Schneier on Security
A blog covering security and security technology.
August 18, 2010
"The Fear Tax"
Good essay by Seth Godin:
We pay the fear tax every time we spend time or money seeking reassurance. We pay it twice when the act of seeking that reassurance actually makes us more anxious, not less.
We pay the tax when we cover our butt instead of doing the right thing, and we pay the tax when we take away someone's dignity because we're afraid.
We should quantify the tax. The government should publish how much of our money they're spending to create fear and then spending to (apparently) address fear. Corporations should add to their annual reports how much they spent just-in-case. Once we know how much it costs, we can figure out if it's worth it.
Posted on August 18, 2010 at 3:48 PM
• 34 Comments
Anyone else appreciate the irony that taking the time to log all the costs of fear is a step taken in fear of the cost of fear?
One thing common in my profession (I'm an internal auditor) is overreaction to petty or rare threats. I try to use my influence as a leader and educator in the local audit community to calm some of that, best I can.
"Today, Hang Dinh at the University of Connecticut and a couple of pals show that cryptographers have been staring at one all along. They say that a little-used code developed by the CalTech mathematician Robert McEliece in 1978 can resist all known attacks by quantum computers."
Based on the "hidden subgroup problem" apparently?
"... a little-used code developed by the CalTech mathematician Robert McEliece in 1978 ..."
I've always liked it for several reasons, however as it was not popular it has never received much attention and little analysis.
It might just get some attention now 8)
Nuclear weapons are the most extreme version of Fear Tax.
We have them "just in case" the boogie man attacks us.
Actually, we have them to strong arm other people into doing what we tell them, *OR ELSE*. Which is why all those other guys are so busy trying to build their own nukes ...
I have always been afraid of an attack from the boogie man.
I don't blame it on the sunshine, the moonlight, not even on the good times. Just the boogie.
I'm with Dom DeVitto. When we were in South Dakota, we visited a decommissioned missile silo. There was a great patriotic speech that went along with it, but to me it sounded like we pissed about $20B into various concrete bunkers across the midwest over the course of fifty years. On the plus side, at least those folks had jobs.
The problem for politicians is that if they let the fear go away, we'll decide they need less money for 'Defense' and then there will be a lot less way for them to deflect black project money into their campaign accounts. :-/ Congress *loves* black projects. Guess why?
Just to ruin everyone's day, one dictionary definition of "security" is:
the state of feeling safe, stable, and free from fear or anxiety
Let's discuss this in a new blog post:
"Researchers tout new weapon in Internet censorship arms race
Georgia Tech School researchers will demo content hiding “Collage” at next month’s Usenix security conference"
I too visited a big missile silo ... in Plokštiné, Lithuania, the former USSR. The target was said to be New York.
So, Roxanne, in case of the silos, the fear of the other power was pretty much substantiated.
"Actually, we have them to strong arm other people into doing what we tell them, *OR ELSE*. Which is why all those other guys are so busy trying to build their own nukes"
Yup, who remembers the build-up to the second Gulf War, where the US said it would deploy tactical nukes if Saddam used (his non-existent) WMD.
The thing that most "Nuke Wannabe" nations have noticed is the "them and us" or "part of the club" attitude of the US.
The Nuke does not have to be anything other than a low yield "lab only" experiment to get entry. It does not have to be a viable fieldable device and the nation does not have to have a viable delivery mechanism (although having one gets a top table invite to diplomatic negotiations).
At best such a "lab only" weapon could only be used for "scorched earth" defence, thus it could be said that the US has an irrational fear of nukes.
On reading about an incident that happened many years ago, I thought what would the people in the State Department do on receiving a small package containing a set of blueprints and a small sample of weapons grade material with a little note attached saying "fourth of July"...
I'd not heard of Seth Godin before but his essay hits the nail on the head; would that we had people of equivalent intelligence running the TSA and its equivalents around the world working to reduce the tax we pay rather than increase it.
Like Marian, I never visited a nuclear silo, but I did visit a decommissioned Soviet-era SS-19 ICBM assembly plant just outside of St. Petersburg, Russia.
You can argue that the US and the USSR overreacted to each other during the cold war, but to suggest that the US/NATO nuclear buildup was wasted money thrown at a non-existent threat or simply a means of getting political pork ignores the facts. It's easy to look back with 20/20 hindsight and dismiss the fears of that time.
The USSR did not have 40,000+ atomic warheads by 1985 because they thought they might go to war with Jamaica.
@Hjohn "calm some of that, best I can"
I'd drop Terrorist from my threat assessments if I could but it's often in the SOW and the C class asks about it if I leave it off. Best I have been able to do is rate it low and point to it and say "See this? Terrorist action is not a high risk for you."
@BF Skinner: "I'd drop Terrorist from my threat assessments if I could but it's often in the SOW and the C class asks about it if I leave it off. Best I have been able to do is rate it low and point to it and say "See this? Terrorist action is not a high risk for you.""
I think that is one of those cases where, even if something is a negligible risk for a given entity, if people are thinking about it or worried about it, then it has to be addressed even if the purpose is to reduce the fear to more closely match the actual risk.
For four years I was in charge of 10 active silos in Montana. And yes there were silos in Russia aimed at us. There was much wrong with the MAD arrangement between us and Russia, but there is a reason that 9-11 only happened after it was over.
I have lived in and visited socialist and communist countries and have a few friends from them. There is a difference, and you wouldn't like the other side. How many Cubans are in Miami; how many Americans are in Havana? One former citizen of East Germany asked me, "you had Czechoslovakia, why did you give it to the Russians?" He lived on the other side and did not like it one bit. Not that he is enamored of the materialism of the west, but it beats the hypocrisy of socialism. So no, we did not just piss away $20 billion, a lot of people still alive around the world today wish we had done better than a stand-off.
"how many Americans in Havana?"
...not that many, but how much of that is because your government won't let you travel there. Land of the free?
Maybe not as different as you would like to think.
I think we need to distinguish between defense and fear. Defense costs are those we pay to counter a threat we perceive, and which are rationally expected to reduce the threat. The nuclear missile silos were intended to deter a large nuclear attack on the US (which was a possibility), and there's reason to think they contributed to our safety from attack. Similarly, somebody who wants to advance to a high management position might want to get an MBA from a prestigious school.
Godin's examples were about useless countermeasures to fears that were not well founded. I'm afraid of terrorists in the same sense I'm afraid of man-eating tigers: if I ever run into one, I'm in danger, but it's far more dangerous for me to drive home. Most TSA measures will not stop even an incompetent terrorist, so those are useless measures against a minimal threat that merely inconvenience people, costing a lot of potentially productive time.
I am certainly amicable to the general idea of being able to count how much money is wasted on fear. I just see one "small" problem to overcome:
Ensure your answer is enumerable.
The fear tax is especially prevalent in the 'child safety' industry. Some parents will do literally anything for a little perceived safety for their children.
Yes, I have a child too. But he didn't wear a helmet while he was learning to walk.
How ironic it is that the Bush/Cheney administration that was so committed to cutting taxes was even more committed to greatly increasing this particular tax!
George at August 19, 2010 3:12 PM
575 days and counting.
"... so committed to cutting taxes was even more committed to greatly increasing this particular tax"
To a non US citizen it appears that there is a simple set of rules to US politics,
0, Get a "front" person as candidate.
1, Get money for your candidate's campaign.
2, Promise what will get them elected
3, Make policy to pay off campaign funders.
4, Use taxes to pay off campaign funders.
5, Use what is left to pay lip service to pre election promises, and fill up war chest.
6, A year before next election use taxes and war chest to bribe voters.
7, If your "front person" fluffs it either time "consult" to campaign funders...
Did I miss anything? ;-)
Interesting article. I wonder about the MBA bit, maybe the entrepreneurs aren't pursuing the degrees to be more successful at starting their own business, but the MBA being something to fall back on if the business fails? Isn't there a high failure rate for small businesses? The reasoning being at least they are more marketable as potential employees for a large established firm with an MBA right?
@ Imperfect Citizen,
With regards MBA's...
As you note there is,
" a high failure rate for small businesses"
But due in the main to lack of customers for the product for a whole heap of reasons an MBA alone will not equip you for.
The MBA is starting to suffer an image problem, too many people thought like you,
"The reasoning being at least they are more marketable as potential employees for a large established firm with an MBA right?"
Way too many assumed that an MBA was the key to walnut corridor and whilst the markets were expanding this appeared to be so and was a view point encouraged by the actions of way too many Human Remains Depts.
In the current downturn employers are now looking for "real experience" so an MBA is seen as a nice addition not sufficient in its own right.
Thus there is a significant glut of inexperienced MBA's in the market currently.
I'm not saying an MBA or other business diploma etc is bad, not at all, I would still encourage IT folk to get one. BUT only when you have sufficient experience and want to move up in your career. It helps you bridge the divide between "tec head" and "senior management" by teaching you basic business skills.
As a result of the market down turn you can see that some organisations are now looking for MEM's not MBA's which is a clear indicator they want solid experience and a proven track record. They don't have the spare resources any longer to take a "punt" on training up a neophyte "chancer" whose sole visible worth is an MBA from Noname College Nowheresville and hoping they "will come good".
Wait, *that* was an essay?
It's too bad BP didn't spend some "just in case" money on a working blowout preventer.
There's an aphorism from the advertising business that half all money spent on advertising is wasted. We just don't know which half. The same can be said of security.
"There's an aphorism from the advertising business that half all money spent on advertising is wasted. We just don't know which half. The same can be said of security."
Oh if that were true how easy life would be.
With marketing you get feedback: a good spend on marketing makes sales go up, a bad makes them go down...
With security you spend too much you see no change, spend too little or badly you get burned...
I quite understand the idea of a "fear tax," but I'm not sure that an MBA fits in that category. I think that getting an MBA was, until recently, merely a reasonable economic decision: if you're looking to be employed by someone else, you want to make them comfortable with you as cheaply and easily as possible for them, and an MBA could do that. Further, an MBA isn't entirely rubbish; it does prove that you've been exposed to certain things and have had others test certain skills to some degree.
As far as the cold war goes, even as someone who would be considered by many an anti-war socialist I found George Kennan's long telegram to be insightful and convincing, at least with my limited knowledge of Russian and European history. It's well worth reading.
A "fear tax" is no different from any other cost built into the pricing of a product or service. It's all about risk management fundamentals and product/service reserve or economic capital pricing. There is always a cost associated with risk treatment - remediation, avoidance, transference or acceptance. It shouldn't be a surprise to anyone.
How many Americans in Havana? How hard do you think it is for an American who wants to go to Havana to get there. Regularly scheduled flights from Mexico City. 120 mi trip from Key West. Coast Guard has a heck of a time stopping the northbound trip, doesn't even try on the southbound side.
The tax is necessary if it improves the system. I believe that in the end it does not help us because everyone is guilty by default until proven otherwise. My parents fled from the Czech Republic during communism and they did that because of the fear that was created through the system. Germany (where I grew up) embraced this mentality a long time ago and it created a huge blown up system controlled by fear. And that is where this "tax" eventually leads to: fear.
Quantified data is always a welcome plan of action. We are expected to pay on so many things, but do we know how they are spent and on which portions of the state they are allocated for? Then again, how can we be sure the data is valid and not just tampered with? Sigh, one day at a time I guess...