Title: Legal and Market Responses to Security Issues
1. Legal and Market Responses to Security Issues
2. A Point To Remember
- Innovation is critical.
- It drives economic development.
- It drives it most effectively when considerable flexibility is allowed in business models, research, and design.
- A question to bear in mind: which of the approaches below allows the most flexibility?
3. The Underinvestment Problem (?)
- Do system owners inefficiently underinvest in protection against unauthorized access?
  - Inefficient from a societal perspective: an increased investment would reduce the expected harm to third parties by an amount greater than the investment.
  - Hence, as a society, we waste money we could use for other purposes.
- If we could effectively defend ourselves individually against harms stemming from unauthorized access, we could avoid the waste.
- Can we defend ourselves?
  - Insurance?
  - Education? Elementary and high school.
  - Design for usability?
4. The Traditional Response
- If the law were the solution, the legal response would be just one more retelling of this familiar story:
  - (1) An activity imposes a risk of harm on third parties, where
  - (2) those engaging in and benefiting from the activity inefficiently under-invest in protecting the third parties;
  - (3) the law responds by imposing on those engaging in the activity a duty to take reasonable steps to prevent harm to third parties, where
  - (4) other things being equal, a reasonable step is one that reduces expected damage to third parties by an amount greater than the total cost of the step.
5. Underinvestment: The Wrong Solution?
- Assuming that we cannot defend ourselves, the solution seems obvious: require system owners to take reasonable steps to protect against unauthorized access,
  - where, other things being equal, a reasonable owner invests in protection as long as the investment reduces expected damage by an amount greater than the total cost of the investment.
6. Estimates Impossible?
- Special cases aside, system owners cannot obtain the information they need to make reasonable estimates of the expected damage to third parties.
- Compare driving a car.
  - When driving, the information you need is, for the most part, locally available: you just need to observe the other drivers, the road and weather conditions, and the like.
7. Estimates Impossible? (continued)
- The information a system owner needs to "drive safely" (to take appropriate precautions to avoid the "accident" of a security breach) may be distributed over millions of people.
- The expected damage that theft of sensitive financial information, for example, imposes on any individual among these millions depends on a variety of factors.
- Without accurate statistical studies, an entity storing this information has no feasible way to acquire and analyze the relevant information about millions of people.
- With rare exceptions, such studies do not exist and are not likely to.
8. Even If Studies Existed . . .
- Network owners would still face a big hurdle: what software should they buy?
  - Is it reasonable to buy the top-of-the-line, expensive security product? Or will a cheaper product serve the purpose?
- Difficulty in evaluating the capabilities of security software.
- Difficulty in evaluating the needs of a complex network.
- Lemons market.
9. Insurance Basics
- These claims may seem wrong because there is an active insurance market offering insurance against liability to third parties for inadequate information security.
- Insurance companies calculate the expected loss from the occurrence of an event and then offer insurance against that event at a price greater than the expected loss.
- Typically, you can buy insurance against any event for which an insurance company can calculate the expected loss.
  - Which is why you cannot, for example, buy insurance against death resulting from the crash of a private plane.
10. Third-Party Liability Insurance
- The market currently offers insurance against legal liability to third parties for inadequate information security.
- This just means that the insurance companies can calculate the expected legal liability.
- That only requires information to predict the outcomes of lawsuits, not the information about expected harm to third parties that the system owner lacks.
11. Unique to the Internet
- This problem is unique to the Internet. The Internet makes it possible to collect information scattered all over the world, centralize it in a database, and make it easily available to users dispersed throughout the world.
- This aspect of the Internet makes the problem of inadequate information security extraordinarily difficult to solve.
12. Possible Solutions
- Legal
  - Negligence
  - Strict liability
- Market
  - Open source software
  - Market for software vulnerability disclosure
  - Prediction markets
13. Negligence
- Standard of reasonableness
- Industry norms
- Spectrum of cases: reasonable / unclear / unreasonable
- Even in the unreasonable cases, a negligence recovery may not be possible.
14. Security Requirements
- Protection
  - authentication
  - encryption
  - protection against malicious code
  - transmission security
  - administrative safeguards
  - physical safeguards
- Prevention
  - administrative requirements
  - investigative requirements
- Detection
  - data history requirements
  - reporting requirements
- Recovery
  - emergency response plan
15. Industry Standards
- The emerging industry standard is to expect security to be breached and to provide for recovery.
- The question is what "recovery" means in regard to third parties.
  - Breach notification statutes.
  - Not at all clear that the cost of notification is less than the expected loss avoided.
16. Negligence: Recent Cases
- A mere increased risk of harm is not a basis for negligence liability.
  - Forbes v. Wells Fargo Bank
- The economic loss rule prevents recovery (and that is a good thing).
  - Banknorth, N.A. v. BJ's Wholesale Club
- Breach of contract, breach of fiduciary duty, and promissory estoppel not available.
  - Sovereign Bank v. BJ's Wholesale Club
17. The Economic Loss Rule
- The economic loss rule: without a physical impact, there is no tort recovery for purely economic loss.
- Rationale: to limit losses to a bearable amount.
18. The Economic Loss Rule (diagram)
- [Diagram from the original slide: tort recovery plotted against the extent of physical impact and the extent of economic impact.]
19. Strict Liability
- Liability would be crushing, unless
  - courts invoke the economic loss rule,
  - or insurance is available.
- A non-economic consideration: other things being equal, those who create and benefit from an activity should bear the costs that activity imposes on innocent third parties.
  - The parallel argument in the case of negligence: those who act negligently should bear the costs they negligently impose.
20. What Should the Law's Role Be?
- Without a supporting culture, the law is an ineffective tool for controlling and directing behavior.
- Legal regulation can contribute to the creation of a supporting culture, but its contribution is limited.
- We need to develop a supporting culture; it is just a pipe dream to think that the law is the main tool we can use to accomplish that goal.
21. Market Solutions: Many Minds and Money Where Your Mouth Is
- A market solution relies primarily on monetary, non-legal incentives to achieve a desired result.
- Sunstein on many minds and money: there is considerable evidence that non-deliberative pooling of expertise can outperform deliberation,
  - especially when monetary gain rewards correctness and monetary loss penalizes incorrectness.
22. Three Market Solutions
- The market solutions focus on vulnerabilities in software.
- Software vulnerabilities are one key aspect of the problem.
- There are three market solutions.
23. First Market Solution: Open Source Software
- Software is open source if its source code is publicly available.
- Open source software may be the product of many programmers, scattered all over the world, who contribute to the source code.
- Open source software has advantages.
  - Fewer defects
  - No proprietary problems.
- Legal issues
  - Liability for intellectual property violations
  - SCO Group v. IBM
24. Open Source Economics
- Open source software works best when it is
  - based on non-proprietary techniques (no blends of open source and proprietary code),
  - subject to network effects,
  - an application that is sensitive to failure,
  - one whose verification requires peer review, and
  - sufficiently important (business critical) that people will cooperate to find bugs.
  - Eric Raymond, The Magic Cauldron
- Security has all the above features (Anderson).
- Many software vendors pursue an anti-interoperability strategy incompatible with open source software.
  - Prohibitions on reverse engineering in End User License Agreements.
25. Second Market Solution: Vulnerability Disclosure Markets
- A vulnerability disclosure market provides a mechanism for those who discover vulnerabilities to communicate them to software manufacturers/vendors.
- There are four possibilities.
26. First Possibility: Market-Based
- A business like iDefense pays for information about the existence of vulnerabilities and communicates this information to its clients.
- Markets are generally very successful in aggregating dispersed information.
  - They are accurate and efficient.
- Unless precautions are taken, clients could be hackers. This is true also in all following cases.
27. iDefense Vulnerability Challenge
- This challenge sets the bar quite high, focusing on core Internet technologies likely to be in use in corporate enterprises. Because of this, we are merging Q2 and Q3 challenges into one, effectively extending the research time. The following technologies are the focus of this challenge:
  - Apache httpd
  - Berkeley Internet Name Domain (BIND) daemon
  - Sendmail SMTP daemon
  - OpenSSH sshd
  - Microsoft Internet Information (IIS) Server
  - Microsoft Exchange Server
- iDefense will pay $16,000 for each submitted vulnerability that demonstrates the execution of arbitrary code.
28. Second Possibility: CERT-type Organizations
- No money is paid to those who discover vulnerabilities.
- No money is charged for the disclosure of the vulnerability.
- One would expect this not to perform as well as a market mechanism.
- Kannan, Telang, and Xu, "Economic Analysis of the Market for Software Vulnerability Disclosure," contend that CERT-type organizations sometimes outperform market mechanisms, but they assume that relevant information is costlessly available. This ignores precisely that at which markets excel.
  - Available on SSRN.
29. Third Possibility: Consortium Mechanism
- Those concerned to gain information about vulnerabilities form a consortium.
- The consortium pays for information about vulnerabilities.
- Members may share information for free.
- Examples
  - Information Sharing and Analysis Centers (ISACs)
    - Governmental.
    - Do not yet deal with vulnerabilities in the above way.
  - Industry consortiums.
- Similar to CERT-type organizations with the added complexity of conflicting business motives.
30. Fourth Possibility: Federally Funded Centers
- This does not exist.
- The center would pay for the discovery of vulnerabilities, but
  - would not charge for the disclosure of the information.
- Kannan, Telang, and Xu, "Economic Analysis of the Market for Software Vulnerability Disclosure," contend this type of approach performs best, but again they assume that relevant information is costlessly available.
31. Lemon Markets and Their Solution
- Nothing we have said so far addresses the lemon markets problem.
- The basic lemon markets mechanism:
  - Consumers cannot, before purchase, tell the difference between a good product and a lemon, so
  - the price drops (the expected value of the purchase is reduced by the expected value of getting a lemon), and
  - good products disappear from the market.
- Solution: get information to buyers before they purchase.
32. Prediction Markets
- A prediction market would accomplish the purpose.
- In the market, investors buy futures in which they speculate on which products will have this or that type of vulnerability.
- Such markets have proven remarkably accurate in predicting a wide variety of events.
  - http://www.consensuspoint.com/index.php
- The prediction markets might work well where there are active disclosure markets which reveal the existence of vulnerabilities.
33. An Example
- Why not set up a prediction market in which investors buy futures on when vulnerabilities will be discovered in the iDefense challenge with regard to
  - Apache httpd
  - Berkeley Internet Name Domain (BIND) daemon
  - Sendmail SMTP daemon
  - OpenSSH sshd
  - Microsoft Internet Information (IIS) Server
  - Microsoft Exchange Server
- Investors could speculate on the time, number, and rank order in the list.
- The activity in the market could guide purchase decisions prior to discovery of the vulnerability.
34. Where We Are Now
- Minimal market solutions.
- HIPAA, GLB, SOX.
  - All incorporate an unworkable reasonableness requirement.
- Very limited application of negligence.
- Breach notification statutes.
  - Unclear whether the cost of notification is less than the expected loss avoided.
  - They have played an educational role.
- We should make recovery much easier.
35. The Interdependence Problem
- Viruses, worms, Trojans, botnets
  - The likelihood that I will be invaded depends in part on how secure you are.
  - Drive-by downloads.
- To maximize efficiency, where N people can all take precautions to prevent a loss, they should adopt the combination of measures that is more efficient than any other combination.
- But the investment decision is made individually.
36. Conditions for a Market Solution to the Interdependence Problem with Malware
- (1) Everyone accesses the Internet through some ISP.
- (2) Every client demands that its ISP offer (for a price) malware protection which provides that client with an efficient (relative to that client) level of protection against malware.
- (3) Competition among ISPs ensures ISPs respond to client demand for efficient protection.
- (4) ISPs automatically update software through access to clients' computers, and no client is allowed on to the Internet with outdated protection.
37. Inefficiency
- This solution is less than perfect because it fails this test:
  - To maximize efficiency, where N people can take precautions to prevent a loss, they should adopt the combination of measures that is more efficient than any other combination.
- Given (1) through (4), parties will over-invest in protection as long as they buy sequentially and without information about how much protection others will buy.
38. Legal Regulation Required
- (1) Everyone accesses the Internet through some ISP.
  - May be true without legal regulation.
- (2) Every client demands malware protection which provides efficient protection.
  - Will most likely require legal regulation.
- (3) Competition ensures response to client demand for efficient protection.
  - Legal regulation will be necessary to ensure all ISPs require clients to have malware protection.
- (4) ISPs update software; no client is allowed on to the Internet with outdated protection.
  - Contracts sufficient? Criminal statute needed?
39. The Monopoly Problem
- From a security point of view, one dominant operating system (a software monoculture) is a terrible idea.
- Other monopoly worries in regard to security
  - Telecommunications
  - Skype
- Legal note: monopoly is neither illegal nor necessarily undesirable. It is the use of monopoly power in uncompetitive ways that is potentially illegal.
40. Monopoly Problems
- Monopoly power is the power to set prices and exclude competitors.
- Operating systems: the economics is very complex, but there are obvious efficiencies in having one dominant operating system.
- Telecommunications: high initial costs, very low marginal costs, and strong network effects create a tendency toward monopoly.
  - Skype
41. Monopoly Problems (continued)
- Possession of monopoly power is not illegal.
  - Illegality results from using monopoly power in anticompetitive ways that disadvantage consumers.
- Security concerns do not currently figure in the otherwise quite sophisticated economic analysis underlying applications of antitrust law.