All capable states spy on each other. Enemy states spy on govt secrets and friendly states focus on industrial espionage. France, Israel and China are some of the most vigorous at industrial espionage. Like it or not that's how the world operates and, unfortunately, we can't simply wish that away.
If only we had some government agency that helped large companies be less vulnerable to industrial espionage, making sure that secrets stayed secret. Encouraging strong encryption, discovering and preventing software bugs, generally promoting computer security. Hmmm... A nation-wide security-focused agency. Maybe we could call it the National Security Agency?
Sounds great but that isn't the NSA's mission, not even the defensive mission. Their defensive mission is limited to DoD networks and national security related systems, and producing various recommendations.
DHS and/or NIST cover commercial and non-DoD government. But even then it is a voluntary and/or advisory capacity too - there is no authority to make a company fix a software product (unlike say a car defect, which gets into liability issues nobody wants to open for software).
As for discovering and preventing bugs, I think that would be a waste of time/effort in the current climate towards the NSA and software in general. Nobody is going to take a binary patch from them, nobody is going to submit their source code for review, any help given to a company would draw complaints from their competitors, and fundamentally as long as companies aren't actually liable for damages due to bugs or security issues, they aren't going to care much about spending money to improve the situation. A corporation would just rather add another clause to a EULA to disclaim more and more responsibility.
It's a free market failure since bottom line profits aren't affected so there is no incentive to improve. That leaves the question of whether the government should be subsidizing the business world's failure to meaningfully invest in bug fixes and security improvements.
My point isn't that the NSA should suddenly become that agency. My point is that it would be pretty handy to have an agency like that. And the joke is that the agency we have under that name is doing the opposite.
> That leaves the question of whether the government should be subsidizing the business world's failure to meaningfully invest in bug fixes and security improvements.
One good way to sum up what government is good for is "things the market can't or won't do on its own." So I'd say yes.
> "things the market can't or won't do on its own."
This is one of those situations - be careful what you ask for, you might get it.
Apple and Microsoft between them make $35 billion in profit a quarter (not picking on them, just examples) - corporations don't need government handouts for this, they need proper motivation which is absent because security issues don't cost them anything except PR.
Actual monetary damages would alter that however. Fines, penalties, liability assumption, etc. You really want to see that?
Otherwise, how would it work exactly?
Existing models of the FDA (and its drug approval process) or the DoT (and its ability to force auto recalls) would introduce monetary damages, legal liability, government authority to pull products, and regulatory approval as ways of addressing the free market ignoring costs related to security/defects - you really want to see that for the software market?
How would you REQUIRE corporations to have their code vetted by the "future software security agency" (FSSA)?
Or say FSSA provides reference implementations or reviews open-source code only? That's only part of the software universe, is it enough?
If participation is voluntary/optional, corporations still aren't going to care; they will need to be compelled to participate.
If you're looking for a model, consider the CDC. Or your local health department.
The world isn't neatly divided into things that people care about (and do) and things they don't care about (and therefore will never do). It's a continuum.
For example, many people in companies care about security but never have time to do enough. If you make it so that they can do more per unit of time, they'll do more.
I wonder if this even makes sense. Today multinational corporations are becoming sovereign trans-national governments. Why would the NSA want to help protect Corporation X or its US branch, if said corporation may be a potential threat to national security?
I have yet to see any single example of 'sovereign trans-national' corporations; AFAIK big companies are definitely from their mother country, no matter how many subsidiaries or branches they have.
There've been cases of big companies suing whole countries (Philip Morris vs Australia comes to mind). While they may be not technically sovereign entities yet, it seems to me that some megacorps have enough power to successfully compete with governments.
Sure, but they still remain US companies, and it's basically the main fact that allows them to do so (the US government negotiated treaties with countries so that US companies can sue their governments).
It's not necessary, it's just an easy way to get a short-term advantage. It fundamentally degrades our ability to interact peacefully on an international scale, and it is one of the reasons our politicians form a privileged class.
The only justification for it is "they did it first," which is both childish and irresponsible. Just because everyone else does it, doesn't mean it is correct, necessary, or justified.
No. The second use is to "keep them honest". It's not to gain a one time advantage or short term advantage, but it serves as a way to ensure your competition isn't doing monkey business.
It's not only an out-of-band communications channel but also provides a feedback loop. If your enemy or your competitor is engaging in something you all agreed is out of bounds, you can respond to it with the information you have gained.
EDS and Boeing will know if the other is underselling, bribing, receiving subsidies, etc. and be able to respond accordingly, for example.
Can you tell me what legal framework will allow you to undertake these investigations - to delve into and discover economic secrets? We have enough trouble extraditing criminals, never mind politicians from sovereign nations. What court makes decisions and who in the court is making those decisions, to whom are they beholden?
See how so many countries are rushing to resolve territorial disputes at the International Court of Justice? Only the plaintiffs.
I don't think he wished anything away, I think his point is that it reduces the value for all of us.
Maybe take it as an appeal to logic: if nations are to grapple with the issues raised by the NSA and her sister orgs in the Five Eyes countries, the best approach to raising the issue and proposing solutions (in my opinion) is to appeal to the logic of each individual and demonstrate how they are best served by dismantling these espionage operations.
I think it's wishful thinking. I knew of a guy who wanted to open a coffee shop. He got to know another existing coffee shop owner and picked his brain for the dos and don'ts. He said, I'll be opening a shop (in a diff city) and I see yours is doing well...
So what does he do? Opened a shop one block down and drove the first guy out of business.
That's correct. It wasn't wished away. Slavery and other forms of cheap labor were part of the human condition for millennia.
It took revolts, revolutions and changes in mores for things to advance to where they are today. Yes, some day, we may all enter a new world order where everything is placid. We're not there yet, and thinking we can wish ourselves there in the near future is, let's say, extremely optimistic, to the point of being wishful thinking.
Perhaps most important is that servitude and slavery became economically untenable.