Are Hackers Inefficient?

It’s been a very interesting first day at the Security and Human Behavior 2012 conference, chaired by computer security guru Bruce Schneier.

A number of speakers agreed on a basic description of computer security vulnerabilities: (1) there is a long run-up period where vulnerabilities exist but are not exploited; and (2) an exploit is developed and other attackers adopt it rapidly.

That raises the question — are the hackers (collectively) being efficient? The analogy is to the debate in economics about the Efficient Capital Markets Hypothesis (ECMH).  The ECMH essentially says that you cannot expect to get above-normal returns — the market is efficient and you can’t beat the market.  (Since the 2008 crash there has been lots of new doubt about the ECMH among mainstream economists.)

The long period of non-attacks at least raises the possibility that there is “inefficiently low investment in hacking.”  I use “inefficient” here in a special sense — the market is “inefficient” if there are attack strategies for the hackers that are likely to get a high risk-adjusted return.  When there are so many vulnerabilities that are not attacked, the idea is that hackers collectively quite possibly are leaving money on the table.

Of course, a certain level of non-attacks is rational.  Suppose you expect to spend $1000 in time and effort to write an attack, and the expected pay-off is only $700.  Then we rationally don’t see that attack.  But the large number of existing vulnerabilities at least hints that if you spend $1000 then you might expect a big pay-off, such as $5000. After all, the attacks get used a lot once they are publicized, showing a potential pay-off.

I actually wrote about the ECMH and computer security in a 2004 article called “A Model for When Disclosure Helps Security: What is Different About Computer and Network Security?”  But it was a short discussion at the end of a piece that people read for other reasons.  The computer security folks at the conference today hadn’t worked through the comparison and seemed intrigued — I think it might be a fruitful way to think about vulnerabilities and hacker behavior.

7 Responses

  1. Ken Rhodes says:

    There is *absolutely no doubt* that the great majority of hacking is terribly inefficient, in the sense that you are using the term.

    The ECMH is absurd. “The market” (not the underlying concept of “investment”) is a zero-sum game. If nobody could consistently beat the market, then nobody could consistently lose to the market. Believe that???

    The absurdity, of course, relates to the theme of another of my favorite blogs: “Everyone is entitled to his own opinion, but not his own facts.” The ECMH states, in essence, that the facts are all there is, and there is no relevance to opinions (i.e., interpreting the facts). Believe that???

    In re hackers and hacking, of course, the same rule applies: If everyone (i.e., “the market”) has full information, that’s still a long way from saying everyone will reach the same conclusions, or gain the same benefit from that information. Furthermore, the capital market is hundreds of years old, and yet we still have lots of folks doing a mediocre job there, and a few doing much better. The “hacking market” is still in its figurative infancy. A hundred years from now we should revisit the question of how it’s doing.

  2. PrometheeFeu says:

    @Peter Swire:

    I’m not sure why you would conclude that hackers are inefficient just because it takes time to identify vulnerabilities and develop exploits.

    The long wait followed by quick bursts of activities actually makes a lot of sense in an efficient market. Consider earnings reports. Nobody knows what they are for months at a time. Then suddenly, they are released and prices respond quasi-instantly. Yet, the capital markets are not considered inefficient just because the earnings reports take time to be made public.

  3. PrometheeFeu says:

    @Ken Rhodes:

    Can you please substantiate your claim that capital markets are a zero-sum game?

  4. Peter Swire says:

    My principal claim is that the huge ECMH literature (hundreds of academic papers) provides a useful source of ideas and analogies for the analysis of the economics of hacking. Investors and hackers are both trying to beat the market. There is a range of views about when & whether it is possible to beat the market. So computer security researchers can do thought experiments and think through empirical work by learning from the analogous, well-developed literature.

    On the idea that capital markets are a zero-sum game, that is the usual assumption of economists in the following sense — if someone wins $10 by buying a call option that works out, then someone else loses by selling that call option. By contrast, the overall effects of capital markets are not zero-sum — well-designed capital markets have many positive externalities, while corrupt/malfunctioning/badly run capital markets have negative externalities.

  5. PrometheeFeu says:

    @Peter Swire:

    I strongly agree. I have found the EMH to be a useful guide in thinking about many topics and I am sure it applies here. My claim was rather that the hacking market seemed very efficient.

    As for capital markets being zero-sum, I beg to differ. A major function of capital markets is to intermediate between actors with different risk preferences. This could hardly be described as an externality. Sure, a purely speculative capital market would be a zero-sum game, but I don’t think those actually exist. Most capital markets were after all created as risk management tools.

  6. Peter Swire says:

    On capital markets and zero-sum, there are many ways that well organized capital markets provide benefits in lots of ways.

    The zero-sum claim is sustainable, though, in the specific sense that someone who gains from a market move has zero sum with another party who loses from that market move.

  7. PrometheeFeu says:

    @Peter Swire:

    I don’t disagree that you can define a capital markets game in a very narrow sense to find a zero-sum game. But then again, you can do that with any trade (even apricots have price movements). Yet, we generally agree that most trade is a positive-sum game.

    Either way, your idea to apply the EMH to hacking is an interesting one.