Read Liars and Outliers Online
Authors: Bruce Schneier
Comparing the top picture with the middle one shows the difference between less and more technology. In the middle, the gap between attacker and defender is the same width, but because there's more technology, the area is greater. There are actually two dimensions to innovation: technological advancement and technological prevalence. In either dimension, the more technology there is, the greater the security gap. In other words, if there are more innovations to exploit, there will be more damage resulting from society's inability to keep up with exploiters of all of them.
Think about it this way. Technology is available to both the attackers and the defenders, and it's pretty much all there is until moral, reputational, and institutional pressures catch up. When there's more technology out there, the attackers have more opportunity to increase the scope of defection before the defenders catch up. Technology can affect the scope of defection in many ways, but in general, it gives the attackers more leverage. So the more technological a society is, the greater the security gap is.
This is an intrinsic condition of the problem, for all the reasons we just talked about. The security gap cannot be eliminated.
The security gap is also greater in periods of rapid technological change, as society struggles to manage the broader social changes as well as quickly adapting defectors do. In 1970, futurist
Alvin Toffler wrote
about
future shock
, the psychological and social problems that result from people being forced to absorb too much technological change too quickly. His estimates about how much technological change people could deal with were way too low—the rate of technological change in the second decade of the 21st century is much faster than the seventh decade of the 20th—but his basic ideas are sound.
People learn how
to cope with new technologies at their own pace, some more easily than others. And groups of people move more slowly than some of their members. Defectors are not inherently less susceptible to future shock than society at large, but the more successful ones are. Successful defectors are always going to be able to outpace the average capability of society.
Again, look at
Figure 15
, the bottom this time. In a period of rapid change, technology increases faster, so the curve climbs higher in the same period of time than in the earlier figures. This faster growth rate makes for a larger area under the curve in the same period of time—a greater security gap.
This has happened before, notably in the 19th century. That's when we got railroads, steamships, the widespread use of paper mail, the telegraph, and then the telephone—all allowing people to communicate at greater distances and with greater speed. But perhaps even more important than any of that, there were significant changes in attitudes about people and the world. Society came to expect economic growth, along with universal education and universal betterment. The world changed, and that affected security.
The ease of rapid travel meant more people traveled. On one hand, this meant that you could no longer distrust people just because they came from “out of town.” On the other, this allowed for a
new type of grifter
, conning people out of their money and moving on before he could be caught. At the same time, cities got larger.. Policing in 18th-century London was a hodge-podge of unpaid and unorganized constables and a draconian court system (160 different crimes carried the death penalty). This sort of community policing didn't scale to a large modern city, so Sir Robert Peel organized the first modern police force and criminal justice system.
Other cities followed
suit.
Technology directly changed society as well. The telegraph meant that money could be transferred instantaneously, but the open nature of the system meant conversations could be eavesdropped on and spoofed. So operators developed codes to prevent that. Other examples were the mass production of timepieces, making it easier to manage employees; the rise of unions, giving employees more power with respect to their employers; and the telegraph and then the telephone, an enormous change in communication that affected everyone. It was an age where defectors adapted to a changing society, and society had to adapt to changing defectors.
Today, we're seeing the effects of both more technology than ever before
and
a faster rate of technological change than ever before.
2
In particular, the revolutionary social and political changes brought about by information technology are causing security and trust problems to a whole new degree. We've already seen several manifestations of this: the global financial crisis, international terrorism, and cyberspace fraud. We've seen music and movie piracy grow from a minor annoyance to an international problem due to the ease of distributing pirated content on the Internet. We've seen Internet worms progress from minor annoyances to criminal tools to military-grade weapons that cause real-world damage, like the
Internet worm Stuxnet
, the first military-grade cyberweapon the public has seen. All this has come about because information technology increases the scope of defection in several ways:
There are two more changes that belong on this, too, but they won't fit neatly into bullet points: changes in organizational structure and changes in organizational behavior.
Let's start with organizational structure. The Internet reduces the cost of organization dramatically, enabling ad hoc and loosely connected organizations of individuals who contribute tiny amounts of effort towards a large goal.
4
Linux and Wikipedia are both informally produced and freely available “products” created by legions of unpaid volunteers; and both are viable competition to corporate, traditionally created, alternatives. Crowdsourcing can produce results superior to more traditional mechanisms of delegating work.
From a societal pressure perspective, the normal competing interests we've come to expect from traditional organizations don't apply in the same way to these ad hoc organizations. For example, Microsoft can be—and in the past has been—pressured by the U.S. government to deliberately weaken encryption software in its products, so the government could better spy on people. This works because Microsoft is an American corporation, and in at least some ways beholden to American interests. Its operating system competitor, Linux, is not. Linux is an open-source operating system, not controlled by a business. The Linux team, even the few individuals at the core, are not motivated by profit. They're not in any one country. They are probably unlikely to agree to a confidential meeting with government officials of any nationality. They are a different sort of actor. On the other hand, Microsoft probably has better systems in place to prevent infiltration by rogue programmers.
WikiLeaks is another stateless organization. WikiLeaks sits somewhere between a loose organization of activists and the personal mission of a single individual named Julian Assange. It exposes information that governments and powerful corporations would rather keep secret. In this way it is very much like an organization of journalists. But because it is not a commercial enterprise, and because it is not moored within a country, it's much more difficult to corral. And this scares countries like the United States.
Compare WikiLeaks to a traditional newspaper. That newspaper is in a societal dilemma with all the other newspapers in that country.
Societal Dilemma: Newspapers publishing government secrets. | |
Society: All the newspapers in the country and the government. | |
Group interest: Government not clamping down on freedom of the press. | Competing interest: Increase market share. |
Group norm: Self-censor. | Corresponding defection: Publish any juicy secrets you discover. |
To encourage people to act in the group interest, the society implements a variety of societal pressures. Moral: It's unpatriotic, or otherwise wrong, to publish government secrets. Reputational: Newspapers want good reputations because it keeps their readers, advertisers, and sources all happy. Institutional: Often, none. In fact, the U.S. Supreme Court has held that it is legal to publish secrets, even though it is illegal to leak them. Security: Potentially, espionage that lets the government know when a story is about to leak. |
This doesn't look like effective societal pressure, but it largely works. It works because, even in the absence of any laws, the pressure to cooperate—to self-censor—is surprisingly powerful. No press organization wants to be labeled as unpatriotic or traitorous, or jeopardize its advertisers.
The result is that newspapers sometimes publish embarrassing government secrets, and sometimes they don't. In 1971, the
New York Times
published the Pentagon Papers, a secret and damning history of U.S. military involvement in Vietnam. In mid-2004, the
New York Times
learned about the NSA's illegal wiretapping of American citizens without a warrant, but
delayed publishing
the information for over a year—until well after the presidential election. Presumably there are things the
New York Times
has learned about and decided not to publish, period.
WikiLeaks changes that dynamic. It's not an American company. It's not even a for-profit company. It's not a company at all. And it's not really located in any legal jurisdiction. It simply isn't subject to the same pressures that the
New York Times
is. This means the government can't rely on the partial cooperation of WikiLeaks in the same way it can rely on that of traditional newspapers.
5