Seems to be a case of prisoner's dilemma. The security of any one network is to some extent at the mercy of all other connected networks. The overall security of the network is only as strong as its weakest link. In a highly competitive marketplace there is going to be little incentive to invest in security if it will just be compromised by your cost-cutting competitors.

If this is the case then the question is what kind of intervention is necessary to prevent a prisoner's dilemma and allow something like a Nash Equilibrium - the bar scene in A Beautiful Mind where they fight over the hottie blonde... Basically where a set of strategies for security are arranged so that each player believes that it is doing the best it can (most personal gain) given the strategies of the other players.

The current state appears to be that many providers do little to nothing to provide for security, so each player adjusts their strategy accordingly, resulting in the prisoner's dilemma. It seems that to get beyond this you have to bring up the lowest common denominator so that strategy is not based on networks doing nothing. How do you get the worst offenders to improve the lowest common denominator? Purchasing requirements, subsidies, taxes, regulation???

Maybe a bunch of economic voodoo, but might be a different way of looking at the issue.

----- Original Message -----
From: Pete Kruckenberg <pete@kruckenberg.com>
Date: Tuesday, January 14, 2003 8:16 pm
Subject: Re: Scaled Back Cybersecuruty
On 14 Jan 2003, Vijay Gill wrote:
Avi Freedman <freedman@freedman.net> writes:
Perhaps the Feds (and maybe states) could use their purchasing power to effect change. Short of that, or regulation, I don't see how the serious issues we have with the 'net will get resolved.
People do. I've been beating this particular horse for a while now, and we are starting to deploy the capex hammer. I suggest others start to do the same. See my presentation at the Eugene NANOG.
I can see how purchasing power may motivate a vendor (and maybe lots of individual vendors) to fix their own problems, develop better products, or be more responsive.
I'm trying to envision an RFP that awards business to one or a few network operators, but requires that they interoperate effectively with other operators who don't win any of the business. I've only got a state-level purchasing perspective, but I don't see it happening at any level.
Is spending really an effective hammer (or gun) to make people work together if they aren't otherwise motivated to? Behavior related to the '96 Telecom Act doesn't inspire confidence.
Can technical solutions be an effective band-aid for a complex poli-socio-economic problem like this?
Pete.