The Declarer (Floyd McWilliams' Blog)

Wednesday, March 03, 2004


The Mercury News declares itself the "Newspaper of Silicon Valley." Why is it then that the Merc knows so little about technology -- and worse, loudly trumpets its ignorance as something to be proud of? Yesterday's lead editorial was one of the dumbest things about the computer industry that I have read in recent years:


On the Internet, safety comes first

VOLUNTARY SECURITY MEASURES WON'T WORK

Mercury News Editorial

Here's a recap of last week's cybersecurity news.

In San Francisco, Bill Gates told a skeptical audience that Microsoft's software was getting more secure. In Washington, D.C., a dozen computer security companies formed a lobbying group to cooperate with the government on Internet security -- but to avert any regulation or mandates. And in cyberspace, variants of the Mydoom and Netsky viruses infected computers around the world.


And ... that's it? That's it! I have just quoted the full list of horrors. Bill Gates said something. A dozen computer companies did something. A bunch of jackasses who still haven't learned not to execute email attachments had their computers lock up for a while until they could find an IT person or a friend or some other grownup to help them restore their machines to normal.

No one died. No one lost vast sums of money. Sure, some businesses lost some productivity, but businesses also get less productive when the NCAA basketball tournaments start. (Last October when the A's were about to lose their third consecutive game against the Red Sox, I spent the whole afternoon in the office clutching at my gut and moaning.)


Small wonder that, also last week, two senior senators were criticizing the government's voluntary, market-based approach to cybersecurity. "The strategy is to leave most of this to the private sector," California Democrat Dianne Feinstein said. "I'm not sure, long term, that this is going to work." Sen. Jon Kyl, R-Ariz., seemed equally troubled. We share their concerns.


In 1982 my family bought an Apple II computer for $1500. It had 48K of RAM, no permanent internal storage, and a hideous green-and-black monitor that displayed 24 lines of 40-character columns, all caps. Last April I bought a laptop that has 448 megs of RAM, a 37-gig hard drive, and a beautiful 15-inch full color display. For $1500, which is of course about half what the Apple II cost in constant dollars.

I'd like to hear Feinstein or Kyl explain to us what government program or service has done as much for its beneficiaries.


No one is suggesting that protecting the computer networks that have become a critical part of the modern infrastructure will be easy. But the leave-it-to-the-industry approach favored by both tech companies and the Bush administration has not produced many successes so far.


What "success" could there possibly be? Are computer companies supposed to parade down El Camino Real with teenage hackers' heads on pikes?

Of course you might feel that the fact that no one dies or suffers serious injury from computer security breaches is a "success." Unless you're a bunch of editorial writers who feel obligated to get your panties in a bunch when it's a slow news day.


Neither the private infrastructure, which makes up about 80 percent of the Internet, nor government networks appear to be more secure now than a year ago. Security breaches -- some responsible for billions in losses -- are routine, and experts say the risk of a truly devastating attack is high.


Billions of dollars? Which security breaches are those? If you make extraordinary claims, shouldn't you feel obligated to provide examples and evidence?


Cars didn't get safer because the government asked Detroit to please do a better job. They got safer because, after the free market failed to address the issue, the government mandated seat belts, air bags and other improvements.


Really? Then why, if car buyers are morons who don't care about their safety, do we see automakers such as Volvo make safety a key selling point in their marketing campaigns?


The tech industry insists that would be the wrong approach for cybersecurity. The technology is vastly more complex. Innovation is more rapid, and today's mandate could be tomorrow's obsolete technology.

All of that rings true. But that doesn't mean the government should not set high-level standards and let the market figure out how to meet them. Regulators could also consider mandating disclosures of cybersecurity efforts at public companies, demanding more cooperation and information sharing from industry and providing incentives for security investments.


Legislators are notorious for their low comprehension of computer issues. (Random example: In the early days of the Web, the Georgia legislature passed a law which made it illegal to "falsely identify" oneself on the net. The law was so poorly written that there were worries that Georgia had outlawed links to other pages.) The idea of computer security written by a bunch of computer-illiterate politicians gives even the Mercury News editorialists pause, so they try to pass the buck by saying that government should "set high-level standards." But it's not hard to imagine that indirect attempts to legislate could be disastrous.

What if the government sets standards that are unattainable? ("Be it hereby resolved, there shall be no computer viruses in the year 2006.") What if legislation forces technology companies to focus on trivial issues, to the detriment of real security? And what's up with that "mandating disclosures of cybersecurity efforts at public companies?" Is it really a good idea to force corporations to make public their proprietary data about how they hope to defeat hackers? (Free clue for the Merc: "Public company" does not mean "owned by every citizen." It means "owned by anyone who bought its stock." Go buy ten shares of Microsoft and make an ass of yourself at their shareholder meetings rather than in the pages of your newspaper.)

The Mercury News does not consider that the current state of affairs is rational and efficient. Most people can install a secure system, like Linux. Why don't they do so? Because they want to use a simple, visually appealing operating system that is the release platform of choice for most software titles. Furthermore every single computer user has the option of not being ass enough to click on email attachments. I suppose the threat of viruses does not outweigh the pleasures of running the dancing baby applications or whatever it is that their friends email them.

I also object to the very idea that the government should set "high level standards." Legislation should be specific, not vague. As P.J. O'Rourke said, "Being specific is the essence of lawmaking and the difference between having a Congress and having a Mom."


Cybersecurity is akin to public health: If one computer or network is not secure, it's not only a danger for that one computer or network but also for the entire networked community.

The government doesn't allow individuals to choose whether to get immunized against infectious diseases. It doesn't allow farmers to decide whether a chicken with avian flu should be killed. Why, then, is cybersecurity optional?


Because ... infectious diseases kill people? Whereas computer viruses are merely an annoyance -- like the Mercury News' editorials.

