Ex-NSA Analyst To Be Global Security Head At Apple

AHuxley writes "Cnet.com reports that Apple has tapped security expert and author David Rice to be its director of global security. Rice is a 1994 graduate of the US Naval Academy and has a master's degree in Information Warfare and Systems Engineering from the Naval Postgraduate School. He served as a Global Network Vulnerability analyst (Forbes used cryptographer) for the National Security Agency and as a Special Duty Cryptologic officer for the Navy. He is executive director of the Monterey Group, a cybersecurity consulting firm. He's also on the faculty of IANS, an information security research company and works with the US Cyber Consequences Unit. In a 2008 interview with Forbes, 'A Tax On Buggy Software,' Rice talks of a 'tax on software based on the number and severity of its security bugs. Even if that means passing those costs to consumers. ... Back in the '70s, the US had a huge problem with sulfur dioxide emissions. Now we tax those emissions, and coal power plants have responded by using better filters. Software vulnerabilities, like pollution, are inevitable — producing perfect software is impossible. So instead of saying all software must be secure, we tax insecurity and allow the market to determine the price it's willing to pay for vulnerability in software. Those who are the worst "emitters" of vulnerabilities end up paying the most, and it creates an economic incentive to manufacture more secure software.'"

Why not a security rating, so buyer can choose?

[noidentity]

From the article:

But consumers prefer secure software to insecure software. Isn't that preference enough to create an incentive for companies to focus on security?

Wouldn't that be great? The problem is that right now people can't figure out whether software is secure. They buy software based on what's asserted and take companies at their face values.

If you look at the five-star rating on automobiles, you don't have to be an expert to make a decision about safety. You can appraise the risk you're purchasing based on that rating. Today almost all the cars on the road are four or five star rated: The market has chosen more safe cars because the safety rating is visible.

OK, so have a private certification company so you can see their rating on the product. Why is a tax needed? The example he cites, of automobiles, gives the buyer the choice of how safe the vehicle must be.

How would you measure software vulnerability?

The types of attacks we've seen over the past four years haven't changed. [The U.S. Department of Homeland Security] keeps a repository of attack patterns. So just as we run cars in various crash tests to see how they respond, we can run these attack patterns on software, judge how it performs and give it a security rating.

If determining software vulnerability were as simple as running some automated tests, it wouldn't be a problem in the first place. In his example of testing vehicles, it would be like having to protect them against a near-infinite variety of crash situations. How can you automate this, so as to give a simple rating?

A tax on insecure software would be passed on to the consumer in higher prices. Is that really the goal?

There's a notion in economics of private cost and the social cost of behavior. The results of insecure software--cybercrime and cyber-espionage--are largely social costs, not paid by the individual who's responsible for the behavior.

Vulnerabilities lead a consumer's computer to be hijacked by malicious software that allows the attacker to do practically anything with it. Sometimes the attacker targets the infected machines, like the attacks on the Pentagon last year. But often the machine is used to send out more spam, more phishing attacks, or it becomes one of the hundreds of thousands of machines that are used in "denial of service attacks" like the ones that shut down Estonia's Web last year. Those social costs are very heavy.

If a tax raised the private cost of cybercrime, people would get educated very quickly. When insecure software starts costing more, people will adjust their behavior.

OK, so let's say all software is secure. That doesn't stop people from combining it in ways that leads to insecurities, or even configuring a single piece so that it's insecure. How will this tax help that?

Here he talks of negative externalities and making those responsible pay, so that they educate themselves and avoid creating them. Sounds good, so why not do that? That doesn't involve taxation, it involves making those with vulnerable systems pay. That's the way to make the market respond.

For example, a home user's machine is infected and is now part of a botnet? Charge a fine. He'll quickly clean up his machine, switch/secure his OS, or find an ISP that will detect such a thing and automatically cut his internet connection until he cleans his machine up. Or a business leaks customer information. Fine it. That will encourage it to do what's necessary to secure the data. This way the need for security moves up the chain, from user to supplier, with whatever things are necessary to give it. Leave taxation out of it.