What’s a seven-year view anyway? Ross Anderson Cambridge University ICSS, Leuven, 06/09/2013


Page 1: What’s a seven-year view anyway?

Ross Anderson, Cambridge University

ICSS, Leuven, 06/09/2013

Page 2: What’s good engineering research?

• Advice I got from my thesis adviser, the late Roger Needham:
  – Don’t try to invent stuff that will get to market next year – you’re competing with industry, who have more people and more money
  – If you try to invent stuff for 25 or 50 years from now, you’re doing pure maths or science fiction

• So try to figure out what people will need 5–10 years from now. That’s out of scope for product managers (and ministers) but maybe just about foreseeable


Page 3: Where are the real problems?

• Crypto we can do now (AES, SHA2/3), though protocols can be hard in practice [2]

• Hardware tamper-resistance we can sort of do, but it’s harder than crypto [3]

• Access control is often tractable but there are constant new challenges (phones, SDN …) [3]

• Software security is seriously hard [7]

• The complexity of real-world systems is the real long-term killer [4+]


Page 4: What’s our Grand Challenge?

• Complex, global-scale socio-technical systems are emerging as computers and communications become embedded everywhere

• We’re coming to depend on the Internet, on the payment system, on many others …

• How are we to understand them, manage them and improve them?

Page 5: Complex Systems

• Since the invention of agriculture and towns about 10,000 years ago we’ve been building complex systems

• Armies, civil services, religions, industries, markets…

• Until recently systems were driven by people – with control mechanisms based on hierarchy, small-group relationships or exchange

Page 6: Roman Army [image slide]

Page 7: Chinese Civil Service [image slide]

Page 8: Bank of England [image slide]

Page 9: Tiffin Box Delivery [image slide]

Page 10: Complex Socio-technical Systems

• Now we have people plus software!
  – The Internet itself
  – The global card payment system
  – The global advertising ecosystem
  – Smart grids for distributing electricity
  – Facebook
  – …

• But with global-scale systems we get conflict!

• How do we build such systems to be dependable and fit for purpose?

Page 11: Economics Matters Too

• Since 2000, we have started to apply economic analysis to security and dependability

• Systems often fail because the folks who guard them, or who could fix them, have insufficient incentives
  – Where banks can dump fraud risk on customers or merchants, fraud increases
  – If electricity generation companies don’t have an incentive to provide reserve capacity, there will be blackouts

• Insecurity is often an ‘externality’ – a side-effect, like environmental pollution

Page 12: IT economics and dependability

• High fixed/low marginal costs, network effects and switching costs all tend to lead to dominant-firm markets with big first-mover advantage

• The Microsoft philosophy of ‘we’ll ship it Tuesday and get it right by version 3’ was quite rational

• In a market race, you must appeal to complementers – developers for PC versus Apple, Symbian versus Palm, Facebook versus Myspace

• Little security in early versions, so it’s easier to develop apps; win the market; then lock it down

• That’s one of the reasons platform security sucks!

Page 13: Information Security Economics

• Models of what’s likely to go wrong – perverse incentives, asymmetric information

• Measurements of what is going wrong – patching cycle, malware, fraud

• Recommendations for how to fix it – what actors can likely do what

• In the last ten years, it’s grown from zero to over 100 active researchers

• Policy recommendations now being adopted in both the USA and Europe

Page 14: Security economics and policy

• 2008: ‘Security Economics and the Single Market’ report looked at cybercrime and what governments could do about it

• 2011: ‘Resilience of the Internet Interconnection Ecosystem’ examined critical infrastructure and made recommendations

• 2012: ‘Measuring the Cost of Cybercrime’ sets out to debunk myths and scaremongering


Page 15: What’ll be hot in policy in 2020?

• Policy timescale is 5–10 years or more, while ministers mostly think of the next election …

• So policy becomes reactive! Two big drivers:
  – Tech shifts create winners (who keep quiet) and losers (who lobby)
  – Existing state agencies try stuff, and do more of what ‘works’

• So we get the music industry’s copyright jihad, the spooks’ surveillance programs, …

Page 16: IT economics in maturing markets

• A firm building a network monopoly must race to market – and appeal to complementary vendors

• Once established, it’s about lock-in

• So don’t be surprised at creeping platform lockdown (UEFI …)

• With service firms, expect more bundling, and exploitation of what they know of the customer

• Security tussles over many systems, from smart meters to medical record privacy, are increasingly about business models, not evil outsiders


Page 17: Who’ll be the lobbying losers?

• They’re bound to be interests that are already losing. Here are some thoughts:
  – Big pharma, as the new drugs pipeline is getting empty and genomic medicine isn’t delivering; so use genomics to sell existing drugs more
  – Service industries: for example, lawyers’ salaries are under pressure now that firms in India can take over routine and unregulated work
  – There will be a rush to access ‘big data’ to lock in customers, and to lobby for privacy carve-outs


Page 18: Public-sector lobbying successes?

• In the 15 years since the dotcom boom, winners have ranged from the smart-meter lobby to the NSA. Who else?
  – If crime continues to move online, the police might eventually be more serious winners
  – Local data-centre owners can use Prism to sell ‘government clouds’
  – But overall there will be a push to use ‘big data’ to discriminate between taxpayers / service users
  – More privacy carve-outs will be demanded


Page 19: What might break?

• The biggest candidate is data protection!

• This is a classic ‘sanctuary’ set up by elected politicians to avoid toxic choices (see Fiske and Tetlock, or www.lightbluetouchpaper.org)

• That was OK so long as choices between privacy and profit / convenience had few visible consequences for most voters

• That’s now changing! Lobbying storm over the Data Protection Regulation, and now Prism


Page 20: A view on 2020

• See this morning’s Guardian!

• Recall Crypto AG, Clipper, key escrow?

• The crypto wars didn’t end in 2000: the NSA and their friends have worked hard to insert vulnerabilities via vendors and standards

• Will the Internet fragment? Saskia echoed industry’s response to Prism: can’t use clouds or the Americans will get your stuff

• Now: can you trust any foreign vendors?

Page 21: Bruce Schneier’s op-ed this morning

‘Government and industry have betrayed the internet, and us.

‘By subverting the internet at every level to make it a vast, multi-layered and robust surveillance platform, the NSA has undermined a fundamental social contract. The companies that build and manage our internet infrastructure, the companies that create and sell us our hardware and software, or the companies that host our data: we can no longer trust them to be ethical internet stewards.

‘This is not the internet the world needs, or the internet its creators envisioned. We need to take it back.’

Page 22: Conclusion

• Security is just one aspect of a complex regulatory mix that also affects competition, trade liberalisation and much else

• Member states will be much more able to stand up to US / Chinese bullying collectively

• Cecilia’s vision of a European internet that promotes and defends our values is great, but her cybersecurity proposals would channel EU efforts via one agency in each nation state

• That’s giving control to GCHQ & friends