Dan Geer on "Cybersecurity and National Policy"

Worth reading:

Those with either an engineering or management background are aware that one cannot optimize everything at once ­ that requirements are balanced by constraints. I am not aware of another domain where this is as true as it is in cybersecurity and the question of a policy response to cyber insecurity at the national level. In engineering, this is said as “Fast, Cheap, Reliable: Choose Two.” In the public policy arena, we must first remember the definition of a free country: a place where that which is not forbidden is permitted. As we consider the pursuit of cybersecurity, we will return to that idea time and time again; I believe that we are now faced with “Freedom, Security, Convenience: Choose Two.”

Posted on November 2, 2010 at 5:51 AM35 Comments


shadowfirebird November 2, 2010 6:20 AM

Okay, maybe it’s too early in the morning, but I’m not seeing it.

The obvious two sides of the triangle to pick are “freedom” and “security”. How will sacrificing convenience help to get those?

I mean, it sounds suspiciously like the arguments in favour of security theatre: “yes, I know it’s inconvenient to go on the plane stark naked and have your luggage vaporised, but that’s just the price we pay for freedom and security.”

markyj November 2, 2010 6:26 AM

re: shadowfirebird

I think the point is that having both freedom and security will cost you in convenience – not the other way round 🙂

I’m sure you can appreciate there’s a bit of poetic licence in the statement anyway.

Personally, in the context of terrorism, I would choose convenience and freedom over security any day.

Nobody In Particular November 2, 2010 6:41 AM

I think that the real “argument in favor of security theater” comes when Greer says: “[…]that a public loss of confidence is to be avoided at all bearable cost, but that everything short of this amounts to nothing more than some private tragedy[…],” since it is a focus on public confidence as an end that drives security theater.

Of course, to make an argument for security theater requires one to take Greer’s statement out of context, as he quite clearly says: “First, security is a means, not an end.” But since when have policymakers, both public and private, been above taking the experts out of context?

But what struck me most about Greer’s statements was the assertion “[…]that 75 percent of all data losses are discovered by unrelated third parties[…].” That says to me that too many information security regimes fail silently, with no warning to the effected parties, perhaps in the service of maintaining public confidence.

shadowfirebird November 2, 2010 6:50 AM

@Nobody In Particular:
Of course, to make an argument for security theater requires one to take Greer’s statement out of context, as he quite clearly says: “First, security is a means, not an end.”

I think the point that I’m working towards is, “a means to what end?”

Security Theatre is a means to an end, too — politicians impressing the voters that they are handling the crisis.

Saying that we need to sacrifice convenience to gain security and freedom is not entirely helpful. Even the proponents of security theatre agree. The question is, in what way?

Conversely, the current air freight threat was solved by intelligence. I can’t see how it involved a lack of convenience to anyone — unless it was inconvenient for the security services to use intelligence to do their job properly, which seems a very odd conjugation.

Not really anonymous November 2, 2010 8:21 AM

That combination of attributes are not at odds. I don’t see freedom and security in conflict. If I am not free to say, secure my communications or travel long distances anonymously, I don’t see how I am more secure.

BF Skinner November 2, 2010 8:33 AM

When you can measure what you are speaking about, and
express it in numbers, you know something about it; but
when you cannot measure it, when you cannot express it in
numbers, your knowledge is of a meagre and unsatisfactory
kind; it may be the beginning of knowledge, but you have
scarcely, in your thoughts, advanced to the state of Science.

While it’s usually safe to agree with Lord Kelvin in the same way it’s safe to agree with Albert Einstein. We have 3 numbers as a rule High, med, low for our security impacts.

hwKeitel November 2, 2010 8:38 AM

“Freedom, Security, Convenience: Choose Two.”

is this an all or nothing question? is it digital, either .. or?

Or is it fluid? a little more freedom here, and less security there. more security here and less convenience or freedom there…

security and freedom are big words. who or what ‘secures’ me? what kind of freedom are we talking about (society, personal,..)? what is the threat? what kind of restrictions I have to accept? etc. etc.

moo November 2, 2010 8:42 AM

Since 9/11, all western nations have been steadily eroding freedom, AND putting a few roadblocks in the way of convenience. But only a fool would believe that our security has actually increased as a result.

Imperfect Citizen November 2, 2010 8:55 AM

” if the tariff of security is paid, it will be paid in the coin of privacy” Thanks Bruce. This is a great article. I wish he wasn’t right. I have unfortunate experience as a target, and I have to say that if our own people knew the actual suffering involved when people are “watched”, we’d be thinking more about the trade offs.

I think its hard to say what you would choose if you don’t know what it means to have your freedom taken away by these systems. If you don’t realize how much the watching hurts others. If you don’t have any idea how careless people are with your information when you are being watched by contractors.

The potential for abuse and fraud is tremendous and he alludes to it, besides the compromise to the role of the government in terms of antitrust

  1. If you think about the role of contractors in the process and the sheer numbers of folks who have right to access/and the companies involved in the domestic observation business the Antitrust bit will make sense to you. Look at ATT and the role with the law enforcement/civil defense, in the talk below he says all you have to do is trust ATT, applicationshttp://www.youtube.com/watch?v=2TE6vBWsTGM (remember antitrust history and Ma Bell), look at Booz Allen Hamilton’s website on Homeland, look at the FEMA Sprint cellphone network info, how many get access to information about people being watched? Its like crowdsourcing of civil defense.
  2. Another spin on insider attacks. How about accuracy of data collected and compromised/conflicts of interest? Who watches the contractors computer piece for the government? For example, if verint’s software program is manipulated by insiders, as defined by the author (anyone with right of access not necessarily government or the contracting agency watching) or certain anomalies are not put into context, what would happen to the folks targeted?http://verint.com/communications_interception/index.cfm
    What would be the consequences for the data collected by the government?
    Say if a target gets an email from a person who mentions that so and so was kidnapped by (name terrorist group here) and the software just counts the instances. The contractors have no interest in clearing up the misunderstanding as it funds jobs, so nobody’s watching them or their software. So the feds get a report that x person had x number of hits on key dictionary terms. Its not ruled out. So the folks out east get crap for data, the contractors get paid, and citizens are hurt.

If the government and law enforcement can’t even respond when there is obvious fraud on these cases, how useful is the cybersecurity? Software systems on telecommunications looking for key words. Fallible systems that compromise people’s freedom, and then corrupt systems that allow people to be targeted for years with no safeguards. Who is secured by that?

Clive Robinson November 2, 2010 8:58 AM

@ BF Skinner,

“We have 3 numbers as a rule High, med ow for our security impacts.”

They are not numbers 😉

Actually it has been observed that when dealing with the world in general only three numbers make sense zero, one and infinity.

That is “something does not exist, something is unique or there can be any number of somethings”.

Winter November 2, 2010 9:18 AM

Democracy ends when the ruling party can close public and private commerce to those who do not vote for them. That moment comes when your privacy is gone.

Given that the previous US administration allegedly limited government contracts to firms with Republicans in the board, this moment might not be that far away.

How this works in practice can be seen in, e.g., Zimbabwe.

paul November 2, 2010 9:50 AM

I’m all for personal responsibility. So all we have to do is arrange that people who will be responsible have all the information they need to make good decisions, in a timely manner. Any other policy on the part of vendors would be fraud. Um.

There are a lot of damage control models in the public health sphere that don’t emphasize personal responsibility in the sense of financial/moral liability. It seems they might ultimately be more useful here.

moo2 November 2, 2010 9:57 AM

Moo speaks of canadas tories, I came across an interesting etymology of tory, while reading a wikipeadia thread on raparees, its a kick to know that it comes from some irish word for highwaymen.

Nobody In Particular November 2, 2010 11:13 AM

@ shadowfirebird

“We need to sacrifice convenience to gain security and freedom” is NOT the same as saying “Increasing security and freedom involves a necessary reduction in convenience.” (Assuming, of course, that you lack the ability to simply throw resources at the issue.)

There is nothing that says that, in and of itself, making a system less convenient automagically makes it more free and more secure. In this respect it is no different than “good, fast or cheap” – intentionally making a craptastic product does not mean that it was faster or cheaper than a comparable product.

On the other hand, if you ramp up the freedom AND security of a travel system, it does become less convenient, because of the time that it takes to screen out the false positives and the false negatives involved in travel to sketchy places. If the bomb plot had not panned out, someone who was expecting their printer would be wondering where it is right about now.

I likely could conceptualize a system that would allow any or everyone, to travel between any two points on the globe with little to no chance of being killed in a terrorist incident, using a security apparatus that was completely invisible, non-intrusive and non-time-consuming. It would be astronomically expensive. Given that fact, I have some trade-offs to make. The problem that you bring up is that I could effectively make poor trade-offs, and gain nothing in return – the system could restrict who can travel and where they can go; it could still allow for terrorists to rack up an impressive body count; it could require time-consuming and invasive screening techniques; and, on top of all of that, it could still be ridiculously expensive. And a lack of any means to evaluate how effective the system is can exacerbate that.

BUT… that doesn’t mean that the reverse is also true – that I could have the system be free, convenient and secure at a low cost.

Tangerine Blue November 2, 2010 11:23 AM

This seems like regurgitated tripe, where “Security” is confused with “Governmental Control.”

The complicated truth is that Government can’t control violence any better than it can control markets. It can impose quick fixes, and/or it could bring either to ruin.

But the thing government could do well, if it were interested, is step back and let people work things out among themselves, intervening when people aren’t playing fair. Government should referee instead of play.

RH November 2, 2010 11:24 AM

Freedom and security without convenience comes from freedom to do anything you want, securely, but with so much oversight and red-tape that it is non-trivial to exercise such freedoms.

First Timer November 2, 2010 12:29 PM

Sorry for the off-topic…


I knew (in the online sense) a Canadian with a fondness for cookies that used the nickname ‘moo’ not that long ago, but we lost touch. I wonder if you are him? I realize you may not even be Canadian, but the Canadian news reference suggested that might be the case.

He also went by the name ‘cookiemoo’ on occasion.

Davi Ottenheimer November 2, 2010 1:15 PM

It is so well written I am tempted to believe some of what he says; unfortunately the gaping philosophical errors pain me to do so.

Take, for example, he says “when you do not know where you are going, any direction will do”.

This is not true. You might also decide no direction is acceptable without knowing where you are going. Resistance is an option. Another option is to define “knowing” as a degree rather than absolute. You don’t know where exactly you will end up (completely secure or insecure) but you can estimate higher and lower increments.

Yes, I just used security as an end and not just a means. I would say Geer does too. Although he writes “First, security is a means, not an end” he also gives us three ends: Freedom, Security and Convenience. Am I missing something? The start and end to the essay are a giant contradiction.

He also cherry-picks five quotes about fear from history and calls them “the worry over fear”. I could pick another five quotes from history that oppose his. Why are his five the only perspective worth citing? He does not say.

Examples of those who say not to worry:

“While F.D.R. once told Americans that we have nothing to fear but fear itself, Mr. Ashcroft is delighted to play the part of Fear Itself, an assignment in which he lets his imagination run riot.” – Frank Rich

“Courage is resistance to fear, mastery of fear, not absence of fear.” – Mark Twain

“Men fear death as children fear to go in the dark; and as that natural fear in children is increased by tales, so is the other.” – Francis Bacon

Geer leaves out the obvious counter-points and takes no time to explain why, although sensible, they do not interfere with his overall hypothesis.

I guess I should write a full and detailed response but let me also just say I see many examples where technology provides freedom, security and convenience together. The automobile. The mobile phone. The fact that we give away something does not mean we have to give it up. It seems to be more about choices than a requirement or an immutable law. Geer’s work thus leaves me with the impression he really is just upset about decisions being made and his essay is a critique of the market and consumers disguised as a study of natural forces.

Micah Stetson November 2, 2010 2:14 PM

“We must first remember the definition of a free country: a place where that which is not forbidden is permitted.”

I admit not having read the article, but this seems a particularly useless definition of a free country. If the law forbids any media that is not state controlled, then allowing only state-controlled media doesn’t reduce a country’s free-ness. If the law forbids both choosing your own spouse and remaining unmarried, then forced, state-arranged marriages don’t reduce a country’s free-ness. That seems far off the mark.

It would be nice to have a succinct definition of “free country”, but I don’t think this is it.

Tangerine Blue November 2, 2010 3:45 PM

It would be nice to have a succinct definition of “free country”

Not sure if it’s a definition, but my rule of thumb for today is:

A country is free if its government allows its citizens to walk from one end of the country to the other while living off the land.

the-first-moo November 2, 2010 5:05 PM

@First Timer:
Sorry, you must know some other moo. Its a pretty generic tag. I use it for my posts here mostly because of the futility of searching for it with Google.

moo November 2, 2010 5:12 PM

My definition of a “free country”: A country where a citizen who keeps to himself will be left to himself, and where a citizen who does no harm to others can keep his privacy from others — the government in particular.

I recognize that our fearful lords and masters are not willing to leave us alone, they feel compelled to snoop on our communications and maintain secret files about our lives. Even if that has been (and remains) the norm, I feel that its an embarassing situation for a so-called “free country” to be in. Its not the fault of government that it is draconian; it is the fault of the citizenry who, through apathy and inaction, allowed it to become that way. We will have the government we deserve. If we don’t want the government to behave in certain ways (tapping all of our communication in AT&T’s closet for example), we must collectively raise an uproar about it and force the government to change its ways.

I’m afraid that as long as we all have television and other “essential” comforts, we will accept a severe curtailing of our freedoms without much protest. Then we will wake up one day and find ourselves living in the London of V for Vendetta.

Nobody In Particular November 2, 2010 6:21 PM

“We must first remember the definition of a free country: a place where that which is not forbidden is permitted.”

I think that is more true than is immediately evident. In a police state, the fact that you have not done anything that is forbidden may not be enough to protect you from arrest. In a free country, it is possible to know, and therefore work within, the rules, even if there are a large body of them.

Winter November 3, 2010 2:23 AM

@Tangerine Blue:
“A country is free if its government allows its citizens to walk from one end of the country to the other while living off the land.”

I find this definition very illuminating. Because of how wrong it is. Outside of the USA this concept is simply impossible (and I doubt it inside). It is a completely useless guide to freedom.

First of all, In most areas of the world, you cannot live “off the land”. You will simply die without the help of (many) other people.

Take the UK, as one example of a country known to most English speaking people. On their own, few people will be able to survive even a single year. There is NO way that an isolated individual can grow and store enough food to survive a winter in the UK. Go to Canada or Siberia for even worse odds.

Second, in many places on earth there are simply too many people around for even a fraction of them to return to “living off the land”. Think the island Java in Indonesia, or Bangladesh. Think South East England. In such countries, attempts to “live off the land” must be restricted to make sure everyone survives.

Any definition of freedom that refers to lonely and isolated individuals is beside the mark and completely irrelevant.

Anyhow, most people confuse legal definitions of freedom, which refer to state intervention, with practice. If public or private parties can harass you with no recourse to enforcement of your rights, what use are the laws?

In this discussion, security is a matter of social organization and structures. The relation to freedom is that any type of social organization or structure will limit the behavior of it’s members. Which many people see as restricting freedom.

Privacy is part of the equation because social organization implies that other people will judge your behavior, one way or another. And that means they will need to “know” things about you.

We all know that if security requires a level of social organization, we can expect that increasing security will likely tighten the limitations and decrease the level of privacy.

However, there is no reason at all to assume the reverse, that increasing personal limitations and reducing privacy will increase security.

Common Sense November 3, 2010 9:21 AM

“Freedom, Security, Convenience: Choose Two.”

That’s the dumbest thing I’ve heard today (yes, it’s early). Most compromises to convenience are a compromise to freedom, ie bag/butt searches.

Correct statement is “Freedom, Security. Choose one…or a mix of the two.” Complete freedom is anarchy, complete security is big brother enforced slavery.

Tangerine Blue November 3, 2010 10:42 AM

this concept is simply impossible

It’s not impossible – things used to be that way. It’s been a couple centuries, though.

there are simply too many people… attempts to “live off the land” must be restricted

Bingo. Freedom is inversely proportional to population density.

Winter November 3, 2010 11:10 AM

“> this concept is simply impossible

It’s not impossible – things used to be that way. It’s been a couple centuries, though.”

Living off the land in the UK, going back some millenniums, would mean you collect or grow food during summer/fall and live off it during winter early spring. You will not survive that on your own.

Human hunter gatherers and early farmers lived in communities. A human individual alone is dead within a year almost everywhere.

And if you can only be free if you are alone in the world, the word freedom loses its meaning.

Tangerine Blue November 3, 2010 12:17 PM


I don’t think I ever said my idea of a free country required every/any individual to be a solitary mountain man.

But I do think a free country would not forbid its citizens from giving it a go. Of course, with our current populations, a country that allowed such freedom would soon look like Haiti.

Hence freedom is inversely proportional to population density. It’s a law of nature. Living beyond nature’s capacity comes at a price of regimentation, and historically, eventual collapse.

Dave Funk November 5, 2010 2:13 PM

Personnaly I have never been a fan of the famous Lord Kelvin quote about measuring things. First, I would point out another quote of Lord Kelvin that X-Rays are a passing fad that will not last for 2 years. Lord Kelvin was smart, but not that smart. Secondly love is something that we do a remarkably poor job of measuring, but…Is our knowlege of it meger and unsatisfactory? Room for a LOT of argument here. Do these thoughts raise to the State of Science. Well no, but is Shakespear worth less for not being a scientist? I think not. Is love the less for being unfriendly to managment. Again, I think not. Without question, the art of information security is not well measured and I would agree better called an art than a science. And I am well aware that the unfriendlyness of that art to managment. And I don’t question that it would be better if it were a science. But the problem is that it isn’t a science. And we don’t see when and how it will become one. Oh yes, everyone says that we have to measure this stuff. But saying we have to measure it doesn’t mean that we can. People in hell need to have ice water. But they don’t. As of today, nobody really knows how to measure how a Security Operations Center is doing, except to count intrusions. Pretty much everyone agrees that isn’t a very good measure. So what’s left, counting vulnerabilities. We do a remarkably poor job of that and a worse job linking that count to an actual measure of security. (it does do a remarkable job of justifying KPMG’s bill though!)
Just deal with it. IT Security is an art, not a science. You need artists to do it. Managers don’t understand it and probably never will. But you ignore it at your peril. Kinda like love.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.