At a meeting to be held this week, according to a Pentagon source who spoke on condition of anonymity, the Army’s leadership is expected to request $9 billion for 9,000 MRAPs to be fielded through fiscal year 2008, with another 8,700 for fiscal 2009.
That's $1 million per vehicle.
I have a sinking feeling that although the new vehicle is "Mine Resistant," the "Ambush Protected" part will be tested by unpredictable, creative adversaries.
What does this teach us about digital security?
Frequently I hear people refer to the "if cars were like Windows" analogy. Let's take a look at cars and PCs, given the MRAP is really just a fancy car.
- A car that doesn't start may be like a PC that doesn't boot. It could be the fault of the manufacturer or the owner, depending on maintenance, etc. If it's the manufacturer's fault, they could be held responsible for the problem.
- A car that behaves erratically or in an unsafe manner while being driven may be like a PC that behaves erratically or crashes. It could be the fault of the manufacturer or the owner, depending on maintenance, etc. If it's the manufacturer's fault, they could be held responsible for the problem.
- A car that gets hit by a boulder dropped from a bridge may be like a PC that is attacked by an exploit. This is not the fault of the driver or PC operator -- it's the fault of the threat dropping the boulder and the intruder launching the exploit. (Even if the PC is not patched, it's not the victim's "fault." If you can't accept that, consider the PC fully patched and the vulnerability a zero-day.)
In cases 1 and 2, we could hold either the owner or the manufacturer responsible for the problem, depending on the circumstances. In case 3, the threat is responsible.
Unfortunately, few owners are in a position to do anything about threats. If we take a vulnerability-centric approach, we end up driving vehicles like the MRAP and building layers of security around PCs (anti-virus, network firewalls, etc.) In both cases the mitigation is costly and ultimately ineffective, because the threat remains free to devise new and ingenious ways to inflict his will against the target.
Thinking we can build "invulnerable" vehicles like the MRAP is like Bruce Schneier thinking we can build invulnerable software. Sure, you can make more attack-resistant vehicles and software, but for what cost? Ultimately the threat must be directly addressed. No one thinks the way to peace in Iraq is by giving every Iraqi a bunker in which to live and a MRAP to drive. Why do people think we can do that with software?