Computer security: The myth of cyber-security
The incentives for software firms to take security seriously are too weak
COMPUTER security is a contradiction in terms. Consider the past year alone: cyberthieves stole $81m from the central bank of Bangladesh; the $4.8bn takeover of Yahoo, an internet firm, by Verizon, a telecoms firm, was nearly derailed by two enormous data breaches; and Russian hackers interfered in the American presidential election.
Away from the headlines, a black market in computerised extortion, hacking-for-hire and stolen digital goods is booming. The problem is about to get worse. Computers increasingly deal not just with abstract data like credit-card details and databases, but also with the real world of physical objects and vulnerable human bodies. A modern car is a computer on wheels; an aeroplane is a computer with wings. The arrival of the “Internet of Things” will see computers baked into everything from road signs and MRI scanners to prosthetics and insulin pumps. There is little evidence that these gadgets will be any more trustworthy than their desktop counterparts. Hackers have already proved that they can take remote control of connected cars and pacemakers.
It is tempting to believe that the security problem can be solved with yet more technical wizardry and a call for heightened vigilance. And it is certainly true that many firms still fail to take security seriously enough. That requires a kind of cultivated paranoia which does not come naturally to non-tech firms. Companies of all stripes should embrace initiatives like “bug bounty” programmes, whereby firms reward ethical hackers for discovering flaws so that they can be fixed before they are taken advantage of.
But there is no way to make computers completely safe. Software is hugely complex. Across its products, Google must manage around 2bn lines of source code—errors are inevitable. The average program has 14 separate vulnerabilities, each of them a potential point of illicit entry. Such weaknesses are compounded by the history of the internet, in which security was an afterthought (see article).
Leaving the windows open
This is not a counsel of despair. The risk from fraud, car accidents and the weather can never be eliminated completely either. But societies have developed ways of managing such risk—from government regulation to the use of legal liability and insurance to create incentives for safer behaviour.
Start with regulation. Governments’ first priority is to refrain from making the situation worse. Terrorist attacks, like the recent ones in St Petersburg and London, often spark calls for encryption to be weakened so that the security services can better monitor what individuals are up to. But it is impossible to weaken encryption for terrorists alone. The same protection that guards messaging programs like WhatsApp also guards bank transactions and online identities. Computer security is best served by encryption that is strong for everyone.
The next priority is setting basic product regulations. A lack of expertise will always hamper the ability of users of computers to protect themselves. So governments should promote “public health” for computing. They could insist that internet-connected gizmos be updated with fixes when flaws are found. They could force users to change default usernames and passwords. Reporting laws, already in force in some American states, can oblige companies to disclose when they or their products are hacked. That encourages them to fix a problem instead of burying it.
Go a bit slower and fix things
But setting minimum standards still gets you only so far. Users’ failure to protect themselves is just one instance of the general problem with computer security—that the incentives to take it seriously are too weak. Often, the harm from hackers is not to the owner of a compromised device. Think of botnets, networks of computers, from desktops to routers to “smart” light bulbs, that are infected with malware and attack other targets.
Most important, the software industry has for decades disclaimed liability for the harm when its products go wrong. Such an approach has its benefits. Silicon Valley’s fruitful “go fast and break things” style of innovation is possible only if firms have relatively free rein to put out new products while they still need perfecting. But this point will soon be moot. As computers spread to products covered by established liability arrangements, such as cars or domestic goods, the industry’s disclaimers will increasingly butt up against existing laws.
Firms should recognise that, if the courts do not force the liability issue, public opinion will. Many computer-security experts draw comparisons to the American car industry in the 1960s, which had ignored safety for decades. In 1965 Ralph Nader published “Unsafe at Any Speed”, a bestselling book that exposed and excoriated the industry’s lax attitude. The following year the government came down hard with rules on seat belts, headrests and the like. Now imagine the clamour for legislation after the first child fatality involving self-driving cars.
Fortunately, the small but growing market in cyber-security insurance offers a way to protect consumers while preserving the computing industry’s ability to innovate. A firm whose products do not work properly, or are repeatedly hacked, will find its premiums rising, prodding it to solve the problem. A firm that takes reasonable steps to make things safe, but which is compromised nevertheless, will have recourse to an insurance payout that will stop it from going bankrupt. It is here that some carve-outs from liability could perhaps be negotiated. Once again, there are precedents: when excessive claims against American light-aircraft firms threatened to bankrupt the industry in the 1980s, the government changed the law, limiting their liability for old products.
One reason computer security is so bad today is that few people were taking it seriously yesterday. When the internet was new, that was forgivable. Now that the consequences are known, and the risks posed by bugs and hacking are large and growing, there is no excuse for repeating the mistake. But changing attitudes and behaviour will require economic tools, not just technical ones.