September 06, 2008
When risks go south: FM&FM to be nationalized
Not just another two scalps being counted: Fannie Mae and Freddie Mac, the huge USA mortgage lenders, are to be nationalised:
The government’s planned takeover of Fannie Mae and Freddie Mac, expected to be announced as early as this weekend, came together hurriedly after advisers poring over the companies’ books for the Treasury Department concluded that Freddie’s accounting methods had overstated its capital cushion, according to regulatory officials briefed on the matter.
Well, what else can they do? Think about how huge this is: the two of them hold or back debts of around $5.3 trillion. Failure would almost certainly mean systemic collapse: first the US housing market, then the rest.
The theory of central banking has it that the CB is the lender of last resort. And after that last resort, it owns the bank. So the Fed now will own these mortgage lenders, as a consequence of its role. No change here.
But, the theory also has it that any such lending brings on the most severe punishments. Collapse and rescue by the CB then means: all shareholders are set to zero. All directors are sacked. It is then welcome to see, in contrast to earlier wimpy efforts by Bernanke's Fed, this:
The details of the deal have not fully emerged, but it appears that investors who own the companies’ common stock will be virtually wiped out; preferred shareholders, who have priority over other shareholders, may also wind up with little. Holders of debt, including many foreign central banks, are expected to receive government backing. Top executives of both companies will be pushed out, according to those briefed on the plan.
will be pushed out? Pah! In Switzerland, it is apparently a crime to be an officer of a failed bank. Think hard here.... Who are their auditors? Who were the ratings agencies? Who were the regulators?
While others ponder the detail of rounding up the guilty, there is the wider question of how to act, systemically, and properly, if one were a CB. What caused this to happen?
Clearly, we don't know the full detailed story. We do know the US economy has been out of balance for many years now, you pick the number. We do know that pay-up time is now. Further, it has been obvious for a long time that FM & FM have been structured on continually rising housing prices. How dumb is that?
Still, assuming a free-market, the government is wise not to tell bad investors (or companies) how to act properly. Even if it "knows" what is "right", the theory of free markets is that it knows much less than it would like to, and certainly less than how to run a business. (Otherwise it would be doing it, right?)
The mistake then is in allowing the mortgage backers to become too big to fail. That is, assuming a free-market, we must also respect the right to collapse. When there is no right to collapse, there is no free market. All else is subsidies, and the various other isms are just around the corner. Communism, nationalism, socialism, playing-fieldism:
Fannie Mae executives are likely to have resisted the proposed takeover because the company's financial condition isn't as dire as its sibling company, said Bert Ely, an Alexandria, Va.-based banking industry consultant. But the government would still have to take over both companies, he said, to allow them to borrow money at the same rates. "In order to level the playing field between the two companies, you've got to take over both of them," said Ely, a longtime critic of the two companies.
The backing by the USG for the mortgage lenders' debt is the tactical error. Having got the systemic details off our chest, let's move to the witch-hunt. Who started these monstrosities then? How did the shared guarantee from the US taxpayer come into being? Who fell for that old trick? The US taxpayer deserves to know whose stupidity she's paying for this time, no?
Fannie Mae was created by the government in 1938, and was turned into a shareholder-owned company 30 years later. Freddie Mac was established in 1970 to provide competition for Fannie.
Oops!
September 03, 2008
Yet more evidence: your CISO needs an MBA
I have in the past presented the strawman that your CISO needs an MBA. Nobody has yet succeeded in knocking it down, and it is proving surprisingly resilient. Yet more evidence comes from Bruce Schneier's blog post of yesterday:
Return on investment, or ROI, is a big deal in business. Any business venture needs to demonstrate a positive return on investment, and a good one at that, in order to be viable. It's become a big deal in IT security, too. Many corporate customers are demanding ROI models to demonstrate that a particular security investment pays off. And in response, vendors are providing ROI models that demonstrate how their particular security solution provides the best return on investment.
It's a good idea in theory, but it's mostly bunk in practice.
Bunk is wrong. Let's drill down. It works this way: NPV (net present value) and ROI (its lesser cousin) are mathematical tools for choosing between alternative projects. Keep the notion of comparison tightly in your mind.
The tools measure the money going in versus the money going out in a neutral way. They are entirely neutral between projects because NPV is just mathematics, and the same mathematics is used for each project. (See the top part of Richard's post.)
Obviously, any result from the model depends totally on the inputs, so a great deal of care and theory is needed to supply those inputs properly. And it is here that security projects have the trouble, in that we don't have a good view as to how to predict attack costs. To be clear, there is no controversy about the inputs being a big problem.
But, assuming we have the theory, the process and the inputs, we can, again in principle, measure fairly across all projects.
That's how it works. As you can see above, we do not make a distinction between investment, savings, costs, returns or profits. Why not? Because the NPV model and the numbers don't, either.
What then goes wrong with security people when they say ROI doesn't apply to security?
Before I get into the details, there's one point I have to make. "ROI" as used in a security context is inaccurate. Security is not an investment that provides a return, like a new factory or a financial instrument. It's an expense that, hopefully, pays for itself in cost savings. Security is about loss prevention, not about earnings. The term just doesn't make sense in this context.
The bottom line is that security saves money; it does not create money.
It seems that they seize on the words investment and returns, etc., and realise that the words differ from costs and savings. In conceptual or balance sheet terms, they do differ, but here's the catch: to the models of NPV and ROI, it's all the same. In this sense, we could say that the title of ROI is a misnomer, or that there are several meanings to the word "investment" and you've seized on the wrong one.
If you are good at maths, consider it as simply a model that deals equally well with negative numbers and positive numbers. To the model, savings are just the negatives of returns.
Now, if your security director had an MBA, she would know that the purpose of NPV is to compare projects, and not anything else, like generating returns. She would also know that the model is neutral, and that the ability to handle negative numbers means that expenses and savings can be compared as well. She would further know that the problems occur in the inputs and assumptions, not in the model.
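To make the "savings are just negatives of returns" point concrete, here is an added worked example (mine, not code from the original post or from Schneier's). It runs one NPV formula over a revenue project and over a security control, then recomputes the control as a pure-expense comparison (a stream of negative numbers for losses and costs) and shows the two views give the identical figure. The discount rate, outlays, revenues and expected-loss numbers are constructed samples, not figures from any real project.

```python
"""NPV as a project-neutral yardstick.

Added illustration for the NPV/ROI argument above; not code from the
original post. Rate, outlays, revenues and expected-loss figures are
constructed sample values, not figures from any real project.
"""


def npv(rate, cash_flows):
    """Net present value of per-period cash flows.

    cash_flows[0] is the amount at time zero (an outlay is negative);
    later entries are net money in (positive) or out (negative) for each
    period. The formula is the same whatever label the accountant puts
    on a figure: a saving is simply a positive number that would
    otherwise have been a negative one.
    """
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cash_flows))


def revenue_project(rate, outlay, annual_revenue, annual_opex, years):
    """A 'new factory': pay the outlay now, earn revenue net of running
    costs for `years` periods."""
    flows = [-outlay] + [annual_revenue - annual_opex] * years
    return npv(rate, flows)


def security_project(rate, outlay, annual_opex, loss_without, loss_with, years):
    """A control that cuts annual expected loss from `loss_without` to
    `loss_with`. Its 'return' is the loss that no longer happens, net of
    the control's own running cost."""
    saving = loss_without - loss_with
    flows = [-outlay] + [saving - annual_opex] * years
    return npv(rate, flows)


def expected_loss_view(rate, outlay, annual_opex, loss_without, loss_with, years):
    """The same control seen purely as expense: both alternatives are
    streams of negative numbers (losses and costs), and the comparison is
    the difference of their NPVs. Because NPV is linear, this equals the
    'investment with returns' figure from security_project()."""
    do_nothing = [0.0] + [-loss_without] * years
    with_control = [-outlay] + [-(loss_with + annual_opex)] * years
    return npv(rate, with_control) - npv(rate, do_nothing)


def rank_projects(rate, projects):
    """Rank named projects (name -> cash flow list) by NPV, highest first,
    using the identical formula for every project, security or not."""
    scored = [(name, npv(rate, flows)) for name, flows in projects.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    rate = 0.10
    # Constructed numbers: a factory netting 30/year and a control saving
    # 40/year of expected loss at a running cost of 10/year, both costing 100.
    print(f"factory NPV  = {revenue_project(rate, 100, 50, 20, 5):.2f}")
    print(f"control NPV  = {security_project(rate, 100, 10, 60, 20, 5):.2f}")
    print(f"expense view = {expected_loss_view(rate, 100, 10, 60, 20, 5):.2f}")
    print(rank_projects(rate, {
        "factory": [-100] + [30] * 5,
        "control": [-100] + [30] * 5,
        "weaker control": [-50] + [10] * 5,
    }))
```

The model never asks whether a 30 is revenue or avoided loss; the only place the security case differs is in how confidently you can fill in `loss_without` and `loss_with`, which is exactly where the post says the real difficulty lies.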
Finally, she would know how to speak in the language of finance, which is the language that the finance people use. This might sound obvious, but it isn't so clear. As a generalisation, it is this last point that is probably most significant about the MBA concept: it teaches you the language of all the other specialities. It doesn't necessarily make you a whizz at finance, or human resources, or marketing. But it at least lets you talk to them in their language. And, it reminds you that the other professions do have some credibility, so if they say something, listen first before teaching them how to suck eggs.
September 02, 2008
Discovery, the bright new sword of the digital judiciary!
Over at the Economist, they sound the alarm about justice being eaten from within by discovery and especially electronic discovery. On a case worth $1000 per month:
Horizon immediately asked to see practically everything the teenagers had said on their Facebook and MySpace profiles, in instant-messaging threads, text messages, e-mails, blog posts and whatever else the girls might have done online. The Beyes’ lawyer, David Mazie at Mazie, Slater, Katz & Freeman, objected on the grounds that Horizon’s demands violated the girls’ privacy. He lost. So hard disks and web pages are being scoured in order for the case to proceed. Gathering and then sifting through all the electronic information that a few teenage girls have generated is excessive and daunting, says Mr Mazie.
Something wrong there, but what is the issue? In comments last week, Daniel Perry pointed to this article by William J. McLean:
Discovery matters are frequently assigned to retired judges and/or experienced local trial attorneys and typically involve the payment of significant fees to these appointed special masters -- often in excess of $400 per hour. ...The burden and cost of electronic discovery may fall disproportionately on one of the parties in litigation, and this can lead to an unsatisfactory state of affairs in which litigation is determined not on the merits, but instead on rulings that arise out of discovery disputes. Unfortunately, any party with the financial ability to play the e-discovery card may be able to overwhelm its opponent with the discovery process to the point of either driving that opponent out of business or forcing it to forgo a valid claim for damages. Alternatively, it could leave a party without the financial ability to defend a case on the merits.
(Yes, as this is a non-legal blog, I elided the formal law reference.) So, discovery is a weapon. If you have more money, you can flood the other side with discovery requests. Back to the Economist:
And yet almost all information today is electronic, and there is ever more of it. “Things that we would never have put in writing are now in electronic form,” says Rebecca Love Kourlis, formerly a justice on Colorado’s Supreme Court and now the director of an institute at the University of Denver dedicated to rescuing America’s civil-justice system. This system, she says, was already a “sick patient”—with crowded dockets and understaffed courts—but electronic discovery now threatens a lethal “spike in fever”. She has seen ordinary landlord-tenant disputes take three years, and divorce cases that might have been merely bitter, but are now digital wars of attrition. She sees cases that are settled only because one party cannot afford the costs of e-discovery: whereas in the past 5% of cases went to trial, now only 2% do. She knows plaintiffs who cannot afford to sue at all, for fear of the e-discovery costs.
From 5% to 2% suggests Kourlis is blaming electronic discovery for a halving of justice!
How do we -- the victims -- deal with it? What are the defences? The Economist suggests that the continental tradition of inquisitorial justice is a natural brake on the abuse, so do we have to move to Europe? McLean implies there are two defences: traditionally, the cost of searching for paper had a natural limit, and the legal code(s) of conduct limit any abuse. As we know, there is now no limit to searching and copying data (remember Google, the RIAA, etc.). The second can go spectacularly wrong:
Discovery motions, meanwhile, continued to be filed. Huge amounts of attorneys' fees were being spent month after month as part of this exercise. No controls or limitations were placed on the discovery process. Despite warnings from counsel that he should get control of this case, the special master continued to allow and hear motions to compel and to impose sanctions. As many as six lawyers would attend the hearings, which would continue day after day, week after week, month after month. A pattern was developing. Defendants came to fear that yet another motion for terminating sanctions would be forthcoming if something was not done to try and remedy what the special master seemed to believe were the inadequacies of previously supplied answers to interrogatories. At one point, about $1 million was spent on preparing a fifth set of supplemental answers, with the knowledge that yet another motion would almost certainly be forthcoming. Ultimately no further motion was filed -- at least as to those specific answers.
But, it gets worse. McLean outlines the nuclear option, wherein the Special Master seizes on a lost or deleted document, and strikes the submission. From there, a default on the entire case may be entered.
What's with that? For the record, I, and everyone I know, delete documents all the time! Indeed, I have deleted most of the article, above, and the article's authors have themselves been skimpy for editorial reasons.
Caveats and memories of Arthur Andersen aside, it seems clear that discovery is a weapon, and the courts may not defend you against it. Further, in this age of digital documents -- 80% of evidence according to one estimate -- there is no natural upper bound on discovery patience, as there was with boxes of paper.
This then makes discovery a threat to your business. In financial cryptography, we search out these threats and work with them, in advance of the lawyers' fees (sorry about that!). Luckily, we can do something about this one: we can use many techniques to organise the documents so that they are firstly secured and secondly complete. What remains as the open question for you: do we include it in each and every design, in your design, or in no design? This is a question of risk management, of course, but here is the final salutary warning to add some bias:
Postscript: Ultimately the dispute between Synopsys and this group of former employees settled, but not before more than 20 additional discovery motions were filed and heard. The defendant corporation no longer exists, following its acquisition by Synopsys in May 2005. The product that Nassda developed is now owned by Synopsys. The case generated some $100 million worth of attorneys' fees. Nine law firms were involved in the prosecution and defense of the case. The special master received about $1 million. Pursuant to the terms of the settlement agreement, our client (one of the Nassda employees) paid nothing.
Which side of that weapon do you want to be on?
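Since the post says the documents can be organised to be "firstly secured and secondly complete" without saying how, here is one technique of that kind as an added example (mine, not code from the post or from any system it describes; that a hash-chained register is the sort of thing meant is my assumption). Every document added or deleted is recorded in an append-only register where each entry commits to the previous one, so a quietly dropped entry shows up as a gap and a broken chain, a document changed after registration shows up as a digest mismatch, and a deletion is itself an entry, so a missing document can be accounted for rather than looking like spoliation. Document names and contents are constructed samples.

```python
"""Tamper-evident, completeness-checkable document register.

Added example for the 'secured and complete' point above; not code from
the original post. A hash-chained register is one technique of the kind
the post has in mind (my assumption); the document names and contents
below are constructed samples.
"""
import hashlib
import json

GENESIS = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_hash(entry: dict) -> str:
    """Hash of an entry's canonical JSON form, excluding its own hash field."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


class DocumentRegister:
    """Append-only register: each entry commits to the previous one, so a
    silently removed or reordered entry breaks the chain. Deletions are
    recorded as events rather than by erasing history, so a document that
    is gone can still be shown to have existed and when it went."""

    def __init__(self):
        self.entries = []

    def _append(self, event, name, content_sha256):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "event": event, "name": name,
                 "content_sha256": content_sha256, "prev": prev}
        entry["entry_hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry

    def add(self, name, content: bytes):
        return self._append("added", name, sha256_hex(content))

    def delete(self, name):
        return self._append("deleted", name, None)


def verify(entries, held):
    """Check chain integrity and completeness against `held`, a mapping of
    document name to the bytes currently on disk. Returns a list of
    problems; an empty list means the register and the holdings agree."""
    problems = []
    prev = GENESIS
    live = {}
    for i, e in enumerate(entries):
        if e["seq"] != i:
            problems.append(f"sequence gap at position {i}")
        if e["prev"] != prev:
            problems.append(f"chain broken at seq {e['seq']}")
        if entry_hash(e) != e["entry_hash"]:
            problems.append(f"entry {e['seq']} altered")
        prev = e["entry_hash"]
        if e["event"] == "added":
            live[e["name"]] = e["content_sha256"]
        elif e["event"] == "deleted":
            live.pop(e["name"], None)
    for name, digest in live.items():
        if name not in held:
            problems.append(f"missing document: {name}")
        elif sha256_hex(held[name]) != digest:
            problems.append(f"altered document: {name}")
    for name in held:
        if name not in live:
            problems.append(f"unregistered document: {name}")
    return problems


def demo():
    """Constructed scenario: an honest register, the same register with an
    entry quietly removed, and a document altered on disk after registration."""
    reg = DocumentRegister()
    reg.add("contract.pdf", b"constructed contract text")
    reg.add("memo.txt", b"constructed memo")
    reg.delete("memo.txt")                       # recorded, not erased
    held = {"contract.pdf": b"constructed contract text"}
    honest = verify(reg.entries, held)
    dropped = verify(reg.entries[:1] + reg.entries[2:], held)
    altered = verify(reg.entries, {"contract.pdf": b"edited later"})
    return {"honest": honest, "dropped": dropped, "altered": altered}


if __name__ == "__main__":
    for label, problems in demo().items():
        print(label, "->", problems or "consistent")
```

The register itself needs to be kept somewhere the party producing it cannot quietly rewrite (periodically publishing the latest `entry_hash` to a third party is the usual move); without that, the chain only proves internal consistency, not that nothing was removed before anyone looked.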
August 25, 2008
Should a security professional have a legal background?
Graeme points to this entry that posits that security people need a legal background:
My own experience and talking to colleagues has prompted me to wonder whether the day has arrived that security professionals will need a legal background. The information security management professional is under increasing pressure to cope with the demands of the organization for access to information, to manage the expectations of the data owner on how and where the information is going to be processed and to adhere to regulatory and legal requirements for the data protection and archiving. In 2008, a number of rogue trader and tax evasion cases in the financial sector have heightened this pressure to manage data.
The short, sharp answer is no, but it is a little more nuanced than that. First, let's take the rogue trader issue, being someone who has breached the separation of roles within a trading company, and used it to bad effect. To spot and understand this requires two things: an understanding of how settlement works, and the principle of dual control. It does not require the law, at all. Indeed, the legal position of someone who has breached the separation, and has "followed instructions to make a lot of money" is a very difficult subject. Suffice it to say, studying the law here will not help.
Secondly, asking security people to study law so as to deal with tax evasion is equally fruitless, but for different reasons: it is simply too hard to understand; it is less law than an everlasting pitched battle between the opposing camps.
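As an added example of the two things the paragraph says are needed, here is a toy settlement desk (my code, not from the original post or any real trading system) that enforces separation of roles and dual control on a settlement instruction: front office books, back office confirms, nobody confirms their own booking even if they hold both roles, and large instructions need two confirmers. Every attempt, refused or not, lands in an audit trail, which is what you would actually read when looking for someone working around the separation. The names, roles, amounts and the two-person threshold are constructed assumptions.

```python
"""Separation of roles and dual control on a settlement instruction.

Added example for the rogue-trader point above; not code from the
original post. Names, roles, amounts and the two-person threshold are
constructed assumptions for illustration.
"""
from dataclasses import dataclass, field


class DualControlError(Exception):
    """Raised when an action would breach separation of roles or dual control."""


@dataclass
class Instruction:
    ref: str
    amount: float
    booked_by: str
    approved_by: list = field(default_factory=list)
    released: bool = False


class SettlementDesk:
    """Front office books, back office confirms, nobody confirms their own work."""

    def __init__(self, roles, two_person_threshold):
        self.roles = roles                      # user -> set of role names
        self.threshold = two_person_threshold   # above this, two confirmers are needed
        self.audit = []                         # (user, action, ref, outcome), append-only

    def _log(self, user, action, ref, outcome):
        self.audit.append((user, action, ref, outcome))

    def _require_role(self, user, role, action, ref):
        if role not in self.roles.get(user, set()):
            self._log(user, action, ref, "refused: wrong role")
            raise DualControlError(f"{user} does not hold role {role}")

    def book(self, ref, amount, user):
        self._require_role(user, "front_office", "book", ref)
        self._log(user, "book", ref, "ok")
        return Instruction(ref, amount, user)

    def approve(self, instr, user):
        self._require_role(user, "back_office", "approve", instr.ref)
        # A user holding both roles still may not confirm their own booking,
        # and one person may not count twice towards the two-person rule.
        if user == instr.booked_by or user in instr.approved_by:
            self._log(user, "approve", instr.ref, "refused: self-approval or duplicate")
            raise DualControlError("confirmer must be a different person, once")
        instr.approved_by.append(user)
        self._log(user, "approve", instr.ref, "ok")

    def release(self, instr):
        needed = 2 if instr.amount > self.threshold else 1
        if len(instr.approved_by) < needed:
            self._log("system", "release", instr.ref, f"refused: {needed} approvals needed")
            raise DualControlError("insufficient approvals")
        instr.released = True
        self._log("system", "release", instr.ref, "ok")
        return instr


def demo():
    """Constructed scenario exercising each control; returns the outcomes."""
    roles = {"alice": {"front_office"}, "bob": {"back_office"},
             "carol": {"back_office"}, "dave": {"front_office", "back_office"}}
    desk = SettlementDesk(roles, two_person_threshold=1_000_000)
    out = {}
    small = desk.book("T1", 250_000, "alice")
    desk.approve(small, "bob")
    out["small_released"] = desk.release(small).released
    big = desk.book("T2", 5_000_000, "alice")
    desk.approve(big, "bob")
    try:
        desk.release(big)
        out["big_one_approval"] = "released"
    except DualControlError:
        out["big_one_approval"] = "refused"
    desk.approve(big, "carol")
    out["big_two_approvals"] = desk.release(big).released
    own = desk.book("T3", 100, "dave")          # dave holds both roles
    try:
        desk.approve(own, "dave")
        out["self_approval"] = "allowed"
    except DualControlError:
        out["self_approval"] = "refused"
    out["refusals_logged"] = sum(1 for _, _, _, o in desk.audit if o.startswith("refused"))
    return out


if __name__ == "__main__":
    print(demo())
```

None of this touches the law; it is settlement mechanics plus the dual-control principle, and the audit trail is where a breach of the separation would first become visible.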
Another way of looking at this is to look at the FC7 thesis, which says that, in order to be an architect in financial cryptography, you need to be comfortable with cryptography, software engineering, rights, accounting, governance, value and finance. The point is not whether law is in there or not, but that there are an awful lot of important things that architects or security directors need before they need law.
Still, an understanding of the law is no bad thing. I've found several circumstances where it has been very useful to me and people I know:
- Contract law underpins the Ricardian contract.
- Dispute resolution underpins the arbitration systems used in sensitive communities (such as WebMoney and CAcert).
- The ICANN dispute system might be run by someone experienced who realises that touching domain registries can do grave harm. Alternatively, a jurist looking at the system will not come to that conclusion at all.
In this case, the law knowledge helps a lot. Another area which is becoming more and more an issue is that of electronic evidence. As most evidence is now entering the digital domain (80% was a recent unreferenced claim) there is much to understand here, and much that one can do to save one's company. The problem with this, as lamented at the recent conference, is that any formal course of law includes nothing on electronic evidence. For that, you have to turn to books like those by Stephen Mason on Electronic Evidence. But that you can do yourself.