The English text and images are from The Economist. The translation is for personal language study and appreciation only; please do not repost it or use it for any commercial purpose. I agree that the Jianshu platform may delete this article upon receiving notice from the copyright holder.
Computers will never be secure. To manage the risks, look to economics rather than technology.
Computer security will never be fully achieved. Managing the risk calls for economic tools rather than technical fixes.
COMPUTER security is a contradiction in terms. Consider the past year alone: cyber thieves stole $81m from the central bank of Bangladesh; the $4.8bn takeover of Yahoo, an internet firm, by Verizon, a telecoms firm, was nearly derailed by two enormous data breaches; and Russian hackers interfered in the American presidential election.
Computer security is a contradiction in terms. Consider just the past year: cyber thieves stole $81m from the central bank of Bangladesh; the telecoms firm Verizon and Yahoo, the internet firm it acquired for $4.8bn, were nearly knocked flat by two huge data breaches (this sentence is mistranslated; thanks to @sucher for the correction, the right version is in the comments); and Russian hackers interfered in the American presidential election.
Away from the headlines, a black market in computerised extortion, hacking-for-hire and stolen digital goods is booming. The problem is about to get worse. Computers increasingly deal not just with abstract data like credit-card details and databases, but also with the real world of physical objects and vulnerable human bodies. A modern car is a computer on wheels; an aeroplane is a computer with wings. The arrival of the “Internet of Things” will see computers baked into everything from road signs and MRI scanners to prosthetics and insulin pumps. There is little evidence that these gadgets will be any more trustworthy than their desktop counterparts. Hackers have already proved that they can take remote control of connected cars and pacemakers.
Away from the headlines, the black market in computer extortion, hackers for hire and stolen digital goods is growing fast. The problem is going to get worse. Computers increasingly handle not only abstract data such as credit-card details and databases, but also the real world of physical objects and vulnerable human bodies. A modern car is a computer on wheels; an aeroplane is a computer with wings. The arrival of the “Internet of Things” will see computers embedded in everything, from road signs to MRI scanners, from prosthetics to insulin pumps. There is no evidence that these digital gadgets will be any more trustworthy than desktop computers. Hackers have already shown that they can take remote control of connected cars and pacemakers.
It is tempting to believe that the security problem can be solved with yet more technical wizardry and a call for heightened vigilance. And it is certainly true that many firms still fail to take security seriously enough. That requires a kind of cultivated paranoia which does not come naturally to non-tech firms. Companies of all stripes should embrace initiatives like “bug bounty” programmes, whereby firms reward ethical hackers for discovering flaws so that they can be fixed before they are taken advantage of.
People are inclined to believe that the security problem can be solved with more technical wizardry and a call for everyone to be more vigilant. It is true that many firms still do not take computer security seriously enough. That requires cultivating a kind of paranoia, which does not come naturally to non-technical firms. Companies large and small should take part in “bug bounty” programmes, in which firms pledge to reward white-hat hackers who find vulnerabilities so that they can be fixed before someone else exploits them.
But there is no way to make computers completely safe. Software is hugely complex. Across its products, Google must manage around 2bn lines of source code—errors are inevitable. The average program has 14 separate vulnerabilities, each of them a potential point of illicit entry. Such weaknesses are compounded by the history of the internet, in which security was an afterthought.
But computer security is very hard to achieve completely. Software is extremely complex. Across its products, Google must manage around 2bn lines of source code; errors are unavoidable. The average program has 14 separate vulnerabilities, each a potential entry point for intruders. The history of the internet makes these weaknesses even thornier: security has always been an afterthought.
Leaving the windows open
Leaving the windows open
This is not a counsel of despair. The risk from fraud, car accidents and the weather can never be eliminated completely either. But societies have developed ways of managing such risk—from government regulation to the use of legal liability and insurance to create incentives for safer behaviour.
This is not a counsel of despair. The risks of fraud, car accidents and the weather can likewise never be eliminated completely. But society has developed ways of managing such risks, from government regulation to the use of legal liability and insurance, in order to create incentives for safer behaviour.
Start with regulation. Governments’ first priority is to refrain from making the situation worse. Terrorist attacks, like the recent ones in St Petersburg and London, often spark calls for encryption to be weakened so that the security services can better monitor what individuals are up to. But it is impossible to weaken encryption for terrorists alone. The same protection that guards messaging programs like WhatsApp also guards bank transactions and online identities. Computer security is best served by encryption that is strong for everyone.
The first priority is government regulation. The government's first task is to avoid making the situation worse. Terrorist attacks like the recent ones in St Petersburg and London often prompt calls for encryption to be weakened so that the security services can better monitor what individuals are doing. But weakening encryption for terrorists alone is impossible. The same method that protects messaging programs such as WhatsApp also protects banking systems and online identities. Encryption is the best safeguard for computer security, and it is equally strong for everyone.
The next priority is setting basic product regulations. A lack of expertise will always hamper the ability of users of computers to protect themselves. So governments should promote “public health” for computing. They could insist that internet connected gizmos be updated with fixes when flaws are found. They could force users to change default usernames and passwords. Reporting laws, already in force in some American states, can oblige companies to disclose when they or their products are hacked. That encourages them to fix a problem instead of burying it.
The next priority is setting basic product regulations. A lack of expertise will always hamper computer users' ability to protect themselves. So governments should promote “public health” for computing. They could insist that connected devices be updated with patches when flaws are found. They could force users to change default usernames and passwords. Reporting laws, already in force in some American states, require companies to disclose when they or their products have been hacked. That encourages them to fix the problem rather than cover it up.
Go a bit slower and fix things
Go a bit slower and fix things
But setting minimum standards still gets you only so far. Users’ failure to protect themselves is just one instance of the general problem with computer security—that the incentives to take it seriously are too weak. Often, the harm from hackers is not to the owner of a compromised device. Think of bot nets, networks of computers, from desktops to routers to “smart” lightbulbs, that are infected with malware and attack other targets.
But setting minimum standards still only gets you so far. Users' failure to protect themselves is just one example of the general problem with computer security: the incentive to take it seriously is far too weak. Usually the harm done by hackers falls not on the owner of the compromised device. Think of botnets: networks of computers, from desktops to routers to “smart” lightbulbs, that are infected with malware and attack other targets.
Most important, the software industry has for decades disclaimed liability for the harm when its products go wrong. Such an approach has its benefits. Silicon Valley’s fruitful “go fast and break things” style of innovation is possible only if firms have relatively free rein to put out new products while they still need perfecting. But this point will soon be moot. As computers spread to products covered by established liability arrangements, such as cars or domestic goods, the industry’s disclaimers will increasingly butt up against existing laws.
Most important, for decades the software industry has refused to accept liability for harm when its products go wrong. This approach has its advantages. Only if firms are relatively free to release new products while they are still imperfect can Silicon Valley bear such fruit and sustain its “move fast and break things” style of innovation. But this point will soon be moot. As computers spread into products covered by existing liability arrangements, such as cars or household goods, the industry's disclaimers will increasingly collide with current law.
Firms should recognise that, if the courts do not force the liability issue, public opinion will. Many computer-security experts draw comparisons to the American car industry in the 1960s, which had ignored safety for decades. In 1965 Ralph Nader published “Unsafe at Any Speed”, a bestselling book that exposed and excoriated the industry’s lax attitude. The following year the government came down hard with rules on seatbelts, headrests and the like. Now imagine the clamour for legislation after the first child fatality involving self-driving cars.
Firms should recognise that if the courts do not force the liability issue, public opinion will. Many computer-security experts compare the situation to the American car industry in the 1960s, which had ignored safety for decades. In 1965 Ralph Nader published a bestselling book, “Unsafe at Any Speed”, which exposed and harshly condemned the industry's lax attitude. The next year the government clamped down with rules on seatbelts, headrests and the like. Now it is hard to imagine how loud the clamour for legislation would be after the first child fatality caused by a self-driving car.
Fortunately, the small but growing market in cyber-security insurance offers a way to protect consumers while preserving the computing industry’s ability to innovate. A firm whose products do not work properly, or are repeatedly hacked, will find its premiums rising, prodding it to solve the problem. A firm that takes reasonable steps to make things safe, but which is compromised nevertheless, will have recourse to an insurance payout that will stop it from going bankrupt. It is here that some carve-outs from liability could perhaps be negotiated. Once again, there are precedents: when excessive claims against American light-aircraft firms threatened to bankrupt the industry in the 1980s, the government changed the law, limiting their liability for old products.
Fortunately, the small but growing market in cyber-security insurance offers a way to protect consumers while preserving the computing industry's capacity to innovate. If a firm's products do not work properly, or it is repeatedly hacked, its premiums will rise, prodding it to solve the problem. A firm that takes reasonable steps to make its products safe but is nonetheless compromised can turn to an insurance payout to avoid bankruptcy. Here, too, some negotiation over liability could perhaps begin. Again there are precedents: in the 1980s, when excessive claims against American light-aircraft firms threatened to bankrupt the industry, the government changed the rules to limit their liability for old products.
One reason computer security is so bad today is that few people were taking it seriously yesterday. When the internet was new, that was forgivable. Now that the consequences are known, and the risks posed by bugs and hacking are large and growing, there is no excuse for repeating the mistake. But changing attitudes and behaviour will require economic tools, not just technical ones.
One reason computer security is so bad today is that it was not taken seriously enough in the past. When the internet was new, that was forgivable. Now that the consequences are known, and the risks from bugs and hacking are large and growing, there is no excuse for repeating the mistake. But changing attitudes and behaviour will require economic tools, not just technical ones.