Shostack + Friends Blog Archive

 

'Experts' misfire in trying to shoot down Charney's 'Internet Security Tax' idea

The information security industry intelligentsia are often poorly qualified to evaluate economic and public policy solutions to systemic InfoSec problems. They just don’t have the training or depth of knowledge. That doesn’t stop them from being quoted in industry media as if they are the be-all-end-all ‘experts’. I just wish the media would seek out people who knew what the hell they were talking about in this arena. Here’s a case in point.

In a keynote speech at RSA 2010 (full text), Microsoft’s Scott Charney proposed proactive solutions to systemic problems like botnets. Drawing analogies with public health and environmental protection, he said it might make sense for ISPs quarantine infected consumer PCs [link to http://www.yinhuan.net/2010/03/15/microsoft-exec-infected-pcs-should-be-quarantined/ no longer works]. Then he said:

And then there’s a question of who would pay for that. Well, maybe markets will make it work, but if not, there are other models: use taxes for those who use the Internet. We pay a fee to put phone service in rural areas, we pay a tax on our airline ticket for security. You could say it’s a public safety issue and do it with general taxation. [emphasis added]

In other words, some collective action might be beneficial and either markets might pay for it, or taxes might be necessary. Two days later, a Microsoft spokesperson clarified:

“Scott Charney did not suggest a new Internet tax to fund cybersecurity programs. As part of his keynote at RSA he recommended that the industry and government look at developing the equivalent of the World Health Organization to combat malware on the Internet,” the spokesperson said. “Within this context he mentioned the need to explore how to develop a sustainable funding model for this initiative, not suggesting that any particular funding model is best.”

To be even more clear, he definitely didn’t say that Microsoft should get the proceeds or play any part in how it is spent.

In the following days, industry analysts, executives, and bloggers weighed in and their judgment was mostly negative. A prime example is the Computerworld article with a headline that called it “a horrible idea”, quoting John Pescatore of Gartner Group. Here are more ‘expert’ reactions quoted in the same article:

  • Pescatore: ” ‘Why not a tax on all retail goods for a standard antishoplifting service all merchants would have to use?’ A business, he said, can now select what it thinks is the best anti-malware solution, but that choice would presumably vanish if funding for battling the bad guys went national.”
  • Pescatore: “A general tax would reduce the services to the lowest common denominator”
  • Wolfgang Kandek, CTO of Qualys: “I have a hard time seeing [a tax] work. The Internet is an international body; you can’t regulate it, and you cannot levy a tax. ISPs might have to up their fees to pay for something like this, I can see that, but a tax that brings government into play — I can’t see that.”
  • Randy Abrams, Director of Technical Education at ESET Security: “A tax may be a bad idea, but people will pay for it one way or another.”
  • Andrew Storms, Director of Security Operations at nCircle Network Security: “I don’t have a problem with charging a fee and giving it to good works for the whole. The problem is that one, you have to find a big, smart and trustworthy organization to handle this. And most people will agree that’s not the government, and that’s not Microsoft.”
  • Storms: “More likely is that an ISP will take the plunge, charge its users a little extra to keep their machines clean, and prove that it’s possible. Then I could see a consortium of ISPs getting together to do that.”

Here are some of the negative reactions from bloggers:

“Let’s also not forget that Microsoft has gone out of its way to create a monoculture where one OS dominates, through legal and illegal methods. So the idea that we should now all pay to solve a problem that Microsoft not only wanted to create, but made billions of dollars in the process is frankly … ridiculous.”

“Microsoft’s “Trustworthy Computing” shtick has gone so far over the oxymoronic top that it’s just no longer possible to give the company the benefit of the doubt. … Really, Scott? … Did you really think we’d all look at each other with nods of agreement, impressed by the brilliance of your epiphany? Didn’t you realize that revelation might just backfire on you?

It’s unfathomable that a company with Microsoft’s resources can be so clueless and out of touch. … If Microsoft expects to be taken seriously as an enabler of “trustworthy computing,” it needs to do a lot more than this to demonstrate trustworthiness. Taxing users who find the software they bought is non-secure is like taxing Toyota owners for finding they have faulty gas pedals.”

This is where I step in an call “BOGUS!”

Q: How many of these ‘experts’ know any thing about information economics and public policy responses to negative externalities? A: Zero.

Even more basic Q: How many of them bothered to find out what Charney was really proposing — rather just reacting to the headline version: “Net tax to clean computers” or the fact that someone from Microsoft said it? A: Of the articles and blog posts I saw, only two bothered to dig into the speech and seek to understand or clarify Charney’s comments: BetaNews and yinhuan.net. Conversely, the comments by Pescatore and Kandeck lead me to believe that they didn’t really understand the proposed idea. Others used this opportunity to throw rocks at Microsoft rather than deal with the substance of the ideas.

Regarding the idea itself, I think the comment by Randy Abrams is on the mark: “… people will pay for it one way or another.” Right now, we pay for it through the cost of security breaches and through the cost of inefficient security spending.

The idea of taxes as a way to counteract or pay for mitigation of negative externalities has been thoroughly researched in economics, especially environmental economics. Here are some links if you want to learn more:

  • Also known as Pigovian tax
  • Short Tutorial
  • Longer Tutorial [link to http://www.csc.noaa.gov/coastal/economics/index.htm no longer works] in the context of environmental economics
  • Green taxes” [link to http://www.parliament.uk/commons/lib/research/rp2009/rp09-086.pdf no longer works] — public policy analysis from UK
  • Economic analysis of negative externalities and possible solutions (PPT)

Myself, I’m more in favor of market-based funding methods (e.g. insurance, etc.): Incentive-based Cyber Trust. But mandated insurance or other mandates can be seen as a form of “tax”, so the main question is what form of incentives and funding is most effective and most efficient.

This is just one small case in the on-going public policy discussions regarding economics of information security, but given the reaction of the ‘experts’, this was a step backward.

2 comments on "'Experts' misfire in trying to shoot down Charney's 'Internet Security Tax' idea"

  • Jared says:

    While watching Scott talk I think he made a great point. It’s a conversation I’ve joined in the past. Pulling a page from schneier, put the liability on those who are able to enforce. Isp’s can quarantine, help clean for a fee, allow you access to self serve tools, or point you to others who may charge. I’m willing to share in the cost of helping grandparents get clean.just covering 80/20 would be a good experiment. The market will respond to these added costs. Let’s start putting a dollar figure on the pollution. This would also set up some interesting intenational drama…
    (from my mobile)

  • Chris says:

    Great post.

    Pescatore’s remark in particular is idiotic. We already pay a standard anti-shoplifting tax. It is spent on the police department!

    Charney’s “mistake” was to call for a use tax rather than a “usage fee” or something. People get all dopey when they hear about a “tax”, but are much less whiny when the same levy is magically transmogrified into a fee-for-service which just happens to go to the exact same body.

Comments are closed.