
In the age of the Internet of Everything, what can cyber-security rely on besides technology?

2017-04-14  Read by 768 people  七老师

[Article structure diagram]

Translator's note: this is the cover story of the April 8 issue of The Economist.

COMPUTER SECURITY

The myth of cyber-security

Computers will never be secure. To manage the risks, look to economics rather than technology
973 words

1. COMPUTER security is a contradiction in terms. Consider the past year alone: cyberthieves stole $81m from the central bank of Bangladesh; the $4.8bn takeover of Yahoo, an internet firm, by Verizon, a telecoms firm, was nearly derailed by two enormous data breaches; and Russian hackers interfered in the American presidential election.

takeover: when one company takes control of another by buying more than half its shares
derailed: To derail something such as a plan or a series of negotiations means to prevent it from continuing as planned. (JOURNALISM)


2. Away from the headlines, a black market in computerised extortion, hacking-for-hire and stolen digital goods is booming. The problem is about to get worse. Computers increasingly deal not just with abstract data like credit-card details and databases, but also with the real world of physical objects and vulnerable human bodies. A modern car is a computer on wheels; an aeroplane is a computer with wings. The arrival of the “Internet of Things” will see computers baked into everything from road signs and MRI scanners to prosthetics and insulin pumps. There is little evidence that these gadgets will be any more trustworthy than their desktop counterparts. Hackers have already proved that they can take remote control of connected cars and pacemakers.

extortion: Extortion is the crime of obtaining something from someone, especially money, by using force or threats.
baked: If you bake, you spend some time preparing and mixing together ingredients to make bread, cakes, pies, or other food which is cooked in the oven.
prosthetics: the branch of medicine or surgery that deals with the production and application of artificial body parts; prosthetic or reconstructive surgery
insulin pumps: a portable device for people with diabetes that injects insulin at programmed intervals in order to regulate blood sugar levels; an insulin injector
pacemakers: cardiac pacemakers


3. It is tempting to believe that the security problem can be solved with yet more technical wizardry and a call for heightened vigilance. And it is certainly true that many firms still fail to take security seriously enough. That requires a kind of cultivated paranoia which does not come naturally to non-tech firms. Companies of all stripes should embrace initiatives like “bug bounty” programmes, whereby firms reward ethical hackers for discovering flaws so that they can be fixed before they are taken advantage of.

wizardry: impressive ability at something or an impressive achievement
vigilance: careful attention that you give to what is happening, so that you will notice any danger or illegal activity
paranoia: an unreasonable belief that you cannot trust other people, or that they are trying to harm you or have a bad opinion of you
of all stripes/of every stripe: of all different types
whereby: by means of which or according to which


4. But there is no way to make computers completely safe. Software is hugely complex. Across its products, Google must manage around 2bn lines of source code—errors are inevitable. The average program has 14 separate vulnerabilities, each of them a potential point of illicit entry. Such weaknesses are compounded by the history of the internet, in which security was an afterthought.

compounded: To compound a problem, difficulty, or mistake means to make it worse by adding to it. (FORMAL)
afterthought: something that you mention or add later because you did not think of it or plan it before


Leaving the windows open

5. This is not a counsel of despair. The risk from fraud, car accidents and the weather can never be eliminated completely either. But societies have developed ways of managing such risk—from government regulation to the use of legal liability and insurance to create incentives for safer behaviour.

counsel: advice


6. Start with regulation. Governments’ first priority is to refrain from making the situation worse. Terrorist attacks, like the recent ones in St Petersburg and London, often spark calls for encryption to be weakened so that the security services can better monitor what individuals are up to. But it is impossible to weaken encryption for terrorists alone. The same protection that guards messaging programs like WhatsApp also guards bank transactions and online identities. Computer security is best served by encryption that is strong for everyone.

refrain: to not do something that you want to do
encryption: the activity of converting data or information into code


7. The next priority is setting basic product regulations. A lack of expertise will always hamper the ability of users of computers to protect themselves. So governments should promote “public health” for computing. They could insist that internet-connected gizmos be updated with fixes when flaws are found. They could force users to change default usernames and passwords. Reporting laws, already in force in some American states, can oblige companies to disclose when they or their products are hacked. That encourages them to fix a problem instead of burying it.

gizmos: a small piece of equipment - used when you cannot remember or do not know its correct name
disclose: to make something publicly known, especially after it has been kept secret = reveal


Go a bit slower and fix things

8. But setting minimum standards still gets you only so far. Users’ failure to protect themselves is just one instance of the general problem with computer security—that the incentives to take it seriously are too weak. Often, the harm from hackers is not to the owner of a compromised device. Think of botnets, networks of computers, from desktops to routers to “smart” light bulbs, that are infected with malware and attack other targets.

botnet (also rendered in Chinese as “zombie network” or “robot network”): a term for hackers using a distributed denial-of-service attack program of their own writing to organise tens of thousands of compromised machines, which hackers commonly call “zombie computers” or “肉鸡” (literally “broilers”), into control nodes used to send forged packets or junk packets, so that the intended target is paralysed and “denies service”. Worms can usually also be used to assemble a botnet.


9. Most important, the software industry has for decades disclaimed liability for the harm when its products go wrong. Such an approach has its benefits. Silicon Valley’s fruitful “go fast and break things” style of innovation is possible only if firms have relatively free rein to put out new products while they still need perfecting. But this point will soon be moot. As computers spread to products covered by established liability arrangements, such as cars or domestic goods, the industry’s disclaimers will increasingly butt up against existing laws.

disclaimed: to state, especially officially, that you are not responsible for something, that you do not know about it, or that you are not involved with it = deny
moot: (law) without legal significance, through having been previously decided or settled
butt up against: to hit or push against something or someone with your head


10. Firms should recognise that, if the courts do not force the liability issue, public opinion will. Many computer-security experts draw comparisons to the American car industry in the 1960s, which had ignored safety for decades. In 1965 Ralph Nader published “Unsafe at Any Speed”, a bestselling book that exposed and excoriated the industry’s lax attitude. The following year the government came down hard with rules on seat belts, headrests and the like. Now imagine the clamour for legislation after the first child fatality involving self-driving cars.

excoriated: to express a very bad opinion of a book, play etc
lax: not strict or careful enough about standards of behaviour, work, safety etc = slack
fatality: a death in an accident or a violent attack


11. Fortunately, the small but growing market in cyber-security insurance offers a way to protect consumers while preserving the computing industry’s ability to innovate. A firm whose products do not work properly, or are repeatedly hacked, will find its premiums rising, prodding it to solve the problem. A firm that takes reasonable steps to make things safe, but which is compromised nevertheless, will have recourse to an insurance payout that will stop it from going bankrupt. It is here that some carve-outs from liability could perhaps be negotiated. Once again, there are precedents: when excessive claims against American light-aircraft firms threatened to bankrupt the industry in the 1980s, the government changed the law, limiting their liability for old products.

premiums: the cost of insurance, especially the amount that you pay each year
prodding: to make someone do something by persuading or reminding them that it is necessary, especially when they are lazy or unwilling
recourse: something that you do to achieve something or deal with a situation, or the act of doing it
carve out: remove from a larger whole


12. One reason computer security is so bad today is that few people were taking it seriously yesterday. When the internet was new, that was forgivable. Now that the consequences are known, and the risks posed by bugs and hacking are large and growing, there is no excuse for repeating the mistake. But changing attitudes and behaviour will require economic tools, not just technical ones.



Source: The Economist

Translation: 七呵夫

This translation is for personal study and appreciation of the language only; reproduction of any kind and any commercial use are declined. The translator bears all legal consequences arising from this translation. I agree that the Jianshu platform may delete the article upon receiving notice from the copyright holder.
