Security Laboratory

Security Laboratory

Interview with David Rice, author of Geekonomics

By Stephen Northcutt
When reading David Rice’s book Geekonomics and writing the book review, we were so impressed that we asked for an interview to further understand David’s thoughts. The Security Lab certainly thanks him for his time.

How did you first get interested in information security?

My interest started from my work in the Information Warfare curriculum at the Naval Postgraduate School. Information Warfare, at least at the time, focused on how to attack a "system of systems." A natural component of that understanding was thinking critically about the massive interconnection of networks across the globe. The Internet was, and remains, one of the largest and fastest growing "system of systems" that we know of. My eyes were opened, so to speak, at the Naval Postgraduate School.

So, you have written a new book, Geekonomics. Please tell us what it is about.

Geekonomics is about the astonishing lack of consumer protection in the software market and how this impacts economic and national security.

Software buyers are literally crash test dummies for an industry that is remarkably insulated against liability, accountability, and responsibility for any harm, damages or loss that should occur because of manufacturing defects or weaknesses that allow cyber attackers to break into and hijack our computer systems. As a matter of good public policy, this is unacceptable and must change.

Geekonomics is also about us and why we behave the way we do when it comes to protecting ourselves in cyber space. As such, Geekonomics is about incentives. Specifically, Geekonomics is about incentives that affect three groups of people: consumers, software manufacturers, and hackers. Each group has incentives for making, buying, and breaking into computer systems that are rife with defects, errors, and weaknesses. This book explains these incentives and how new and different incentives are necessary to address the problem of "bad" software.

Finally, this is a book for everyone, not just for geeks or technophiles, because frankly, in modern civilization, how and when software touches us is less our choice every day.

What is different about Geekonomics' view on the security of our nation's infrastructure?

Geekonomics takes a novel, yet necessary, approach to the dangers confronting national infrastructure. So much of the discussion about software security and how it impacts national infrastructure has largely been dominated over the decades by very smart, but very technically-oriented individuals. As such, their response to the "software problem" has been almost unanimously technical. It has also alienated the very people that software impacts: us. The problem of bad software has been a discussion lead by experts for experts. This was necessary, but far from complete. Software is so pervasive in modern civilization that the discussion should not be limited only to experts.

As Geekonomics argues, insecure software is as much an economic issue as it is a technology issue. This is a critical matter of public policy. Without proper incentives, technology alone will not address the problem of "bad" software. In short, incentives matter. To change the story of "bad" software, the incentives must change.

What do you want people to take away from reading Geekonomics?

We are all in this together, consumers and manufacturers alike. We are all, as economists like to say, trying to "maximize our utility." That is, we, each in our own way, are trying to make our lives as absolutely pleasant as possible. But society is a morass of competing, mis-aligned, and contradictory incentives. This means individual actions, though beneficial to ourselves, may detrimentally affect others.

Though my tone is often times urgent and forceful in Geekonomics, I am not blaming software manufacturers in their entirety for the sorry state of cyber space. Software manufacturers are not consciously trying to harm you, hoodwink you, or otherwise cheat you; however, as Geekonomics argues, software manufacturers do not currently have sufficient incentives to look out for your well-being in a meaningful manner.

A similar scenario existed in 1950s and 1960s America relating to auto manufacturers. Auto manufacturers were not trying to kill people when building cars that were more aesthetically pleasing than safe. But the result was tragic nonetheless. Market incentives simply promoted cars that were festooned with chrome and tailfins, but deadly in their operation.

Without meaningful incentives that held auto manufacturers to account, the modern car would not nearly be as safe as it is today. Geekonomics makes a similar argument regarding software. Wonderful graphical interfaces and "feature-rich" software are the modern equivalent of chrome and tailfins.

Compelling indeed, but far from safe or secure, unless meaningful incentives exist to make it so.

Consumers are not without culpability however. Consumers are participants in the software market just as much as software manufacturers. Consumers also have an impact by what they demand, or do not demand, from software manufacturers.

Arguing which is more culpable for the sorry state of cyber space, consumers or software manufacturers, simply benefits the third group: hackers. The incentives of the software market must change for both consumers and manufacturers. The cyber attackers exploiting our computer systems are hungry, relentless, and cunning. Software needs to be suitable to the task and position we have given it within our nation's infrastructure. The incentives for attackers are simply too compelling to do otherwise.

David, one of the things we would like to do here is give you a bully pulpit, an opportunity to say a few words about the things that they are really thinking about or are concerned about, what would you like to share with the readers?

Insecure software, and indeed security products themselves, hurt our economic progress. Not only does it hurt the economic progress of the United States, but everyone else’s also. This might sound nonsensical and hyperbolic at first. It is not. It is simple economics. By way of explanation, let me start with a short story that is very popular in economics.

One day in a small village, a teenager throws a rock through the window of a local bakery and runs off before anyone can catch him. The shop keeper comes storming out, furious at the vandalism. His yelling attracts the attention of his fellow villagers, who at first, are as displeased as the shop keeper at the event. After everyone has calmed down a bit, the more optimistic among the villagers remind everyone that this event, in a way, has an upside. If it were not for broken windows, the glass maker in the local village would not be necessary. After all, if broken windows never occurred, who would remain in the glass business? This event makes business for the glass maker. If a new windows costs $100, the baker must pay the glass maker exactly that amount to get the window fixed. This in turn means the glass maker has $100 to spend on other items with other merchants, thus those merchants have money to spend on yet more items with yet more merchants, and so on and so on. In fact, the broken window has a cascading effect that benefits the whole village. While the crowd remains largely displeased over the teenager’s actions, it may be, the villagers reluctantly conclude, that the teenager has created some good. If this were the villagers reasoning, they might come to see the teenager as a benefactor, as opposed to a public nuisance.

Does this story sound corny? Perhaps, but the reasoning of the villagers in this story is the same erroneous reasoning of the general populace and the popular news media that natural disasters (such as Hurricane Andrew) actually benefit the economy. The massive destruction of Hurricane Andrew meant thousands upon thousands of homes needed to be repaired or rebuilt, creating work for thousands of people. This additional purchasing and employment ultimately helps the economy. Yet, like the story above, to say that there is an overall benefit to the economy is simply not true. Let’s find out why.

The reasoning about the broken window in the village, or the massive destruction caused by Hurricane Andrew, is correct insofar that the event did, in fact, create more business. In the case of the village, the glass maker needed to make another window for which the baker was required to pay him. This much is obvious. In the case of Andrew, builders needed to build or repair homes for which home owners were required to pay them. What is less obvious is that victims in both cases will be out the money they were hoping to spend on something else. This is bad.

In the case of the baker, he will be out $100 that he was hoping to spend on something else. For instance, a new suit. Instead of having an unbroken window and a new suit, the baker will now have a fixed window and no suit. Because the baker is part of the village, the village has a lost a new suit that it would otherwise have, and therefore the village is just that much poorer.

What has happened here is not so much that the baker has paid the glass maker, but the baker has not paid the tailor. The tailor, having no demand to make suits, does not make any, and now something of additional value that could have been created, is not. An opportunity is lost. Something the baker could have purchased cannot be purchased now because $100 has gone to fix the broken window. In short, the glass maker’s gain of business is simply the tailor’s loss of business. Though a broken window has been fixed, no new employment has been added to the village as a whole because the broken window has precluded the new suit.

The villagers, like the news media in the case of Hurricane Andrew, only see two parties in the transaction, when in fact there are many more. The villagers only see the baker and the glass maker. The news media only sees home owners and builders. The villagers do not see the tailor because he will now not enter the transaction. The tailor is forgotten from the equation precisely because there will now be no demand for something he makes. The baker had to forgo buying a suit because of the broken window.

As the message of Geekonomics attempts to convey, the real cost of something is not what it costs us, but what we have to give up in order to get it. In the case of the baker, he had to give up a new suit to fix his window. He lost $100 as well as his new suit. As a result, the village is worse off. The victims of Hurricane Andrew are in the same position. They are spending to reclaim what they lost, not purchasing new items in addition to what they already possessed. In other words, they are spending extravagantly just to run in place. The “village” is worse off because of it.

Against this background, then, is the story of insecure software and the security products we purchase to protect insecure software from exploitation. As Geekonomics argues, software vulnerabilities are the broken windows of cyberspace. Not only do they communicate an unmistakable message of disorder in cyberspace, but (and I did not cover the following in Geekonomics) broken windows also harm the world’s economic well-being.

Broken windows must be fixed, just like the baker must fix his broken window if he is to send a message of care and attention about his shop. Who likes to visit a run-down bakery or any run-down food establishment? But because a broken window must be fixed, something else must be given up to fix it.

Insecure software must be patched. While the patch might be free, the process of patching is not. The more computers under your control, the more difficult it becomes to keep everything patched. It is very expensive. But insecure software must not only be patched, but also protected from exploitation because new, unknown vulnerabilities are discovered every day. In fact, software is full of latent defects. Neither you, nor the manufacturer, have any idea about how many broken windows a given piece of software actual contains. Therefore, software must not only be patched, it must also be protected with a fantastical panoply of security products like intrusion detection, firewalls, anti-virus, and so on.

The $45 spent on a single instance of anti-virus, the $3000 spent on a firewall, or the $254 (per machine) spent on patching software, means exactly that amount of money cannot be spent on something else. Software buyers, like survivors of Hurricane Andrew, are spending frantically just to run in place. This is bad. Unlike the survivors of Andrew however, you are not running in place. You are spending frantically only to lose ground. This is disastrous.

But, alas, this is not the worst of it.

When you purchase insecure software and security products to protect it, other things of value cannot be created, because you do not have the money to purchase them. This makes the “global village” just that much poorer. Insecure software, and the security architectures we use to protect it, are far more expensive than you can ever imagine. Just ask the tailor.

Last question, can you tell us just a bit about the person, David Rice; what do you do when you are not in front of a computer?

I’m outside; usually in the most beautiful place I can find which isn’t hard living on the Central Coast of California. Hanging out with family and friends, hiking, walking, surfing are all favorites. And plenty of yoga. Lots and lots of yoga.