Monday, June 26, 2006

Cluelessness at Harvard Law Review

Articles like Immunizing the Internet, or: How I Learned To Stop Worrying and Love the Worm (.pdf) in the June 2006 (link will work shortly) Harvard Law Review make me embarrassed to be a Harvard graduate. This is the central argument:

[C]omputer networks, particularly the Internet, can be thought of as having immune systems that are strengthened by certain attacks. Exploitation of security holes prompts users and vendors to close those holes, vendors to emphasize security in system development, and users to adopt improved security practices. This constant strengthening of security reduces the likelihood of a catastrophic attack -- one that would threaten national or even global security. In essence, certain cybercrime can create more benefits than costs, and cybercrime policy should take this concept into account.

Apparently Harvard lawyers do not take economics classes. If they did (or paid attention) they would know of Frédéric Bastiat's parable of the broken window. The story demonstrates that crime, warfare, and other destructive behavior do not benefit society, since they shift resources from productive behavior towards repair, recovery, and other defensive activities.

The HLR article continues:

Cybercrime is also different from other crime because it is amenable to innovative law enforcement approaches that exploit its unique underlying psychology. The objective of a bank robbery is to obtain money. Terrorists usually wish to maximize damage. Cybercrime, however, often provides no financial gain; many cyberattacks seem to originate from a desire for fame and attention or fun and challenge. Hackers often cause little to no permanent damage to the systems they successfully penetrate. This is true even of many high-profile cyber-attacks, in which damage initially appears to be widespread.

Wow, was this article published in 1996 or 2006? "No financial gain?" "Little to no permanent damage?" Welcome to the modern world, HLR. What would you consider permanent damage -- loss of life? Everything else can be repaired, even blasts by 2,000 pound bombs. Money spent on incident response and recovery, future lost revenue from decreased customer trust, insurance payments, spending on infrastructure -- all of this could be avoided in a world without "beneficial cybercrime."

Am I being too harsh? I don't think so. This is Harvard we're talking about, not Bunker Hill Community College.

Update: HLR should read Meet the Hackers.

6 comments:

John Ward said...

Agreed, this is right out there on the fringe. I believe using the term "CyberCrime" is a mistake since it is kind of a broad term. Cybercrime covers things besides simple web defacements and r00ting servers, and I would consider things like the Nigerian Money Scams, Spam, and Online Sexual Predators as forms of "CyberCrime". None of those are victimless or "just harmless fun". Try telling the old couple swindled out of their life savings that there was "no financial gain" on the part of the thugs who robbed them, or the molested child that there is "no permanent damage". And contrary to the article, it doesn't seem like this Internet “Immune system” analogy is really doing a whole hell of a lot to "repair" those problems. Of course, Harvard isn’t the bastion of intellectuals that it likes to pretend it is anymore, so drivel like this being spewed from them isn’t that much of a surprise.

Matt said...

The paper doesn't seem to take the analogy far enough. Can exposure to a disease spur immunization? Sure. But such vaccinations are administered by licensed professionals, not by hooligans with syringes.

Anonymous said...

Unwarranted snobbery and elitism directed at BHCC at the close of your entry also gives Harvard a bad name.

Richard Bejtlich said...

Anonymous-who-can't-take-a-joke,

There's a reason I linked to the IMDB entry for Good Will Hunting.

Try posting with a real name next time.

Richard Bejtlich said...

Furthermore, people write in HLR because policymakers read and act on their ideas. The same cannot be said of every other college-associated publication. That's reality, not snobbery and elitism.

Anonymous said...

A Good Insight. But a complete ignorance of security loopholes is also not going to take anyone far. Security loopholes need to be filled up as the humans by nature take advantage of anything that can provide material gains to them. Suppose the security threats that were not uncovered earlier on and then suddenly some unscrupulous element takes advantage of them it will surely be disastrous to society.

S.K.