Broken Windows Revisited: Why Insecure Software and Security Products Hurt the Global Economy

Geekonomics author David Rice on what a tailor can teach us about software security

Insecure software—and indeed the security products we use to protect software from exploitation—hurt our economic progress. This is true not only for the U.S. economy but for the rest of the world's, as well. This might sound nonsensical and hyperbolic at first. It is not. It is simple economics.

In my book, Geekonomics: The Real Cost of Insecure Software (Addison-Wesley Professional, 2007), I argue that software vulnerabilities are the broken windows of cyberspace. [See a CSOonline excerpt from Geekonomics: The Perversity of Patching.] Broken windows are significant in the eyes of criminologists. A broken window, if left unrepaired, sends a message of disorder into the community. This message of disorder invites greater elements of disorder and can, in the end, invite more serious forms of crime. As such, it can be argued that neighborhood decline is less a function of financial misfortune or poverty and more a function of inattention and sloppiness. Even poor neighborhoods, if the community is attentive, can experience a lower incidence of crime than neighborhoods that are less attentive.

Because software creates the environment of cyberspace, small elements of disorder in software (like software bugs), may lead to greater elements of disorder (like exploitation of vulnerabilities), which ultimately lead to more serious forms of crime (like cyber crime and cyber espionage). Historically, software manufacturers have not been liable for broken windows (software defects), even though software applications have been—and continue to be—shipped with an unknown number of latent and preventable weaknesses. Software does not "break" in use, as do physical products. Software is shipped by the manufacturer already broken (with the extent of the "brokenness" discovered at some later, unknown time).

In other words, software buyers—far from purchasing the equivalent of a shiny new home—are in fact purchasing a fixer-upper, where the number of broken windows in the new home is unknown both to the buyer and the manufacturer. In the story of software, our computers are broken even before we purchase them. We are buying into disorder and thus creating more of it. Aggressively patching software weaknesses does not inhibit the message of disorder in any meaningful way because software manufacturers release a continuous new stream of preventable software defects into the global stream of commerce almost on a daily basis. This is a shame. It is also far from the entire story.

Broken windows are also significant in the eyes of economists, if not more so. By way of explanation, let me start with a short story.

One day in a small village, a teenager throws a rock through the window of a local bakery and runs off before anyone can catch him. The shop keeper comes storming out, furious at the vandalism. His yelling attracts the attention of his fellow villagers, who at first are as displeased as the shop keeper at the event. After everyone has calmed down a bit, the more optimistic among the villagers remind everyone that this event, in a way, has an upside. If it were not for broken windows, the glass maker in the local village would not be necessary. After all, if broken windows never occurred, who would remain in the glass business? This event makes business for the glass maker. If a new window costs $100, the baker must pay the glass maker exactly that amount to get the window fixed. This, in turn, means the glass maker has $100 to spend on other items with other merchants, thus those merchants have money to spend on yet more items with yet more merchants, and so on and so on. In fact, the broken window has a cascading effect that benefits the whole village. While the crowd remains largely displeased over the teenager's actions, the villagers reluctantly conclude that the teenager has created some good. If this were the villagers reasoning, they might come to see the teenager as a benefactor, as opposed to a public nuisance.

This story may be a tad simplistic, but it has a point. Economists like stories such as this because what a story may lack in complicated detail, it more than makes up in illumination.

The reasoning of the villagers in this story is the same erroneous reasoning applied to natural disasters such as Hurricane Andrew, the second most destructive hurricane in U.S. history. The massive destruction of Hurricane Andrew meant thousands upon thousands of homes needed to be repaired or rebuilt, subsequently creating work for thousands of people and new invoices for thousands of replacement refrigerators, cars, windows, roofs and so on. The additional purchasing and employment is thought by some people to ultimately help the economy. Yet, like the village story above, this simply is not true. Let's find out why.

The reasoning about the broken window in the village, or the massive destruction caused by Hurricane Andrew, is correct insofar that the event did, in fact, immediately create more business. In the case of the village, the glass maker needed to make another window for which the baker was required to pay him. In the case of Andrew, builders needed to build or repair homes for which home owners were required to pay them. What is less obvious is that victims in both cases will be out the money (either in direct payments or increased insurance premiums) that they intended to spend on something else. This is bad.

In the case of the baker, he will be out $100 that perhaps he was hoping to spend on something else, such as a new suit. Instead of having an unbroken window and a new suit, the baker will now have a fixed window and no suit. Because the baker is a member of the village, the village has now lost a new suit that it would otherwise have, and therefore the village is just that much poorer.

What has happened here is not so much that the baker has paid the glass maker, but the baker has not paid the tailor. The tailor, having no demand to make suits, does not make any. Something of additional value that could have been created is not. An opportunity is lost. Demand is foreclosed, and need takes it place.

In short, the glass maker's gain of business is simply the tailor's loss of business. Though a broken window has been fixed, no new benefit has been added to the village as a whole, because the broken window has precluded the new suit.

If broken windows became common enough in the village, demand for new suits—or new washing machines or new TVs—would never arise. And the village would be just that much poorer for the absence.

The villagers, like the news media in the case of Hurricane Andrew, only see two parties in the transaction of the broken window, when in fact there are many more. The villagers only see the baker and the glass maker. The news media only sees home owners and builders. The villagers do not see the tailor because the tailor will now not enter the picture. The tailor is forgotten from the equation precisely because there will now be no demand for something he makes. The tailor is invisible but no less real.

As the message of Geekonomics attempts to convey, the real cost of something is not what we pay but what we have to give up in order to get it. In the case of the baker, he had to give up a new suit to fix his window, so in effect, he lost $100 as well as his new suit. The victims of Hurricane Andrew are in the same position. Victims of Andrew are spending extravagantly just to run in place, not to create demand for new items of value. The "village" is worse off because of it. Wealth is lost.

Against this background, then, is the story of insecure software and the security products we purchase to protect insecure software from exploitation. As Geekonomics argues, software vulnerabilities are the broken windows of cyberspace, vulnerabilities that communicate an unmistakable message of disorder in the global digital neighborhood. This disorder imposes a significant cost in terms of cyber crime and cyber espionage; yet, this cost is only the tip of the iceberg.

Unlike the young teenager in the village story, cyber attackers do not break windows; attackers discover windows already broken by the manufacturer. Once discovered, cyber attackers then use the defect to exploit the software and all the information it contains. In other words, cyber attackers do not throw rocks and thus create broken windows. Broken windows come with the product upon receipt.

Nonetheless, software vulnerabilities must be fixed, just like the baker must fix his broken window if he is to send a message of care and attention about his shop. Who likes to visit a rundown bakery or any disheveled food establishment? But because a broken window must be fixed, something else must be given up to fix it.

Insecure software must be patched, and while the patch might be free, the process of patching is not. The greater the number of computers under your control, the more difficult it becomes to keep everything patched. Patching becomes quite expensive.

And not only does insecure software have to be religiously patched but it also needs to be protected from exploitation because new, unknown vulnerabilities are discovered every day for which no patches might yet exist. In fact, software is full of latent defects. Neither the buyer nor the manufacturer have any idea about how many broken windows a given piece of software actual contains. Therefore, software must be protected with a fantastical panoply of security products like intrusion detection, firewalls, anti-virus and so on.

The $65 spent on a single instance of anti-virus software, the $3,000 spent on a firewall or the $254 per machine spent on patching software it all adds up to the exact amount of money that cannot be spent on something else.

And unlike the survivors of Hurricane Andrew or the village baker, software buyers aren't just spending to run in place; they're spending and losing ground. After all, software manufactures release a relentless stream of software defects into the global stream of commerce. Cyber crime and cyber espionage are increasing at astounding rates, despite massive expenditures to forestall the increase. This is not only bad; this is ruinous.

When software buyers purchase insecure software and security products to protect insecure software from exploitation, other things of value will not be created because buyers no longer have the extra money to purchase them. Instead of having high-quality, secure software and a new suit, software buyers now have patched or protected software and no new suit, no TV, no DVD player, no new car and so on. This makes the "global village" just that much poorer. Insecure software, and the security architectures we use to protect it, is far more expensive than we can ever imagine.

Just ask the tailor. ##

This article was originally published on Sandhill.com, a blog for software executives.

Related:
SUBSCRIBE! Get the best of CSO delivered to your email inbox.