Bruce Schneier explains the causes of security gap between e-crime and law enforcement, and makes some final points before the Q&A part of the presentation.
Technology results in the balance changing. We have this balance in cooperation defectors, technology changes it somehow, and society has to respond to restore that balance with some sort of new societal pressures, maybe some new laws, maybe some new technology, maybe some new group norms, maybe some new reputational systems.
This is an iterative process, I mean, this is not deterministic, and it is hard to get it right, but, you know, we do more or less, and stability is mostly the norm. The problem here is that attackers tend to have a natural advantage. In these systems, the attacker tends to do better and faster. Some of it is just a first mover advantage, but some of it actually is that the bad guys tend to make use of innovations faster.
Think of someone who invents the automobile, and the police say: “Wow! An automobile!” They have meetings to determine if they need one, they come up with some kind of RFP document, they go out for bids, they evaluate the bids, they buy an automobile, they set up a training program, and they train their officers, and they figure out how they are going to use it. Meanwhile, the bank robber says: “Oh, look, a new getaway vehicle! I can use it instantly.”
We saw the same thing in Internet crime. The possibility of fraud in e-commerce happens on the Net, and pretty much instantly we had a new breed of Internet fraudster that started attacking these systems. Meanwhile, the police who basically trained on Agatha Christie novels had to reinvent themselves, and it took about 7 or so years before the police were able to go after these criminals, and we still have problems because of the scale, the international nature, the inability to collect good evidence.
That’s the delay, and I call that ‘the security gap’, there is a sort of a gap between the good guys and the bad guys, and it’s caused by the delay in restoring the balance after technology imbalances things. And this gap, if you think about it, is, one – greater when there’s more technology; and two – greater in times of rapid technological change, actually, greater in times of greater social change due to rapid technological change. And today we’re living in a society where, one – there’s more technology than ever before; and two – there’s more technological change and resulting social change than ever before, which means the security gap is greater than ever before and, and probably going to remain big for a long time.
I think this is why we’re starting to see in our community different security paradigms that try to take this into account, I’ve seen it called lean security, or agile security, or reactive security; the idea here is that we’re not going to get ahead of the bad guys, we need to be able to respond faster, that’s really about closing the security gap. On the other hand, technology does help societal pressures scale, too.
Technology helps the good guys as well, just not as often and not as much. What are some examples of that in policing: fingerprint technology, the radio. Radio is probably the biggest change in law enforcement ever, because what it did is it no longer was a policeman a lone agent in the community, he could call for backup; that change, you know, happened over a hundred years ago, but the change was remarkable.
What are some examples of scaling? The credit scoring system – I assume, this one is going to be similar here, in New Zealand. In the Unites States there’s a credit scoring system: everybody has a credit score, and it’s a number. And it used to be when you wanted a loan, you would go to the bank, and the bankers would know you, and would give you a loan based on who you were – a reputation-based security system. The problem with that is it doesn’t scale very well, a bank officer has to know you. We’ve replaced that in the United States with a credit scoring system, and you can go virtually, probably online to any bank in the country, apply for a loan, that bank will pull your scoring system, and give you a loan based on that number. And if you think about it, that’s also a reputational-based system, because that number is generated by your past behavior. There is a massive database that has information about you, your income, and your past loans, and your payment history, and makes the decision based on that. It’s probably not as good, but the value of scaling that system is so enormous that it’s worth it.
Going back into history, writing allowed moral systems to scale, writing is a technology that allows you to transfer your moral codes, you can write them down in books, and that was a big deal for humanity. All sorts of technologies help laws scale. And of course technologies themselves act as security mechanisms: better door locks, better burglar alarms, better credit scoring algorithms, better fraud detection algorithms for credit cards.
1. Actually, let me do it this way: let me make a bunch of final points and then I’ll take questions. So, I guess this is a sum up. No matter how much societal pressure you deploy, there always will be defectors, and you can never get the defection rate down to zero. The basic reason is, as you get the defection rate lower and lower, the value of switching strategies becomes greater and greater, so somebody will switch.
2. Increasing societal pressure isn’t always worth it. There’s diminishing returns here, if you double the security budget, you don’t get twice the security, so there’s some optimal level.
3. Societal pressures can also prevent cooperation. As you increase the amount of pressure, the greater the chance that you mistakenly punish an innocent. The more draconian you make your anticrime laws, the more non-criminals get caught by accident. And that has an effect on cooperation. A totalitarian state, even one without a lot of street crime, is not considered a high-trust society, because there’s other mistrust that comes out besides.
We all defect in some things at some times, no one is 100% cooperative in all things. We are human and, occasionally, we do put our self-interest ahead of group interest. I’m not convinced this is bad, because there are good defectors and there are bad defectors, and society can’t always tell the difference. Cooperation is about following the social norm. It doesn’t mean the social norm is in some ways moral, there have been a lot of immoral social norms in our civilization’s past, slave-owning is an obvious one, and, presumably, if you fast forward two hundred years there are things that we do in our society that will be looked at as barbaric, primitive, and something no moral society would do any more. Sometimes it takes history to determine who’s in the right.
And this is why society needs defectors. The group actually benefits from the fact that some people don’t follow the social norms, because that’s where you get the incubation for social change, that’s how society progresses.