April 14, 2008

Signs of Liability: 'Zero Day Threat' blames IT and Security industry

I painfully predicted a few years back that phishing and related identity theft would result in class action suits. I lost my bet as it didn't happen fast enough, but a significant step has been taken (reported by Lynn) with the publication of a book that apparently blames the banks and the software manufacturers for identity theft. Here's a review from USA Today (also on Yahoo):

Surprisingly, the real villains in Zero Day Threat are not the identity thieves themselves, despite their unsavory lives of crime. Rather, the villains are supposed pillars of communities: bankers, credit-bureau managers and computer makers who enable the burglars, and who could ameliorate the identity-theft crisis but, instead, look away in the name of larger corporate profit.

Acohido and Swartz did not expect to write a book about villainous bankers, credit-bureau managers and computer makers when they began research five years ago. They began by writing reports for this newspaper on PC viruses and spam, which at first seemed like mutually exclusive topics. The more they reported on their disparate stories, the more Acohido and Swartz realized that spammers and virus writers were more than amateur disrupters in cyberspace. In fact, many of them had become cybercrooks, capitalizing on the vulnerabilities of the Internet.

"We found that there were much more complex contagions eroding the security and privacy of sensitive data" than mere spammers and virus writers, Acohido and Swartz comment, "and those corrupters had more to do with business practices and marketing strategies of the financial services and technology industries."

The authors promise "astounding revelations," and they deliver. In keeping with the complexity of identity theft, Acohido and Swartz organize the book in a complex, even daring, manner. Each chapter has three recurring sections - Exploiters, Enablers and Expediters.

The Exploiters consist of the lawbreakers, some of them addicts needing money for narcotics, some of them stone-cold-sober career criminals operating identity-theft syndicates across national borders. The Enablers consist of the banks, credit bureaus, credit card companies and data brokers seemingly blind, deaf and dumb to the need for privacy protection. The Expediters consist of the technologists who write computer programs with good intentions (at places like Microsoft), and their evil twins who write programs as recreation to disrupt networks.

I'm not recommending the book, as I haven't got it, nor have I read it. The point isn't to buy it, but to watch how much traction the book and its message get in the public mind: if middle class America (the heartland of victims) groks that the banks and the software suppliers are responsible, then things might happen.

Legislation might get written, as is suggested in the article. However, in general, we know that legislation is generally bad because the lawmakers don't know enough; more law will haunt us more than it helps us. It is no more than childish dreams to hope that the SB1386 miracle is repeated.

For this reason, the class action suit might result in a better result. If it goes wrong, only one manufacturer gets hurt. If it goes right, it establishes a precedent in law and a message in the minds of the otherwise security-shy manufacturers. N.B., another step closer was taken when class-action lawsuits were filed for the Hannaford breach.

A footnote based on some econ theory: One of the observations that is often made is that it is all to do with incentives. This comes from the agency theory branch of economics, and it identifies how actors act according to the monetary incentives in front of them.

The specific problem is that, other than a few anti-virus suppliers and other exceptions, nobody much ever made money from security in the world of IT. That's because of an unfortunate truth: the user bears the entire cost of a failure of security. Now, obviously, if there were a way to pass that liability and cost back to the manufacturers, then, so the theory goes, security would get better.

This hits a roadblock when we look at the structure of the industry: it is far more based on open standards and innovation than we might care to believe. E.g., the IBM PC line, the Unix OS, the 'C' language, the open email protocol, have all inspired massive standardisation, extension, and copying. This is great because the innovation diffuses across society in an extremely cost-effective way. But it has a downside, which is that we can't easily hold the "manufacturer" liable because it is unclear who is the manufacturer of these innovations.

E.g., if we decide that Linux security is flaky, do we sue Linus or Dennis or Redhat or ...?

The end result of all this bounty is that consumers have to take one for the team, because to make manufacturers liable will stop the innovation and diffusion, conceivably double the cost of their product, stop the IT revolution, and take us back to the time of national telco champions. Nobody wants that.

For that reason, blanket legislation is a bad idea. But as the problem remains, the class action suit might be the safety valve that corrects some of the worst excesses of the pathologically neutered security industry.

Posted by iang at April 14, 2008 10:47 AM

three financial areas ... all mentioning congressional &/or regulatory action:

breaches & ID theft:
http://www.garlic.com/~lynn/2008h.html#4 You won't guess who's the bad guy of ID theft
http://www.garlic.com/~lynn/aadsm28.htm#54 Liability for breaches: do we need new laws?

budget transparency:
http://www.garlic.com/~lynn/2008h.html#3 America's Prophet of Fiscal Doom

repeal of Glass-Steagall contributing to current write-downs
http://www.garlic.com/~lynn/2008g.html#66 independent appraisers
http://www.garlic.com/~lynn/2008g.html#67 independent appraisers
http://www.garlic.com/~lynn/2008h.html#1 subprime write-down sweepsteaks

Posted by: Lynn Wheeler at April 14, 2008 01:27 PM

In terms of predicting that people will call for more regulation, that's a sure-fire bet. You can take that to the bank; people calling on more other people to do more other things about it is human nature.

Which means we are likely to see legislation. My first point is that it will be bad legislation, simply because most legislation in complicated matters has been bad in the past. Legislation only works well when it codifies already solved processes. We are a long way from saying we have this one licked.

My second point is that we don't need it, because there is the class-action lawsuit. Although uncomfortable to some, it seems as though it will get there in the end.

But, I agree, we'll still likely get (bad) legislation because the problem is too big now.

Posted by: Iang at April 15, 2008 08:35 AM

latest in the ongoing saga

Hackers open new front in payment card data thefts; Cybercrooks are stealing info while it's in transit between systems. Can the PCI rules stop them?

from above:

Security managers often describe their efforts to protect corporate data from being compromised as a full-fledged battle of wits against cybercrooks who are continually arming themselves with innovative tools and methods of attack.

... snip ...

this is discussed in old "naked transaction" threads ... that it will be a constant ongoing battle

Posted by: Lynn Wheeler at April 16, 2008 12:25 AM