Wired: Echelon Furor Ends in a Whimper
Owen Lewis
oml at eloka.demon.co.uk
Wed, 11 Jul 2001 19:59:41 +0100
> -----Original Message-----
> From: ukcrypto-admin@chiark.greenend.org.uk
> [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Ross Anderson
> Sent: 11 July 2001 14:59
> To: ukcrypto@chiark.greenend.org.uk
> Subject: Re: Wired: Echelon Furor Ends in a Whimper
>
>
> Owen:
>
> > It is an interesting conundrum, isn't it? Moreover it's to be found in all
> > countries and all walks of life. People and organisations will pay more and,
> > in particular, will pay more readily to gain an advantageous position,
> > compared to that which they (with reluctance) will pay to secure properly
> > what they already have.
>
> It's not a conundrum at all, but simple applied economics.
>
> Suppose that you head up a U.S. agency with economic intelligence
> among its objectives, and one of your scientists has just discovered a
> beautiful new exploit on Windows 2000. If you tell Bill, you might
> protect 250 million Americans; if you keep quiet, you will be able to
> conduct operations against 400 million Europeans and 100 million
> Japanese.
>
> What's more, you will get credit for operations you conduct
> successfully against foreigners, while any operations that they
> conduct successfully against U.S. targets will probably remain unknown
> to your superiors. This further emphasizes the motive for attack
> rather than defense.

If 250 million Americans have a generation to a generation and a half lead
in the key technologies of the present and future world, will you choose to
protect that or maintain your capability to hack the other 6 billion people
on this planet, a fair number of whom are not yet far removed from the stone
age? To follow your argument, one must.

No, it's simpler than you seem to allow. Security never turns a profit.
Taking a risk usually does. The trick lies in the gauging of risk and the
reward. Security is simply the also-ran that should prevent unforeseen risk
becoming catastrophic.

It would be interesting to document some case studies along these lines.
It's a common experience that when catastrophe has struck, there was no
single, glaring omission in the security procedures but rather a general
laxness that has allowed several minor and seemingly unrelated lapses to
occur. One day, by no more than ill luck, these lapses align into a
formation that enables a massive, overwhelming and entirely unforeseen
disaster to occur. I think that good security management may be about
maintaining a level of efficiency that prevents such situations rather than
in constructing some mega-dollar fortress that consumes profit (proponents of
SDI please note).

Also, there's the useful maxim that, whatever your endeavour, you should
get 80% of the possible benefit for only 20% of the possible spend. Those
who seek something substantially better than 80% will see their costs start
to rise so that very small increments in gain cost the earth.

> Finally -- and this appears to be less widely realized -- the balance
> in favour of attack rather than defense is still more pronounced in
> smaller countries such as Britain. We have fewer citizens to defend,
> and more foreigners to attack.

Again, it does not follow. If it did, by the time you scale down to the
likes of thee and me, we should be putting all that we have, every day, into
the most rabid attacks, ripping off all and sundry. But we do not. In the
main, we behave as rational and perhaps even likeable persons. Now, that
thought you *can* scale back upwards, if you like.

The real point is actually a different one, I believe. If one bothered to do
the homework, I think one might find that there is a common ratio in
the balance of commitment of resources to offence and defence. The military
have thought so for a long time and indeed the ratio commonly applied has
not changed for hundreds of years. That ratio is three to one. As a rule of
thumb this means that one could pare down the defensive 'budget' to a third
of an offensive budget without running any undue risks. Yet a gifted
strategist may be continually triumphant in the face of a ratio of eight or even
nine to one of a defence over his offensive. Genghis Khan, Napoleon, Von
Manstein, MacArthur q.v. So perhaps the best trick is to establish correctly
whether you are taking on the Great Khan or Gen Westmoreland.

In business (some of) the cries are different but the realities of such
matters can be remarkably similar.

Owen