The Answer Is Transaction Costs

Making Deals With Shadows: The Economics of Ransomware and Cybersecurity

Michael Munger

Send us a text

The digital realm is rife with invisible threats, and this episode doesn't shy away from the gritty realities of ransomware and the burgeoning industry of cyber insurance. We tackle the conundrum: How do these defensive expenditures impact our economy when they don't actually produce anything tangible? From the early days of cyber insurance to the ongoing battle against hackers, learn how organizations across the board—from the halls of government to the frontlines of business—are fortifying their defenses against a barrage of cyber threats, each with their own unique strategies and vulnerabilities.

Wrapping up with a human touch, our conversation turns to the pivotal role individuals play in the security of networks and the negotiation tactics employed once defenses have been breached. And because all work and no play makes for a dull podcast, we round off the session with a sprinkling of economic humor, answering listener queries with a blend of wit and wisdom. Don't forget, for those hungry for more knowledge, I've got some book recommendations to deepen your understanding of the legendary thinker Adam Smith. 

Links:
Anja Shortland Website:  https://www.kcl.ac.uk/people/anja-shortland-1
Duke CHOPE Hayek Lecture with Dr. Shortland:  https://www.youtube.com/watch?v=Czs2EYDo2sI

Books:
Arthur Herman: How the Scots Invented the Modern World https://www.amazon.com/How-Scots-Invented-Modern-World/dp/0609809997
James Otteson: Adam Smith's Marketplace of Life https://www.amazon.com/Adam-Smiths-Marketplace-James-Otteson/dp/0521016568/ref=monarch_sidesheet
Adam Smith: The Theory of Moral Sentiments  https://www.libertyfund.org/books/the-theory-of-moral-sentiments/
EconTalk Book Club (six episodes):  https://www.econtalk.org/klein-on-the-theory-of-moral-sentiments-episode-1-an-overview/

If you have questions or comments, or want to suggest a future topic, email the show at taitc.email@gmail.com !


You can follow Mike Munger on Twitter at @mungowitz


Speaker 1:

This is Mike Munger of Duke University, the knower of important things Ransomware, insurance and the problem of making credible promises without formal enforceability, and the difficulties of acquiring a reputation for high-quality criminal services. Today's interview takes up these topics with an internationally recognized expert and author, dr Anya Shortland of Kings College London. Four new twedges plus this month's letter, and more Straight out of Creedmore, this is Tidy C.

Speaker 2:

I thought they'd talk about a system where there were no transaction costs. It's an imaginary system. There are always transaction costs when it is costly to transact. Institutions matter and it is costly to transact.

Speaker 1:

Dr Anya Shortland is a professor of political economy at Kings College in London in the UK. Anya studies private governance in the world's trickiest markets hostages, fine arts, antiquities and ransomware, and she looks at how people live, trade and invest in complex and hostile territories. Although often based in data analysis, her work usually cuts across disciplinary boundaries that adopt techniques and insights from sociology, engineering, geography, politics, international relations and, of course, economics. Anya was an engineering and economics undergrad at Oxford and then did her master's and PhD in international relations at the London School. Before coming to King, she worked as a lecturer in economics at Leicester. Professor Shortland, can you tell us something about yourself and how you came to be interested in the problem of transaction costs?

Speaker 2:

I got really interested in a number of very tricky markets where legal entities try and make a deal with an underworld organization, so it can be a kidnap for ransom event, it could be a hijack for ransom. So I started off as piracy. Sometimes it's about the recovery of an artwork, a stolen artwork or something that got looted in a conflict zone. And most recently I've been interested in data theft. And in all of these circumstances you have a firm or an individual that is not used to transacting with rebels, pirates, thieves, etc.

Speaker 2:

Hackers, and they have to come to some sort of arrangement to try and recover their treasure and, as you can imagine, this is just absolutely fraught with transaction costs. And what I discovered was that these markets are surprisingly orderly and at the bottom of that surprising order was often an insurance market and a market growing the expertise around resolving these incidents While minimizing the transaction costs, making the market work well enough to recover the assets, but not quite making it work well enough to inspire lots and lots of copycat crime. So that's that balance between making it work well enough and not well enough I find fascinating.

Speaker 1:

Well, one of the things that's striking about your work is that biologists, I think, are often surprised about the vitality of life. In apparently precarious and forbidding circumstances, we see the emergence of quite sustainable life, even in situations where it seems like it would be impossible. You have done that. In markets, it turns out there are benefits from cooperation in all sorts of settings that seem antagonistic to the point of being. We're talking about death, violence, force, fraud, and yet there emerge a kind of routinized process for eliminating some of the deadweight losses that would accrue to not being able to transact. So now some of these.

Speaker 1:

In the case of different kinds of extortion, it is the one of the parties is trying to use deceit or force in order to obtain money, we would say illegitimately, because they're violating property rights from another party.

Speaker 1:

But it's still the amazing thing about your work that I see over and over again it is still in the interest of the party that is exercising illegitimate force to make certain guarantees and certain ways of reducing the transaction cost of this exchange that appear to be in the benefit of the, to the benefit of the person that is being stolen from, but in fact it is to the benefit of the person stealing because it means that they now can receive the money that they're trying to get and the connection that you have found for that, for insurance, that you know you're trying to get rid of some of the some of the risk.

Speaker 1:

The difficulty of insurance is that it is contingent on being able to define precise states of the world and on the insured party not subjecting the insuring party to the kind of risks that would make the contract void. So the the particular work that you have been doing most recently is on a new kind I think a relatively new kind of extortion. Can you say something about what ransomware is, how this kind of extortion originated and how we should think of it in an economic context?

Speaker 2:

Yes. So I've been interested in ransomware, where hackers find a way into other people's computers and start encrypting files in such a way that removing the virus program would destroy the files and that the only way of restoring the files to a readable state would be to get a decryption key from the virus writer, from the original hacker. Sometimes you don't need to do that if you've got very good backup solutions and you can just say well, we're fine. Sometimes there is a second degree of extortion involved in this transaction, in this ransomware, where they say not only have we encrypted your file, but we've also stolen a copy of your file and you wouldn't want us to publicize the contents of your file. You probably don't want your university student data to be leaked onto the dark net, or your customer data or your patient data, anything that's sensitive. So there are these two types of extortion here. One is around the privacy, so weaponizing data privacy regulations here, and one is just here We've taken something away from you that you will need our help to get back.

Speaker 1:

And when were the first instances of ransomware? You have to have some way of delivering the program, which is the payload, the thing that changes their access to the data and it maybe enables you to copy it and control their computer. And the Obviously, access to the Internet or some sort of connection is crucial, but you might be able to deliver it on a hard drive or a thumb drive. It seems like there's a bunch of ways where, once you have gained control of the computer, you then might cause it to connect. What is the history of ransomware and what have been some of the great, salient examples of success or failure?

Speaker 2:

So the very first instance of ransomware was delivered on a floppy disk. So somebody who was trying to teach people a lesson about cyber hygiene and safe sex decided that they were going to mail out thousands of floppy disks with an AIDS questionnaire. So, literally about safe sex.

Speaker 2:

Exactly so. They were sending people to put this unknown thing into their computer and it was called the AIDS virus for this very reason, because it started to corrupt their drives after 100 backups, after 100 reboots, so very closely mimicked the behavior of the AIDS virus. And then, after 100 reboots, disaster struck for anybody who had not practiced safe.

Speaker 1:

Punishing promiscuity.

Speaker 2:

Yeah, it didn't work very well. And for the next 10 years, 20 years the problem that cyber criminals had in using ransomware and using viruses to extort money was that they didn't really have a payments mechanism that worked for them. So, yes, they could infect computers, they could encrypt people's files, but then they had to ask for Macy's store vouchers or ask people to phone premium phone lines to collect money and wasn't really worthwhile. And it was only with the advent of Bitcoin and cryptocurrencies and the sort of proof that this was a store of value, that ransomware really took off from 2013 onwards. So it took a very long time to solve the payment side of it.

Speaker 1:

It's always hard to measure the scale of these things, because many people to whom it happens are either embarrassed or, understandably, don't want to publicize the fact that their system was vulnerable and that their confidential data has been shared with the world. They prefer to deny that until there's incontrovertible proof. But are there any estimates about the scale of this? Your impression is that it has been growing since 2013. But is it growing 10% a year, doubling every year?

Speaker 2:

It's pretty unclear. You're absolutely right, but it's billions every year and massively growing. What we see is the tip of the iceberg, and it's the market for insurance that tells us how many people are worried about this. But basically there are only two types of companies, as they say those that have been breached and those that don't yet know that they have been breached. It is ubiquitous.

Speaker 1:

Well, I'm a student of Douglas North, who was one of my PhD advisors, and so I have to mention this on every podcast. I think if there's a drinking game, this means people have to chug tequila, because I mentioned Douglas North for the first time. But North was interested in the size of what he called the transaction sector or the nonproductive sector, and both efforts to steal or find ways to get rents outside of the normal system and efforts to defend yourself against that are both a big part of GDP that are nonproductive. And so his example was that in high crime neighborhoods it's expensive to live because you have to have an extra lock, maybe you have a bar on the door, and all that does it produces nothing except maintains the status quo, and so one of the big costs of ransomware for companies that have not been hacked is that they're trying to invest in countermeasures and those countermeasures and arms race between people that are trying to gain access and people that are trying to design countermeasures, and so there's white hat and black hat hackers, and one might switch sides on this. So, just as it takes a thief in other kinds of theft, you might hire an art thief to check your museum to see whether it is safe. We're going to try to find black hat hackers and just outbid the risk adjusted return they can get from working in ransomware and pay them to help us avoid these losses.

Speaker 1:

But let's turn then to insurance, because insurance companies can specialize in this in a way that individual companies cannot. But it seems like that your book on kidnap showed that the insurance companies, or in some ways company Lloyds of London, has managed to, if not solved, to mitigate many of these costs and rootinize the process of payment return. It's a credible threat not to overpay. The way that insurance works there is pretty well established. In ransomware, insurance has not made that kind of. It is turned out to be quite different. Why is it that insurance companies and companies are having a hard time finding contracts that will allow them to ensure this kind of extortion as opposed to kidnapping?

Speaker 2:

Well, they are ensuring it. It's not always profitable, so they're struggling to make it profitable. Insurance is available. The first thing that makes this different to kidnap for ransom is that there is no such thing as ransomware insurance. So what you're buying is cyber insurance, which is a very, very broad thing, and cyber insurance was first started in the 1990s when ransomware was nowhere at all. It was not a threat, so the product was designed around all sorts of other malicious threats like denial of service, things just getting wiped from servers, people making mistakes and accidentally losing some data, giving somebody access to something that they shouldn't have had, etc. So it's a product that's mostly designed around privacy breaches and an entire you talked about the biology of these things an entire ecosystem of specialists sort of grew up around cyber insurance to try and minimize the damage that criminals would do to companies, help the companies recover as fast as possible, throw as much money at the problem as was necessary to resolve downtime and end the downtime, get the company back up to speed, reduce the threat of being sued by customers, making sure that all the regulation was followed properly, etc. So, yeah, there's a huge amount of expertise around cyber breaches very broadly and so often in these cases, once you start designing a product around a particular set of threats, there's a path dependence. So when there's new threats and he comes in from left field and there's ransomware, you've got all these specialists who have experience in resolving cyber problems as fast as possible, as smoothly as possible and with a view to minimizing lawsuits around privacy breaches, which, of course, is absolutely ideal if you're a hacker engaged in ransomware, because that is just absolutely your bliss point where people are not worried about the ransom because they've got the 30 million dollar privacy breach fine in the background. They're quite happy to give you a thousand or 10,000 or 100,000 or a million dollars as long as it doesn't come to the privacy breach. So ransom were really absolutely thrived in the system. That was designed for quite a different kind of threat.

Speaker 2:

And now you're asking why didn't they get control of this? And one of the big reasons is that this market is hugely dispersed. So this is not a Lloyds of London story where you have 20 yacht syndicate, so having lunch together every day or every other day, that can meet for coffee, that can discuss these threats. But you've got them in various places in the United States. You've got them in Europe.

Speaker 2:

You've got some of them in London but A they're not really talking to each other and B the cyber insurance is just the booming market and everyone wants market share and they don't really care how profitable each particular subgroup is, as long as it's a broadly balances out. So they're not trying to do what insurers usually do in these tricky markets and will end up doing here as well, where they're really careful about selecting the risk and saying you've got to have that multi factor authentication and you've got to practice good cyber hygiene and we need you to do X, y and Z to reduce the risk. They were just trying to sell insurance with the minimum of scrutiny of who they were insuring and what exactly they were practicing in terms of cyber hygiene.

Speaker 1:

So one of the difficulties that we have with you've mentioned two part authentication. One way of solving the problem would be to design a technology that makes it harder to enter. It seems that a lot of the entities that are being targeted are government or nonprofits. Some for profit companies may well be targets of ransomware. There really is a big difference between being denied access to your data, which means that you're being shut down, and, depending on the degree to which you depend on computer systems, it may mean your business is entirely shut down. So the source of the threat there is I can't serve my customers and loss of revenue, and it's near total loss of revenue. It can be quite large that customers are going to know about. There's no way of hiding it. If there is a data breach and the only people that know about it are the company or the nonprofit and, of course, the hacker, it may be possible to keep it quiet. That really seems like a very different kind of risk. It strikes me that it's interesting that it's different from the kidnapping. If you kidnap my daughter, it means you have her and I don't. If you kidnap my data, we both have it. As long as I can get back access to it. I can do a lot of the things that I need to do Mightn't hackers.

Speaker 1:

If I'm paid, it would be in the interest of the hacker to make sure that it stays secret. It actually would be complicit with the company for not revealing the fact that there's been a data breach, but there are laws that require companies to reveal the fact that someone else now has this data. Are those enforced? Again, I'm asking about some of the things that are invisible.

Speaker 1:

I realized that it's kind of a dumb question, but the fact that if I can take your data and what I'm trying to lead to clumsily is it seems like there should be groups of hackers that try to develop a brand name for being reliable. I know just like groups of pirates might want to develop, or the FARC might want to develop, a reputation for being reliable because I'm more willing to pay, because I know that the transaction will actually be honored. If I know for a fact that this group of hackers will not reveal my data and will not reveal to the authorities that they have my data, I'm probably willing to just pay them right away. Are there brand names? Are we starting to see brand names among hackers?

Speaker 2:

Yeah, you're talking about the. If you have a clean finish, as the kidnapping people call it, once you've got the hostage back, you've got the hostage back With data. You can never be sure that it hasn't already been sold, that it hasn't already been copied, that it hasn't already been leaked. Yes, that's exactly where we see those brand names like Reval, where there are ransomware gangs that make a brand name and they say we'll develop a reputation for always publishing really damaging data. If we're not paid, we will never reveal data that has been paid for.

Speaker 2:

The problem with these reputations here is that it's very easy to lose a reputation and just start again under a different name. There isn't as much value associated with a name. These groups break up all the time. The first generation of reputation building was can we actually deliver the decryption keys? Because encryption and decryption matching up the decryption key with the machine in which something was encrypted that's actually really quite complex. Insurance companies and their incident responders were really keen on teaching hackers and ransomware gangs to make sure that they could actually decrypt, and that worked extremely well.

Speaker 2:

The second round of reputation building around never publishing something. Well, the proof is in the pudding. On the other hand, the value of publishing data has gone down as well over time, because people are getting used to their data not being safe. People are less likely to try and sue because their address has been revealed, and there's also been a huge amount of institution building around giving people whose data have been hacked access to credit checking facilities, etc. So my pension provider was breached and now I get alerts all the time if anyone is searching databases for loans.

Speaker 2:

So you don't always have to interact with the extortionists. You can also say, okay, well, we don't care. And you were talking about government institutions and NGOs being the primary targets. They're just the visible ones because they're not going to be hit with massive regulatory fines, because they are the regulator, and the regulator is not going to punish a small charity for something like that. So it's the private sectors, the big companies, that have got their reputations to guard and that yeah that we're often quite happy to just throw money at the problem and hope it goes away.

Speaker 1:

And there may not. I keep asking questions that of course, there is no reason that you would know. But you are an informed speculator. If I'm a small company, there's a data breach and this company says we will not publish it. If you pay us, we will publish it everywhere If you don't pay us. It's a bit like Pete Leeson's story of pirates trying to maximize the difference pirates in the 18th century trying to maximize the difference between resisting and not resisting. If you don't resist, we will treat you as gentlemen and we'll put you off at the nearest port. We'll make sure that you're well fed in the intervening journey. However, if you do resist, you really can't imagine how bad this is going to be. It's really bad. We're quite creative and we're not just going to kill you. So you want to get a reputation for maximizing the difference between compliance and non-compliance.

Speaker 2:

Yeah, that was much easier at the start of this process, when nobody's data had been leaked and there were these websites on the dark net where journalists were already hovering trying to get the next scoop of who had been breached. But now it's become so commonplace it's more difficult to really torture somebody with the data.

Speaker 1:

And so what interests me is the idea of the market price. Then it sounds like the price has probably fallen. The willingness, the cost of securing it is probably less. People are better at it. If there's a vulnerability, it's fairly easy to get in. I've got three or four. There's not huge economies of scale, a pirate ship required. It was a capital investment. You have a large ship, you have canon, you have 50, 100 soldiers, hacking operation. You just patiently search and try different door knobs into the company. If you get in, it seems like the price at one time might have been pretty high and the price is the amount that I can ask that you will consent to. Is it your impression that that price has fallen over time, because it seems like that the cost of the threat has become less terrifying?

Speaker 2:

It's still very easy to get in, and that is because it's not the door lock that's the problem. It's people holding the door open for you. It's always the people that click on a link that they shouldn't have clicked, that they open an email attachment that they shouldn't have done, and you know this. There's some really interesting people who say I would love to do a PhD with you, Mike. Can you have a look at my CV? That's irresistible, isn't it A similar?

Speaker 1:

story for you. And here it is. These are people of taste and distinction. I want to know more about them.

Speaker 2:

Exactly. We are ultimately or maybe we're just really annoyed by yet another invitation to a conference in China and we just click the unsubscribe link. We don't know what's behind that, so it's people that allow you to get in. And then the next question is where do I get once I'm inside your computer? Can I get access to Duke University Hospital? Can I get access to all student records that you've ever taught? So there's also how much lateral movement there is. So getting in is easy. Getting something that's really valuable is getting more difficult. And then there is also more resistance where people say okay, well, do your worst then.

Speaker 2:

Yeah Well the privacy legislation was the thing that was really driving the price of ransom was up and we made that quite clear to the regulator, saying, yes, there was a time where this regulation was really good for driving people towards better cyber hygiene etc. But now you're just punishing people for bad luck and that's. If that helps the criminals, then that's the problem.

Speaker 1:

Yeah, right, so there is a value, a rent, that is created by that regulation. What would it cost, suppose that there is a company that has been breached? I recognize there's a lot of variants, but what would be the order of magnitude of the amount that I would expect to pay to somebody for the promise not to reveal my data?

Speaker 2:

So they're very clever. So what they will do is they will search your computer for all sorts of information. So they will look at your financial flows. They'll find out what your profitability is, they will find out what your turnover is and they will make some sort of estimate based on that, what they can easily get. They will also try and find your insurance policy. So if you have an insurance policy, then it will have a ransom limit.

Speaker 1:

Which you have cleverly put on your computer and that had to come to me of course you did.

Speaker 2:

But on the other hand, the insurance companies also wise to this and they will make a relatively low limit for the ransom. So it's like you're dangling something and say, okay, you can easily get $50,000 by just using the ransom limit. Or we could go and really press you for the $165,000 that we know you've got sitting in your cash account. Or if we've got really valuable data, then we can push you a long way towards not having that data published. So if you're an abortion clinic, then you're super, super vulnerable to that kind of data being published. But if it's just a database of people who are on your catalog mailing list, then yeah. So what?

Speaker 1:

Well, what's interesting about that is that it sounds like it's probably going to be an idiosyncratic negotiation. I try to look at your computer and gauge what your upper limit reservation price is, and then I charge something close to that. If you say no, there's a problem with it, my threat to publish being credible, because once it's published it's gone. So I can have all sorts of cheap talk claims no, no, you better pay. I'm going to publish tomorrow and then, like a kidnapper, we're going to kill him, we're going to cut off his ear. But I can't really do that because I want to return this hostage undamaged.

Speaker 2:

Absolutely right. Yeah, with the ear. If the ear is gone, then everyone needs to be notified and you need to go down the entire route. So, yes, there is room for negotiations, and that's why you get negotiators who specialize in exactly this kind of transaction and making that run a little more smoothly. But, yeah, what you also have is these negotiations that look like they're going somewhere, but in the meantime, the company is using the backups to restore their data and they've actually decided that, if the worst comes to the worst, they will just deal with a fallout from having to notify everybody. It's not the end of the world and again, it's insurance that makes sure that it isn't the end of the world that they know exactly how to minimize the damage that arises from a breach of confidentiality.

Speaker 1:

That's what one of the things I find interesting is that the difference between the two kinds of harm. A delay in you revealing my confidential data is great. I have no problem with that. A delay in you giving me back access to the data that I need to run my business Every day, I take an irrevocable cost. I can't get that back, so I have lost the ability to operate my business for an additional day, and that threat seems much more credible. It looks to me like, given what you have said about the relative price of those two, that is, the threat of revealing confidential data is less valuable than it used to be. It seems like the efforts at the margin, the innovations at the margin, should be targeted towards really locking up and encrypting data and making it impossible for this company to conduct business. Has that happened?

Speaker 2:

That's the arms race. But who is ahead changes over time. So, early on, companies were really bad with backups. They might not have any that were younger than three months old, or they might have perfect backups, but the line that they would need to feed the backups back onto the computer and reload the data it takes six months, and it's all of that. That's changing as well. So if you're worried about being breached, having an offline location to which you download your book projects, et cetera, and having lots of co-authors so polycentricity is also really, really useful to say, OK, I'm independent of you. It's going to be annoying, but ultimately I'd rather spend $800 on buying a new laptop and I'm just going to throw this machine away because you're in it. I don't believe that you're not going to put a backdoor in it. You could be back next month. Yeah, that's another problem with hackers. When there's clean finish, Sure they can come back.

Speaker 1:

Well, and for that reason it is more difficult for them reliably to say you can trust us, pay us a lot. So it's actually a market failure that they have an interest in solving. So the thing that's always interest about an insurance that's exactly what they do.

Speaker 2:

So when you get your contract from these more famous ransomware gangs, like Hive, for example, it will say this is what we're going to give you A we're going to give you your data back. B we're not going to publish. C we're never going to come again. And. D we're going to tell you how we got in so you can stop other people as well. So they are really framing it as here's our service to you.

Speaker 1:

Well, it, contingent on the breach having taken place, it is now a service. So if we start with that as the premise, given what has happened, you're providing me something very valuable. And it's more valuable if you can reliably commit not to have any way of doing this again and at least you won't be able to use the same vulnerability. Well, those were the questions that I had. I have been a fan of your work for a while, and then, when you visited Duke this past fall and talked about your new work on ransomware, I was particularly captivated, because it's an interesting transaction cost problem. What is what are you going to publish about ransomware and where can people look to find out more about your work?

Speaker 2:

I'm writing a history of ransomware at the moment, looking at all these stories of the people who invented ransomware, how people make ransomware gangs, exactly what kind of problems you encounter if you're trying to build a firm in cyberspace, how you take payments all of these things that were necessary to create this ransomware epidemic, the insurance side. So I'm looking at ransomware from all sides, but making it a really personal story of, yeah, and sort of multi-dimensional arms race and also, by that in that, trying to find out where did we take the wrong turn? Like I said, the data privacy was something that was really unhelpful for combating ransomware and we're starting to row back. Probably the payments process is something that we really need to think about. Do we really want cryptocurrencies to be so much part of the normal economy that we cannot disentangle them from the criminal economy anymore? So it's all of those stories that I'm collecting at the moment. I'm also interested in how exactly these negotiations go on, but yeah, I don't quite know what I'm going to find, which makes it a wonderful research adventure.

Speaker 1:

It really is an adventure and I really do want to thank you for being part of. The answer is transaction cost. My guest this month has been Professor Anya Shortland from King's College in London. Professor Shortland, thank you so much.

Speaker 2:

It was a pleasure to talk to you, Mike.

Speaker 1:

Whoa. That sound means it's time for the twedges. These weeks economics jokes. A student goes into a professor's office and says I've tried and tried to understand the sunk cost fallacy. I just can't. The prof is sympathetic Well, maybe it's just not meant to be. Student shook his head and said emphatically oh no, I've got to keep trying. I've spent so much time on it. Now I don't want all that time to be wasted. Second, do you know the present value of your husband's life insurance policy? The insurance agent asked his client. What do you mean? Countered the woman. Well, if you should lose your husband, what would you get, asked the agent. The woman thought for a minute, then brightened up and said well, probably a French bulldog.

Speaker 1:

Third, an insurance underwriter, an insurance salesman, an old lady and a beautiful blonde woman find themselves together in a train car. The train passes through a tunnel and in the darkness a loud slap is heard. The train comes out of the tunnel and into the light they see that the insurance agent has a red five finger mark on his cheek. The blonde thinks oh, an insurance guy must have tried to grope me in the dark and mistakenly grope the old lady, so she slapped him. The old lady thinks well, that guy must have groped the blonde in the dark and she slapped him. The insurance agent thinks the underwriter must have groped the blonde in the dark and she mistakenly slapped me instead of him. The underwriter thinks man, I hope there's another tunnel soon Because, see, the underwriter hates the salesman, because the salesman always misrepresents the coverage. We'll see if Bill Heasley likes that one, though I bet he's heard it before.

Speaker 1:

Fourth, I asked ChatGPT for a knock-knock joke about ransomware. This is pretty impressive. Knock-knock. Who's there? Ransomware, ransomware, who Ransomware? Is your data For two million in Bitcoin? I'll tell you. Time now for this month's letter. Er writes.

Speaker 1:

Listening to the podcast on smart grids, an obvious thought came to this engineer's mind. If I, as a consumer, receive current price information in a manner sufficient to have my battery having a larger than needed backup battery was mentioned feed power into the grid if the price is high enough. But an obvious way to extend this and maximize revenue is to have a gas generator ready to start up. This has some advantages lower upfront costs than a large enough battery to be useful. The ability to provide considerable power over a longer time period. My $900 generator is rated to run continuously at 4,000 watts. That's much more powerful than a battery. So whenever the instantaneous price exceeds my cost of generation the amortized capital plus cost of fuel I could feed the grid. This behavior will become well known to generator owners once the grid provides this function.

Speaker 1:

So is this socially good or bad? Well, it's good in that it helps the smart grid meet its goal of lowering the peak demand, thus lowering capital cost in the grid. It's also good in that it helps the smart grid avoid the expensive provision of backup power for when unreliable wind and solar aren't working. It is good because the consumer provision can provide a non-trivial load with low capital cost to the consumer. But it's bad because it pushes noise into residential areas and produces pollution, especially for those small gasoline generators as opposed to more expensive natural gas ones. End of letter. Well, thanks, er. That's an interesting point. Does make me think that this sort of local power generation might very well help in situations such as Texas had a couple of years ago. There's no apocalypse where for a week a lot of people were without power in temperatures that were well below freezing and in some cases in single digits. So having that sort of resilience and redundancy in the system is probably good. I may have gone too far in the direction of efficiency, but you're also right that if we came to depend on that, it would defeat much of the purpose of trying to switch to alternative or green energy sources.

Speaker 1:

Well, it's time for Book of the Month. It happens I'm teaching about the theory of moral sentiments in my philosophy, politics and economics capstone class here at Duke, so I wanted to recommend three books, and you should read them in this order if you don't have any background in Adam Smith. First, an amusing general book by Arthur Herman, how the Scots invented the modern world, was published in Broadway by Broadway books in 2001. Second, james Ottison, adam Smith's Marketplace of Life, was published by Cambridge University Press in 2002. And then the book that I'm actually spending most of my time teaching Adam Smith the Theory of Moral Sentiments, the Glasgow edition, 1976, published by Liberty Fund. Now it may help to use the Econ Talk Book Club podcast there are six of them to help you go through the theory of moral sentiments. Well, the next episode will be released on Tuesday, march 26, the last Tuesday of the month. We'll have a new interview, we'll have another book of the month, plus we'll have four more hilarious twedges and more next month on Tidy C.