TCS Daily

Security Intervention?

By Arnold Kling - October 1, 2003 12:00 AM

"As a result of Microsoft's concerted effort to fortify and expand its monopolies by tightly integrating applications with its operating system, and its success in achieving near ubiquity in personal computing, our computer networks are now susceptible to massive, cascading failures."
-- Computer and Communications Industry Association

A report commissioned by an industry trade group makes the following arguments:

1. Microsoft software has security flaws.

2. Microsoft software is dominant in the market.

3. Virus writers are motivated to target computers running Microsoft software, because of its flaws and its market dominance.

4. Viruses that penetrate Microsoft software spread widely, because of its market dominance.

5. Security flaws and viruses are costly to Internet Service Providers and to users of Microsoft software.

6. Therefore, the government should step in and regulate Microsoft in ways that would reduce its market dominance and enhance the position of its competitors.

All of the premises of the argument are reasonable. However, the conclusion should be taken with a grain of salt. While the authors of the CCIA study know a ton more than I do about computer security, I think that their technical knowledge could stand to be bolstered with an understanding of markets and regulation.

Software and Economics

Software is like economics in that trade-offs are a central concept in both disciplines. To get more of one characteristic, such as ease of use, you may need to give up some of another characteristic, such as security. There are dozens of trade-offs in software, many of them quite subtle.

One example of a subtle but important trade-off is between ease of learning and ease of use. Hal Varian describes how this trade-off works in the context of a monopolist.

"...a monopoly provider of software generally invests the right amount of resources in making the software easy to learn, but too little in making it easy to operate. In some extreme cases a monopolist may even make the software too easy to learn."

Although Varian's paper was written before America Online became a household word, I think it may apply to AOL. AOL has always been easy to learn. However, if you have learned to surf the Net using other software, then chances are that you would find that on AOL some tasks are difficult -- or impossible -- to perform. If so, then this illustrates the trade-off between designing software to be easy to learn and designing software that is easy to use once you have learned it.

Security, Continuity, and Integration

I am not an expert in computer science, but it strikes me that most of the security weaknesses in Microsoft software come at the "seams" between its "integrated" applications. For example, plain text email seems to be safe. However, the ability to open attachments, which helps to "integrate" email with word processing, spreadsheets, and other applications, creates security problems. Thus, there appears to be a trade-off between integration and security.

I suspect that if Microsoft could start from scratch, then they could make the operating system secure in an environment with integrated applications. No trade-off is carved in stone, and with enough programming resources you can overcome a trade-off.

However, I suspect that the problem is more complex for Microsoft, because they cannot just start from scratch. My guess is that the challenge is compounded by the need to provide continuity among different versions or generations of Microsoft software. Someone may have downloaded the current version of their email software, but it is being used along with a three-year-old version of their word processing software on a four-year-old version of the operating system. People expect these to be integrated, and Microsoft complies -- but the integration is likely to be less than elegant.

Buyers and Trade-offs

Software buyers also face trade-offs. In 1997, when I was in charge of a commercial Web site, I chose not to use Microsoft software for the Web server. Instead, I picked a competing product, because it ran on an operating system that crashed less frequently. However, there was a trade-off for me. I had to learn a more difficult programming language for Web applications than what I would have been able to use with the Microsoft server.

For electronic mail, I use a shareware product. I do this specifically because I believe that it reduces my vulnerability to viruses, although I cannot prove that this is the case. The trade-off is that I miss out on some features of the Microsoft email client, particularly since they tend to enhance it more dramatically than does the author of my shareware.

Many geeks use the Linux operating system on their desktops. Reportedly, they experience fewer freeze-ups than Microsoft users. One trade-off is that some applications are not available to them. Anecdotal reports suggest that another trade-off is that Linux can crash in ways that are very ungraceful. That is, when something goes wrong, it tends to take a lot more time and effort to recover and people tend to lose more data.

Should Market Choices be Overridden?

The buyers of Microsoft software are consenting adults. That does not mean that all Microsoft users are happy -- if you work for an organization that standardizes on Microsoft, you may have had no voice in the decision. Still, somebody somewhere looked at the trade-offs and decided to purchase software from Microsoft instead of a competitor.

Economists are wary of overriding the market decisions of consenting adults. Another way to put this is that in a two-sided market, any regulation that changes the trade-offs for Microsoft also has the effect of changing the trade-offs for software buyers.

One rationale for government intervention in software is that buyers are uninformed. For example, if I do not know about security flaws that increase the cost of Microsoft software relative to that of other software, then perhaps I would have chosen differently had I possessed more information.

I suspect that the people with the strongest incentive to make the right choice in software purchasing are the decision-makers at large private corporations. If the cost of Microsoft's security flaws is greater than the benefits of continuity and integration, then private corporations ought to be able to figure this out and change their buying habits. If they do not change their buying habits, then I believe that the government ought to be really cautious about assuming that it has better information.

Negative Externality?

A more plausible case for market intervention would be one based on externality. The theory would be that by using Microsoft software, in addition to increasing my own risk of incurring costs of viruses, I increase everyone else's risk. The increase in risk to others is a cost that I do not take into account, because I do not pay for it. It is what economists call an "externality." When there is a negative externality, as in this case, the standard economic prescription is for a tax in proportion to the externality. Thus, I should perhaps pay a tax when I buy Microsoft software, and this tax could be used to help defray the costs of Internet Service Providers or others who suffer because I contribute to security risks.

The argument for taxation is intriguing. However, in a world of trade-offs it is important to be careful. Another rule in economics is that you should try to directly tax the behavior that creates the cost. The more indirect the tax, the more unintended consequences and distortions can result.

For example, if you want to reduce automobile emissions of dangerous gases, then you should tax those emissions. Instead, if you tax new cars with high emission rates, for example, the result will be to distort the market. It may even cause people to hang on to older cars longer, making the emissions problem worse.

Similarly, taxing new software could lead people to hold onto older software longer. That probably would not help solve security problems.

Private-sector Solutions?

If I were the chief technology officer at a large corporation, my instinct would be to configure email so that it can only handle plain text, without attachments. Anything fancy would have to go to a central server, where it can be scanned for viruses. If you want to send me a word processing document, you put it on the server first, and then send me an email telling me where to find it. If Microsoft's email cannot be reconfigured this way, then I would give Microsoft a deadline to either modify its software or lose my business.

My goal would be to improve security. The trade-off is that it would be more difficult for my company's employees to send and receive email that has fancy layout, graphics, and attachments. I am also creating the extra expense of providing for and managing the central server. On the positive side, however, limiting email to plain text would greatly reduce the cost of processing and filtering spam.

There are security holes elsewhere in Microsoft products, but those holes strike me as less important. For example, in the server market, switching to a competitor is a low-cost solution. It does not create the headaches involved in trying to train and equip all of your employees with new desktop software.

I am not a corporate chief technology officer, and I do not see any signs of the market moving to implement my suggestions. However, I am confident that the private sector will do a better job of finding a way to reduce security costs than what might be achieved with government regulation.

