Legal and Market Responses to Security Issues
Richard Warner
A Point To Remember
- Innovation is critical.
- It drives economic development.
- It drives it most effectively when considerable flexibility is allowed in business models, research, and design.
- A question to bear in mind: which of the approaches below allows the most flexibility?
The Underinvestment Problem (?)
- Do system owners inefficiently underinvest in protection against unauthorized access?
- Inefficient from a societal perspective: an increased investment would reduce the expected harm to third parties by an amount greater than the investment; hence, as a society, we waste money we could use for other purposes.
- If we could effectively defend ourselves individually against harms stemming from unauthorized access, we could avoid the waste.
- Can we defend ourselves?
  - Insurance?
  - Education? Elementary and high school.
  - Design for usability?
The Traditional Response
- If this were the solution, the legal response would be just one more retelling of this familiar story:
  (1) an activity imposes a risk of harm on third parties, where
  (2) those engaging in and benefiting from the activity inefficiently under-invest in protecting the third parties;
  (3) the law responds by imposing on those engaging in the activity a duty to take reasonable steps to prevent harm to third parties, where
  (4) other things being equal, a reasonable step is one that reduces expected damage to third parties by an amount greater than the total cost of the step.
Underinvestment: The Wrong Solution?
- Assuming that we cannot defend ourselves, the solution seems obvious:
- require system owners to take reasonable steps to protect against unauthorized access,
- where, other things being equal, a reasonable owner invests in protection as long as the investment reduces expected damage by an amount greater than the total cost of the investment.
Estimates Impossible?
- Special cases aside, system owners cannot obtain the information they need to make reasonable estimates of the expected damage to third parties.
- Compare driving a car.
- When driving, the information you need is, for the most part, locally available; you just need to observe the other drivers, the road and weather conditions, and the like.
Estimates Impossible?
- The information a system owner needs to "drive safely" (to take appropriate precautions to avoid the accident of a security breach) may be distributed over millions of people.
- The expected damage that theft of sensitive financial information, for example, imposes on any individual among these millions depends on a variety of factors.
- Without accurate statistical studies, an entity storing this information has no feasible way to acquire and analyze the relevant information about millions of people.
- With rare exceptions, such studies do not exist, and are not likely to.
Even If Studies Existed . . .
- Network owners would still face a big hurdle: what software should they buy?
- Is it reasonable to buy the top-of-the-line, expensive security product? Or will a cheaper product serve the purpose?
  - Difficulty in evaluating the capabilities of security software.
  - Difficulty in evaluating the needs of a complex network.
  - Lemons market.
Insurance: Basics
- These claims may seem wrong because there is an active insurance market offering insurance against liability to third parties for inadequate information security.
- Insurance companies calculate the expected loss from the occurrence of an event and then offer insurance against that event at a price greater than the expected loss.
- Typically, you can buy insurance against any event for which an insurance company can calculate the expected loss.
- This is why you cannot, for example, buy insurance against death resulting from the crash of a private plane.
Third-Party Liability Insurance
- The market currently offers insurance against legal liability to third parties for inadequate information security.
- This just means that the insurance companies can calculate the expected legal liability.
- That just requires information to predict the outcomes of lawsuits.
Unique to the Internet
- This problem is unique to the Internet. The Internet makes it possible to collect information scattered all over the world, centralize it in a database, and make it easily available to users dispersed throughout the world.
- This aspect of the Internet makes the problem of inadequate information security extraordinarily difficult to solve.
Possible Solutions
- Legal
  - Negligence
  - Strict liability
- Market
  - Open source software
  - Market for software vulnerability disclosure
  - Prediction markets
Negligence
- Standard of reasonableness
- Industry norms fall along a spectrum: reasonable, unclear, unreasonable.
- Even in the "unreasonable" cases, a negligence recovery may not be possible.
Security Requirements
- Protection
  - authentication;
  - encryption;
  - protection against malicious code;
  - transmission security;
  - administrative safeguards;
  - physical safeguards.
- Prevention
  - administrative requirements;
  - investigative requirements.
- Detection
  - data history requirements;
  - reporting requirements.
- Recovery
  - emergency response plan.
Industry Standards
- The emerging industry standard is to expect security to be breached and to provide for recovery.
- The question is what "recovery" means in regard to third parties.
  - Breach notification statutes.
  - Not at all clear that the cost is less than the expected loss avoided.
Negligence: Recent Cases
- A mere increased risk of harm is not a basis for negligence liability.
  - Forbes v. Wells Fargo Bank
- The economic harm rule prevents recovery (and that is a good thing).
  - Banknorth, N.A. v. BJ's Wholesale Club
- Breach of contract, breach of fiduciary duty, promissory estoppel not available.
  - Sovereign Bank v. BJ's Wholesale Club
The Economic Loss Rule
- The economic loss rule: without a physical impact, there is no tort recovery for purely economic loss.
- Rationale: to limit losses to a bearable amount.
[Diagram: tort recovery shown against the extent of physical impact and the extent of economic impact]
Strict Liability
- Liability would be crushing, unless
  - courts invoke the economic harm rule, or
  - insurance is available.
- A non-economic consideration: other things being equal, those who create and benefit from an activity should bear the costs that activity imposes on innocent third parties.
  - The argument in the case of negligence: "should bear the costs they negligently impose".
What Should the Law’s Role Be?
- Without a supporting culture, the law is an ineffective tool for controlling and directing behavior.
- Legal regulation can contribute to the creation of a supporting culture, but its contribution is limited.
- We need to develop a supporting culture; it is just a pipedream to think that the law is the main tool we can use to accomplish that goal.
Market Solutions: Many Minds and Money Where Your Mouth Is
- A market solution relies primarily on monetary, non-legal incentives to achieve a desired result.
- Sunstein on many minds and money: there is considerable evidence that nondeliberative pooling of expertise can outperform deliberation,
- especially when monetary gain rewards correctness and monetary loss penalizes incorrectness.
Three Market Solutions
- The market solutions focus on vulnerabilities in software.
  - Software vulnerabilities are one key aspect of the problem.
- There are three market solutions.
First Market Solution: Open Source Software
- Software is "open source" if its source code is publicly available.
- Open source software may be the product of many programmers, scattered all over the world, who contribute to the source code.
- Open source software has advantages.
  - Fewer defects
  - No proprietary problems.
- Legal issues:
  - Liability for intellectual property violations
  - SCO Group v. IBM
Open Source Economics
- Open source software works best when it is
  - Based on non-proprietary techniques
  - Not a "blend" of open source and proprietary code.
  - Subject to network effects
  - Used in an application that is sensitive to failure
  - Such that verification requires peer review
  - Sufficiently important (business critical) that people will cooperate to find bugs
  - Eric Raymond, The Magic Cauldron
- Security has all the above features (Anderson).
- Many software vendors pursue an anti-interoperability strategy incompatible with open source software.
  - Prohibitions on reverse engineering in End User License Agreements.
Second Market Solution: Vulnerability Disclosure Markets
- A vulnerability disclosure market provides a mechanism for those who discover vulnerabilities to communicate them to software manufacturers/vendors.
- There are four possibilities.
First Possibility: Market-Based
- A business, like iDefense, pays for information about the existence of vulnerabilities and communicates this information to its clients.
- Markets are generally very successful in aggregating dispersed information.
- They are accurate and efficient.
- Unless precautions are taken, clients could be hackers. This is true also in all following cases.
iDefense Vulnerability Challenge
- "This challenge sets the bar quite high, focusing on core Internet technologies likely to be in use in corporate enterprises. Because of this, we are merging Q2 and Q3 challenges into one, effectively extending the research time. The following technologies are the focus of this challenge:
  - Apache httpd
  - Berkeley Internet Name Domain (BIND) daemon
  - Sendmail SMTP daemon
  - OpenSSH sshd
  - Microsoft Internet Information (IIS) Server
  - Microsoft Exchange Server
- iDefense will pay $16,000 for each submitted vulnerability that demonstrates the execution of arbitrary code."
Second Possibility: CERT-type Organizations
- No money is paid to those who discover vulnerabilities.
- No money is charged for the disclosure of the vulnerability.
- One would expect this not to perform as well as a market mechanism.
- Kannan, Telang, and Xu, Economic Analysis of the Market for Software Vulnerability Disclosure, contend that CERT-type organizations sometimes outperform market mechanisms, but they assume that relevant information is costlessly available. This ignores precisely that at which markets excel.
  - Available on SSRN.
Third Possibility: Consortium Mechanism
- Those concerned to gain information about vulnerabilities form a consortium.
  - The consortium pays for information about vulnerabilities.
  - Members may share information for free.
- Examples
  - Information Sharing and Analysis Centers (ISACs)
    - Governmental.
    - Do not yet deal with vulnerabilities in the above way.
  - Industry consortiums.
    - Similar to CERT-type organizations with the added complexity of conflicting business motives.
Fourth Possibility: Federally Funded Centers
- This does not exist.
- The center would pay for the discovery of vulnerabilities, but
- would not charge for the disclosure of the information.
- Kannan, Telang, and Xu, Economic Analysis of the Market for Software Vulnerability Disclosure, contend that this type of approach performs best, but again they assume that relevant information is costlessly available.
Lemon Markets and Their Solution
- Nothing we have said so far addresses the lemon markets problem.
- The basic lemon markets mechanism:
  - Consumers cannot tell, before purchase, the difference between a good product and a lemon; so
  - the price drops (the expected value of the purchase is reduced by the expected value of getting a lemon); and
  - good products disappear from the market.
- Solution: get information to buyers before they purchase.
Prediction Markets
- A prediction market would accomplish the purpose.
- In the market, investors buy futures in which they speculate on which products will have this or that type of vulnerability.
- Such markets have proven remarkably accurate in predicting a wide variety of events.
  - http://www.consensuspoint.com/index.php
- The prediction markets might work well where there are active disclosure markets which reveal the existence of vulnerabilities.
An Example
- Why not set up a prediction market in which investors buy futures on when vulnerabilities will be discovered in the iDefense challenge with regard to:
  - Apache httpd
  - Berkeley Internet Name Domain (BIND) daemon
  - Sendmail SMTP daemon
  - OpenSSH sshd
  - Microsoft Internet Information (IIS) Server
  - Microsoft Exchange Server
- Investors could speculate on the time, number, and rank order in the list.
- The activity in the market could guide purchase decisions prior to discovery of the vulnerability.
Where We Are Now
- Minimal market solutions.
- HIPAA, GLB, SOX.
  - All incorporate an unworkable reasonableness requirement.
- Very limited application of negligence.
- Breach notification statutes.
  - Unclear whether the cost of notification is less than the expected loss avoided.
  - They have played an educational role.
- We should make recovery much easier.
The Interdependence Problem
- Viruses, worms, Trojans, botnets
- The likelihood that my system will be compromised depends in part on how secure yours is.
  - Drive-by downloads.
- To maximize efficiency, where N people can all take precautions to prevent a loss, they should adopt the combination of measures which is more efficient than any other combination.
- But the investment decision is made individually.
Conditions for a Market Solution to the Interdependence Problem with Malware
- (1) Everyone accesses the Internet through some ISP.
- (2) Every client demands its ISP offer (for a price) malware protection which provides that client with an efficient (relative to that client) level of protection against malware.
- (3) Competition among ISPs ensures ISPs respond to client demand for efficient protection.
- (4) ISPs automatically update software through access to clients' computers, and no client is allowed on to the Internet with outdated protection.
Inefficiency
- This solution is less than perfect because it fails this test: to maximize efficiency, where N people can take precautions to prevent a loss, they should adopt the combination of measures which is more efficient than any other combination.
- Given (1) to (4), parties will over-invest in protection as long as they buy sequentially and without information about how much protection others will buy.
Legal Regulation Required
- (1) Everyone accesses the Internet through some ISP.
  - May be true without legal regulation.
- (2) Every client demands malware protection which provides efficient protection.
  - Will most likely require legal regulation.
- (3) Competition ensures response to client demand for efficient protection.
  - Legal regulation will be necessary to ensure all ISPs require clients to have malware protection.
- (4) ISPs update software; no client is allowed on to the Internet with outdated protection.
  - Contracts sufficient? Criminal statute needed?
The Monopoly Problem
- From a security point of view, one dominant operating system is a terrible idea.
- Other monopoly worries in regard to security:
  - Telecommunications
  - Skype
- Legal note: monopoly is neither illegal nor necessarily undesirable. It is the use of monopoly power in uncompetitive ways that is potentially illegal.
Monopoly Problems
- Monopoly power is the power to set prices and exclude competitors.
- Operating systems: the economics is very complex, but there are obvious efficiencies in having one dominant operating system.
- Telecommunications: high initial costs, very low marginal costs, and strong network effects create a tendency toward monopoly.
  - Skype
Monopoly Problems
- Possession of monopoly power is not illegal.
  - Illegality results from using monopoly power in anticompetitive ways that disadvantage consumers.
- Security concerns do not currently figure in the (otherwise quite sophisticated) economic analysis underlying applications of antitrust law.