The myth of cyber-security

网络安全的神话

Leaving the windows open
门户大开

This is not a counsel of despair. The risk from fraud, car accidents and the weather can never be eliminated completely either. But societies have developed ways of managing such risk—from government regulation to the use of legal liability and insurance to create incentives for safer behaviour.

这并不是绝望的建议。来自诈骗、交通事故以及气象灾害的风险同样无法完全避免。但社会已经发展出各种方式来控制这些风险——从政府监管到强制法的使用以及运用保险来刺激更安全的行为。

Start with regulation. Governments’ first priority is to refrain from making the situation worse. Terrorist attacks, like the recent ones in St Petersburg and London, often spark calls for encryption to be weakened so that the security services can better monitor what individuals are up to. But it is impossible to weaken encryption for terrorists alone. The same protection that guards messaging programs like WhatsApp also guards bank transactions and online identities. Computer security is best served by encryption that is strong for everyone.

首先是政府监管。政府的首要任务就是避免情况变得更加糟糕。像最近发生在圣彼得堡和伦敦的袭击，常常会使得人们想到通过降低加密措施来方便监视人们的一举一动。但我们做不到仅仅是针对袭击者来降低他们的加密措施。运用于 WhatsApp 和银行交易以及在线身份认证的的加密措施并没有什么不同。计算机安全措施平等地服务于所有人。

The next priority is setting basic product regulations. A lack of expertise will always hamper the ability of users of computers to protect themselves. So governments should promote“public health” for computing. They could insist that internet connected gizmos be updated with fixes when flaws are found. They could force users to change default usernames and passwords. Reporting laws, already in force in some American states, can oblige companies to disclose when they or their products are hacked. That encourages them to fix a problem instead of burying it.

下一个重点在于为基础产品设立规则。缺少经验将始终妨碍计算机用户成功地保护自身。所以政府应该提高计算机的“公共健康”。政府可以要求联网设备在发现漏洞的时候得到更新。可以强制用户更换用户名和密码。在美国有些州的法律已经要求公司在发现自己的产品被入侵时应当公开消息。这将使得他们去解决问题而不是掩盖问题。