Are Hackers Inefficient?
posted by Peter Swire
It’s been a very interesting first day at the Security and Human Behavior 2012 conference, chaired by computer security guru Bruce Schneier.
A number of speakers agreed on a basic description of computer security vulnerabilities: (1) there is a long run-up period where vulnerabilities exist but are not exploited; and (2) an exploit is developed and other attackers adopt it rapidly.
That raises the question — are the hackers (collectively) being efficient? The analogy is to the debate in economics about the Efficient Capital Markets Hypothesis (ECMH). The ECMH essentially says that you cannot expect to get above-normal returns — the market is efficient and you can’t beat the market. (Since the 2008 crash there has been lots of new doubt about the ECMH among mainstream economists.)
The long period of non-attacks at least raises the possibility that there is “inefficiently low investment in hacking.” I use “inefficient” here in a special sense — the market is “inefficient” if there are attack strategies for the hackers that are likely to get a high risk-adjusted return. When there are so many vulnerabilities that are not attacked, the idea is that hackers collectively quite possibly are leaving money on the table.
Of course, a certain level of non-attacks is rational. Suppose you expect to spend $1000 in time and effort to write an attack, and the expected pay-off is only $700. Then we rationally don’t see that attack. But the large number of existing vulnerabilities at least hints that if you spend $1000 then you might expect a big pay-off, such as $5000. After all, the attacks get used a lot once they are publicized, showing a potential pay-off.
I actually wrote about the ECMH and computer security in a 2004 article called “A Model for When Disclosure Helps Security: What is Different About Computer and Network Security?” But it was a short discussion at the end of a piece that people read for other reasons. The computer security folks at the conference today hadn’t worked through the comparison and seemed intrigued — I think it might be a fruitful way to think about vulnerabilities and hacker behavior.