Legal and Market Responses to Security Issues

1
Legal and Market Responses to Security Issues

• Richard Warner

2
A Point To Remember

• Innovation is critical.
• It drives economic development.
• It drives it most effectively when considerable
  flexibility is allowed in business models,
  research, and design.
• A question to bear in mind Which of the
  approaches allows the most flexibility?

3
The Underinvestment Problem (?)

• Do system owners inefficiently underinvest in
  protection against unauthorized access?
• Inefficient from a societal perspective
• An increased investment would reduce the expected
  harm to third-parties by an amount greater than
  the investment
• hence, as a society, we waste money we could use
  for other purposes.
• If we could effectively defend ourselves
  individually against harms stemming from
  unauthorized access, we could avoid the waste.
• Can we defend ourselves?
• Insurance?
• Education? Elementary and high school.
• Design for usability?

4
The Traditional Response

• If this were the solution, the legal response to
  would be just one more retelling of this familiar
  story
• (1) an activity imposes a risk of harm on
  third-parties, where
• (2) those engaging in and benefiting from the
  activity inefficiently under-invest in protecting
  the third parties
• (3) the law responds by imposing on those
  engaging in the activity a duty to take
  reasonable steps to prevent harm to
  third-parties, where
• (4) other things being equal, a reasonable step
  is one that reduces expected damage to
  third-parties by an amount greater than the total
  cost of the step.

5
Underinvestment The Wrong Solution?

• Assuming that we cannot defend ourselves, the
  solution seems obvious
• require system owners to take reasonable steps to
  protect against unauthorized access
• where, other things being equal, a reasonable
  owner invests in protection as long as the
  investment reduces expected damage by an amount
  greater than the total cost of the investment.

6
Estimates Impossible?

• Special cases aside, system owners cannot obtain
  the information they need to make reasonable
  estimates of the expected damage to
  third-parties.
• Compare driving a car.
• When driving, the information you need to is, for
  the most part, locally available you just need
  to observe the other drivers, the road and
  weather conditions, and the like.

7
Estimates Impossible?

• The information a system owner needs to drive
  safelyto take appropriate precautions to avoid
  the accident of a security breachmay be
  distributed over millions of people.
• The expected damage from theft of sensitive
  financial information, for example, imposes on
  any individual among these millions depends on a
  variety of factors.
• Without accurate statistical studies, an entity
  storing this information has no feasible way to
  acquire and analyze the relevant information
  about millions of people.
• With rare exceptions, such studies do not, and
  are not likely, to exist.

8
Even If Studies Existed . . .

• Network owners would still face a big hurdle
  what software should they buy?
• Is it reasonable to buy the top of the line,
  expensive security product? Or, will a cheaper
  product serve the purpose?
• Difficulty in evaluating capabilities of security
  software.
• Difficulty in evaluating needs of a complex
  network.
• Lemons market.

9
Insurance Basics

• These claims may seem wrong because there is an
  active insurance market offering insurance
  against liability to third-parties for inadequate
  information security.
• Insurance companies calculate the expected loss
  from the occurrence of an event and then offer
  insurance against that event at a price greater
  than the expected loss.
• Typically, you can buy insurance against any
  event for which an insurance company can
  calculate the expected loss.
• Which is why you cannot, for example, buy
  insurance against death resulting from the crash
  of a private plane.

10
Third-Party Liability Insurance

• The market currently offers insurance against
  legal liability to third-parties for inadequate
  information security.
• This just means that the insurance companies can
  calculate the expected legal liability.
• That just requires information to predict the
  outcomes of lawsuits.

11
Unique to the Internet

• This is problem is unique to the Internet. The
  Internet makes it possible to collect information
  scattered all over the world, centralize it in a
  database, and make it easily available to users
  dispersed throughout the world.
• This aspect of the Internet makes the problem of
  inadequate information security extraordinarily
  difficult to solve.

12
Possible Solutions

• Legal
• Negligence
• Strict liability
• Market
• Open source software
• Market for software vulnerability disclosure
• Prediction markets

13
Negligence

• Standard of reasonableness
• Industry norms
• reasonable unclear unreasonable
• Even in the unreasonable cases, a negligence
  recovery may not be possible.

14
Security Requirements

• Protection
• authentication
• encryption
• protection against malicious code
• transmission security
• administrative safeguards
• physical safeguards.
• Prevention
• Administrative requirements
• Investigative requirements.
• Detection
• data history requirements
• reporting requirements.
• Recovery
• emergency response plan.

15
Industry Standards

• The emerging industry standard is to expect
  security to be breached and to provide for
  recovery.
• The question is what recovery means in regard
  to third-parties.
• Breach notification statutes.
• Not at all clear that the cost is less that the
  expected loss avoided.

16
Negligence Recent Cases

• A mere increased risk of harm is not a basis for
  a negligence liability.
• Forbes v. Wells Fargo Bank
• The economic harm rule prevents recovery (and
  that is a good thing).
• Banknorth, N.A. v. BJ's Wholesale Club
• Breach of contract, breach of fiduciary duty,
  promissory estoppel not available.
• Sovereign Bank v. BJ's Wholesale Club

17
The Economic Loss Rule

• The economic loss rule without a physical
  impact, there is no tort recovery for purely
  economic loss.
• Rationale to limit losses to a bearable amount.
  

18
Extent of physical impact
Tort
Economic impact
19
Strict Liability

• Liability would be crushing--unless
• courts invoke the economic harm rule,
• or insurance is available.
• A non-economic consideration Other things being
  equal, those who create and benefit from an
  activity should bear the costs that activity
  imposes on innocent third-parties.
• The argument in the case of negligence should
  bear the costs they negligently impose.

20
What Should the Laws Role Be?

• Without a supporting culture, the law is an
  ineffective tool for controlling and directing
  behavior.
• Legal regulation can contribute to the creation
  of a supporting culture, but its contribution is
  limited.
• We need to develop a supporting culture, it is
  just a pipedream to think that the law is the
  main tool that we can use to accomplish that
  goal.

21
Market Solutions Many Minds and Money Where Your
Mouth Is

• A market solution relies primarily on monetary,
  non-legal incentives to achieve a desired result.
  
• Sunstein on many minds and money There is
  considerable evidence that non-deliberative
  pooling of expertise can outperform deliberation
• Especially when monetary gain rewards correctness
  and monetary loss penalizes incorrectness.

22
Three Market Solutions

• The market solutions focus on vulnerabilities in
  software.
• Software vulnerabilities are one key aspect of
  the problem.
• There are three market solutions.

23
First Market SolutionOpen Source Software

• Software is open source if its source code is
  publicly available.
• Open source software may be the product of many
  programmers, scattered all over the world, who
  contribute to the source code.
• Open source software has advantages.
• Fewer defects
• No proprietary problems.
• Legal issues
• Liability for intellectual property violations
• Sco Group v. IBM

24
Open Source Economics

• Open source software works best when it is
• Based on non-proprietary techniques
• No blends of open source and proprietary code.
• Subject to network effects
• The application is sensitive to failure
• Verification requires peer review
• Sufficiently important (business critical) that
  people will cooperate to find bugs
• Eric Raymond, The Magic Cauldron
• Security has all the above features (Anderson).
• Many software vendors pursue an
  anti-interoperability strategy incompatible with
  open source software.
• Prohibitions on reverse engineering in End User
  License Agreements.

25
Second Market SolutionVulnerability Disclosure
Markets

• A vulnerability disclosure market provides a
  mechanism for those who discover vulnerabilities
  to communicate them to software
  manufacturers/vendors.
• There four possibilities.

26
First Possibility Market-Based

• A businesslike iDefensepays for information
  about the existence of vulnerabilities and
  communicates this information to its clients.
• Markets are generally very successful in
  aggregating dispersed information.
• They are accurate and efficient.
• Unless precautions are taken, clients could be
  hackers. This is true also in all following
  cases.

27
iDefense Vulnerability Challenge

• This challenge sets the bar quite high, focusing
  on core Internet technologies likely to be in use
  in corporate enterprises. Because of this, we are
  merging Q2 and Q3 challenges into one,
  effectively extending the research time. The
  following technologies are the focus of this
  challenge
• Apache httpd
• Berkeley Internet Name Domain (BIND) daemon
• Sendmail SMTP daemon
• OpenSSH sshd
• Microsoft Internet Information (IIS) Server
• Microsoft Exchange Server
• iDefense will pay 16,000 for each submitted
  vulnerability that demonstrates the execution of
  arbitrary code.

28
Second PossibilityCERT-type Organizations

• No money is paid to those who discover
  vulnerabilities.
• No money is charged for the disclosure of the
  vulnerability.
• One would expect this not to perform as well as a
  market mechanism.
• Kannan, Telang, and Xu, Economic Analysis of the
  Market for Software Vulnerability Disclosure,
  contend CERT-type organizations sometimes
  outperform market mechanisms, but they assume
  that relevant information is costlessly
  available. This ignores precisely that at which
  markets excel.
• Available on SSRN.

29
Third PossibilityConsortium Mechanism

• Those concerned to gain information about
  vulnerabilities form a consortium.
• The consortium pays for information about
  vulnerabilities.
• Members may share information for free.
• Examples
• Information Sharing Analysis Centers (ISACs)
• Governmental.
• Does not yet deal with vulnerabilities in the
  above way.
• Industry consortiums.
• Similar to CERT-type organizations with the added
  complexity of conflicting business motives.

30
Fourth PossibilityFederally Funded Centers

• This does not exist.
• The center would pay for the discovery of
  vulnerabilities, but
• Would not charge for the disclosure of the
  information.
• Kannan, Telang, and Xu, Economic Analysis of the
  Market for Software Vulnerability Disclosure,
  contend this type of approach performs best, but
  again they assume that relevant information is
  costlessly available.

31
Lemon Markets and Their Solution

• Nothing we have said so far addresses the lemon
  markets problem.
• The basic lemon markets mechanism
• Consumers cannot pre-purchase tell the difference
  between a good product and a lemon so
• the price drops (the expected value of the
  purchase is reduced by the expected value of
  getting a lemon) and
• good products disappear from the market.
• Solution Get information to buyers before they
  purchase.

32
Prediction Markets

• A prediction market would accomplish the purpose.
• In the market, investors buy futures in which the
  speculate on which products will have this or
  that type of vulnerability.
• Such markets have proven remarkably accurate in
  predicting a wide variety of events.
• http//www.consensuspoint.com/index.php
• The prediction markets might work well where
  there are active disclosure markets which reveal
  the existence of vulnerabilities.

33
An Example

• Why not set up a prediction market in which
  investors by futures on when vulnerabilities will
  be discovered in iDefense challenge with regard
  to
• Apache httpd
• Berkeley Internet Name Domain (BIND) daemon
• Sendmail SMTP daemon
• OpenSSH sshd
• Microsoft Internet Information (IIS) Server
• Microsoft Exchange Server
• Investors could speculate on the time, number,
  and rank order in the list.
• The activity in the market could guide purchase
  decisions prior to discovery of the vulnerability.

34
Where We Are Now

• Minimal market solutions.
• HIPAA, GLB, SOX.
• All incorporate an unworkable reasonableness
  requirement.
• Very limited application of negligence.
• Breach notification statutes.
• Unclear cost of notification less than expected
  loss avoided.
• They have played an educational role.
• We should make recovery much easier.

35
The Interdependence Problem

• Viruses, worms, Trojans, botnets
• The likelihood that I will be invaded depends in
  part on how secure you are.
• Drive by downloads.
• To maximize efficiency, where N people can all
  take precautions to prevent a loss, they should
  adopt the combination of measures which is more
  efficient than any other combination.
• But the investment decision is made individually.
  

36
Conditions for a Market Solution to the
Interdependence Problem with Malware

• (1) Everyone accesses the Internet through some
  ISP.
• (2) Every client demands its ISP offer (for a
  price) malware protection which provides that
  client with an efficient (relative to that
  client) level of protection against malware.
• (3) Competition among ISPs ensures ISPs respond
  to client demand for efficient protection.
• (4) ISPs automatically update software through
  access to clients computers, and no client is
  allowed on to the Internet with outdated
  protection.

37
Inefficiency

• This solution is less than perfect because it
  fails this test
• To maximize efficiency, where N people can take
  precautions to prevent a loss, they should adopt
  the combination of measures which is more
  efficient than any other combination.
• Given (1) (4), parties will over-invest in
  protection as long as they buy sequentially and
  without information about how much protection
  others will buy.

38
Legal Regulation Required

• (1) Everyone accesses the Internet through some
  ISP.
• May be true without legal regulation.
• (2) Every client demands malware protection which
  provides efficient protection.
• Will require legal regulation most likely.
• (3) Competition ensures response to client demand
  for efficient protection.
• Legal regulation will be necessary to ensure all
  ISPs require clients to have malware protection.
  
• (4) ISPs update software no client is allowed on
  to the Internet with outdated protection.
• Contracts sufficient? Criminal statute needed?

39
The Monopoly Problem

• From a security point of view, one dominant
  operating system is a terrible idea.
• Other monopoly worries in regard to security
• Telecommunications
• Skype
• Legal note monopoly is neither illegal nor
  necessarily undesirable. It is the use of
  monopoly power in uncompetitive ways that is
  potentially illegal.

40
Monopoly Problems

• Monopoly power is the power to set prices and
  exclude competitors.
• Operating systems The economics is very
  complex, but there are obvious efficiencies in
  having one, dominant operating system.
• Telecommunications high initial costs, very low
  marginal costs, and strong network effects create
  a tendency toward monopoly.
• Skype

41
Monopoly Problems

• Possession of monopoly power is not illegal.
• illegality results from using monopoly power in
  anticompetitive ways that disadvantage consumers.
  
• Security concerns do not currently figure in
  theotherwise quite sophisticatedeconomic
  analysis underlying applications of antitrust
  law.