We all know there is a lot of money being spent on information security products, services, training, etc., and we all know there is still a lot of damage from cyber-crime and other types of information security breaches. But only when we add up the numbers, and look at what free market principles have turned the information security industry into, does it become clear that there is something very, very wrong with information security today. Many of my best friends work in this industry, so I'd imagine I might have a few fewer friends after posting this blog post today, but I feel that the realisation I have come to about the industry just screams to be shared with the world. Please don't kill the messenger, but feel free to set me straight if you feel my assertions below are in any way unfair.
If we look at information security, we see that the market size of the information security industry is somewhere around 70 billion USD per year. If we look at what this bus-load of money is supposed to protect us from, cyber-crime and other information security related damages, we see that there is a lot of room for improvement. The total yearly global damages from cyber-crime and other information security failure related incidents currently, according to different sources, seem to be somewhere between 200 billion and 500 billion. If we take it to be somewhere in the middle, we can estimate the total yearly cost for information security products, services and failure of information security at roughly 420 billion USD per year. To put this into perspective, with 7 billion people on this planet and a worldwide GDP per capita of about 10000 USD, that adds up to about 0.6% of the world's total GDP. If we scale this to the GDP per capita of some western countries like the US or the Netherlands, we end up with every US man, woman and child on average paying $300,- a year for information security related cost, or about €200,- for every man, woman and child in the Netherlands. For a US family of four, for example, this would add up to about $200 for information security products and services and $1000 for damages, or about $100 a month.
Information security apparently is both relatively inefficient and relatively expensive. So what’s the problem with information security? Can’t we fix it to at least be more effective?
As anyone who has been reading my blog before will probably know, I'm very much convinced that by using different techniques and paradigms to either reduce the size of the trusted code-base, or to align information security models with our socio-genetic security awareness, it should be possible to greatly improve the integrity of information technology systems, and more importantly, to reduce the impact and cost of security breaches. I'm pretty much convinced that with the right focus this could mean that we could make information security about an order of magnitude more effective, potentially at an order of magnitude less cost.
If we were to translate this to the numbers above, we should be able to reduce the damage done by cyber-crime and other infosec breaches for our US family of four to about $100. That would be about 1% of the total global IT spending, while at the same time reducing the global cost of information security related products and services for our family to about $20,-, or about 0.2% of the total global IT spending.
Sounds good, right? Well no, at least not from an investor's point of view apparently. While to most of us this should sound like a desirable cost reduction, this apparently isn't a realistic idea. When half a decade ago I was attempting to get investors to buy into an info-sec product I wanted to build a start-up around, it turned out that potential investors don't really like the idea of reducing the information security market size by an order of magnitude, or even the idea of making information security significantly more effective. To them doing so would be the equivalent of killing the goose that lays the golden eggs.
So if investors aren’t going to allow the infosec industry to become the lean and mean information technology protection machine that we all want it to be, how can we kill the goose without solid investments?
From a commercial perspective, and this is basically my personal interpretation of the feedback I got from my talks with what I thought would be potential investors or partners, information security products should:
- Not significantly reduce revenues from other information security investments by the same investors.
- Never saturate the market with one-time sales, so either it should require periodic updates or it should generate substantial consulting and/or training related revenues.
- Allow the arms-race to continue. Keep it interesting and economically viable for the bad guys to invest in breaking today's security products, so that tomorrow we can create new products and services we can sell.
In contrast, from the perspective of the people buying information security products, those products should:
- Reduce the total cost of IT system ownership.
- Be low-maintenance.
- Be cognitively compatible with (IT) staff.
- Make it economically uninteresting for the bad-guys to continue the arms-race.
So do economic free market principles make it impossible to move information security into the realm that allows the second list of desirables to be satisfied? In the current IT landscape it seems that they do. Information security vendors are rather powerful and very capable of spreading the fear, uncertainty and doubt that is needed to scare other parties away from reducing the need for their services and products. This seems especially obvious in the case of operating system vendors. The OLPC BitFrost project for example has shown the world what is possible security-wise with the simple concept of mutually exclusive privileges for software. It would be trivial for Google to implement such a scheme for Android, effectively eradicating over 90% of today's Android malware and making additional AV software lose most of its worth. Apple introduced the concept of a PowerBox based flexible jail to its desktop operating system, potentially effectively eradicating the need for AV. A bit later AV vendors launched a media offensive claiming Apple was years behind its main competitor regarding security and stating they were willing to help Apple clean up the mess. This works because most of us think that infosec vendors know more about infosec than OS vendors do, especially given the earlier track record of what used to be the OS-market monopolist. Infosec vendors, especially AV vendors, know very well how to play the FUD game with the media in such a way that they seem to effectively keep OS vendors from structurally plugging the holes they need for selling their outdated technology. I'm pretty sure that Microsoft, Google and Apple are perfectly capable of finding solutions that make their OSes significantly more secure without AV products than they would ever be with any upcoming generation of add-on AV protection.
OLPC's BitFrost has shown what is possible without the need for backward compatibility, while HP Labs' Polaris and, I dare claim, my MinorFS project together have shown that very much is possible in the realm of retrofitting least authority onto existing operating systems. OS vendors are making small steps, but given that they are rightfully scared of the media power that FUD-spreading AV companies can apparently command, they can not be expected to kill the goose that lays the golden eggs.
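To make the idea of mutually exclusive privileges concrete, here is an added toy policy engine in Python. It is not code from OLPC BitFrost, Polaris or MinorFS, and the privilege names and exclusion pairs are constructed assumptions for illustration. The point it demonstrates is that an installer can refuse the data-source-plus-exfiltration-channel combinations that spyware depends on purely from a program's declared manifest, with no signature database or behavioural scanner involved.

```python
"""Toy model of mutually exclusive privileges for installed programs.

Constructed example: the privilege names and the exclusion pairs below are
illustrative assumptions, not the actual identifiers used by OLPC BitFrost,
Polaris or MinorFS.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, Iterable, List, Set

# Illustrative privilege names (assumed, not taken from any real system).
NETWORK = "network"                  # may open sockets to the outside world
CAMERA = "camera"                    # may read from the camera
MICROPHONE = "microphone"            # may record audio
USER_DOCUMENTS = "user_documents"    # may read the user's document store
PRIVATE_SCRATCH = "private_scratch"  # private per-program storage only

# Pairs no single program may hold at once. Each pair is a sensitive data
# source plus an exfiltration channel, which is exactly what spyware needs.
MUTUALLY_EXCLUSIVE: Set[FrozenSet[str]] = {
    frozenset({NETWORK, CAMERA}),
    frozenset({NETWORK, MICROPHONE}),
    frozenset({NETWORK, USER_DOCUMENTS}),
}


class PolicyViolation(Exception):
    """Raised when a grant would combine mutually exclusive privileges."""


def violated_pairs(privileges: Iterable[str]) -> Set[FrozenSet[str]]:
    """Return every exclusive pair fully contained in the given privilege set."""
    held = set(privileges)
    return {pair for pair in MUTUALLY_EXCLUSIVE if pair <= held}


@dataclass
class Program:
    name: str
    granted: Set[str] = field(default_factory=set)
    denied: List[str] = field(default_factory=list)  # audit trail of refusals

    def grant(self, privilege: str) -> None:
        """Add one privilege, refusing it if it conflicts with those already held."""
        bad = violated_pairs(self.granted | {privilege})
        if bad:
            self.denied.append(privilege)
            others = sorted(p for pair in bad for p in pair if p != privilege)
            raise PolicyViolation(f"{self.name}: {privilege} conflicts with {others}")
        self.granted.add(privilege)

    def may(self, privilege: str) -> bool:
        """Runtime check a system service performs before acting for this program."""
        return privilege in self.granted


def install(name: str, manifest: List[str]) -> Program:
    """Process a manifest in order; the first privilege of a conflicting pair wins.

    Ordering lets the manifest author choose which side of an exclusion the
    program lives on; the installer never needs to know what the program is.
    """
    program = Program(name)
    for privilege in manifest:
        try:
            program.grant(privilege)
        except PolicyViolation:
            pass  # the refusal is recorded in program.denied
    return program


if __name__ == "__main__":
    # Hypothetical photo app: camera plus private storage, network refused.
    photo = install("photo", [CAMERA, PRIVATE_SCRATCH, NETWORK])
    print(photo.granted, photo.denied)
    # Hypothetical chat app: network plus private storage, mic/documents refused.
    chat = install("chat", [NETWORK, PRIVATE_SCRATCH, MICROPHONE, USER_DOCUMENTS])
    print(chat.granted, chat.denied)
```

The `denied` list is worth keeping in a real implementation: a program whose manifest repeatedly asks for both sides of an exclusion is a useful signal for review, and the log costs nothing to produce.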
So how about open source? Forget about Linux, at least the kernel related stuff: much of the development on Linux is being done by companies with a large interest in infosec services, and those that don't have such an interest still have a lot to fear from AV-company-induced FUD in the media. But the concept of open source goose killing is quite an interesting one. We are trying to reduce global infosec related cost by many, many billions, while a few handfuls of projects, each requiring the equivalent of a mere few million in man-hours, would likely be sufficient in combination to make a major impact on the technical level. Investors won't help; it's not in their interest. OS vendors have too much to lose when they pick a fight with AV vendors, and openly investing in goose killing would be an outright declaration of war against the AV industry. While spare-time open source projects can produce great products, spare time is scarce and for most of us open source spare time development is a relatively low priority. So to make any impact, at least part of the people working on such projects should have development of these products as a source of income. Volunteers are invaluable, but we can't work with volunteers alone if we want to overthrow the information security industry. We don't want to fall into the same trap that infosec vendors and investors have fallen into: any commercial interest in the end product would be contrary to the goals we are trying to achieve. So how could we fund these developers?
The best position, and the only one that has a slight chance of success, would seem to be that of a non-profit charity organisation. A charity organisation free from commercial ties to infosec and OS vendors and service providers. Such an organisation could act with the purpose of:
- Funding the partially paid development of free and open-source initiatives that show promise of both reducing the global IT security related cost and increasing integrity, confidentiality, privacy and availability of computing devices and IT infrastructure.
- Coordinating contact between volunteer developers and new projects, and handling procedures to allow talented volunteers to go from volunteer to (part-time) paid developers.
- Marketing these projects.
- Defending all such projects against legal and media FUD campaigns by the AV industry.
Could this become reality? I think with the right people it could. I know I could not play more than a small role in the creation, but I would definitely put private time and money into such an organisation, and if and when others would do likewise, we would have a great place to start from. I think it's important for the information security field to progress that we kill the goose that lays the golden eggs. OS vendors used to be what was holding back infosec; now however it's the information security industry itself, most notably the AV industry, that has almost become a media variant of a protection racket scheme.