The myth of cyber-security 网络安全,神话不再

英文部分及图片来自“经济学人”杂志。译文是个人学习、欣赏语言之用,谢绝转载或用于任何商业用途。本人同意简书平台在接获有关著作权人的通知后,删除文章。

Computers will never be secure. To manage the risks, look to economics rather than technology.

计算机安全永远不会实现。控制风险需要寻找经济手段而不是技术解决方案。

COMPUTER security is a contradiction in terms. Consider the past year alone: cyber thieves stole $81m from the central bank of Bangladesh; the $4.8bn takeover of Yahoo, an internet firm, by Verizon, a telecoms firm, was nearly derailed by two enormous data breaches; and Russian hackers interfered in the American presidential election.

计算机安全这个说法自相矛盾。仅仅考虑过去的一年:网络大盗从孟加拉中央银行窃取了8100万美元; 电信公司威瑞森(Verizon) 和它48亿美元收购的互联网公司雅虎几乎被两次数据大泄露打翻在地(此句翻译错误,感谢@sucher指正。评论区有正解); 俄罗斯黑客干涉美国总统大选。

Away from the headlines, a black market in computerised extortion, hacking-for-hire and stolen digital goods is booming.The problem is about to get worse. Computers increasingly deal not just with abstract data like credit-card details and databases, but also with the real world of physical objects and vulnerable human bodies. A modern car is a computer on wheels; an aeroplane is a computer with wings. The arrival of the “Internet of Things” will see computers baked into everything from road signs and MRI scanners to prosthetics and insulin pumps. There is little evidence that these gadgets will beany more trustworthy than their desktop counterparts. Hackers have already proved that they can take remote control of connected cars and pacemakers.

除了那些头条新闻,计算机勒索黑市,黑客雇佣以及数字商品被盗情况正在快速发展。问题将越来越糟。计算机不仅能越来越多地处理诸如信用卡详细资料和数据库之类的抽象数据,也能应对实物和脆弱人体构成的真实世界。现代化的汽车是轮上电脑;飞机则是插上翅膀的计算机。 “物联网”的到来将使电脑融入到一切事物之中。从道路标志到核磁共振成像扫描仪,从假肢到胰岛素泵。没有证据表明这些数字装备比台式电脑更值得信赖。黑客们已经证明,他们可以对联网汽车和起搏器进行远程控制。

MRI 核磁共振成像

It is tempting to believe that the security problem can be solved with yet more technical wizardry and a call for heightened vigilance. And it is certainly true that many firms still fail to take security seriously enough. That requires a kind of cultivated paranoia which does not come naturally to non-tech firms. Companies of all stripes should embrace initiatives like“bug bounty” programmes, whereby firms reward ethical hackers for discovering flaws so that they can be fixed before they are taken advantage of.

人们倾向于相信安全问题可以用更多的技术魔法来解决,并呼吁大家要提高警惕。诚然,很多企业还没有认认真真地对待计算机安全。这就需要培养出某种偏执狂,对非技术性企业来说这可不是理所当然的事。大大小小的公司都应该参加“赏金猎人”计划。企业承诺奖励那些发现计算机漏洞的白帽子黑客,并在这些漏洞被别人利用之前给予修复。

But there is no way to make computers completely safe. Software is hugely complex. Across its products, Google must manage around 2bn lines of source code—errors are inevitable.The average program has 14 separate vulnerabilities, each of them a potential point of illicit entry.Such weaknesses are compounded by the history of the internet, in which security was an afterthought.

但计算机安全实在难以完全实现。软件非常复杂。 在其产品中,谷歌必须管理大约20亿行源代码 - 错漏在所难免。一个普通的程序平均来说有14个独立的漏洞,每个漏洞都是非法进入的潜在入口。而互联网的历史使得这些弱点更加棘手。安全问题历来都是马后炮。

Leaving the windows open

让窗户开着

This is not a counsel of despair. The risk from fraud, car accidents and the weather can never be eliminated completely either.But societies have developed ways of managing such risk—from government regulation to the use of legal liability and insurance to create incentives for safer behaviour.

这并非绝望的忠告。欺诈,车祸和天气变化的风险同样永远不会被完全消除。但是社会已经开发出控制风险的办法 - 从政府监管到法律义务和保险手段的运用等,以便创造更安全行为的鞭策措施。

Start with regulation. Governments’ first priority is to refrain from making the situation worse. Terrorist attacks, like the recent ones in St Petersburg and London, often spark calls for encryption to be weakened so that the security services can better monitor what individuals are up to. But it is impossible to weaken encryption for terrorists alone. The same protection that guards messaging programs like WhatsApp also guards bank transactions and online identities. Computer security is best served by encryption that is strong for everyone.

首个重点是政府监管。政府的首要任务是避免情况变得更糟。像近期发生在圣彼得堡和伦敦的袭击一样,这些恐怖行径经常会引发削弱加密保护的呼吁,这样安全部门就能够更好地监控个人的行动。但是,仅仅因为恐怖分子的原因就削弱加密保护是不可能的。为WhatsApp信息传递程序提供安全保护的方法也同样保护着银行交易系统和在线身份的安全。加密是计算机安全的最好方法。对所有人它都同样强大。

The next priority is setting basic product regulations. A lack of expertise will always hamper the ability of users of computers to protect themselves. So governments should promote “public health” for computing. They could insist that internet connected gizmos be updated with fixes when flaws are found. They could force users to change default usernames and passwords. Reporting laws, already in force in some American states, can oblige companies to disclose when they or their products are hacked. That encourages them to fix a problem instead of burying it.

下一个重点是设定基本产品规定。缺乏专业知识总是阻碍着计算机用户自我保护的能力。所以政府应该推广计算机的“公共卫生”。他们可以坚持联网设备在发现缺陷时提供补丁来更新修复程序。他们可以强制用户更改默认用户名和密码。在美国一些州已经生效的汇报法强制要求公司披露公司或产品遭到黑客入侵的情况。这鼓励他们解决问题而不是加以掩盖。

Go a bit slower and fix things

慢一点,解决问题

But setting minimum standards still gets you only so far. Users’ failure to protect themselves is just one instance of the general problem with computer security—that the incentives to take it seriously are too weak. Often, the harm from hackers is not to the owner of a compromised device. Think of bot nets, networks of computers, from desktops to routers to “smart” lightbulbs, that are infected with malware and attack other targets.

但是设定最低标准仍然不能带给你更多效果。用户未能保护好自己只是计算机普遍安全问题中的一个例子 - 认真应对的动机严重不足。通常,黑客伤害的不是受损设备的所有者。想象一下僵尸网络,计算机网络,从台式机到路由器再到“智能”灯泡,它们被恶意软件感染并攻击其他目标。

Most important, the software industry has for decades disclaimed liability for the harm when its products go wrong.Such an approach has its benefits. Silicon Valley’s fruitful “go fast and break things” style of innovation is possible only if firms have relatively free rein to put out new products while they still need perfecting. But this point will soon be moot. As computers spread to products covered by established liability arrangements, such as cars or domestic goods, the industry’s disclaimers will increasingly butt up against existing laws.

最重要的是,几十年来,软件行业在产品出现问题时,拒绝承担损害责任。这种方法有其优点。企业有权在产品尚不完美的情况下相对自由地推出新产品,只有这样硅谷才能结出累累硕果,形成“快速前行,打破常规”的创新风格。但这一点很快会失去意义。随着计算机扩展到既有责任安排所涵盖的产品,比如汽车或家用物品等,行业的免责声明将越来越多地与现行法律产生冲突。

Firms should recognise that, if the courts do not force the liability issue, public opinion will. Many computer-security experts draw comparisons to the American car industry in the 1960s, which had ignored safety for decades. In 1965 Ralph Nader published “Unsafe at Any Speed”, a bestselling book that exposed and excoriated the industry’s lax attitude. The following year the government came down hard with rules on seatbelts, headrests and the like. Now imagine the clamour for legislation after the first child fatality involving self-driving cars.

这些公司应当认识到,如果法院不推动责任问题的明确,舆论也会迎难而上。许多计算机安全专家将之与20世纪60年代的美国汽车行业安全问题相提并论。曾经有几十年汽车行业一直对安全问题视而不见。1965年,拉尔夫·纳德(Ralph Nader)出版了一本畅销书《任何速度都不安全》,披露并强烈谴责了汽车行业不严谨的态度。第二年,政府就严格落实了安全带,头枕等方面的规定。现在我们无法想象假如由于自动驾驶的原因,造成首个儿童死亡,呼吁相关立法的声音有多大。

Fortunately, the small but growing market in cyber-security insurance offers a way to protect consumers while preserving the computing industry’s ability to innovate. A firm whose products do not work properly, or are repeatedly hacked, will find its premiums rising, prodding it to solve the problem. A firm that takes reasonable steps to make things safe, but which is compromised nevertheless, will have recourse to an insurance payout that will stop it from going bankrupt. It is here that some carve-outs from liability could perhaps be negotiated. Once again, there are precedents: when excessive claims against American light-aircraft firms threatened to bankrupt the industry in the 1980s, the government changed the law,limiting their liability for old products.

幸运的是,现在虽然较小却在不断增长的网络安全保险市场提供了一种既能保护消费者同时又能保持计算机行业创新能力的方法。如果产品无法正常工作,或者企业反复被黑客入侵,他们的保费将上涨,这样可以促成问题的解决。一个公司采取了合理的步骤,试图使产品变得安全,假如最终还是带来了损害,这时公司就可以使用求授权,要求保险赔付以避免破产。这样,也或许可以开始债务责任的谈判。同样有一些先例可供参考:20世纪80年代,当美国轻型飞机公司接到过多索赔要求甚至威胁到行业破产时,政府修改了规定,限制其为老产品承担责任。

One reason computer security is so bad today is that few people were taking it seriously yesterday. When the internet was new, that was forgivable. Now that the consequences are known, and the risks posed by bugs and hacking are large and growing, there is no excuse for repeating the mistake. But changing attitudes and behaviour will require economic tools,not just technical ones.

现在计算机安全如此糟糕的原因之一是以前没有引起足够的重视。当互联网刚出现时,这是可以原谅的。既然已知后果如此不堪,缺陷和黑客造成的风险又越来越严重,那么就没有任何借口再重复这样的错误。不过,改变态度和行为需要经济手段,而不仅仅是技术手段。

最后编辑于
©著作权归作者所有,转载或内容合作请联系作者
  • 序言:七十年代末,一起剥皮案震惊了整个滨河市,随后出现的几起案子,更是在滨河造成了极大的恐慌,老刑警刘岩,带你破解...
    沈念sama阅读 205,132评论 6 478
  • 序言:滨河连续发生了三起死亡事件,死亡现场离奇诡异,居然都是意外死亡,警方通过查阅死者的电脑和手机,发现死者居然都...
    沈念sama阅读 87,802评论 2 381
  • 文/潘晓璐 我一进店门,熙熙楼的掌柜王于贵愁眉苦脸地迎上来,“玉大人,你说我怎么就摊上这事。” “怎么了?”我有些...
    开封第一讲书人阅读 151,566评论 0 338
  • 文/不坏的土叔 我叫张陵,是天一观的道长。 经常有香客问我,道长,这世上最难降的妖魔是什么? 我笑而不...
    开封第一讲书人阅读 54,858评论 1 277
  • 正文 为了忘掉前任,我火速办了婚礼,结果婚礼上,老公的妹妹穿的比我还像新娘。我一直安慰自己,他们只是感情好,可当我...
    茶点故事阅读 63,867评论 5 368
  • 文/花漫 我一把揭开白布。 她就那样静静地躺着,像睡着了一般。 火红的嫁衣衬着肌肤如雪。 梳的纹丝不乱的头发上,一...
    开封第一讲书人阅读 48,695评论 1 282
  • 那天,我揣着相机与录音,去河边找鬼。 笑死,一个胖子当着我的面吹牛,可吹牛的内容都是我干的。 我是一名探鬼主播,决...
    沈念sama阅读 38,064评论 3 399
  • 文/苍兰香墨 我猛地睁开眼,长吁一口气:“原来是场噩梦啊……” “哼!你这毒妇竟也来了?” 一声冷哼从身侧响起,我...
    开封第一讲书人阅读 36,705评论 0 258
  • 序言:老挝万荣一对情侣失踪,失踪者是张志新(化名)和其女友刘颖,没想到半个月后,有当地人在树林里发现了一具尸体,经...
    沈念sama阅读 42,915评论 1 300
  • 正文 独居荒郊野岭守林人离奇死亡,尸身上长有42处带血的脓包…… 初始之章·张勋 以下内容为张勋视角 年9月15日...
    茶点故事阅读 35,677评论 2 323
  • 正文 我和宋清朗相恋三年,在试婚纱的时候发现自己被绿了。 大学时的朋友给我发了我未婚夫和他白月光在一起吃饭的照片。...
    茶点故事阅读 37,796评论 1 333
  • 序言:一个原本活蹦乱跳的男人离奇死亡,死状恐怖,灵堂内的尸体忽然破棺而出,到底是诈尸还是另有隐情,我是刑警宁泽,带...
    沈念sama阅读 33,432评论 4 322
  • 正文 年R本政府宣布,位于F岛的核电站,受9级特大地震影响,放射性物质发生泄漏。R本人自食恶果不足惜,却给世界环境...
    茶点故事阅读 39,041评论 3 307
  • 文/蒙蒙 一、第九天 我趴在偏房一处隐蔽的房顶上张望。 院中可真热闹,春花似锦、人声如沸。这庄子的主人今日做“春日...
    开封第一讲书人阅读 29,992评论 0 19
  • 文/苍兰香墨 我抬头看了看天上的太阳。三九已至,却和暖如春,着一层夹袄步出监牢的瞬间,已是汗流浃背。 一阵脚步声响...
    开封第一讲书人阅读 31,223评论 1 260
  • 我被黑心中介骗来泰国打工, 没想到刚下飞机就差点儿被人妖公主榨干…… 1. 我叫王不留,地道东北人。 一个月前我还...
    沈念sama阅读 45,185评论 2 352
  • 正文 我出身青楼,却偏偏与公主长得像,于是被迫代替她去往敌国和亲。 传闻我的和亲对象是个残疾皇子,可洞房花烛夜当晚...
    茶点故事阅读 42,535评论 2 343

推荐阅读更多精彩内容

  • 你好,大家!
    爱唉阅读 109评论 0 0
  • 今天一天没出门,女儿早上8点整开始写作业。写作业之前我再一次强调了书写一定要认真,整洁,不合格必须重写,女儿也知...
    金慧恩妈妈阅读 135评论 0 2
  • 昨天练习山式站立,一直寻找手臂用力的感觉,赫然发现自己已经习惯性肩部发力,不自觉地耸肩。经过老师的提醒,旋肩...
    Redchen阅读 122评论 0 0
  • 愤怒是一种对抗的力量。 生活有一些糟心事需要动脑子去化解,而不是不加思考的去埋头苦做。一开始把事情想简单了,做着做...
    丹茞茞阅读 307评论 0 0