You know what I love about having a blog? I love the fact that I can return to the same subject over and over and hammer it into the ground until y'all are begging me to stop. Like that's going to work. Ha! If you've got something to say, say it with cash. Tip jar's over on the right. If you want something out of me, you pile gold before me until I smile.
Anyhow, as I was saying, I've been thinking more about open v. closed security. Generally, you can find me voting with the libertarians, but on this one, I'm of two minds.
On the one hand, a decentralized, open information system works better at processing information for the optimal answer. A large part of why communism failed was that no one did any work, of course; but another large part is that the economic system did a very poor job at finding out what people needed and how badly they needed it. So instead of basing their decisions on what people needed, the guys in charge of production based their decisions on what they thought people needed. If you have parents you know this is not the same thing. No matter how well-meant the decision-makers, the result is decidedly sub-optimal.
So on the one hand, releasing potential security holes to the entire population, and letting the giant processor that is the hearts and minds of the American public work on them, is an order of magnitude more likely to produce an innovative way to plug your hole than is asking a small team of experts to come up with the solution.
But on the other hand, some security holes don't have fixes; or at least, many of the cures are worse than the disease. Let's say that we didn't have these nifty heat scanners for cargo containers. That would be a major security hole. However, the likely solutions -- open every container, go back to non-container shipping, or shut down shipping -- would likely cause more damage and lost lives than a terrorist attack, as they would cripple our economy.
At that point, releasing the information doesn't enhance your security; it gives the terrorists ideas, without producing new solutions.
The problem is, there's no way of telling in advance which problems have solutions that just haven't been discovered yet, and which are insoluble. They're all insoluble to your little team of experts.
So you have to make a tradeoff between finding solutions and not giving terrorists ideas. And you tend to err on the side of security. This is not unreasonable; after all, if you have the experts on your team, you've already got the people most likely to generate solutions. Even though sheer weight of numbers means that the American public would be even more likely to do so, the curve is not smooth; there are diminishing returns to telling more people, while the heightened security risk is real.
At this point, the hard core open source/open society types tend to say that of course the terrorists will have thought of anything you can. Now, that's just silly. First of all, a lot of the holes in security are visible only to people in highly specialized professions: pilots, engineers, scientists. There aren't a lot of those in terrorist groups, because they have, y'know, jobs.
And second of all, that giant processing system works the other way. There are a lot more of us than there are of the terrorists, and consequently, we're going to generate a lot more high-quality ideas for bringing the nation to its knees. Mathematically, some of those ideas are going to lack solutions, cost-efficient or otherwise. After all, we've been working on the problem of finding a really good low-calorie dessert for fifty years, and what have we got? Snackwells.
There's a certain element of "to the person with a hammer, everything looks like a nail". Sure, open source does a great job of patching Apache. But Apache still gets hacked. And let's get a little perspective here: software security is not the same thing as personal security. When I wrote a post criticizing medical residency programs for having residents work 48-hour shifts, old friends emailed to point out that I used to do "mission critical" work on shifts that lasted up to, one memorable weekend, 65 hours. Okay, guys, we're getting a little exaggerated idea of our own importance. I worked on a box of bolts. If it went down, the companies I worked for lost a lot of money. But at the end of the day, all of the little bankers got up from their desks and went home to their families. Equating the two is sheer hubris.
Urging people to publish their ideas on security weaknesses with the intent of pressuring the government to do something about the security holes has the flavor of an open source suicide pact. If you don't have a ready solution, all you're doing is giving someone else an idea they may not have had. And not just terrorists, either. There are, I regret to say, homegrown American lunatics of the non-terrorist variety who might like to take up some of your ideas for their very own.
There is a reason that the government is biased towards secrecy. Often, it probably goes too far, and that's why we need the libertarians and the ACLU and the open source aficionados pressuring it to give us more information. But the level of distrust where you think it's safer to publish, in mass media, all your thoughts on how to attack America than to trust the government. . . well, I think you've been spending a little too much time reading your own literature.
Posted by Jane Galt at November 22, 2002 08:11 AM

Hiya, Megan! Glad you're better, and a belated congrats on the new gig.
My guess is that you're already familiar with Robin Hanson's Idea Futures Markets and David Brin's The Transparent Society, but it's worth linking to them anyway. Also check out Marc Stiegler's Earthweb, which deals explicitly with optimizing distributed decision-making in response to a threat.
Posted by: Paul Snively on November 22, 2002 09:46 AM

I generally agree with what you've written, but I'd like to add a minor point.
One advantage of blabbing about every security hole is that it gives the general public a more accurate picture of their vulnerabilities. This is important, if these same people will be deciding for themselves the costs and benefits of going on offense, rather than playing defense.
I probably have more knowledge than most people about how incredibly vulnerable we are, and I know people with a lot more knowledge of this than I have. I notice that the better informed a person is on this topic, the more aggressive they seem to be about taking the war to the enemy.
Posted by: Mike Jackmin on November 22, 2002 09:52 AM

Meg,
Okay, when our small group of experts can't figure out how to plug a security hole, it's hard to decide whether we should ask for help from the general public or just classify the whole thing.
But what about when our experts come up with a solution, but it's expensive or otherwise less than ideal? In that case, we can get a lot of benefit from publicizing the problem (in hopes of finding a cheaper/better solution) and there's little downside.
Unfortunately, my very limited experience with the security mentality is that the solution to all problems is to classify them.
Posted by: PJ/Maryland on November 22, 2002 10:27 AM

Would it be a good idea to have a well-published mechanism for reporting vulnerabilities and proposed solutions to the government?
Maybe we should use decentralized disinformation to give terrorists ineffective ideas and cover up any effective ideas that might be mentioned elsewhere.
I've been talking about using aspirin bombs on the grounds that a few tons of aspirin is a very large number of lethal doses...
Even better than ineffective ideas would be to spread rumour of a bogus insoluble security hole in an obscure area and watch for activity... Gotcha!
After publicising a few cases, the terrorists would be leery of going after 'insoluble' security holes.
Of course, we could tell them that we've already *started* spreading the rumours...
Cheers,
Glenn
Posted by: Glenn Thomson on November 22, 2002 04:46 PM

"...more likely to produce an innovative way to plug your hole..."
I nearly choked on a glass of oolong tea when I got to that line :-D
Posted by: anony-mouse on November 22, 2002 09:13 PM

I'm a libertarian too. What do you think about efforts to fingerprint millions of people? See http://www.whyfingerprint.com.
Posted by: WDH on January 28, 2004 03:03 PM