The value of a thing is whatever it will bring. So goes the proverbial definition of fair market value, and fair markets are exactly what we need if were going to build any kind of sensible economy based on information as the scarce good.
Thats why I disagree, collegially but firmly, with the position taken by eWEEK Labs Director Jim Rapoza on the subject of premium-priced early-notification plans for IT security issues.
Unlike Jim, I have no problem with the existence of such arrangements. I believe that the IT market is best served when people are free, in security as in their other technology choices, to find their own equilibrium between what they want and what theyll pay to get it.
I invite you to imagine (what seems to me) a plausible sequence of events.
First, imagine that a company decides to staff its IT department with the kind of expert team that can identify, characterize and develop remedial strategies for attacks that affect only the companys own specialized IT installations. Few other companies would benefit from these narrowly focused discoveries, but there would be considerable costs involved in making announcements and responding to inquiries concerning those findings. I see no obligation, moral or otherwise, for that company to share that work with anyone.
As things progress, however, our hypothetical security team might find that it becomes difficult to draw a clear line between its narrow concerns and broader vulnerabilities. The company therefore decides to spin off that in-house research team into a separate operation, funded initially by the parent company but with a charter to offer the teams services on the open market and make it a self-supporting business unit.
At first, clients are drawn entirely from the business sector of the parent company, with a client base that quickly expands to include most of that companys competitors as well. Again, though, the operation involves considerable costs that are borne by those that have a need for its work.
I still dont see any obligation for this boutique security firm to announce its findings to the world at the same time that it provides them to its paying customers. The first priority has to be communicating with those who are paying the bills and answering whatever questions they have. If everyone gets the reports on Day Zero, wed invite a tragedy of the commons: There would be no incentive for any one company to provide any financial support.
What is the security firm supposed to do if it cant bill for its services? Conduct a pledge drive, in the style made famous by the Public Broadcasting Service? I dont think so.
Lets now imagine that our boutique firm catches the eye of a company—say, Sun or Microsoft—with a big cash hoard and an eye for ROI in an area that it intimately understands. Our security boutique becomes a wholly owned subsidiary, but the same people do the same things for the same paying customers. Im not seeing any added moral obligation to give away the work, although Id expect that the research does now become available to the new parent company. Its being bought and paid for, dont you agree?
Finally, lets suppose that this business unit assimilates into its new owner as a rebranded business offering of premium security analysis and field support—still to paying clients. Jim argues, as I understand him, that everyone who might be affected by the findings should be getting their benefit. I dont see, however, where the line was crossed to turn what was clearly work for hire into some sort of public good.
Jims column asks ironically, “And isnt making more money always the most important thing?” No, of course its not. But people in free markets face choices. IT users can own and operate limited-function systems that use nonproprietary technology, minimizing their exposure to undiscovered soft spots in their systems. Alternatively, they can seek the benefits that are found on the leading edge. But they shouldnt expect elite handholding at no extra cost.
Technology Editor Peter Coffee can be reached at [email protected].