The Answer Is Transaction Costs
"The real price of everything is the toil and trouble of acquiring it." -Adam Smith (WoN, Bk I, Chapter 5)
In which the Knower of Important Things shows how transaction costs explain literally everything. Plus TWEJ, and answers to letters.
If YOU have questions, submit them to our email at taitc.email@gmail.com
There are two kinds of episodes here:
1. For the most part, episodes June-August are weekly, short (<20 mins), and address a few topics.
2. Episodes September-May are longer (1 hour), and monthly, with an interview with a guest.
Finally, a quick note: This podcast is NOT for Stacy Hockett. He wanted you to know that.....
Honor Among Thieves: Anja Shortland and Ransomware
A talk with Dr. Anja Shortland about the economics of ransomware and the gray-zone institutions that let extortion markets function when nobody can truly enforce trust. We dig into how cyber insurance quietly becomes a form of governance, why data leaks change the game, and what national security risks emerge as everything gets connected.
• criminal markets that sit between legal firms and underworld gangs
• insurance as governance through protocols, repeat play, and incident response packages
• why victims amplify risk when they throw money at crises
• the origin story of early ransomware and the transaction costs that made it fail
• step-by-step ransomware mechanics from phishing to exfiltration to encryption
• how gangs price ransoms by reading cash flow and insurance certificates
• leak sites, privacy regulation, and third-party liability as bargaining leverage
• why cyber insurance is fragmented and slow to enforce security standards
• deductibles, coverage caps, and market hardening that push better cybersecurity
• AI-enabled phishing and the asymmetric arms race between attackers and defenders
• state-linked ransomware, impunity jurisdictions, and critical infrastructure threats
• efficiency versus resilience in smart cities and the Internet of Things
Anja Shortland at King's College London
- Shortland's book, Dark Screens: https://www.amazon.com/Dark-Screens-Hackers-Shadowy-Ransomware/dp/1541705750
- Shortland's first TAITC episode: "Deals with shadows"
Links mentioned in podcast:
Pete Leeson's book, The Invisible Hook
David Deutsch's book, The Beginning of Infinity
If you have questions or comments, or want to suggest a future topic, email the show at taitc.email@gmail.com!
You can follow Mike Munger on Twitter at @mungowitz
Welcome And Guest Preview
SPEAKER_01: This is Mike Munger, the Knower of Important Things from Duke University. This month, our first repeat visitor, Dr. Anja Shortland from King's College London. She'll be talking about her just-published book, Dark Screens: Hackers and Heroes in the Shadowy World of Ransomware. New TWEJs, this month's letters, book of the month, and more. Straight out of Creedmoor, this is TAITC.
SPEAKER_03: I thought they talk about a system where there were no transaction costs, but it's an imaginary system. There always are transaction costs.
SPEAKER_00: When it is costly to transact, institutions matter. And it is costly to transact.
Studying Crime In The Gray Zone
SPEAKER_01: This month on The Answer Is Transaction Costs, our guest is Anja Shortland of King's College in London. Anja is the first repeat guest on The Answer Is Transaction Costs. And so it is a sign partly of how much I think of her, but also how interesting her new work is. So welcome, Anja. And can you tell us a little bit about your background? You um, like many interesting people, it took you a little while to choose your subject, both of study and then of research.
SPEAKER_02: Indeed. So I'm fascinated by criminal markets and uh specifically the governance of markets that straddle the line between the legal economy and the economic underworld. So I study the gray zone, the institutions that facilitate trades between legal entities and criminal gangs. And what I find so fascinating about this zone is that it's peopled by all sorts of characters who are interesting in themselves. Some of them have legal occupations and do things that uh they're not always entirely proud of because they're facilitating trades with the underworld. Um, and then there are people who come from the underworld but who are doing something that is not illegal, that helps people recover treasures. So my work is about finding out who peoples that zone and specifically what norms, protocols, processes, institutions fill the trust gap in extortive crime. So where somebody's been victimized by a criminal group and then has to trust the criminal that they will see them right, um, whether that is paying a ransom for a hostage or for a pirated ship, whether that is for a piece of art. And uh in my latest work, it's about ransomware, it's about whether I trust a criminal group to um be able to decrypt stolen data or encrypted data, but but also do I trust that they will not release um personally sensitive data of my students, customers, patients, um, whatever has been taken.
SPEAKER_01: So what is interesting about your approach to take a step back before the current project, um, you your work at Oxford, you did some in engineering and some in economics. And so the engineering interest is also very close to institutions because these things are constructed. Now, they it may be an emergent construction rather than a laid-on construction. And then you studied international relations, which at the LSE is a complicated thing, it's hard to say exactly what field that is, but it's certainly consistent still with economics, but it's not traditional economics. At first, looking at your own description of yourself, that you had the chance, somewhere you got a chance to describe yourself, and you said you started out by being interested in the way that crime and war affect economies, which is the sort of traditional, these are binaries, there's the economy, there's the government, and then there's disruptions. And then you did the Lin Ostrom or the kind of approach that Douglass North has taken, where institutions are a more encompassing idea, and it is interesting to think about the world in which people construct and then interact, and this economy government binary is not very useful, and you've largely put it aside. So you you have looked at something that you call insurance as governance, as the structuring property, and then you have taken that hammer and hit a bunch of different nails with it, and it's not obvious that those were all nails, and yet once you say it, I I I have this idea. Damn it, those are nails. She's right. And so the the you know, someone with a hammer, everything looks like a nail. You've been very creative about finding different nails. So, this idea of insurance, when you when you say people are interacting, it is possible for an outsider to help structure these interactions and actually, in a way, help both sides, because it is an especially if they're on the hook for the losses, yes, have a vital economic interest. 
It changes the you I am then offering to say I will take part of this risk, but I am going to impose certain conditions, and then everyone is stuck with that. So, can you say something more about insurance as governance before we look at the new project?
SPEAKER_02: Absolutely. So I've been looking at extortive crime mostly from the relatively safe point of uh the insurer's view of that market, um, not least because insurers also have excellent data on crime that nobody else has. So that makes it good for an economist. So insurers come into these markets as people start to perceive rising risks. They go to their brokers and they say, is there anything that insurers can offer in in this region, whether it's uh kidnap for ransom, whether it's piracy, whether it's art theft, um, or cybercrime. So it was cybercrime risks uh that that started. Insurers say, well, we don't really know about these risks yet. Um, we're gonna just take a punt on it. And um after a while they realize uh yes, there is an exogenous part of the risk um that that that that comes from various malicious actors and and and rogues um in the uh in the uh sort of internet uh sphere. But what they realized quite quickly was that their customers um multiplied the losses by um dealing badly uh with the resolution of uh these uh the these uh cyber events, kidnap events, etc. They were not good at um negotiating uh resolutions with the uh with the perpetrators. Um they had a tendency to throw money at the problem, which is individually rational, but of course uh amplifies the risk for everybody else if criminal communities get the impression that this is a safe and lucrative business. But also in terms of the aftermath of an attack, how long does it, how long is the business disrupted, how long does it take to rebuild a brand? How long does it take to rebuild trust? Um, what are all the regulatory requirements uh for dealing with such an incident? Um their customers had A, very little clue, and B, they were completely out of their depth in terms of curating this sort of all-round response um to a critical incident. 
And uh therefore, insurers have basically decided to offer them one helpline number and say, all you need to do is call the helpline and then we've we've got a package. We we can sell you peace of mind. So these insurances come not just as a risk spreading package, but a risk management package, which I find fascinating.
SPEAKER_01: Well, and one of the things that insurance can do is that there are two things that affect the the nature of the game itself. One is is the group larger? And if I can spread risks across a group, then that changes the risk that each individual faces. And the other is if this process is indefinitely repeated. So if I face a one-off and I this is my only time to deal with this entity, which by its very nature is a criminal organization, I have no idea who they are, then I have neither the group nor the indefinitely repeated nature of it. Insurance companies can have both. They can have a group within which the risk can be shared, and they deal with these entities over and over again, where you can get something like reputation and brand name. And the thing that's brilliant about your work is to show that this can actually benefit even the criminal entities that manage to regularize their interactions because they actually have less risk and lower transactions cost, also.
SPEAKER_02: Indeed. And that's one of the problems of ransomware that you have a whole industry that uh relieves the ransomware operators from tidying up the mess that they have uh created. Um, but on on the other hand, it does turn these massive risks um into something that's just become part of the cost of doing business on the internet.
The First Ransomware Story
SPEAKER_01: And so this this is actually a bit different. I think that one of the I've I've I learned so much about the first and now the second iteration of your work on cybercrimes, because when it came to piracy, uh the fact that there was a reputational aspect to dealing with the same entity might even help. But there it's clear that I don't want you to take my ship, I don't want you to take my crew. Can you say something? Um, you're probably tired of telling this story, but one of the interesting reviews that I read of of this book was in the in The Guardian, which of course, with all of the problems that come with with The Guardian, they they said it lacked verve. You have no verve for Professor Shortland. But the the they start out, and would you be willing to tell the the famous first, maybe first incident of ransomware was uh Joseph Popp, who was at the time working for the World Health Organization. Because I don't think that's a story most people know.
SPEAKER_02: Yes, this is a really fascinating story. It's the story of the uh father of ransomware, um, who invented the business model but was faced with such astronomic transaction costs at every corner that it just was not viable as a business model, which makes it the perfect story for your podcast. So it's probably more of a prank than a crime at this stage. Um, it was a researcher um at the World Health Organization um who was working on AIDS and the transmission of AIDS. And um, this was at a time when people were othering AIDS and said this is this is a problem of minorities, this is a problem of gay people, um, this is a problem of black people. And Joseph Popp said, no, this is very much a problem of anybody who behaves um voraciously and uncarelessly. And um, therefore, he thought he would teach people a parable. And uh his idea was that he would um code some malware onto a floppy disk and mail that out to thousands of uh people, particularly AIDS researchers, but also computer specialists. And uh with the bumf that came with that uh that that um disk, it said, please don't um put this into your computer. Your computer will will cease to operate normally if you do this. And um, yeah, but if you do it, then you will then then you will owe me um uh $189 um to make your computer operable again. Um unfortunately, or fortunately for him, people did not read the bumf, which effectively said, just be careful where you put your thing. Don't put things in your computer or in your body. But look, that could be problematic. Hundreds of people did. Um the computer world very quickly realized um that this was malware, but uh people in the AIDS community were not so cautious, and uh they downloaded the malware, and um once they realized that this was associated with a Trojan, with malware, they started wiping their computers clean, which solved the problem, except it also completely destroyed their data. So so this this was was a was a real problem for the AIDS community. 
And um, but in terms of transaction costs for Joseph Popp, um this was a disaster. Um, first of all, the cost of the uh the disks. Um secondly, he had to communicate with his victims in some way. So he'd uh hired himself a post box in Panama. Um his idea for uh taking payment, his $189 were going to be paid um by postal order sent to Panama. And it was just a very, very clunky thing. He also had only one um encryption protocol. So once somebody had cracked the protocol, anybody could just get the uh AIDS program out uh disk for free. It was just really the world was not really ready for ransomware at this particular point, and it all went spectacularly wrong when the United States uh invaded Panama within days of uh Popp uh running starting his scheme and uh his communication uh with his uh victims was uh was cut off. Um poor guy went mad over this um and uh identified himself to the authorities inadvertently and was then unfit to stand trial. But yeah, it just really showed how many innovations were necessary for ransomware to become a uh a viable um economic proposition and business model.
How A Ransomware Attack Unfolds
SPEAKER_01: And that the the reason why that origin story is interesting is that there's a number of things that fairly quickly changed. This was 1989 when this happened, and floppy disks were no longer a thing. And the people under 40 may have seen one in a museum, but probably not. Um and he was sending them out by physical mail and then getting paid by physical mail. So none of those things is necessary anymore. We can use electronic mail, and the the way that digital things are transmitted is almost instant. And you can use either some payment mechanism or you can use Bitcoin. There may be a requirement that you use Bitcoin. So the you have generally looked at settings where there is weak state capacity, where it is possible, it is difficult to enforce rules or even to say exactly what the rules are, but then looked at the emergent properties of the rules that do happen through the lens of insurance as governance. So your uh longtime colleague at King's College, David Skarbek, has done some of this work, but on prisons, and there it's more like a constitutional set of rules. And uh Peter Leeson at George Mason has done this for pirates, particularly uh 17th and 18th century pirates who came up with constitutions and rules. You and looking most recently at ransomware, but before that, art pirates, kidnapping, have looked through the lens of insurance. The interesting thing about ransomware and the thing that you have pointed out is this kind of market is different because a lot of people just want this to go away. They're not careful about being sure. And the insurance companies, because for kidnapping, the insurance companies could insist you're not going anywhere by yourself, you take care, you go through some classes. We haven't reached that point yet with ransomware. So, so can you say something about the nature of the risk and how does this even work? What are the nuts and bolts? 
So, if I get some sort of attack that's successful, what can I expect to happen? And let's let's ignore insurance for now. I'm on my own. How is this going to work?
SPEAKER_02: So, the first thing that you will find is that your computer is being made inaccessible to you in some way. You either find uh a lock screen or you find only one text file in your directory that is still readable.
SPEAKER_01: That happens after I have somehow contracted the virus. How do I do that?
SPEAKER_02: Um, usually through some sort of social engineering attack. Um, so you will have been sent an email with somebody offering you a fantastic data set or a PhD student who comes with a what sounds like a super idea, and uh you just open their CV without thinking about it. You enable the malware to come into your computer, or you pick up the phone and it's one of your students, or somebody very much sounds like one of your students, and uh you give them access to uh a file, you divulge your password, you recycle your password multiple times. So somebody gets into the system, they will probably spend some time sniffing around, finding out what data you would most likely uh want back, and the data that you most want to keep private. Um, they will exfiltrate anything that's sensitive, and then they will trigger this encryption protocol, which is impossible to crack if they know what they're doing. So if it's a sophisticated ransomware gang, you have no hope of decrypting the uh the ransomware um by yourself or even with the help of the most advanced um computer security firm. So the question is then can you recover from backups? And how vulnerable are you to extortion? Is there stuff on your computer that you really want to keep private?
SPEAKER_01: And the the your book is coming out in two forms. One is Dark Screens, but the other one is interesting. The title is We Know You Can Afford to Pay a Million or something like that.
SPEAKER_02: That's right, yes.
SPEAKER_01: One of the things that's interesting is that what's the if I can get your computer files, if I can look at your hard disk, I can probably also look at emails that you've sent, I can look at your financial records, I may even be able to break into some of your financial accounts, at least to look at them. I can actually tell, I can charge a price that is gauged to be something like the most you are able or willing to pay. Is is that actually fairly common?
SPEAKER_02: So mostly we're not talking about private individuals, we're talking about firms. Yes, they're looking for profit and loss accounts, they're looking for cash flow. Um, but of course, what they really want to find is your insurance certificate, which says exactly how much you're insured for, and that absolutely cuts um the negotiation, um, the negotiation time, because they said, okay, well, we'll just take whatever it's insured for. So, yes, we know you can pay a million comes from these negotiations where they're they say, Well, what is what what is the affordability, but also how much is it going to cost you for each day that you don't begin the recovery? And another negotiation opener on the um ransomware front is has always been how much is your regulator going to charge you for losing all this sensitive personal data? So with the GDPR and data privacy legislation, um, the threat of being on the hook for these massive third-party liabilities, um, that was the big thing that the that that that the that the insurers were always looking at. Yeah, it's it's not the $100,000 or in first like a $300 ransomware demand, or the $10 million that you that that is going to cost to keep the business, uh business continuity plan, but it's the $300 million um third-party liabilities that the insurers were worried about. So so they weren't focusing on on the crime problem, they were focusing on are you ticking all the boxes on the regulation side? Because we don't want you to be involved in a lawsuit that's gonna cost us massive amounts of money. So in this particular case, insurance as governance was not focused on the crime, but on the downstream repercussions of the crime, in particular, the relationship of the firm with the regulator.
SPEAKER_01: And to make sure it's clear to the listeners, the the liability here is because of a regulation that says you have collected data in which you have sensitive private information, you have financial information. The condition under which you can collect this is if you ensure that it is not revealed. And they're trying to make sure that you don't reveal it and that you keep it uh confidential. And so if it is released, and what what the what the bad guys are threatening to do then is to publish this, to put it on a website.
SPEAKER_02: Absolutely right. Yeah, so they're they're they're weaponizing this threat against um again against the firms. And uh yes, they have these uh uh walls of shame, their leak sites. And um, if your firm's name appears on there as having been breached, then you're already in trouble. But then if they start revealing what's what what what what's in there, um that of course can have catastrophic implications uh for for people. So uh one of the uh companies that I discuss in my my book is is Planned Parenthood. Um that's extremely sensitive information, of course. So the the wish to trust in the honor of thieves that if you pay this money this information will not appear is is is is often overwhelming. But of course, it's a it's a complete trust issue. Um, you don't know how many copies of it exist. They can tell you oh, it's we wiped one copy. Um don't know whether they've already sold it. Um but the sort of wall of shame on the leak site has been really powerful in uh in compelling people to engage with the perpetrators. So that that's what initially this was not necessarily because people didn't have backup plans, they didn't have a plan B, they just had to engage um with the ransomware gangs. Um, as they built the capacity to say thanks, but no thanks, we don't need a decryption key, we're gonna be up and running in three days from our fantastic backups. Um, that's when there was this sort of round of innovation and said, no, well, we're gonna exfiltrate your data, and and and this is how we're going to get you to engage.
SPEAKER_01: And and that get is really very significant. So there's if we're talking about artwork, there's a thing. If we're talking about getting a ship or a crew back, there's a thing. If we're talking about a kidnapping, there is a physical corpus. I the it's clear what the exchange is. So I pay you not to release some data, and you say, and I've and in fact, I will let you, I will let you press the button to delete the data. They have copies. There's no way of enforcing that. And as you have said, and I think if you could say more about this, it's interesting because it's one of the most interesting aspects of it. Everyone's focus seems to be on to limit the damage or the liability rather than to prevent the crime in the first place. And that just doesn't make sense because if you could prevent the crime in the first place, if you could prevent the breach in the first place, that would solve all of your problems. So those two difficulties make this just different from the other things that you have looked at. And it's fascinating.
Why Cyber Insurance Struggles To Govern
SPEAKER_02: Yeah, so the last two things that I looked at, which was um these special risks around kidnapping and piracy, and uh around art insurance, do you have an insurance market that is very highly concentrated, uh, specifically in the underwriting room at Lloyd's of London, uh, with a handful of companies that uh that that dominate the market, with another dozen or so companies that sort of hangers on. And uh within that group of people who who sit within spitting distance of each other in the underwriting room, who go to to to lunch and to coffee and to dinner together, who all know each other from their past in the elite military forces, they're very, very good at creating protocols and very good in enforcing those protocols. Um, cyber insurance is different in two ways. The the first one, the first clue is in the name, it's cyber insurance, it's not ransomware insurance. So this is not something that has been specifically created to deal with a specific crime, but it was created to deal with a broad category of risks that started to emerge with the internet in the 1990s. So by 2013, when ransomware starts to really emerge as a viable business model, um you're not using an instrument that is designed around it, but you're using something really clunky that's trying to do all sorts of things to deal with a new problem, and they're not focusing on the actual uh the the nitty-gritty details of what it would take to control that problem. The second problem with uh cyber insurance is that this is not a market that's highly concentrated, it emerges concurrently in the UK, in the US, in Europe, in Asia, um, in Australia. People just turn to their brokers and say, what can you do about um about cyber uh cybercrime, cyber accidents, uh cyber fallout from whatever is happening in the world. Um so people are inventing this class of insurance, they realize that there are lots of people who are worried about it, it becomes the growth business, everyone wants market share. 
And although there are some people who say, well, we're not really interested in insuring these uncontainable risks, and we don't really want to insure people for being irresponsible. If you want to have a stake in this rapidly growing market, um, it's really difficult to say, well, but I want you to do this and I want you to do that. Um, firms were not receptive to the idea of cybersecurity. They said, well, we do want to take risks, we we do want to do business on the internet. Um the the last thing that we want to do is to impede our customers' access to us. Um you can't run a university if you're filtering out 70% of student emails. That would be a safe thing to do, but that's not what we want. We want insurance um because we want to take risks. So, yes, it's been it's been a real issue because also based on my work um and the work of other people in this field of insurance as governance. Governments, governments said to insurers, well, go and do something, do some governing here. And and insurers said, Well, well, we can't. Um, there are some insurance companies that offer you um lower premium if if if you put in better cybersecurity measures, but but as a market, they were just not willing um to try and push something, uh cybersecurity measures on their customers.
SPEAKER_01: The problem with insurance is that you have to charge on average the expected value of the loss across all of the people that have this policy with you. And in the other markets that you've looked at, they've come up with innovative ways to reduce the problem of moral hazard. So having training about kidnapping and having that be mandatory as a condition for having a certain level or maybe having a high deductible are the usual ways that we solve problems of moral hazard. Here, if you're talking about $300 million, and because that's that's what happens if this is exfiltrated, and this company is not careful, the amount that you'd have to charge for that insurance is just prohibitive. And I wonder if there have been attempts to get this regulated, because in some of the there are places in the United States where there are fires and earthquakes. I'm looking at you, California. People complain that the insurance is so expensive. Well, it would be because there's a really good chance of a fire or an earthquake. You have to cover the expected value of that cost. And if there's a fire, all the houses on that whole street or in that entire town, they're gone. You can't diversify that. You'd have to have it in different places. So the this is it seems like this this insurance would be either prohibitively expensive or have such a high deductible that the company is going to be exposed, or you have to find some way to get them to reduce the risk. And all three of those seem difficult in this market.
SPEAKER_02: Yeah. Um they've tried all of them. They've tried that to get the government to um put in regulation for better cybersecurity. Um, but the governments around the world have basically said, well, we're not that good at regulating this kind of business. Um, we don't have uh the expertise. Um we would like this to be self-regulation, we would like industry to come forward with with with standards, um, not least because government agencies are some of the worst offenders when it comes to low cybersecurity.
SPEAKER_01: Absolutely, yes.
SPEAKER_02: Um what insurers have done is is is two things. Uh they've uh created these large uh uh deductibles, but they've also limited how much they're going to pay out.
SPEAKER_01: So they've total liability. They've limited total liability.
SPEAKER_02: Yeah, exactly. And and that's ultimately what's led quite a lot of firms to improve their cybersecurity. We we now have multi-factor authentication and uh and and and strong passwords, and and we've had the security training, but that is because it's in the uh in the personal interest, uh in the business interest um for firms who are who've been put on the hook by the insurers. Um not least because the insurers say, well, you're not really coming for us to us for insurance, you're coming to us for the uh peace of mind that if something goes wrong, um we're gonna take care to minimize the regulatory fallout, the business interruption, the PR problems, etc.
SPEAKER_01: That's the very definition. That's the definition of more.
SPEAKER_02: Absolutely, yes. It's it's not really insurance as such. But yeah, we've moved through a very hard market where it's almost impossible to get anything, like the amount of cover that that firms wanted, and that's created a step change in in firms' attitude to to cybersecurity.
SPEAKER_01: I have noticed an increase, and maybe this is just idiosyncratic, but of really oddly and disquietingly targeted phishing with a ph. So I've gotten a fair number of emails from people whom I knew saying something that they might have said, and I've just become a lot more paranoid because it wasn't them and the payload of this, I don't know what it was because I didn't open it, but the there's an arms race, and the it seems like it's really hard for the good guys to win that arms race.
SPEAKER_02: It always has been an arms race, and the good guys have never won, but neither have the well, the the the good guys have have to be successful 100% of the time, and for the bad guys, the business works if they're occasionally successful. So so it it's it's really asymmetric uh as as as well. But yes, artificial intelligence is problematic. Um, translation software is getting better and better. So things do sound like they might have been said um by by by by a friend or a colleague um that that that is problematic. Um people's voice can be.
SPEAKER_01: I wanted to hear more about that.
SPEAKER_02Yeah, but I mean generally phishing just trades on our best traits, like our curiosity, uh collegiality, uh, general visions of of just being friendly and and and and holding open a door, helping somebody out who's in a pickle, um some manager, somebody who sounds like this part of your organization and just needs a new password, uh, because they're out in the field and it's a blizzard. And they really know how to play on on people's finest instincts, um, as well as curiosity and say here here's a picture off of whatever is attractive.
Ransomware As State Power Tool
SPEAKER_01Well, there there is there is you you have described this as a crime with underworld people doing it and the difficulty of insuring. Uh, towards the end of your book, you there's another difference from kidnapping, although I suppose mass kidnapping might be an act of war. Um, but an organized government use of these tools to not in order to be paid, but in order to disable a part of an enemy's economy or uh war-making capacity, is something that didn't really seem possible 20 years ago. And now it's it's not hard to imagine if they can find a vulnerability that it might be possible. So, can you say something about, and then I have uh another question about uh a kind of paranoia paranoia about Chinese switches?
SPEAKER_02Yeah, so there were two instances where once North Korea and and and once Russia um created a ransomware strain, which in the end didn't turn out to work. That was very virulent. Um, coming through a computer worm, you might remember the WannaCry and the NotPetya attack, NotPetya directed against Ukraine, um, WannaCry, in the hope of creating revenues for the North Korean government that were not subject um to sanctions. Um, but mostly the problem of ransomware is that ransomware can be conducted with impunity from from countries like Russia, where it's not a crime. So a lot of these issues around how do you run a company um that's dedicated to crime under the radar, off the law, with people you don't know, who might be undercover police officers, all you have for them is is is a nickname, a handle. Um what is the yeah, how do you how do you organize a business when trust is at uh at uh at such a premium? That falls away if um the president of your your country says, well, as long as you've got Western people in you as your targets, um, it's kind of patriotic to run ransomware, then you get around all that and you have your uh business premises somewhere um in Moscow, and uh cybercrime works a lot more effective like that. But yeah, we we really do need to worry about whether at some stage all that capacity for infiltration um could be used aggressively and more aggressively. So far, it's it's only been used to needle um aggression short of war and a long way short of war. But the United States has had an attack on critical infrastructure with the uh Colonial Pipeline incident. So you don't do know what it feels like when your eastern seaboard is uh suddenly facing a fuel shortage. Um the American president at the time did have um a sense of humor failure about it and talk to his Russian counterpart. And uh yeah, at the moment we're relying on the honor of thieves that that they will not attack critical infrastructure. But but the fact is that they can.
SPEAKER_01There was a movie a couple of years ago where a uh Americans had done something China didn't like. The Chinese ambassador called the uh the assistant secretary of state and said, you know, we're very upset about this, look out your window. And then the uh uh Chinese ambassador says three, two, one, and all of the stoplights go off. And so immediately there's chaos, there's cars running up on the sidewalk, uh, wrecks, no one can get around the city, and then the Chinese official says three, two, one, and they all come back on. And the the the the ambassadors, and we can do that anytime. Now that's sort of science fiction-ish, but if you had control of that level, particularly in a world where there's an internet of things, then is this a weapon of war, the exposure to which we should be concerned about? And so a number of people have pointed out that almost all of the 5G switches in the US are made by Huawei. And we don't really have the capacity to make those. There's a whole lot of, and so two things. One is, can someone listen? And the other is, is there a kill switch? Because if you have those two things, this is different from electronic equipment in the past. Is this a national security exposure where perhaps we should give up some of our aspirations for connectedness? So is the Internet of Things inherently excessively risky.
SPEAKER_02Well, it does come with huge risks and also provides a great deal of convenience. But certainly one of my colleagues here in the UK, Jen Ellis, says the smart city won't seem like such a smart idea once the Russians are inside the system. And I think she's absolutely right about that. In my book, I reflect on these trade-offs between efficiency and resilience, between risk and opportunity. I don't have an answer, but I think we do need to ask the questions. People need to engage with their own cybersecurity. They need to engage with these risks and they need to start asking questions of government, both in terms of what is online, what is offline, where do we have backups, where do we not? And what is the plan B? You're absolutely right. Just like a global pandemic, this is something that is predictable. And I really did not enjoy the on the hoof policy making that governments engaged in over COVID-19. And I want voters to engage with their government uh on this. So that's very much one of my aims with this book of giving people the language and the confidence to engage with this topic, but but but also to to make a part of the political debate. I don't know what the perfect stance is, but pretending that the risk does not exist is not it.
Book Titles Release Dates And Preorder
SPEAKER_01That's actually what I thought the answer was, because there are a lot of people who just have this, you should be terrified. You should be go to your basement and live in quivering fear. We should get rid of all of these sorts of connections, or it's no problem, it's too convenient, we can't do without it. Your answer was this is actually complicated. We don't know the answer, and we should think about it. So the I I thought you did answer the question. It's just an answer that a lot of people are going to find unsatisfying, but it's the correct answer. Well, is is is the the can you say something about when the book is going to come out and something about the two different editions, one in the US and one in the UK?
SPEAKER_02Yeah. So the uh the UK edition is already out, We Know You Can Pay a Million. Um, I found it in the wild yesterday in a bookshop.
SPEAKER_01Congratulations.
SPEAKER_02That's that's absolutely great. Um, the Americans went for a different title, Dark Screens, Hackers and Heroes and the Shadowy World of Ransomware.
SPEAKER_01And a very different look. It's a very different look.
SPEAKER_02A different look, yes, rather more um yeah, threatening.
SPEAKER_01Yes, terrifying.
SPEAKER_02Terrifying, but but but I think, yeah, I think both uh both both have uh a vision of of of who the readership would be. And I'm I'm trying to to engage um a lot of people who say, well, this is something that I'd like to outsource to my IT department, that I would like to outsource to my government, that I want to outsource to my insurance. So no, you need to be part of that debate. And here are the stories of the people behind the screens, the the people you can engage with. Um just give you that 360 view of the ecosystem of which you are part as a computer's user. Um, the the willing victim, the unprepared victim is part of the ecosystem. And it's a lifeblood just as much as cryptocurrency is. So cryptocurrency was was uh the switch that that made ransomware um the uh the big threat that it is. Um without it, or with better regulated uh cryptocurrency, that would be a different kettle of fish and yeah, we need to ask those questions.
SPEAKER_01Only when we ask those questions will we start to get the answers. Her book comes out in the United States on April 28th. This will post on April 14th. So if your people are listening, they're hearing it on the 14th. That means you have two weeks to pre-order the book. And uh having read an early copy, I can say it really is terrific. She keeps coming up with new and provocative ways to see a set of the same questions. So thank you very much, Professor Shortland. And I really do appreciate you being on The Answer is Transaction Costs.
SPEAKER_02It's been fun as usual. Thank you, Mike.
The Pirate Problem Game Theory Puzzle
Book Recommendation On Pirate Rules
Listener Letters And Final Wrap
SPEAKER_01Whoa, that sound means it's time for the TWEJ. I have two. First, about pirate. Man walks into a bar, sees a pirate with a peg leg, a hook for a hand, and an eye patch. The man is intrigued. Asks the pirate, how'd you get the peg leg? The pirate replies, Hurg, I was in a great battle at sea and a cannonball tore me leg off. Whoa, says the man. And and the hook? Hurg, says the pirate. I was boarding a merchant vessel, and a British Navy officer cut it off. That's amazing, says the man. When the the eye patch. Gurrr, says the pirate. A seagull pooped in me eye. The man's confused. Well you you lost your eye to seagull poop? Gurr, don't you be smug, growled the pirate. It were my first day with the hook. I think that's the worst thing I've ever heard. How marvelous. The reason I like that is that it's clearly about transaction cost. One of the things that Adam Smith talks about is increases in dexterity and tool use, learning to use the hook. That's really a big transaction cost. Which brings me to the second joke. Although this is really more like an exercise than a joke. This is from Alex Danco's newsletter, February 2nd, 2021, and it's called The Pirate Problem. And it's a riddle, although I said it's more like an exercise. I will just read it, and I'll put up a link to it in the show notes. Quoting now from Alex Danco's newsletter. Here's a riddle I think about quite often, and just might be of interest to people who think about games. Five pirates, who used to be hedge fund managers before they gave up their life of sin and looked for a more honest profession, attack and board a ship. While plundering the boat, they uncover a chest filled with 100 identical indivisible gold coins. Before parting ways, the pirates must decide how to divide the treasure. They commit to the following scheme, that is, a way of deciding how to decide.
Pirates rank themselves one through five by ascending seniority, that is youngest to oldest, or maybe longer time being a pirate. Most junior pirate, number one, goes first. He proposes a split of the treasure. The treasure can be any five-way split that adds up exactly to 100. So it could be 20, 20, 20, 20. Could be 45, 30, 24, 1, 0. A five-tuple, where each of the elements is the allocation to that pirate and the sum has to be 100. Once pirate number one submits his proposal, all the pirates will vote. If a majority, or at least a tie, of the pirates vote in favor, the pirates split the treasure according to the proposal and they go their separate ways. But if there's a majority against the proposal, pirate number one is thrown overboard to the sharks, and then pirate two presents a proposal of his own. If that proposal fails, it goes to Pirate Three and so on. So to be clear, there's a proposal. If at least half of the pirates vote in favor of the proposal, it's implemented and the game ends. If a majority votes against, then whoever made the proposal is thrown overboard and they go back to deciding with the next person making a proposal. Now this might seem like the dictator game, where one person proposes a split of some maybe a hundred gold coins. Somebody else decides whether to accept it or not. It's not, though, because there is an incentive problem. If you throw someone overboard, that means there's only n minus one instead of n people to split. So back to the quote. Recall, these pirates used to run hedge funds. They're all very smart, at least in this domain, and they think rigorously through each proposal. Now, let's suppose they care only about maximizing their own treasure. They don't care about their fellow pirates. After all, they were hedge fund pirates. Uh, forgive me, hedge fund managers, although maybe that slip is okay. They do abide by the pirate code, however. If a proposal passes voting, they will honor it. 
So suppose you're the most junior pirate and you get to make the first proposal. How much treasure can you get? Well, if you're the first pirate, it probably feels like you have zero leverage. Why would it be in any of the pirates' interest to hear your proposal at all? They're just going to vote you overboard no matter what, because no matter what, we'll be splitting it four ways instead of five. Shouldn't they just vote you overboard regardless? So you could propose a fair split, you could propose everything goes to the others. Uh, and maybe they would accept that, but then you would get zero. So it seems like it's no way that you could uh win. So if you say zero, twenty five, twenty five, twenty five, twenty five, that is you get zero, and the others each get twenty five, that means you don't get anything, but maybe you could at least survive. You might buy survival that way. Now, that's also true for pirate two, is the problem, because the pirates can look down the game tree and say, we're also going to do this for pirate number two, we're gonna throw him overboard. So that means they're not gonna accept your zero, 25, 25, 25, 25. So you're actually just totally out of luck as pirate one. But maybe you do have a little leverage as the the youngest pirate. So is there some way that you can get leverage against the other pirates? Well, what are the other pirates most afraid of? Are they afraid of you? No. If you're pirate five, who are you afraid of and who might be your friend? If you're pirate four, who are you afraid of and who might be your friend? So, as pirate one, the most junior pirate, you can actually make off with 98 gold coins out of the original 100 if you make the correct proposal. Now, most people, when they approach this puzzle, start by thinking, okay, it must be a story of the little pirate against the big pirates. 
They try to work out how the little, the disadvantaged pirates at the beginning can gain leverage over the big senior pirates at the end who have the voting power and can wait you out. No matter how you try, you're never going to make that work. The big pirates will beat the little pirates. But you have to go all the way to the end of the game and then work backwards. Imagine there's only two pirates. Now, they're not afraid of the little pirates anymore, but they're afraid of the other big pirate. If there's only two pirates, or in other words, a scenario where one through three have already been thrown overboard, only four and five are left. Well, we know what's going to happen. Pirate four will read the rules and submit his proposal 100, 0. There's no majority that can vote against him, and he got the entire treasure in the bag because he can all it takes is a tie. So if at least half of the pirates vote in favor, so if it comes down to the final two pirates, pirate four will say, I get 100, you get zero, we vote. It's one to one. That means we implement the proposal, and Pirate Five has to obey the pirate code because it was on his honor to accept the results of the vote. And so with probability one, if it comes down to the final two, pirate four gets one hundred, pirate five gets zero. Pirate five does not like that scenario. He doesn't like it one bit. He doesn't get thrown overboard, but he doesn't get any treasure either. So any offer that's going to get him something better than that, he will favor. Pirate five knows that he needs to make sure it never gets down to the final two pirates. You know who figures that out first? Pirate three. Pirate three understands that Pirate 5 is afraid of Pirate 4. If it gets down to three pirates, Pirate 3 has total leverage over Pirate 5. Any deal is better than no deal. He has no leverage over Pirate 4, but that doesn't matter. He only needs one more vote.
So Pirate 3 is going to propose 99, 0, 1, or maybe 98, 0, 2. That is 98 goes to Pirate 3, 0 to Pirate 4, but 2 to Pirate 5. Pirate 5 knows if he turns down this proposal, he's going to get nothing. And so he will vote for that, which means that Pirate 3 and Pirate 5 can impose this on Pirate 4. Pirate 4 has lost all of his leverage. Now you know who doesn't like that scenario? Pirate 4, who wants to avoid that outcome at any cost. You know who has been thinking about that? Pirate 2. Pirate 2 understands, hey, Pirate 4 will do anything to avoid this scenario, coming down to only three pirates. So it gets to Pirate 2. We know that he will offer 99, 0, 1, 0. Pirate 4 will have no choice but to accept that one gold coin because it's better than zero. You know who doesn't like that scenario? Pirates 3 and 5. Now they're going to get zero coins. So the big bad pirates with the voting majority at the end have lost everything. You know who understands that? By that point in our story? Pirate number one. You can make your offer 98, 0, 1, 0, 1. Pirates three and five have no choice but to sullenly accept one single gold coin each, because the alternative is nothing. No matter how tiny you feel at the beginning, or how many senior pirates come after you, it doesn't matter because they're all more afraid of each other than they are of you. That's actually a timeless and very generalizable lesson among pirates, hedge fund managers, and faculty department chairs. Specifically, that was not quoting, that was obiter dictum from me. Back to the quote. Specifically, in this case, the odd-numbered pirates and the even-numbered pirates are all afraid of each other. If the even-numbered pirates gain control, the odd-numbered pirates all end up with zero coins, and vice versa. So the pirate with all the power is the very first one. Now, this works for any large number of coins and any number of pirates. It's time for Book of the Month.
This month's book is, I may have recommended this once before, but it's such a good book, I'm happy to do it again. Peter Leeson, George Mason University, The Invisible Hook, was published in 2009 by Princeton University Press. It is a remarkable book just for entertainment, but also about institutional economics. Well, I did get some letters, and so let me talk about several. First, dear Professor Munger, I wanted to write you a quick note of appreciation for your work on transaction cost. Your framing for thinking about how reducing transaction costs unlocks entirely new categories of exchange, has made me take a different lens to the way I think. I'm currently reading David Deutsch's The Beginning of Infinity, which was published in 2011. Deutsch argues that the scientific revolution was really about establishing a tradition of criticism, demanding that explanations be hard to vary and subjecting them to rigorous scrutiny. It struck me that this tradition is essentially a transaction cost-reducing institution for the knowledge economy. It lets scientists trust and build on each other's work without personally re-verifying everything, which is what allows knowledge to compound. On the flip side, when the system fails and transaction costs rise, that is, replication crises, progress becomes harder and entire fields may stagnate. I thought you'd enjoy that connection. The series on Wealth of Nations is next on my list. Thanks. Best regards, MR, Munich, Germany. Well, thanks, MR. I don't know that book, but let's make it a recommendation for a second book of the month. That is David Deutsch, The Beginning of Infinity, 2011. And thanks for the recommendation. Letter two. I thoroughly enjoyed the Adam Smith series. Thank you for taking the time and energy to share that. MP. Thank you, MP. And I really enjoyed doing it. I learned so much from that. 
I don't know if I would have started it if I know it was going to end up being 11 episodes and about 16 hours, but I hope I would have. In any case, we got through it together, and I hope you guys are enjoying it. Letter three, dear Professor Munger, in one of your recent episodes, Alex Schueschle wondered why companies that were so focused on maximizing outcomes via the assets they own would continue to use large custom software programs instead of some common software as a service platform. The answer, of course, is transaction costs. Or, slightly reframing, what is preventing firms that have spent the last 20 years perfecting their customers' Coasian firm boundary from having a lean, narrow Coasian boundary themselves? Software is a capitalized service. In general, third-party software provides the most benefit when it can transform the service the purchasing company sells or uses internally into a configuration or effectively data rather than customization, which is either software or procedure change to work with the software. For example, very few companies develop their own accounting software right now because it's well known how to model most companies' general ledgers as configuration data. Companies may need to change their procedures to start using QuickBooks, but often this is as much about learning proper accounting as it is fundamentally changing the way they do business. Returning to Alex's question, a third-party software firm would need to overcome the internal firm product vagueness of the rental operation software. There's no accounting line item or division for rental operating software. Instead, the costs for the existing system are scattered across payroll and capital accounts. So the first thing that a vendor would need to do is define the market. Where does the rental operation service end and where does the accounting service or software begin?
If the vendor can't do that, then the rental firms need to maintain the custom software in-house as an activity that can't be entrusted to the market. If a third-party software firm clears this hurdle, the next hurdle is that all of the large rental companies may share 90% or more of the same core functionality, but less than 10% that differs is what's seen as the core differentiator of the rental company. A new vendor must support these differentiators to justify a switch. For a third party to enter the market, they need to show that they can handle the common items as well as the current system, but that the core differentiators can become configurations rather than customizations. If the third-party service can't abstract these changes from the third-party software standard process as configurations, the benefit to the rental company is minimized. A concrete but potentially non-trivial portion of these differentiators is translating business activities into other software owned by the company. For example, as much of the current functionality provided by the custom software may be sending a job completion notice to the customer relation management platform, Salesforce, and to the accounting software, or NetSuite, as tracking the job status itself. While there are only a few large vendors in most of these related categories, keeping these systems in sync may not translate well across the rental company's view of the various services. Company A may want to alert business development reps, while Company B may wish to alert account executives. Some of these differences may be easily translated into configuration, while others may still require customization, limiting the benefits of the third party solution. Well, I hope this note helps explain some of the more rational bases for computed companies to maintain and grow their in house software teams. 
Even as we've seen an explosion in the number of third party software systems for smaller and smaller parts of a firm's operations. Thank you for your show, JPB. End of letter. Gosh, thanks, JPB. That's very interesting. I always appreciate actual information from somewhere on the inside, and I'm happy to share it with the listeners because many of them also are much more insiders than I am. Well, that's it for April of 2026. It's almost time to get back to the weekly summer format of TAITC. I'm excited. Thanks for listening.