About this author


Arnold Kling has a Ph.D. in economics from MIT; founded, one of the very first commercial websites, in 1994; separated from Homefair in January 2000 after it was sold to Homestore; is author of Under the Radar: Starting Your Internet Business without Venture Capital, and is an essayist. Send comments to us at

The Bottom Line


February 27, 2004

Security Oxymoron


Posted by Arnold

Is there a magic bullet that will provide the ultimate cure for network security? This man thinks so.

"There's no point in requiring security if there's no secure product," Clarke said. "If the US government made it a priority as important as the moon project to somehow figure out how to write software without vulnerabilities, we could do it, then require vital parts of the economy to use it."

The speaker is Richard Clarke, former chief of cyber-security under President Bush.

The experts I give credence to tend to believe that network security is a process, not a product. But somehow it does not surprise me that a government security expert would believe otherwise. I suspect that the very term government cyber-security expert is an oxymoron.

Comments (1) + TrackBacks (0) | Category: transparent society


1. Cypherpunk on March 2, 2004 02:06 PM writes...

Two points. First, the market failure here is the presence of negative externalities from running an insecure system. Your system's failure may impact my use of my system. For example, your system may become a source of DDoS or spam. Or more generally, it may swamp the network with attempts to propagate a virus or worm which has infected it. This kind of externality may be able to be addressed technically, with filters at ISPs to prevent misbehavior of end-user systems.

There are also impacts like those mentioned in the article, where the phone network or electrical grid goes down due to software attacks. However, these are not true externalities, as there exist contractual relationships among the parties so that the costs and benefits of security are properly reflected and accounted for.

My second point is that I'd say that Clarke has a point. A moon mission program could not write all the software that exists in the world securely; but it might well be able to write a secure microkernel and networking stack. Thousands of talented people working for ten years in a multibillion dollar program ought to be able to do that much.


