I couldn't quite figure out where Dave was mistaken with his "market
failure" analogy - instinctively it didn't feel right. Twitter's market is
selling customer data and attention to advertisers and as long as the a) platform is up b)
eyes are peeled to the feed, the market is working[1]; i.e. they don't need better
security.
What we are facing however is a "policy market failure", meaning that Internet
users want better privacy on social media platforms[2], but the vendors don't deliver
it. This is a little bit similar to seatbelts in cars. Manufacturers tried to offer
seatbelts but were faced with resistance in the market (analogy - more secure social
media) despite experts agreeing that it's a good thing. Unlike social media where
choice is largely individual, if you need to get from point A to point B you probably need
to get into a car and as a passenger you don't have much choice.
So, the policy market failure here is that those who sell policy - elected officials - are
unable to sell it to the public, the majority of whom don't care but the disproportionately
affected minority - those whom the Indian govt wanted to spy on - can't afford.
The privatized utilities security issue can be solved quite effectively by demanding that
they carry a specific type of (cyber) insurance or they have to have it back to govt.
Insurers as of 2022 have developed a decent "cyber fire code". The caveat here,
and it's not a small one, is if private utility companies then pass these costs onto the
consumers. Insurers won't write companies that are garbage. We'd have to work out
some kind of adjustment formula for security dereliction (your annual spend on security
should have been X, it was Y where Y<X, therefore you can't pass these costs onto
consumers if you made profits those years).
[1] You could argue that there's also the barter of customers giving their time in
exchange for advertisement.
[2] You could argue that if they want more privacy they can move to chat groups on Signal
or IRC over Tor, but we all know that social media works when there's a critical mass
which is the story about all these high valuations on businesses that either lose money or
just about break even like Twitter.
On Wed, 24 Aug 2022, at 21:38, Dave Aitel via Dailydave wrote:
If you were at a talk at Defcon this year in the
Policy track, you probably heard someone talk about how they, as a government official,
are there to address "market failures". And immediately you thought: This is a
load of nonsense.
Because that government official is not allowed to, and has no intentions of, addressing
any market failures whatsoever. If the Government was going to address market failures,
they'd have to find some way to convince every cloud provider to stop making their
security features the upsell on the Platinum package. They'd have to talk about how
trying to get into different markets means every social media company faces huge pressures
to put Indian spies on their network.
Obviously you know, as someone who did not emerge from under a rock into the security
community yesterday, that the answer to having a malicious insider on your network is
probably some smart segmentation, which we call "Zero Trust" now.
But Zero Trust is expensive! And most social media companies are not exactly profitable
as the great monster known as TikTok has eaten every eyeball in every market because the
very concept of having people explicitly choose who their friends are is outdated now.
In fact, as everyone is pointing out, almost all companies you know are in this position!
They're cutting costs by sending jobs overseas while spending huge amounts of money
propping up their stock prices and paying their executives to sell them to a dwindling
market of buyers. Private Equity companies spend every effort on squeezing the last dollar
out of old enterprise software by exploiting the lock-in they have on small businesses.
And as critical as Twitter is, we have the exact same dynamic with our privatized water
and power companies - who have no plans to make strategic investments in security or
anything really - which is why on public calls you can hear them humiliating themselves
asking Jen Easterly to absorb the entire costs of their security programs.
The ideal practice for all of these companies is to offload their costs onto the
taxpayer, which is why instead of investing in security, they cry for the FBI to go
collect their bitcoin from whatever ransomware crews are on their network this week using
offensive cyber operations that themselves cost the government an order of magnitude more
than the bitcoin is worth.
As you're sitting in that Defcon talk, listening to someone from government talk
about how they only want to regulate with the "input of industry" or something,
you have to wonder: if this is every company we know, maybe the market failure isn't
just how hard it is to buy a good security product because they all abuse the copyright
system to avoid any kind of performance transparency. Maybe it's also how hard it is
to SELL a good security product because every single company is trying to cut their budget
to the exact minimum amount that will allow them to tell the FBI they did their best, and
the FBI needs to go out there and pick up their slack.
-dave
_______________________________________________
Dailydave mailing list -- dailydave(a)lists.aitelfoundation.org
To unsubscribe send an email to dailydave-leave(a)lists.aitelfoundation.org