Wired: Echelon Furor Ends in a Whimper
Ross Anderson
Ross.Anderson at cl.cam.ac.uk
Wed, 11 Jul 2001 14:58:39 +0100

Owen:
> It is an interesting conundrum, isn't it? Moreover it's to be found in all
> countries and all walks of life. People and organisations will pay more and,
> in particular, will pay more readily to gain an advantageous position,
> compared to that which they (with reluctance) will pay to secure properly
> what they already have.

It's not a conundrum at all, but simple applied economics.

Suppose that you head up a U.S. agency with economic intelligence
among its objectives, and one of your scientists has just discovered a
beautiful new exploit on Windows 2000. If you tell Bill, you might
protect 250 million Americans; if you keep quiet, you will be able to
conduct operations against 400 million Europeans and 100 million
Japanese.

What's more, you will get credit for operations you conduct
successfully against foreigners, while any operations that they
conduct successfully against U.S. targets will probably remain unknown
to your superiors. This further emphasizes the motive for attack
rather than defense.

Finally -- and this appears to be less widely realized -- the balance
in favour of attack rather than defense is still more pronounced in
smaller countries such as Britain. We have fewer citizens to defend,
and more foreigners to attack.

For more, see my book, or the paper on economics and information
security on my web page. Many of the things that appear to be
perpetually frustrating, or just simply perverse, about infosec (and
IT policy in general) have straightforward explanations - once you
look at them using concepts from applied microeconomics, rather than
moralising and handwaving.

Ross