I’ve been noticing recently how many parallels there are between the field of computer security, and the problems that face government policy in general. The two domains both seek to solve the same problem: how do you set up a system of rules that will be somewhat resistant to motivated, creative adversaries? The core problems underlying both regimes are eerily similar.
To fully protect computer systems from compromise or regulatory systems from capture is to prove a negative, the best strategy we have in either regime is to systematically plug leaks as they appear. Both systems suffer from the fact that a brittle set of rules written by an engineer or legislator are at a large disadvantage when matched against dedicated people willing to spend time and money to find vulnerabilities. Both face issues with long feedback loops. Software engineers are hamstrung by large installed bases and people who don’t apply updates, giving attackers a window to exploit whatever vulnerabilities they find. The long time scales of the legislative and judicial systems offer the same opportunities to those who seek out tax loopholes and cozy relationships with regulators.
In followup posts, I hope to explore what we can learn from government, by viewing policy problems through security frames. What does defense in depth mean from a governmental perspective? How do opt in and opt out aid policymakers in attaining their goals? How do audit mechanisms make regulatory frameworks more effective?
NERD