHS which was basically that solution - bring the problem of securing the 'homeland' under one roof.

2. I think we can agree that the market hasn't solved the problem. But it is a fallacy that this implies the government has to then step in. As a matter of objective reality, governments can't solve some problems, and governments can make some problems worse. Which is why we have bad wars and bad legislation, something that even Schneier admits with DCMA.

Unconvinced? Look at what the DHS/CBP has done with the so-called muslim ban: they are now searching people's phones and other devices for 'expressions (un)aligned to US values' or some such nonsense. This is damage done, spilt milk, but let me cry out the reasons:

1/ The security community is upset, which means we will now start thinking about 'duress' devices which will further complicate everyone's life. Also, nobody in the field will want to work with DHS/CBP on this for fear of tarring their reputation.

2/ Worse, all the people who actually do want to harm others (e.g. terrorists but also murderers, fraudsters, baby-snatchers, whoever) now know about it, and will not bring compromising devices across the border. They'll start creating legends - and if you think about it, the more nefarious you are, the easier it is to create a legend, and the harder it is for the border guard to see it's a legend.

So the only consistent, predictable outcome is that searching devices will harm innocent people - companies and individuals that have their hardware compromised by CBP must now replace them because of security breach, and reset any compromised passwords. Corrupt or prejudiced officers will be empowered. People will be slowed down.

This negative signal to the world can never be repaired! Worse, it will make Americans absolutely unsafer because by using the tool, CBP has destroyed its efficacy in most all the useful cases and made it harmful in most all the non-useful cases. It might not be absolutely the worst thing DHS could have done, but it's got a place in the top 10.

3. The final and fundamental reason why this is wrong comes down to thinking about who knows what to do, which is known in economic circles as the market(s) in insufficient information.

In the now-canonical paper "The Market for Lemons," George Akerlof argued that when the buyer does not know the quality of a used car, the direct sales market does not clear, and institutions arise to solve that problem: used-car warranties, sales yards with brand, regulations, etc.

Akerlof shared the Nobel Prize for this paper, so the insight is widely accepted as being useful - but the Market for Lemons was premised on one important caveat, that the seller knew what the state of the car was.

This critical point becomes much clearer if you consider the works of the other two papers cited in that year's Nobel Prize.

Rothschild and Stiglitz wrote on the market for insurance, which they identified as the reverse of Lemons - the insurer being the seller did not know the quality of the goods, whereas the buyer did know the state of what he was trying to insure. A mirror image, if you like, and together, economists called these markets in asymmetric information. As Lemons was such a powerful metaphor, I called this the market for Limes.

But as we are logical people, we know that where there is an asymmetry, there are two other choices.There is not only the case where both buyer and seller know, there is also a null case - where neither buyer nor the seller know the quality of the good. In this case, there is no information - a mirror doesn't work when the light is off.

Which brings us to Spence, the third laureate of that year, who showed that in a market where neither side knows the quality of the good, signals can emerge to guide us, but they can be as false as they are truthful. Indeed that was part of his argument - a good signal is one that can be interpreted by both sides, but could be interpreted incorrectly by one or even both sides.

Spence doesn't dispute Akerlof's claim that institutions arise, and indeed his first example was the undergraduate degree, a very clear institution. What he disputes is that the signal of the institution is correct in some objective manner - he shows that under some circumstances of inadequate feedback over quality, the institution can sustain without any reference to quality.

That is, we all believe in the institution because it turns out we don't know what the problem is, and we are happier passing our responsibility off somehow. E.g., to another party; in the market for undergrad degrees, everyone passes off the quality argument to someone else: the student to the university & employer, the university to the student and employer, and the employer to the student and the university. This works, is sustainable, but has no quality anywhere in the argument. So quality drifts...

And so it is with a government agency for all of Internet cybersecurity. We can all believe in it, and we can all pass on the responsibility for the signal to someone else. See where I'm going here? The government will pass on the responsibility for absence of success to someone else: its people aren't the experts, terrorists aren't playing doggy with phones any more, the APTs are smarter than us, the Russians are interfering with our democracy again, etc, etc.

And one thing that government agencies are objectively good at is saying that more money will solve the problem. So more money will be thrown at the problem, guaranteeing that the institution will sustain, while the responsibility for success will be necessarily handed on to next year's patsy.

The fundamental problem here is that we don't have a solution. We can outline the problem, but there is no solution in sight that fits the general needs. And, if we create a government agency without having that solution in sight, we'll just be creating another problem. Remember DHS? They are now a problem, they are now arguing against the cybersecurity of your phone, and we still no closer to a coherent concept of "border control."

Schneier's argument relies, in a sense, on asking the question:what's the least bad thing we could do, when we don't know what to do? Schneier says that the market has failed, and what we do with market failure is create a government agency to implement a solution to the problem.

But what's that solution? Cybersecurity is not like airplanes or cars or radio spectrum - for all of those 'market failures' we have a clearly delineated and standardised solution: careful design, crash-test dummies or auctions.

I say that creating a government agency will objectively create a new problem, because government agencies are good at growing in uncertainty, and we haven't got a solution to hand to this agency, only more problems, more uncertainty, and more potential for big agency spends.

Curiously, we - the security industry - have been sitting on this controversy for some time. Is the market for security one of Lemons, in which case an institution can objectively find a solution to market failure, or is it a market for Silver Bullets, in which case institutions can exist but their existence says little or nothing about the problem? And it's been a tough intellectual puzzle, if it was that easy, we'd have agreed by now.There's even a Workshop on Economics & Information Security, and it hasn't resolved the Lemons debate, nor come up with a clear plan to solve the wider problem of the economics of information security - which makes for a nice problem to have, if you're an academic. We might ponder whether institutions like WEIS sustain because they are the institutional solutions in Akerlof's model, or because they're the signals in Spence's model? Poignancy all around.

So let me propose an objective test. Let's say this: if we can put a random or otherwise independently chosen group of experts in a room, and they can come to consensus on a solution, then we're in a market for Lemons - an institution can arise, and they've chosen it for trial.

In the alternate, if the experts can't come to consensus, we're in a market for silver bullets.

What happens in a market for silver bullets? Once all the dust settles, I suggest that an institution arises, but it arises because of the money - the solution is the one that supports the biggest lobbiest. Industry wins, but the user does not.

Basically, the one with the most influence - paid or otherwise - gets their solution mandated.

Who might that be? RSA? Symantec? Boeing? SANS? NIST? NSA? BlackRock? CIA? [*] We can't tell right now because bidding hasn't started. We can't predict who's going to reach deeper and further into the pocket for the lobbying. But I am predicting that an agency solution will go to that entity that pays for the most influence.

Is that how we're going to solve cybersecurity? I don't think so - but, and I think Schneier is right on this - we're going to find out. I think the desperation for a solution will cause the cries for a new, single cross-government agency will rise.

I say - resist.

As of now, we are, and so is Pres. Trump. Not only did the leaked draft of a cybersecurity executive order not suggest anything like an agency, it was the first EO to be delayed and deferred. POTUS appears to have got that message at least - we don't know what to do, so best bet right now is to do nothing impetuous, and ask for more research.

Let's see who's right.

I'd urge you all to choose sides on this, because our Internet - our security, our crypto, our institution - hangs in the balance. Choose sides. Prove me wrong.Because it's a damn sight better if you can prove me wrong than the alternate.

iang, seller of silver bullets, voodoo spells, snake oil and other charms


The cryptography mailing list cryptography[at]