Managing Online Security Risks

New York Times; New York, N.Y.; Jun 1, 2000; Hal R. Varian
Translator: D.Nescient, 2006-11-12, Shanghai


The Internet has sometimes been described as a "lab experiment that got loose." It grew up in a sheltered environment, free of disasters, in which the network researchers all knew and trusted one another. But after it left the laboratory in 1995, it found itself in an environment full of ugliness and hostility.

Recent security incidents, such as the "I love you" virus a few months ago and the attacks on major Web sites, have amply shown how fragile the Internet really is.

Modern cryptography is often hailed as the magic elixir for building a secure space for commercial computing, but it only works when people use cryptographic security features effectively.

Security researchers have tended to focus on the hard problems of cryptography and system design. By contrast, the issues surrounding ordinary people's use of computers, and the creation of incentives to avoid fraud and abuse, have been relatively neglected. That needs to be rectified.

A.T.M.'s (automated teller machines) are a good example. A lot of thought went into the security design of these systems, and relatively sophisticated cryptographic techniques were used to resist attacks. But how effective were these designs?

Several years ago Ross Anderson, a security researcher at Cambridge University, investigated a large number of A.T.M. fraud cases in England and reached a conclusion: almost all of the incidents involved human error. The cryptography was sound; the security problems arose because the systems were misinstalled, misconfigured and mismanaged by the local banks. His paper, "Why Cryptosystems Fail," can be found at http://www.cl.cam.ac.uk/ftp/users/rja14/wcf.ps.gz.

Why were the local banks so sloppy? The answer lies in the way England assigns liability. In the United States, if there is a dispute between a customer and a bank, the customer is right unless the bank can produce evidence that the customer is wrong. In Britain the burden of proof is reversed: the bank is right unless the customer can produce evidence that the bank is wrong. It is almost impossible for the customer to prove that the bank was at fault, so British banks had almost no incentive to pay attention to security. The resulting sloppiness led to a rash of A.T.M. fraud.

In the United States, banks have an incentive to invest in risk management techniques. For example, local banks have installed cameras to counter A.T.M. fraud and have trained their staff in security practices. So, Mr. Anderson concluded, even though American banks spend less on security than British banks do, they handle security problems more effectively.

This example illustrates a fundamental principle of the economic analysis of liability: liability should be assigned to the party that can do the best job of managing the risk. For most A.T.M.-related risks, the banks are in a better position to manage the risk than the users are, so they should bear most of the liability. But you would not want users to escape all liability for their actions, or they would become careless. The right balance should depend on the influence each party has over the possible risk factors.

Let us return to computer attacks. One reason computer security is so weak in practice is that liability is too diffuse. Consider the attack that took place a few months ago, in which computer vandals took control of computers on relatively unprotected university networks and used them to shut down Yahoo and other major Web sites. Although the universities found the takeover of their machines objectionable, they did not bear the heavy losses that Yahoo suffered from the attack. If the universities bore some liability toward the third parties that were harmed, they would have a strong incentive to make their networks more secure.

The same problem arises in providing high-speed broadband service to the home. By default these networks are always connected to the Internet, which makes them easy to use for mounting attacks in cyberspace. If a user's computer is taken over, should he bear the losses of the other users who are attacked? The average user is fundamentally incapable of protecting his computer from being taken over, so assigning liability to him would achieve nothing. Assigning liability to the network operator would make more sense.

A typical security analysis involves identifying the weak points in a system and indicating who is in a position to fix them. But security analysis should go a step further and examine the incentives of those responsible for the system. Such an analysis could be used to assign liability so that those who are well placed to control the risks have an incentive to do their job.

Once the assignment of liability is settled, the party bearing the liability will no doubt need to buy insurance. At first glance this seems counterproductive: if your liability is fully insured, why would you still invest in risk management? In fact this ignores the incentives of the insurers: they only want to insure clients who apply good security practices, and they will make every effort to instruct their clients in how to improve their Internet security.


Just as an insurer of an office building will give you a reduced rate if you have a sprinkler head every 12 feet, an insurer against computer crime will give you a reduced rate if you install security patches within two weeks of their release, provide continuing education for security staff and engage in other good risk management practices.

This is how it should work, but we are not there yet. Many insurers have very little experience with computer security and cannot judge the risks, so they can offer almost nothing in the way of protection. As their experience grows, they will be in a better position to advise their clients. When insurers begin to insure against computer attacks, the companies will have every incentive to do it right: if they give bad advice, they will have to pay the resulting claims.

So, what should be done about computer crime? The first step is to assign legal liability to the party best able to manage the risk. Insurers can then develop specialized risk management techniques for computer security and offer such services to their clients. Unfortunately, this will be a long process. In the meantime, we can expect to see more chaos on the Internet.


Translator's note:
Premium rate (費率): the premium per unit of insured amount, commonly called the price of buying insurance.

Original text attached:

Managing Online Security Risks

New York Times; New York, N.Y.; Jun 1, 2000; Hal R. Varian

THE Internet has sometimes been described as a "lab experiment that got loose." It was developed in a sheltered environment of network researchers who knew and trusted each other. But after it escaped from the laboratory in 1995, it found itself in a hostile environment full of unsavory characters.

Recent security incidents like the "I love you" virus and the attacks on major Web sites a few months ago have shown how vulnerable the Internet really is.

Modern cryptography is often hailed as the magic elixir that will make cyberspace safe for commerce. But it will only work if people use cryptographic security features effectively.

Security researchers have tended to focus on the hard issues of cryptography and system design. By contrast, the soft issues revolving around the use of computers by ordinary people and the creation of incentives to avoid fraud and abuse have been relatively neglected. That needs to be rectified.

Automated teller machines are a good example. A lot of thought went into the security design of these systems and relatively sophisticated encryption techniques were used to guard against attacks. How effective were these designs?

Several years ago, Ross Anderson, a security researcher at Cambridge University, examined a number of cases of fraud at automated teller machines in Britain and concluded that almost all of the incidents involved human error. The encryption technology was fine; the security problems occurred because the systems were misinstalled, misconfigured and mismanaged by the local banks. The paper, "Why Cryptosystems Fail," can be found at http://www.cl.cam.ac.uk/ftp/users/rja14/wcf.ps.gz.

Why were the local banks so sloppy? The answer lies in the way liability is assigned in Britain. In the United States, if there is a dispute between a customer and a bank, the customer is right unless the bank can show that he is wrong. In Britain, the burden of proof is reversed; the bank is right unless the customer can show it is wrong. Since it is almost impossible for a customer to prove the bank made a mistake, British banks had little incentive to take care. The resulting sloppiness led to a rash of A.T.M. fraud.

In the United States, banks have an incentive to invest in risk management techniques. Banks in areas prone to A.T.M. fraud, for example, have installed cameras and trained their staff in security practices. So, even though American banks spend less on security than do British banks, Mr. Anderson concluded, they deal with it more effectively.

This example illustrates one of the fundamental principles of the economic analysis of liability: it should be assigned to the party that can do the best job of managing risk. For most risks associated with A.T.M.'s, the banks are in a better position to manage risks than are the users, so they should end up with most of the liability. But you wouldn't want the users to escape all liability for their actions, since they would then tend to be too sloppy. The right balance should depend on the influence that each party has over the possible risk factors.

Which brings us back to computer attacks. One reason that computer security is so poor in practice is that the liability is so diffuse. Consider the attacks that took place a few months ago, in which computer vandals took over computers on relatively unprotected university networks and used them to shut down Yahoo and other major Web sites. Although the universities found the takeover of their machines a nuisance, they didn't bear the bulk of the costs of the attack on Yahoo. But if universities bore some liability for the damages to third parties, they would have a stronger incentive to make their networks more secure.

The same problem arises with providing high-speed broadband service to the home. These networks are, by default, always connected to the Internet, leaving them susceptible to being used to mount an attack in cyberspace. If a particular user's computer is taken over, should he have liability for the cost of the attack on someone else? The average user is essentially clueless about how to prevent his computer from being taken over, so assigning liability to him would be pointless. Assigning liability to the network operator would make more sense.

A typical security analysis involves identifying weak points in a system and indicating who might be in a position to fix them. But security analysts should go one step further and examine the incentives of those responsible for the system. Such an analysis could be used to assign liability so that those who are best positioned to control the risks have appropriate incentives to do so.

Once the liability assignment is straightened out, the parties stuck with the liability will no doubt want to buy insurance. At first glance, it appears that this is counterproductive: if you are perfectly insured against liability, why should you invest in risk management? But this ignores the incentives of the insurers: they only want to insure clients who use good security practices, giving them every incentive to instruct their clients in how to improve their Internet security.

Just as an insurer of an office building will give you a reduced rate if you have sprinklers every 12 feet, an insurer against computer crime will give you a reduced rate if you install security patches within two weeks of their posting, provide continuing education for security staff and engage in other good risk management practices.

This is how it should work, but we are not there yet. Most insurance companies have very little experience with computer security, and being unable to judge the risks, they offer little in the way of protection. As their experience increases, they will be better placed to offer advice to their clients. And when insurance companies do start insuring against computer attacks, the companies will have a great incentive to do it right: if they give bad advice, they will have to pay the resulting insurance claims.

So, what should be done about computer crimes? The first step is to assign legal liability to the parties best able to manage the risk. Insurers can then develop expertise in risk management for computer security and provide such services to their clients. Unfortunately, this will be a long and slow process. In the meantime, we can expect to see many more disruptions on the Internet.
 