Risk Management is Where the Money is

Date: Thu, 12 Nov 1998 08:27:33 -0800 (PST)
From: risks@csl.sri.com
To: risks@csl.sri.com
Subject: Risks Digest 20.06

RISKS-LIST: Risks-Forum Digest  Thursday 12 October 1998  Volume 20 : Issue 06

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

This issue is archived at http://catless.ncl.ac.uk/Risks/20.06.html and at
ftp.sri.com/risks/ .

  Contents: [RISKS info in other issues]
Risk Management is Where the Money Is (Dan Geer)

----------------------------------------------------------------------

Date: Wed, 11 Nov 1998 22:20:09 -0500
From: Dan Geer (geer@certco.com)
Subject: Risk Management is Where the Money Is

Digital Commerce Society of Boston
3 November 1998

Daniel E. Geer, Jr., Sc.D.
Senior Strategist, CertCo, Inc.
55 Broad Street, NYC, and
100 Cambridgepark Drive, Cambridge
geer@certco.com

Given my biases, I am going to describe where the future of the security
marketplace is and where it is not. I will argue that the financial
community is and remains the place to look for "first light" for new
security technology. I will give you a rundown of what's new while I predict
what little time is left for many of today's products, purveyors and
regulators. I will argue that, in many ways, the party's over for the
security field as we know it now. I will range broadly because security, as
a concept, is universal.

"Nothing is so powerful as an idea whose time has come."  For security
technology, that time is now. IBM calls the three requirements of the
"e-business" future as: #1 security, #2 scalability, and #3
integration. Forrester, Gartner, META, Yankee and all the other analysts
agree -- the most important enabling technology for electronic business,
besides network connectivity itself, is security. AD Little estimates that
security, privacy and the legal issues of digital signature together
constitute over half of the quantifiable barriers to electronic
commerce. There are whole venture funds whose investment focus is around
security.  Security startups are everywhere; so are security books. The word
"security" is hardly rare in employment advertisements.  You cannot walk a
trade show and not see the word "security" in screaming big type. The number
of security meetings is preposterous.  Presidential Commissions are busy
spending real money on security for the information systems that run the
country.

"In the future, everyone will each get 15 minutes of fame." That
applies to security,too.  Today's security specialty companies cannot
all survive; they can be eclipsed by the platform vendors too easily.
Only platform vendors can deliver security that is integrated enough to
scale and invisible enough to ignore.  Even the Justice Department
knows that once something is in the operating system, any independent
market for it collapses. Yes, security's time may well have come, but
in a Warhol world, that would mean that it is about time to go.

The focus of "security" research today is the study of "trust management" --
how trust is defined, created, annotated, propagated, circumscribed, stored,
exchanged, accounted for, recalled and adjudicated in our electronic world.
This is natural because security is a means and not an end.  This is mature
because all technology differentiates along cost-benefit lines.  All the
security technology that you can buy today enables some aspect of trust
management and novel variations show up daily.

You can walk out of this hall and buy systems that use passwords that get
local machines to trust you enough to let you in. You can buy smart cards
that can do your cryptographic calculations for you, respond to challenges,
hold your keys inviolable or, more interestingly, have identities of their
own and serve merely to introduce you on their own terms. You can buy
biometric devices that look at your voice, your face, your retina, your
fingerprint, or even the idiosyncrasies of how you learned to type and so
say, "Yep, that's the guy." You can get systems that are sufficiently
hardened that you can rely on them if for no other reason they are so nearly
useless no one would want to break in. You can still get your hands on
security systems in the raw and roll your own directly from source-code.
You can, anywhere, anytime, spin-up virtual private networks that are
trustworthy protectors of your confidentiality however hostile the
intervening wires are. You can even deliver privacy between strangers --
nearly a matter of creating trust in order to propagate it. You can put a
document into the Eternity Service and trust that it can never be erased or
you can put it into a cryptographic file system and trust that it can never
be found.  Simple? Yes; academics and entrepreneurs alike are busy supplying
ways to propagate trust.

They have it all wrong.

If you ever took a course in probability then you know that many problems
are solved by calculating their dual -- the probability of "not X" can be a
whole lot more tractable than figuring Pr(X) directly.  If you're in a
security-based startup company, then you'll know that making money requires
making excitement, even if the excitement is somebody else's public
humiliation. And all of you can agree that the more important something is,
the more it must be managed. Trust management is surely exciting, but like
most exciting ideas it is unimportant. What is important is risk management,
the sister, the dual of trust management. And because risk management makes
money, it drives the security world from here on out.

Every financial firm of any substance has a formal Risk Management
Department that consumes a lion's share of the corporate IT budget.  The
financial world in its entirety is about packaging risk so that it can be
bought and sold, i.e., so that risk can be securitized and finely enough
graded to be managed at a profit. Everything from the lowly car loan to the
most exotic derivative security is a risk-reward tradeoff. Don't for a
minute underestimate the amount of money to be made on Wall Street, London
and/or Tokyo when you can invent a new way to package risk. The impact of
Moore's Law on the financial world is inestimable -- computing has made that
world rich because it has enabled risk packaging to grow ever more precise,
ever more real-time, ever more differentiated, ever more manageable. You
don't have to understand forward swaptions, collateralized mortgage
obligations, yield burning, or anything else to understand that risk
management is where the money is. In a capitalist world, if something is
where the money is, that something rules.  Risk is that something.

Security technology has heretofore been about moving trust around as if risk
is definitionally undesirable and reliable trust management simply obviates
the issue of risk.  It does not come close. In two years time the
"trust-hauling" market will be somewhere on the down-slope between legacy
and dead.  Risk management is going to take over as the dominant paradigm
because risk management can subsume trust, but trust management cannot
subsume risk. The Internet has made this so.

The Internet is irresistible because it lowers barriers to entry on a global
basis -- global in both space and time.  Ever more important parts of the
world's economy exist only in cyberspace, and lead times have entirely
collapsed.  Every professional fortune teller is bidding geometric increases
in the dollar volume of electronic commercial activity. But when there is
enough booty available, even absurdly difficult attacks become
plausible. This is the world we are in. It will never be possible to really
do the job of trust management any more than it is possible to really win an
arms race or really preclude your car from being stolen. But risk management
-- that is doable and it is doable at a profit. The proof is all around us.

We are a score of years down this road. 1978 was a vintage security year;
the remarkable papers by Rivest, Shamir & Adleman and Needham & Schroeder
were published, both in CACM as it happens. The former introduced public key
ideas and the latter created Kerberos. The counterpoint between these two
technologies is instructive. Both symmetric cryptosystems, like Kerberos,
and asymmetric cryptosystems, like RSA, do the same thing -- that is to say
they do key distribution - -- but the semantics are quite different. The
fundamental security-enabling activity of a secret key system is to issue
fresh keys at low latency and on demand. The fundamental security-enabling
activity of an asymmetric key system is to verify the as-yet-unrevoked
status of a key already in circulation, again with low latency and on
demand. This is key management and it is a systems cost; a secret key system
like Kerberos has incurred nearly all its costs by the moment of key
issuance. By contrast, a public key system incurs nearly all its costs with
respect to key revocation.  Hence, a rule of thumb: The cost of key issuance
plus the cost of key revocation is a constant, just yet another version of
"You can pay me now or you can pay me later."

Because of the tradeoffs between who pays for what part of the systems cost
and who gets the benefit, secret key systems and public key systems have
different fields of use. Secret key systems are fast and offer revocation at
no marginal cost. Public key systems are slow but they enable digital
signature and thus enable proof of action, non-repudiation as it is
called. Secret key systems are the default choice within an organization
while public key systems are the default choice between organizations, i.e.,
secret key for where security is an intramural concern intramurally
arbitrated, and public key for where security is extramural thereby
requiring recourse to a third party judge in cases of dispute. The
relentless blurring of what is intramural and what is extramural will favor
public key over time.

Because a trust management paradigm says that a digital signature is only as
valid as the key (in which it was signed) was at the moment of signature, it
is only as good as the procedural perfection of the certificate issuer and
the timely transmission of any subsequent revocation. **These are high
costs.** In fact, the true costs of general public key infrastructure are so
extraordinarily high that only our collective ignorance of those costs
permits us to propel ourselves toward a general PKI as if it were a panacea.
When, not if, the user community at large realizes this, we "security
people" will have but two choices, compromise on (gloss over) the quality of
trust that public key can deliver or back off from the claims of full trust
cheap.  In other words, we'll have to fit the benefit to the endurable cost
or fit the cost to the requisite benefit.  Since, as a rule of thumb, to
halve the probability of loss you have to at least double the cost of
countermeasures, any finite tolerance of cost means an upper bound on how
much security you can get. In the fullness of time, security technology will
be evaluated on the same cost-benefit-risk tradeoff on which other
technologies are evaluated. This is the price of maturity; this is the price
not yet paid.

Do not misunderstand me; public key technology, secret key technology,
security technology in general are daily reaching new levels of protective
capability. What they cannot protect against is being over-sold, and they
are being over-sold. Why is that?

The days when the Internet was a toy are gone even if a high percentage of
its new investors are still coming in merely to avoid looking dowdy.  The
real question on the table is: When does the Internet become more like the
data center. And what does making the Internet more like the data center
mean? At a minimum, it means metered use.  Discussions are already
widespread about requiring Internet postage; large ISPs will probably demand
it, existing postal services would love to sell it and data centers, such as
the financial giants, will get a better handle on what goes in and out the
door. At least one Wall Street bank already does charge-back for network
bandwidth consumption and their internal electronic security regime plays a
role in assigning those costs just as, in turn, their security group manages
the user database via incremental updates rather than fresh full copies so
as to minimize their bandwidth charges. That's not postage, but it is close
and it is now.

Incremental use charges are but one example, interesting mostly because they
are a near term step toward making the Internet into a data center. The
fundamental value of the data center is the information it holds. The past
few years have seen data warehousing, data mining and now connection of the
data center to the Web, data publishing if you will. MVS, for example, has a
really good web server and someone in the audience will have to convince me
that there is a difference between a 1970's central time-share machine and
an MVS web server in a swarm of "thin clients" on fast networks. It
certainly isn't the direct wire connection -- SSL simulates that well
enough. It surely isn't the management model; the MIS director who had
declared defeat in desktop configuration management will, you can be sure,
rejoice at getting control back.

In the mainframe world, you move the computation to where the data is.  In a
client server world, you move the data to where the computation is. Web
servers front-ending corporate databases attached to virtual private
networks full of some universal client like a web browser sure sounds like a
resurgence of the data center to me. The IBM 390 is a good machine and the
Wintel cartel has pretty much ensured that no upstart will enter their
space. From Wintel's point of view, using all those desktop cycles for
display functions is just fine. Could it be that simple?

Financial markets made SUN what it is today and vice versa -- SUN's first
big win, the first big demonstration that computing power had risen to such
a degree that moving the data to where the computing is made sense, "the
network is the computer" and all that. Financial markets, in the sense of
traders going head to head, used that power to replace whom you knew with
what you know and set off a technology-as-weapon metaphor that has overtaken
most of the business world. Financial Markets, in the sense of Exchanges,
now rely on a dense spread of computing that exceeds what most of us have to
deal with; more than one major bank has 15,000 FTP jobs a night just moving
data to or from its data center. Plenty of staff at the NYSE lose $1000
apiece for every 15 minutes the Exchange is late opening due to IT
unavailability. No computing equipment is too expensive when trumped with "I
can make that back on the first trade." No small country runs its currency
anymore.

There was once no question that the fundamental purpose of an exchange was
to provide "an advantage of time and place" to those who would trade on it
and, in so doing, establish efficiency and liquidity baselines against which
others would be judged.  Beginning first with the "Paperwork Crisis" in the
60's and reaching a crescendo after the "Crash of '87," the Exchanges have
been fully committed to electronic commerce before that phrase meant
anything.  But since the Internet, time and place are meaningless and the
Exchanges know it. They are working hard to make oversight, fair play and
quality of service into new baselines. Clearly, security technology is #1 in
their list of requirements followed closely by scalability and integration.

Security in a financial world market that is both nowhere and everywhere is
a difficult thing to define well enough to solve, but if there is anything
to engineering as a discipline then it is that the heavy work is in getting
the problem statement right. So, to return to my central premise, if new
security technology is a result of investment and if the investment in
security technology is naturally centered within the financial community,
what is the problem statement?  ** If we get that right, we can predict the
future. **

I submit that the problem statement is how to bring a transactional semantic
to the Internet. This is not a new problem, but it is an as yet unsolved
one. The existing financial markets want transactions because transactions
are what they are about and transactions are what they know. Upstarts like
the payment vendors want to be the first to deliver transactions and
disintermediate the financial firms.  Technical legal beagles reason that
there is no transaction without recourse, no recourse without contract, no
contract without non-repudiation and no non-repudiation without digital
signature.  Anyone who wants to do business on the Web needs transactions.

Hal Varian, an economist and Dean of the Information Management School at
Berkeley, taught me that what the Internet changes more than anything else
is that it brings the efficiency of auction to markets that never had that
option.  This is a cover story in this week's "The Industry Standard."
Auctions need security technology because what makes an auction an auction
is the ability to conclude a transaction which, by its own execution,
"discovers" a price. In other words, the nature of the world's economy is
changed by the existence of the Internet, but only on the condition that
electronic transactions are up to job.

So what do I mean by "transaction?" I mean a non-repudiable communication
between two parties who can each verify the time-, value- and
content-integrity of that communication, who can presume confidentiality of
that communication, who can verify the authenticity and authorization of
their counterparty and who can present all these evidences to third party
adjudication should there be a need for recourse at any arbitrary time in
the future. **Every single part of that definition begs the question of
security mechanism.** It is on that basis I claim that the security
technology of tomorrow will be crafted in response to the unmet needs of
financial markets today.

As an example, your handwritten signature on a check is what, in principle,
authorizes that funds move from A to B. In truth, from a bank's point of
view, actually verifying handwritten signatures is a transaction cost that
is not worth bearing unless the cost of verification is less than the risk
of loss. At the largest banks, the threshold dollar amount below which
verification does not really happen is a closely guarded number, but it
generally exceeds $20,000 and still they have platoons of people doing this
all day, every day. Converting the means of signature verification from a
manual process into a machine-able one would radically change the economics
of check processing. It would add billions to bottom lines and do it from
the cost-avoidance side of the ledger.

But that is not all. Some $300B of U.S. payments are made every day of which
only $60B are in the form of checks; the balance is largely in cash
transactions of $5 or less. From both the merchant's and the bank's
perspectives, getting rid of cash would be a huge win because handling costs
for small dollar amounts often exceed the profit margins on the underlying
sales.  While the consumer may well adopt cashless payment out of some sense
of convenience, the financial side of the house will enable it to avoid
costs.

Only this morning, Frost & Sullivan released a study that defines e-commerce
as "commercial transactions taking place over the Internet with exchange of
value in real time."  Web payment sparked numerous startups with numerous
different mechanisms. It is too late for you to enter this market, but it is
not too late for those payment-systems vendors to rethink what they are
trying to do. All of them are suffering because the volume of Web-based
retail business has not picked up as fast as their business plans had
presumed. For the retail customer, the main thing the Web offers is product
discovery; a good print catalog and an 800 number are otherwise hard to
beat. It is clear that the real money in Web commerce is in
business-to-business commerce, but there the supply chain has a lot more
complication and the kinds of security mechanisms need to be better than
those for buying a toaster oven.  Whereas retail commerce is about small
dollar amounts and stranger-to-stranger transactions through a financial
intermediary like a credit-card company, business-to-business is more about
relationships, the dollar value of the sale is much bigger, and banks play a
direct role (through letters of credit, collateralized bills of lading,
etc.)

B2B commerce does not have a good solution yet. If you want to sell into
this market, be aware that the customer will buy either to avoid costs he
has now or to make revenue he doesn't have yet. In the case of saving costs,
you'll have to sell him the technology on a turnkey basis - -- he will not
cut you into the transactional revenue stream. If you can really show that
your technology will make him revenue he did not have a chance to make
otherwise, you may be able to get a piece of the revenue stream, but do not
underestimate the cost-avoidance focus of big buyers and sellers. As far out
as 2005, over half the Internet-transactions will be transactions converted
from paper and credit/debit cards, not new transactions. **When selling into
a cost-averse market you automate rather than revolutionize, and you do not
get a piece of the action.**

Everyone likes to talk about "disintermediating the banks," that is making
the intermediary role of banks in commerce less essential by performing that
service in some other way. Bill Gates is widely quoted as saying that "Banks
are dinosaurs." At the highest end, they are not dinosaurs and they are not
about to be disintermediated.  Whilst the banks have a natural affection for
their income streams, that doesn't prevent disintermediation. Most wiseguys
trying to disintermediate the banks misunderstand what banks do. This is
what they do: They interpose their balance sheet between the expectations of
the counterparties to a transaction and the risk of default on either of
their parts. They undertake stop-loss protections against credit risk,
insolvency, operational failure, currency fluctuation, diversion of funds
delivery, etc. In other words, they manage risk because they can absorb
loss.  **Electronic commerce payment technology cannot absorb loss, so it
cannot and will not disintermediate the banks.**

Think of this this way: All public key technology is driven to make a
digital signature verifiable, i.e., it is about quality control and
guarantee on the signature itself. This is a stunning thing, but it is not
the whole equation. The intermediation role that banks play is to guarantee
the transaction, i.e., it is broader than just the verification of a
signature. The bank's know-how and its balance sheet are not something that
can be replaced by a cryptographic calculation.  The ability to avoid loss
never makes up for the ability to absorb loss.  The cryptography guarantees
the signature; the bank's capital guarantees the transaction. **Risk control
encapsulates trust.**

In the midst of this, you might say "What are the standards?" in the
sense of "What do the formal standards groups have to say?" The banking
world is regulation rich and standards rich, too, which begs the
question -- "Which standards matter?" The world of the Internet is
making some of the banking-centric standards passe' but, unlike the
combination of standards and regulations the banks are familiar with,
the standards groups of the Internet cannot take on accountability for
the implications of conformance/non-conformance though they continue to
define it for others. This makes Internet standards substantially
difficult to swallow because there is no accountability, nor can there
be. The absence of enforcement guarantees that the only Internet
standards that will really get attention are those that promote
interoperability across jurisdictional boundaries. Ironically, this is
all the pioneers of the Internet ever wanted.

What the banks want, and I assure you they will get, is a set of
cryptographically sophisticated tools that move the risks of the Internet
from open-ended to estimable. In a sense, this is like insurability. It is
probably apocryphal, but the story goes that a major investment firm with a
Web commerce idea went to a big insurance company to seek stop loss
protection. The conversation supposedly went like this:

   "How big is the potential loss?"
   "We don't know."
   "How likely is a loss to occur?"
   "We don't know."
   "How much is your company worth?"
   "This much."
   "That's the premium; send it in."

Whether true or not, it illustrates the point -- the issue is getting a
handle on the risk such that it can be priced.  Every one of you who has
tried to sell security technology has discovered that the only willing
customers are those who either (1) have just been embarrassed in public or
(2) have just learned that they are facing an audit.  Everyone else is an
unwilling customer.  We've been dumb about this; we've tried to sell
security as a means to establish trust but we've done it by railing about
threats. It's no damned wonder that we haven't sold much. I know I have
often wondered if my market might not explode were I to get just one of the
big loss-prevention insurers to make good security practices and technology
into an underwriting standard.  Then, just like "Do you have sprinklers?"
everyone is forced to confront whether they want to pay for security or pay
for non-security. I am confident that the insurers could soften up my
targets a lot better than I can.

Let me tell you, they are about to. Insurability of Web commerce is
essential, and no insurer is going to accept "We don't know" as an
answer. They will say "Send it all in" and they'll mean it. The demand side
for security technology is exploding but it isn't quite the security
technology we have on hand.

If a digital signature has the uniquely irreplaceable property of providing
proof to a judge, then the role of a "trusted third party" is going to
become more important over time, not less.  Think of it this way: when I get
a certificate issued to me by a certifying authority, I do have some risk
around whether the CA is well operated or not. This includes the probability
they will issue a certificate with my public key but someone else's name and
whether when I tell them that my key has been compromised they will spring
into decisive action. Most of that risk I can handle by a combination of due
diligence and contract.

However, when I give my certificate to you and say "Hi, I'm here from
Central Services to fix your system" it is you that's in a risky
position. You have to say "Is this certificate valid?" That means you have
to check that the certificate is not listed as revoked, that the signature
on the certificate is well formed, that the certificate authority which
issued this certificate itself has an identity certificate that is itself
validly signed, that the certificate authority is itself not in any trouble
with revocation, and and so forth, ** recursively. **

The full cost of revocation testing is proportional to the square of the
depth of the issuance hierarchy.  In other words, this exceeds the
intellectual capacity of most certificate recipients. This means that most
recipients cannot themselves rely on the security technology to establish
trust beyond the shadow of doubt. Instead, if recipients are smart, they
will turn again to the insurance world just as risk holders have done
whenever they cannot afford to carry on their books the consequences of a
remotely unlikely event. For the insurer, he will underwrite a guarantee on
the transaction for a fee that will reflect his experience with the CA's
practices, the kind of transaction undertaken, the dollar amounts involved,
etc.  This will seem sensible to all parties because it is so familiar.
This is risk management underwritten by financial intermediaries.  This is
where we will shortly be.  This is the card eight major banks and CertCo
played ten days ago -- the formation of "a global network of compliant
businesses that use a common risk management framework." **This is where we
securitize the transactional risk of electronic commerce.**

There is one potential fly in this ointment, and I do not intend to dwell on
it, but I cannot get this far and not mention the threat to strong security
apparati of having them undermined by key escrow.  Corporate policies and
laws alike have always been defined in a territorial way that relies on
clearly identifiable borders, physical locations where the policy or the law
come to an end. But in the electronic world borders are meaningless. In some
sense, sovereignty, based as it was on the idea of a border, is less
meaningful now than for some centuries. In its place is a different kind of
sovereignty, because the only borders in an electronic world are
cryptographic ones.  As such, the debate over who may or may not have a key
known only to themselves is a proxy discussion for who may or may not have
sovereignty within a cryptographically defined space.

There are hard questions yet to answer. Compromised keys are revoked
effective not to the moment of suspicion of compromise but rather
retroactively to the last known time when the key was safe. In the case of
escrow, should not a key's owner retroactively revoke it to the moment of
its seizure from escrow should the owner later discover that it has been so
seized? Or if a revoked key is only revoked by the action of the certifying
authority signing a revocation notice in a special key, can that
revocation-signing key itself ever be revoked? If it could, would that not
invalidate (reverse) any revocations signed in it and what does that mean? I
only offer these so that you do not equate my argument about the
near-inevitability of investment in public key technology and
digital-signature-dependent activities with some presumed infallibility of
the technology or our understanding of it.  These questions will be settled
one way or another, but they remain open as we speak here today, and there
is money to be made.

I have tried to lay out my estimation on which way the tide is running and
which moon's gravity matters. I could be completely wrong, or merely
overstating what my biases bring me, but I think not. I think that just as
the best estimate of tomorrow's weather is today's, the best estimate of how
the Internet and the financial behemoths will interact is for the Internet
to be driven, as a side effect, by the cost-reduction and profit-incented
strategies of those financial behemoths.  They already transcend national
boundaries and their investment decisions do run the world.  Were this to
get enough investment, it might make security a solved problem at least as I
define "solved" to mean "consistent with risk management in the insurance
style." Since that would collapse the market for novel security add-ons, I
strongly suggest that as you prepare your business plans you figure out how
to be, as Tom Lehrer would say, a doctor specializing in diseases of the
rich.

This is a very exciting time and it is a privilege to be a part of it.  When
we are all relics in rocking chairs, we will still know that we were present
at the creation. I know that I will count myself particularly lucky,
including for your close attention these past few minutes.

Thank you for the honor of speaking with you.

------------------------------

End of RISKS-FORUM Digest 20.06 
************************

To CSE 268D homepage
Maintained by Joseph Goguen
Last modified 13 November 1998