25 February 2016
Schneier's Internet Security Agency - bad idea because we don't know what
it will do
From: Ian G <iang[at]iang.org>
Date: Sat, 25 Feb 2017 16:26:27 +0100
Subject: [Cryptography] Schneier's Internet Security Agency - bad idea because
we don't know what it will do
Bruce Schneier has recently published an impassioned plea for a United States
Federal Internet Security Agency, which would likely gain control of civilian
cryptography, among many other munitions. The essay is impassioned, it is
much longer than his normal 2 pagers, which signals something - belief,
Poignantly, the link in the Crypto-gram was broken, use the above one. You
should read it, but let me summarise.
Schneier's basic argument is that the Internet of Things is becoming too
big and too dangerous to be ignored. He uses the metaphor of building an
Internet-sized robot, which I think is a great picture of something too big
and dangerous to ignore any more.
As we're all agreed, security is hard, and the market has failed to solve
it. Therefore, Schneier suggests, we need a non-market solution. Which is,
by implication, a government agency.
Quite fairly, he points out that the US government isn't structured to deal
with this because the problem is spread across too many departments.
Where he is quite right is that the problem will be seriously considered
at USG level - we already know that Trump's impressive list of executive
orders included one on cyber-security, and people close to the USG are reaching
out for ideas.
These are claims I think we can agree on: that the IoT trainwreck to be is
on the tracks and picking up speed, and the USG is going to do something.
But then, concluding that a government agency is the solution to this does
not follow. For three reasons, in increasing fundamentality:
1. Bringing it all under one roof doesn't work, and that goes especially
for the USG, which famously always fails to coordinate. For cynical example,
it has about 15 intelligence agencies, and its attempts to unify them all
post-911 just resulted in the creation of another intelligence agency. For
other example which Schneier highlights, Americans are still paying for the
problem of DHS which was basically that solution - bring the problem of securing
the 'homeland' under one roof.
2. I think we can agree that the market hasn't solved the problem. But it
is a fallacy that this implies the government has to then step in. As a matter
of objective reality, governments can't solve some problems, and governments
can make some problems worse. Which is why we have bad wars and bad legislation,
something that even Schneier admits with DMCA.
Unconvinced? Look at what the DHS/CBP has done with the so-called Muslim
ban: they are now searching people's phones and other devices for 'expressions
(un)aligned to US values' or some such nonsense. This is damage done, spilt
milk, but let me cry out the reasons:
1/ The security community is upset, which means we will now start thinking
about 'duress' devices which will further complicate everyone's life. Also,
nobody in the field will want to work with DHS/CBP on this for fear of tarring
2/ Worse, all the people who actually do want to harm others (e.g. terrorists
but also murderers, fraudsters, baby-snatchers, whoever) now know about it,
and will not bring compromising devices across the border. They'll start
creating legends - and if you think about it, the more nefarious you are,
the easier it is to create a legend, and the harder it is for the border
guard to see it's a legend.
So the only consistent, predictable outcome is that searching devices will
harm innocent people - companies and individuals that have their hardware
compromised by CBP must now replace them because of security breach, and
reset any compromised passwords. Corrupt or prejudiced officers will be
empowered. People will be slowed down.
This negative signal to the world can never be repaired! Worse, it will make
Americans absolutely unsafer because by using the tool, CBP has destroyed
its efficacy in most all the useful cases and made it harmful in most all
the non-useful cases. It might not be absolutely the worst thing DHS could
have done, but it's got a place in the top 10.
3. The final and fundamental reason why this is wrong comes down to thinking
about who knows what to do, which is known in economic circles as the market(s)
in insufficient information.
In the now-canonical paper "The Market for Lemons," George Akerlof argued
that when the buyer does not know the quality of a used car, the direct sales
market does not clear, and institutions arise to solve that problem: used-car
warranties, sales yards with brand, regulations, etc.
Akerlof shared the Nobel Prize for this paper, so the insight is widely accepted
as being useful - but the Market for Lemons was premised on one important
caveat, that the seller knew what the state of the car was.
This critical point becomes much clearer if you consider the works of the
other two papers cited in that year's Nobel Prize.
Rothschild and Stiglitz wrote on the market for insurance, which they identified
as the reverse of Lemons - the insurer being the seller did not know the
quality of the goods, whereas the buyer did know the state of what he was
trying to insure. A mirror image, if you like, and together, economists called
these markets in asymmetric information. As Lemons was such a powerful
metaphor, I called this the market for Limes.
But as we are logical people, we know that where there is an asymmetry, there
are two other choices. There is not only the case where both buyer and seller
know, there is also a null case - where neither buyer nor the seller know
the quality of the good. In this case, there is no information - a mirror
doesn't work when the light is off.
Which brings us to Spence, the third laureate of that year, who showed that
in a market where neither side knows the quality of the good, signals
can emerge to guide us, but they can be as false as they are truthful. Indeed
that was part of his argument - a good signal is one that can be interpreted
by both sides, but could be interpreted incorrectly by one or even both sides.
Spence doesn't dispute Akerlof's claim that institutions arise, and indeed
his first example was the undergraduate degree, a very clear institution.
What he disputes is that the signal of the institution is correct in some
objective manner - he shows that under some circumstances of inadequate feedback
over quality, the institution can sustain without any reference to quality.
That is, we all believe in the institution because it turns out we don't
know what the problem is, and we are happier passing our responsibility off
somehow. E.g., to another party; in the market for undergrad degrees, everyone
passes off the quality argument to someone else: the student to the university
& employer, the university to the student and employer, and the employer
to the student and the university. This works, is sustainable, but has no
quality anywhere in the argument. So quality drifts...
And so it is with a government agency for all of Internet cybersecurity.
We can all believe in it, and we can all pass on the responsibility for the
signal to someone else. See where I'm going here? The government will pass
on the responsibility for absence of success to someone else: its people
aren't the experts, terrorists aren't playing doggy with phones any more,
the APTs are smarter than us, the Russians are interfering with our democracy
again, etc, etc.
And one thing that government agencies are objectively good at is saying
that more money will solve the problem. So more money will be thrown at the
problem, guaranteeing that the institution will sustain, while the responsibility
for success will be necessarily handed on to next year's patsy.
The fundamental problem here is that we don't have a solution. We can outline
the problem, but there is no solution in sight that fits the general needs.
And, if we create a government agency without having that solution in sight,
we'll just be creating another problem. Remember DHS? They are now a problem,
they are now arguing against the cybersecurity of your phone, and we are still
no closer to a coherent concept of "border control."
Schneier's argument relies, in a sense, on asking the question: what's the
least bad thing we could do, when we don't know what to do? Schneier says
that the market has failed, and what we do with market failure is create
a government agency to implement a solution to the problem.
But what's that solution? Cybersecurity is not like airplanes or cars or
radio spectrum - for all of those 'market failures' we have a clearly delineated
and standardised solution: careful design, crash-test dummies or auctions.
I say that creating a government agency will objectively create a new problem,
because government agencies are good at growing in uncertainty, and we haven't
got a solution to hand to this agency, only more problems, more uncertainty,
and more potential for big agency spends.
Curiously, we - the security industry - have been sitting on this controversy
for some time. Is the market for security one of Lemons, in which case an
institution can objectively find a solution to market failure, or is it a
market for Silver Bullets, in which case institutions can exist but their
existence says little or nothing about the problem? And it's been a tough
intellectual puzzle, if it was that easy, we'd have agreed by now. There's
even a Workshop on Economics & Information Security, and it hasn't resolved
the Lemons debate, nor come up with a clear plan to solve the wider problem
of the economics of information security - which makes for a nice problem
to have, if you're an academic. We might ponder whether institutions like
WEIS sustain because they are the institutional solutions in Akerlof's model,
or because they're the signals in Spence's model? Poignancy all around.
So let me propose an objective test. Let's say this: if we can put a random
or otherwise independently chosen group of experts in a room, and they can
come to consensus on a solution, then we're in a market for Lemons - an
institution can arise, and they've chosen it for trial.
In the alternate, if the experts can't come to consensus, we're in a market
for silver bullets.
What happens in a market for silver bullets? Once all the dust settles, I
suggest that an institution arises, but it arises because of the money -
the solution is the one that supports the biggest lobbyist. Industry wins,
but the user does not.
Basically, the one with the most influence - paid or otherwise - gets their
Who might that be? RSA? Symantec? Boeing? SANS? NIST? NSA? BlackRock? CIA?
[*] We can't tell right now because bidding hasn't started. We can't predict
who's going to reach deeper and further into the pocket for the lobbying.
But I am predicting that an agency solution will go to that entity that pays
for the most influence.
Is that how we're going to solve cybersecurity? I don't think so - but, and
I think Schneier is right on this - we're going to find out. I think the
desperation for a solution will cause the cries for a new, single
cross-government agency to rise.
I say - resist.
As of now, we are, and so is Pres. Trump. Not only did the leaked draft of
a cybersecurity executive order not suggest anything like an agency, it was
the first EO to be delayed and deferred. POTUS appears to have got that message
at least - we don't know what to do, so best bet right now is to do nothing
impetuous, and ask for more research.
Let's see who's right.
I'd urge you all to choose sides on this, because our Internet - our security,
our crypto, our institution - hangs in the balance. Choose sides. Prove me
wrong. Because it's a damn sight better if you can prove me wrong than the
iang, seller of silver bullets, voodoo spells, snake oil and other charms
The cryptography mailing list cryptography[at]metzdowd.com