DCSB: Risk Management is Where the Money Is; Trust in Digital Commerce

Robert Hettinga rah at shipwright.com
Wed Nov 11 06:33:24 PST 1998




--- begin forwarded text


To: dcsb at ai.mit.edu
Subject: Re: DCSB: Risk Management is Where the Money Is; Trust in Digital
Commerce
Date: Tue, 10 Nov 1998 23:40:49 -0500
From: Dan Geer <geer at world.std.com>
Sender: bounce-dcsb at ai.mit.edu
Precedence: bulk
Reply-To: Dan Geer <geer at world.std.com>


<per several requests>


-----------------8<----------------cut-here----------------8<-----------------



Nominal delivery draft

-------------------------------------
Risk Management is Where the Money Is
-------------------------------------

Digital Commerce Society of Boston
3 November 98

Daniel E. Geer, Jr., Sc.D.
Senior Strategist, CertCo, Inc.
55 Broad Street, NYC, and
100 Cambridgepark Drive, Cambridge
geer at certco.com


Given my biases, I am going to describe where the future of the
security marketplace is and where it is not. I will argue that the
financial community is and remains the place to look for "first light"
for new security technology. I will give you a rundown of what's new
while I predict what little time is left for many of today's products,
purveyors and regulators. I will argue that, in many ways, the party's
over for the security field as we know it now. I will range broadly
because security, as a concept, is universal.

"Nothing is so powerful as an idea whose time has come."  For security
technology, that time is now. IBM lists the three requirements of the
"e-business" future as: #1 security, #2 scalability, and #3
integration. Forrester, Gartner, META, Yankee and all the other
analysts agree -- the most important enabling technology for electronic
business, besides network connectivity itself, is security. AD Little
estimates that security, privacy and the legal issues of digital
signature together constitute over half of the quantifiable barriers to
electronic commerce. There are whole venture funds whose investment
focus is around security.  Security startups are everywhere; so are
security books. The word "security" is hardly rare in employment
advertisements.  You cannot walk a trade show and not see the word
"security" in screaming big type. The number of security meetings is
preposterous.  Presidential Commissions are busy spending real money on
security for the information systems that run the country.

"In the future, everyone will each get 15 minutes of fame." That
applies to security, too.  Today's security specialty companies cannot
all survive; they can be eclipsed by the platform vendors too easily.
Only platform vendors can deliver security that is integrated enough to
scale and invisible enough to ignore.  Even the Justice Department
knows that once something is in the operating system, any independent
market for it collapses. Yes, security's time may well have come, but
in a Warhol world, that would mean that it is about time to go.

The focus of "security" research today is the study of "trust
management" -- how trust is defined, created, annotated, propagated,
circumscribed, stored, exchanged, accounted for, recalled and
adjudicated in our electronic world.  This is natural because security
is a means and not an end.  This is mature because all technology
differentiates along cost-benefit lines.  All the security technology
that you can buy today enables some aspect of trust management and
novel variations show up daily.

You can walk out of this hall and buy systems that use passwords that
get local machines to trust you enough to let you in. You can buy smart
cards that can do your cryptographic calculations for you, respond to
challenges, hold your keys inviolable or, more interestingly, have
identities of their own and serve merely to introduce you on their own
terms. You can buy biometric devices that look at your voice, your
face, your retina, your fingerprint, or even the idiosyncrasies of how
you learned to type and so say, "Yep, that's the guy." You can get
systems that are sufficiently hardened that you can rely on them if for
no other reason they are so nearly useless no one would want to break
in. You can still get your hands on security systems in the raw and
roll your own directly from source-code.  You can, anywhere, anytime,
spin-up virtual private networks that are trustworthy protectors of
your confidentiality however hostile the intervening wires are. You can
even deliver privacy between strangers -- nearly a matter of creating
trust in order to propagate it. You can put a document into the
Eternity Service and trust that it can never be erased or you can put
it into a cryptographic file system and trust that it can never be
found.  Simple? Yes; academics and entrepreneurs alike are busy
supplying ways to propagate trust.

They have it all wrong.

If you ever took a course in probability then you know that many
problems are solved by calculating their dual -- the probability of
"not X" can be a whole lot more tractable than figuring Pr(X) directly.
If you're in a security-based startup company, then you'll know that
making money requires making excitement, even if the excitement is
somebody else's public humiliation. And all of you can agree that the
more important something is, the more it must be managed. Trust
management is surely exciting, but like most exciting ideas it is
unimportant. What is important is risk management, the sister, the dual
of trust management. And because risk management makes money, it drives
the security world from here on out.

Every financial firm of any substance has a formal Risk Management
Department that consumes a lion's share of the corporate IT budget.
The financial world in its entirety is about packaging risk so that it
can be bought and sold, i.e., so that risk can be securitized and
finely enough graded to be managed at a profit. Everything from the
lowly car loan to the most exotic derivative security is a risk-reward
tradeoff. Don't for a minute underestimate the amount of money to be
made on Wall Street, London and/or Tokyo when you can invent a new way
to package risk. The impact of Moore's Law on the financial world is
inestimable -- computing has made that world rich because it has
enabled risk packaging to grow ever more precise, ever more real-time,
ever more differentiated, ever more manageable. You don't have to
understand forward swaptions, collateralized mortgage obligations,
yield burning, or anything else to understand that risk management is
where the money is. In a capitalist world, if something is where the
money is, that something rules.  Risk is that something.

Security technology has heretofore been about moving trust around as if
risk is definitionally undesirable and reliable trust management simply
obviates the issue of risk.  It does not come close. In two years' time
the "trust-hauling" market will be somewhere on the down-slope between
legacy and dead.  Risk management is going to take over as the dominant
paradigm because risk management can subsume trust, but trust
management cannot subsume risk. The Internet has made this so.

The Internet is irresistible because it lowers barriers to entry on a
global basis -- global in both space and time.  Ever more important
parts of the world's economy exist only in cyberspace, and lead times
have entirely collapsed.  Every professional fortune teller is bidding
geometric increases in the dollar volume of electronic commercial
activity. But when there is enough booty available, even absurdly
difficult attacks become plausible. This is the world we are in. It
will never be possible to really do the job of trust management any
more than it is possible to really win an arms race or really preclude
your car from being stolen. But risk management -- that is doable and
it is doable at a profit. The proof is all around us.

We are a score of years down this road. 1978 was a vintage security
year; the remarkable papers by Rivest, Shamir & Adleman and Needham &
Schroeder were published, both in CACM as it happens. The former
introduced public key ideas and the latter created Kerberos. The
counterpoint between these two technologies is instructive. Both
symmetric cryptosystems, like Kerberos, and asymmetric cryptosystems,
like RSA, do the same thing -- that is to say they do key distribution
-- but the semantics are quite different. The fundamental
security-enabling activity of a secret key system is to issue fresh
keys at low latency and on demand. The fundamental security-enabling
activity of an asymmetric key system is to verify the as-yet-unrevoked
status of a key already in circulation, again with low latency and on
demand. This is key management and it is a systems cost; a secret key
system like Kerberos has incurred nearly all its costs by the moment of
key issuance. By contrast, a public key system incurs nearly all its
costs with respect to key revocation.  Hence, a rule of thumb: The cost
of key issuance plus the cost of key revocation is a constant, just yet
another version of "You can pay me now or you can pay me later."

Because of the tradeoffs between who pays for what part of the systems
cost and who gets the benefit, secret key systems and public key
systems have different fields of use. Secret key systems are fast and
offer revocation at no marginal cost. Public key systems are slow but
they enable digital signature and thus enable proof of action,
non-repudiation as it is called. Secret key systems are the default
choice within an organization while public key systems are the default
choice between organizations, i.e., secret key for where security is an
intramural concern intramurally arbitrated, and public key for where
security is extramural thereby requiring recourse to a third party
judge in cases of dispute. The relentless blurring of what is
intramural and what is extramural will favor public key over time.

Because a trust management paradigm says that a digital signature is
only as valid as the key (in which it was signed) was at the moment of
signature, it is only as good as the procedural perfection of the
certificate issuer and the timely transmission of any subsequent
revocation. **These are high costs.** In fact, the true costs of
general public key infrastructure are so extraordinarily high that only
our collective ignorance of those costs permits us to propel ourselves
toward a general PKI as if it were a panacea.  When, not if, the user
community at large realizes this, we "security people" will have but
two choices, compromise on (gloss over) the quality of trust that
public key can deliver or back off from the claims of full trust cheap.
In other words, we'll have to fit the benefit to the endurable cost or
fit the cost to the requisite benefit.  Since, as a rule of thumb, to
halve the probability of loss you have to at least double the cost of
countermeasures, any finite tolerance of cost means an upper bound on
how much security you can get. In the fullness of time, security
technology will be evaluated on the same cost-benefit-risk tradeoff on
which other technologies are evaluated. This is the price of maturity;
this is the price not yet paid.

Do not misunderstand me; public key technology, secret key technology,
security technology in general are daily reaching new levels of
protective capability. What they cannot protect against is being
over-sold, and they are being over-sold. Why is that?

The days when the Internet was a toy are gone even if a high percentage
of its new investors are still coming in merely to avoid looking dowdy.
The real question on the table is: When does the Internet become more
like the data center? And what does making the Internet more like the
data center mean? At a minimum, it means metered use.  Discussions are
already widespread about requiring Internet postage; large ISPs will
probably demand it, existing postal services would love to sell it and
data centers, such as the financial giants, will get a better handle on
what goes in and out the door. At least one Wall Street bank already
does charge-back for network bandwidth consumption and their internal
electronic security regime plays a role in assigning those costs just
as, in turn, their security group manages the user database via
incremental updates rather than fresh full copies so as to minimize
their bandwidth charges. That's not postage, but it is close and it is
now.

Incremental use charges are but one example, interesting mostly because
they are a near term step toward making the Internet into a data
center. The fundamental value of the data center is the information it
holds. The past few years have seen data warehousing, data mining and
now connection of the data center to the Web, data publishing if you
will. MVS, for example, has a really good web server and someone in the
audience will have to convince me that there is a difference between a
1970's central time-share machine and an MVS web server in a swarm of
"thin clients" on fast networks. It certainly isn't the direct wire
connection -- SSL simulates that well enough. It surely isn't the
management model; the MIS director who had declared defeat in desktop
configuration management will, you can be sure, rejoice at getting
control back.

In the mainframe world, you move the computation to where the data is.
In a client server world, you move the data to where the computation
is. Web servers front-ending corporate databases attached to virtual
private networks full of some universal client like a web browser sure
sounds like a resurgence of the data center to me. The IBM 390 is a
good machine and the Wintel cartel has pretty much ensured that no
upstart will enter their space. From Wintel's point of view, using all
those desktop cycles for display functions is just fine. Could it be
that simple?

Financial markets made SUN what it is today and vice versa -- SUN's
first big win, the first big demonstration that computing power had
risen to such a degree that moving the data to where the computing is
made sense, "the network is the computer" and all that. Financial
markets, in the sense of traders going head to head, used that power to
replace whom you knew with what you know and set off a
technology-as-weapon metaphor that has overtaken most of the business
world. Financial Markets, in the sense of Exchanges, now rely on a
dense spread of computing that exceeds what most of us have to deal
with; more than one major bank has 15,000 FTP jobs a night just moving
data to or from its data center. Plenty of staff at the NYSE lose $1000
apiece for every 15 minutes the Exchange is late opening due to IT
unavailability. No computing equipment is too expensive when trumped
with "I can make that back on the first trade." No small country runs
its currency anymore.

There was once no question that the fundamental purpose of an exchange
was to provide "an advantage of time and place" to those who would
trade on it and, in so doing, establish efficiency and liquidity
baselines against which others would be judged.  Beginning first with
the "Paperwork Crisis" in the 60's and reaching a crescendo after the
"Crash of '87," the Exchanges have been fully committed to electronic
commerce before that phrase meant anything.  But since the Internet,
time and place are meaningless and the Exchanges know it. They are
working hard to make oversight, fair play and quality of service into
new baselines. Clearly, security technology is #1 in their list of
requirements followed closely by scalability and integration.

Security in a financial world market that is both nowhere and
everywhere is a difficult thing to define well enough to solve, but if
there is anything to engineering as a discipline then it is that the
heavy work is in getting the problem statement right. So, to return to
my central premise, if new security technology is a result of
investment and if the investment in security technology is naturally
centered within the financial community, what is the problem statement?
** If we get that right, we can predict the future. **

I submit that the problem statement is how to bring a transactional
semantic to the Internet. This is not a new problem, but it is an as
yet unsolved one. The existing financial markets want transactions
because transactions are what they are about and transactions are what
they know. Upstarts like the payment vendors want to be the first to
deliver transactions and disintermediate the financial firms.
Technical legal beagles reason that there is no transaction without
recourse, no recourse without contract, no contract without
non-repudiation and no non-repudiation without digital signature.
Anyone who wants to do business on the Web needs transactions.

Hal Varian, an economist and Dean of the Information Management School
at Berkeley, taught me that what the Internet changes more than
anything else is that it brings the efficiency of auction to markets
that never had that option.  This is a cover story in this week's "The
Industry Standard." Auctions need security technology because what
makes an auction an auction is the ability to conclude a transaction
which, by its own execution, "discovers" a price. In other words, the
nature of the world's economy is changed by the existence of the
Internet, but only on the condition that electronic transactions are up
to the job.

So what do I mean by "transaction?" I mean a non-repudiable
communication between two parties who can each verify the time-, value-
and content-integrity of that communication, who can presume
confidentiality of that communication, who can verify the authenticity
and authorization of their counterparty and who can present all these
evidences to third party adjudication should there be a need for
recourse at any arbitrary time in the future. **Every single part of
that definition begs the question of security mechanism.**  It is on
that basis I claim that the security technology of tomorrow will be
crafted in response to the unmet needs of financial markets today.

As an example, your handwritten signature on a check is what, in
principle, authorizes that funds move from A to B. In truth, from a
bank's point of view, actually verifying handwritten signatures is a
transaction cost that is not worth bearing unless the cost of
verification is less than the risk of loss. At the largest banks, the
threshold dollar amount below which verification does not really happen
is a closely guarded number, but it generally exceeds $20,000 and still
they have platoons of people doing this all day, every day. Converting
the means of signature verification from a manual process into a
machine-able one would radically change the economics of check
processing. It would add billions to lines and do it from the
cost-avoidance side of the ledger.

But that is not all. Some $300B of U.S. payments are made every day of
which only $60B are in the form of checks; the balance is largely in
cash transactions of $5 or less. From both the merchant's and the
bank's perspectives, getting rid of cash would be a huge win because
handling costs for small dollar amounts often exceed the profit margins
on the underlying sales.  While the consumer may well adopt cashless
payment out of some sense of convenience, the financial side of the
house will enable it to avoid costs.

Only this morning, Frost & Sullivan released a study that defines
e-commerce as "commercial transactions taking place over the Internet
with exchange of value in real time."  Web payment sparked numerous
startups with numerous different mechanisms. It is too late for you to
enter this market, but it is not too late for those payment-systems
vendors to rethink what they are trying to do. All of them are
suffering because the volume of Web-based retail business has not
picked up as fast as their business plans had presumed. For the retail
customer, the main thing the Web offers is product discovery; a good
print catalog and an 800 number are otherwise hard to beat. It is clear
that the real money in Web commerce is in business-to-business
commerce, but there the supply chain has a lot more complication and
the kinds of security mechanisms need to be better than those for
buying a toaster oven.  Whereas retail commerce is about small dollar
amounts and stranger-to-stranger transactions through a financial
intermediary like a credit-card company, business-to-business is more
about relationships, the dollar value of the sale is much bigger, and
banks play a direct role (through letters of credit, collateralized
bills of lading, etc.)

B2B commerce does not have a good solution yet. If you want to sell
into this market, be aware that the customer will buy either to avoid
costs he has now or to make revenue he doesn't have yet. In the case of
saving costs, you'll have to sell him the technology on a turnkey basis
-- he will not cut you into the transactional revenue stream. If you
can really show that your technology will make him revenue he did not
have a chance to make otherwise, you may be able to get a piece of the
revenue stream, but do not underestimate the cost-avoidance focus of
big buyers and sellers. As far out as 2005, over half the
Internet-transactions will be transactions converted from paper and
credit/debit cards, not new transactions. **When selling into a
cost-averse market you automate rather than revolutionize, and you do
not get a piece of the action.**

Everyone likes to talk about "disintermediating the banks," that is
making the intermediary role of banks in commerce less essential by
performing that service in some other way. Bill Gates is widely quoted
as saying that "Banks are dinosaurs." At the highest end, they are not
dinosaurs and they are not about to be disintermediated.  Whilst the
banks have a natural affection for their income streams, that doesn't
prevent disintermediation. Most wiseguys trying to disintermediate the
banks misunderstand what banks do. This is what they do: They interpose
their balance sheet between the expectations of the counterparties to a
transaction and the risk of default on either of their parts. They
undertake stop-loss protections against credit risk, insolvency,
operational failure, currency fluctuation, diversion of funds delivery,
etc. In other words, they manage risk because they can absorb loss.
**Electronic commerce payment technology cannot absorb loss, so it
cannot and will not disintermediate the banks.**

Think of this this way: All public key technology is driven to make a
digital signature verifiable, i.e., it is about quality control and
guarantee on the signature itself. This is a stunning thing, but it is
not the whole equation. The intermediation role that banks play is to
guarantee the transaction, i.e., it is broader than just the
verification of a signature. The bank's know-how and its balance sheet
are not something that can be replaced by a cryptographic calculation.
The ability to avoid loss never makes up for the ability to absorb
loss.  The cryptography guarantees the signature; the bank's capital
guarantees the transaction. **Risk control encapsulates trust.**

In the midst of this, you might say "What are the standards?" in the
sense of "What do the formal standards groups have to say?" The banking
world is regulation rich and standards rich, too, which begs the
question -- "Which standards matter?" The world of the Internet is
making some of the banking-centric standards passe' but, unlike the
combination of standards and regulations the banks are familiar with,
the standards groups of the Internet cannot take on accountability for
the implications of conformance/non-conformance though they continue to
define it for others. This makes Internet standards substantially
difficult to swallow because there is no accountability, nor can there
be. The absence of enforcement guarantees that the only Internet
standards that will really get attention are those that promote
interoperability across jurisdictional boundaries. Ironically, this is
all the pioneers of the Internet ever wanted.

What the banks want, and I assure you they will get, is a set of
cryptographically sophisticated tools that move the risks of the
Internet from open-ended to estimable. In a sense, this is like
insurability. It is probably apocryphal, but the story goes that a
major investment firm with a Web commerce idea went to a big insurance
company to seek stop loss protection. The conversation supposedly went
like this:

   "How big is the potential loss?"
   "We don't know."
   "How likely is a loss to occur?"
   "We don't know."
   "How much is your company worth?"
   "This much."
   "That's the premium; send it in."

Whether true or not, it illustrates the point -- the issue is getting a
handle on the risk such that it can be priced.  Every one of you who
has tried to sell security technology has discovered that the only
willing customers are those who either (1) have just been embarrassed
in public or (2) have just learned that they are facing an audit.
Everyone else is an unwilling customer.  We've been dumb about this;
we've tried to sell security as a means to establish trust but we've
done it by railing about threats. It's no damned wonder that we haven't
sold much. I know I have often wondered if my market might not explode
were I to get just one of the big loss-prevention insurers to make good
security practices and technology into an underwriting standard.  Then,
just like "Do you have sprinklers?" everyone is forced to confront
whether they want to pay for security or pay for non-security. I am
confident that the insurers could soften up my targets a lot better
than I can.

Let me tell you, they are about to. Insurability of Web commerce is
essential, and no insurer is going to accept "We don't know" as an
answer. They will say "Send it all in" and they'll mean it. The demand
side for security technology is exploding but it isn't quite the
security technology we have on hand.

If a digital signature has the uniquely irreplaceable property of
providing proof to a judge, then the role of a "trusted third party" is
going to become more important over time, not less.  Think of it this
way: when I get a certificate issued to me by a certifying authority, I
do have some risk around whether the CA is well operated or not. This
includes the probability they will issue a certificate with my public
key but someone else's name and whether when I tell them that my key
has been compromised they will spring into decisive action. Most of
that risk I can handle by a combination of due diligence and contract.

However, when I give my certificate to you and say "Hi, I'm here from
Central Services to fix your system" it is you that's in a risky
position. You have to say "Is this certificate valid?" That means you
have to check that the certificate is not listed as revoked, that the
signature on the certificate is well formed, that the certificate
authority which issued this certificate itself has an identity
certificate that is itself validly signed, that the certificate
authority is itself not in any trouble with revocation, and so
forth, ** recursively. **

The full cost of revocation testing is proportional to the square of
the depth of the issuance hierarchy.  In other words, this exceeds the
intellectual capacity of most certificate recipients. This means that
most recipients cannot themselves rely on the security technology to
establish trust beyond the shadow of doubt. Instead, if recipients are
smart, they will turn again to the insurance world just as risk holders
have done whenever they cannot afford to carry on their books the
consequences of a remotely unlikely event. For the insurer, he will
underwrite a guarantee on the transaction for a fee that will reflect
his experience with the CA's practices, the kind of transaction
undertaken, the dollar amounts involved, etc.  This will seem sensible
to all parties because it is so familiar.  This is risk management
underwritten by financial intermediaries.  This is where we will
shortly be.  This is the card eight major banks and CertCo played ten
days ago -- the formation of "a global network of compliant businesses
that use a common risk management framework." **This is where we
securitize the transactional risk of electronic commerce.**

There is one potential fly in this ointment, and I do not intend to
dwell on it, but I cannot get this far and not mention the threat to
strong security apparati of having them undermined by key escrow.
Corporate policies and laws alike have always been defined in a
territorial way that relies on clearly identifiable borders, physical
locations where the policy or the law come to an end. But in the
electronic world borders are meaningless. In some sense, sovereignty,
based as it was on the idea of a border, is less meaningful now than
for some centuries. In its place is a different kind of sovereignty,
because the only borders in an electronic world are cryptographic ones.
As such, the debate over who may or may not have a key known only to
themselves is a proxy discussion for who may or may not have
sovereignty within a cryptographically defined space.

There are hard questions yet to answer. Compromised keys are revoked
effective not to the moment of suspicion of compromise but rather
retroactively to the last known time when the key was safe. In the case
of escrow, should not a key's owner retroactively revoke it to the
moment of its seizure from escrow should the owner later discover that
it has been so seized? Or if a revoked key is only revoked by the
action of the certifying authority signing a revocation notice in a
special key, can that revocation-signing key itself ever be revoked? If
it could, would that not invalidate (reverse) any revocations signed in
it and what does that mean? I only offer these so that you do not
equate my argument about the near-inevitability of investment in public
key technology and digital-signature-dependent activities with some
presumed infallibility of the technology or our understanding of it.
These questions will be settled one way or another, but they remain
open as we speak here today, and there is money to be made.

I have tried to lay out my estimation on which way the tide is running
and which moon's gravity matters. I could be completely wrong, or
merely overstating what my biases bring me, but I think not. I think
that just as the best estimate of tomorrow's weather is today's, the
best estimate of how the Internet and the financial behemoths will
interact is for the Internet to be driven, as a side effect, by the
cost-reduction and profit-incented strategies of those financial
behemoths.  They already transcend national boundaries and their
investment decisions do run the world.  Were this to get enough
investment, it might make security a solved problem at least as I
define "solved" to mean "consistent with risk management in the
insurance style." Since that would collapse the market for novel
security add-ons, I strongly suggest that as you prepare your business
plans you figure out how to be, as Tom Lehrer would say, a doctor
specializing in diseases of the rich.

This is a very exciting time and it is a privilege to be a part of it.
When we are all relics in rocking chairs, we will still know that we
were present at the creation. I know that I will count myself
particularly lucky, including for your close attention these past few
minutes.

Thank you for the honor of speaking with you.


END




--- end forwarded text


-----------------
Robert A. Hettinga <mailto: rah at philodox.com>
Philodox Financial Technology Evangelism <http://www.philodox.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
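
The check the forwarded talk says a certificate recipient must make (certificate not revoked, signature well formed, issuer's own certificate validly signed, issuer not revoked, and so on recursively) can be sketched as follows. This is an added example, not part of the original message or the speaker's material; the CA names, the toy RSA keys built from small constructed primes, the Cert/CRL data model and the fail-closed policy are all assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # RSA public exponent

def next_prime(n):
    """Smallest prime greater than n (trial division, fine at toy sizes)."""
    n += 1
    while any(n % f == 0 for f in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n

def keygen(seed):
    """Toy RSA key pair from two constructed primes just above seed. Not secure."""
    p = next_prime(seed)
    q = next_prime(p)
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))

def _h(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv, msg):
    n, d = priv
    return pow(_h(msg, n), d, n)

def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == _h(msg, n)

@dataclass
class Cert:  # hypothetical minimal certificate: a name bound to a key by an issuer
    subject: str
    issuer: str
    pub: tuple
    sig: int = 0
    def tbs(self):
        return f"{self.subject}|{self.issuer}|{self.pub}".encode()

@dataclass
class CRL:  # hypothetical signed revocation list published by one issuer
    issuer: str
    revoked: set
    sig: int = 0
    def tbs(self):
        return f"{self.issuer}|{sorted(self.revoked)}".encode()

def publish_crl(issuer, revoked, priv):
    crl = CRL(issuer, set(revoked))
    crl.sig = sign(priv, crl.tbs())
    return crl

def build_chain(names):
    """names[0] is the self-signed root; each later name is issued by the one before."""
    certs, crls, privs = {}, {}, {}
    for i, name in enumerate(names):
        pub, privs[name] = keygen(1_000_000 + 1000 * i)
        issuer = names[i - 1] if i else name
        cert = Cert(name, issuer, pub)
        cert.sig = sign(privs[issuer], cert.tbs())
        certs[name], crls[name] = cert, publish_crl(name, set(), privs[name])
    return certs, crls, privs

def validate(name, certs, crls, anchor, stats, seen=()):
    """Recursively validate name up to the pinned anchor (subject, pub). Fails closed."""
    cert = certs.get(name)
    if cert is None:
        return False, f"{name}: no certificate"
    if name == anchor[0]:  # recursion stops only at a key pinned out of band
        ok = cert.pub == anchor[1]
        return ok, (f"{name}: pinned trust anchor" if ok else f"{name}: anchor key mismatch")
    if name in seen:
        return False, f"{name}: issuer loop"
    issuer, crl = certs.get(cert.issuer), crls.get(cert.issuer)
    if issuer is None or crl is None:
        return False, f"{name}: issuer certificate or revocation list unavailable"
    stats["sig_checks"] += 1
    if not verify(issuer.pub, cert.tbs(), cert.sig):
        return False, f"{name}: bad signature"
    stats["sig_checks"] += 1  # the revocation list is itself a signed statement
    if not verify(issuer.pub, crl.tbs(), crl.sig):
        return False, f"{name}: revocation list not signed by issuer"
    stats["crl_lookups"] += 1
    if name in crl.revoked:
        return False, f"{name}: revoked by {cert.issuer}"
    return validate(cert.issuer, certs, crls, anchor, stats, seen + (name,))

def demo():
    names = ["Root CA", "Regional CA", "Issuing CA", "Central Services"]  # constructed
    certs, crls, privs = build_chain(names)
    anchor = ("Root CA", certs["Root CA"].pub)
    new = lambda: {"sig_checks": 0, "crl_lookups": 0}
    out, stats = {}, new()
    out["clean"] = validate("Central Services", certs, crls, anchor, stats)
    out["stats"] = stats
    # The root revokes an intermediate CA: everything issued beneath it must fail.
    good_crl = crls["Root CA"]
    crls["Root CA"] = publish_crl("Root CA", {"Regional CA"}, privs["Root CA"])
    out["revoked_intermediate"] = validate("Central Services", certs, crls, anchor, new())
    # An unsigned "empty" list substituted to hide that revocation is rejected.
    crls["Root CA"] = CRL("Root CA", set(), sig=0)
    out["forged_crl"] = validate("Central Services", certs, crls, anchor, new())
    # Same name and old signature, but a different public key swapped in.
    crls["Root CA"] = good_crl
    other_pub, _ = keygen(1_020_000)
    certs["Central Services"] = Cert("Central Services", "Issuing CA", other_pub,
                                     certs["Central Services"].sig)
    out["swapped_key"] = validate("Central Services", certs, crls, anchor, new())
    return out

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The counters in this sketch cover only one signature check per certificate and per revocation list; it does not attempt to model the cost figure quoted in the talk.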





