Security Market: Incentives for Disclosure of Vulnerabilities
Peter P. Swire
Ohio State University
Houston/Santa Fe Conference
June 4, 2005
Overview
The prior paper: when it is efficient to disclose security information
This paper: what are the incentives actors face on whether to disclose?
  Security notification statutes
  Open Source software
  Proprietary software
  Government
First Paper: Effects of Disclosure
[Chart: 2x2 matrix. Horizontal axis "Help Attackers" (Low to High); vertical axis "Help Defenders" (Low to High). Open Source quadrant: "No security through obscurity". Military/Intel quadrant: "Loose lips sink ships".]
Effects of Disclosure -- II
[Chart: the same "Help Attackers" (Low to High) by "Help Defenders" (Low to High) matrix, now with four labeled positions: Military/Intelligence, Public Domain, Information Sharing, Open Source.]
Why Computer & Network Attacks More Often Benefit From Disclosure
Hiddenness & the first-time attack
  N = number of attacks
  L = learning from attacks
  C = communicate with other attackers
Hiddenness helps for a pit or for a mine field (few attacks, little learning, little communication)
Hiddenness works much less well for:
  Mass-market software
  Firewalls
  Encryption algorithms

What Is Different for Cyber Attacks?
Many attacks
Each attack is low cost
Attackers learn from previous attacks
  "This trick got me root access"
Attackers communicate about vulnerabilities
Because of attackers' knowledge, disclosure often helps defenders more than attackers for cyber attacks
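The slides name N, L and C but give no formula. The Python below is an added toy model, not Swire's own model and not code from the talk: it assumes that an attacker's i-th attempt finds a hidden flaw with a probability that grows geometrically with a learning rate L, and that when attackers communicate (C) any single discovery becomes common knowledge. The attacker counts and base probabilities are constructed numbers. It shows the point of the two slides above: the same hidden flaw keeps almost all of its protective value against a single pit-style attack and almost none once attacks are many, cheap, learned from and talked about.

```python
"""
Toy model of when hiddenness protects a vulnerability (added illustration;
NOT Swire's formal model, which these slides do not state).

Assumptions (all constructed, not empirical):
  - A attackers each make k attempts, so N = A * k total attacks.
  - An attacker's i-th attempt (0-based) finds the hidden flaw with
    probability p0 * (1 + L) ** i, capped at 1 (L = learning rate).
  - If C is True, any attacker who finds the flaw tells all the others.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    attackers: int      # A
    attempts: int       # k attempts per attacker
    learning: float     # L
    communicate: bool   # C
    p0: float = 0.01    # chance a naive first attempt finds the flaw (assumed)


def miss_probability(attempts: int, learning: float, p0: float) -> float:
    """Probability that ONE attacker fails on every one of its attempts."""
    survive = 1.0
    for i in range(attempts):
        p_i = min(1.0, p0 * (1.0 + learning) ** i)   # learning raises later odds
        survive *= 1.0 - p_i
    return survive


def fraction_who_know(s: Scenario) -> float:
    """Expected fraction of attackers who know the flaw after the round."""
    miss = miss_probability(s.attempts, s.learning, s.p0)
    if s.communicate:
        # The secret survives only if every attacker missed; otherwise
        # one discovery is shared and everyone knows.
        return 1.0 - miss ** s.attackers
    # No sharing: each attacker only knows what it found itself.
    return 1.0 - miss


def secrecy_value(s: Scenario) -> float:
    """Residual benefit of keeping the flaw hidden: 1.0 means nobody found it."""
    return 1.0 - fraction_who_know(s)


# Constructed scenarios mirroring the slides' contrast.
PIT = Scenario("pit / mine field", attackers=1, attempts=1,
               learning=0.0, communicate=False)
LEARNING_ONLY = Scenario("many attacks, learning, no communication",
                         attackers=1000, attempts=10,
                         learning=0.5, communicate=False)
MASS_MARKET = Scenario("mass-market software", attackers=1000, attempts=10,
                       learning=0.5, communicate=True)


if __name__ == "__main__":
    for s in (PIT, LEARNING_ONLY, MASS_MARKET):
        print(f"{s.name:42s} N={s.attackers * s.attempts:6d}  "
              f"attackers who know flaw={fraction_who_know(s):.4f}  "
              f"secrecy value={secrecy_value(s):.4f}")
```

With the assumed numbers the pit keeps about 99% of its secrecy value, a thousand learning attackers who do not talk to each other each find the flaw roughly three times in four, and once they communicate the secrecy value is effectively zero; the qualitative ordering, not the exact figures, is the lesson.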
II. Security Notification
California statute, S.B. 1386
  If SSN or bank account data is breached, then notify
This year, ChoicePoint, B of A, etc.
Likely federal legislation
Security Notification: Externality
1st party: system owner
2nd parties:
  Attackers – steal identities or know exploit
  Defenders – Open Source coders, may help
3rd parties: data of 3rd parties held
Externality: secrecy harms third parties but often helps 1st party, so under-disclosure
Security Notification: Legal Rule
I believe the externality is significant
Issues for possible discussion:
  What is the trigger for notification, to avoid over- and under-notification?
  What sort of guidance, advisory opinions, common law, or other mechanisms can clarify over time when to notify?
Incentives to Disclose
California law concerns disclosure of 3rd party data held by 1st party
Next, disclosure by 1st party of data that may help security of 1st and 3rd parties
Security motive – when disclosure will help 1st party's security goals
Competition motive – when disclosure will help 1st party's competitive goals
Producer             | Security                                                                              | Competition
Open Source          | Ideologically open; some "secret sauce" (Case 1)                                      | Ideologically open; apparently high use of trade secrets (Case 2)
Proprietary Software | Monopolist on source code; disclosure based on monopsony and market power (Case 3)    | Monopolist on source code; disclosure based on how open standards help profits (Case 4)
Government           | Information sharing dilemma (help attackers & defenders); public choice model (Case 5) | Turf maximization, e.g., FBI vs. local police for the credit (Case 6)
Case 1: Open Source/Security
By ideology, by definition, & under licenses, open source code is viewable by all
Based on interviews, secrecy still used:
  For passwords and keys
  "Stealth firewalls" and other hidden features that are not observable from the outside
  "Secret sauce" such as unusual settings and configurations, to defeat script kiddies
In short, rational secrecy is used to foil first-time and unsophisticated attacks
Case 2: Open Source/Competition
Interviews with O.S. devotees: they smile and admit that they don't publish their best stuff – what's going on?
Services dominate products in Open Source business models
GPL 2.0 applies to any work "distributed or published", but not to services provided by one company
Conclusion: trade secrets used in services have become a key competitive tool
  Consistent with IBM and other major players' services activities
Case 2: Open Source/Competition (cont.)
Emerging debate on GPL 3.0
  Possible Stallman proposal to require publishing of code used internally
  If so, then a likely fracture in the Open Source community, with services companies (i.e., large commercial players) sticking with GPL 2.0 to protect their trade secrets and business models
Case 3: Proprietary/Security
Initially, the owner of closed-source software is in a monopoly position about flaws in the software it wrote
An externality similar to database leaks, because the 1st party loses reputation and risks liability with disclosure, but the harm falls on the 3rd party user
  This description was likely more true several years ago, before computer security was so important
Size of externality depends on the degree to which the seller's reputation suffers due to security flaws
Over time, outside programmers gain expertise, the 1st party loses its monopoly position in knowledge about vulnerabilities, & the reputation effect is greater
Case 3: Proprietary/Security (cont.)
What pressures force disclosure of vulnerabilities?
  Buyers with monopsony power, who have a taste to know the code in their system
  Especially governments, who can (and do) require disclosure of vulnerabilities (Air Force)
  To the extent there is competition based on software security, then disclosure may be profit-maximizing
Over time, have seen substantially greater openness about vulnerabilities in proprietary software
Case 4: Proprietary/Competitive
Hidden source code as a trade secret and possible competitive edge
Countervailing incentive to have at least partly "open standards" in order to get broad adoption, network effects, & first-mover advantage
  At least share with developers & joint ventures
  Complex game theory on when to be open
Open Source & Proprietary
Greater secrecy in Open Source than usually recognized
  Secret sauce for security
  Trade secrets in services
Greater openness in proprietary than usually recognized
  Monopsony power, governments, reputation
  Financial gains from at least partly open standards
Convergence of the two approaches when it comes to disclosure?
Case 5: Government/Security
The information sharing dilemma
  Disclosure helps both attackers & defenders
  1st party wants to share only with trusted third parties
  Other 3rd parties may want/need information to protect their own systems/jurisdictions
Examples such as terrorist watch lists, terrorist modes of attack, alerts based on intelligence
Case 5: Government/Security (cont.)
What mechanisms for disclosure similar to the monopsonist or reputation effects?
  Perhaps public choice demand for data sharing
  Seems unlikely to be effective in forcing data from law enforcement or intelligence agencies
Thus a rationale for legal rules:
  FOIA to create transparency, including risks to communities
  Executive Orders & congressional mandates to encourage information sharing
Case 6: Government/Competitive
Widespread view that law enforcement & intelligence agencies hoard data
  Most famously, the FBI has not shared with locals
Hoarding can protect turf – others can't use it against the 1st party (the agency)
Hoarding can garner credit with stakeholders – the arrest, the correct intelligence analysis
Again, FOIA and Information Sharing mandates can seek to counteract excessive secrecy
Conclusions
Identify 1st, 2nd, 3rd parties and possible externalities
Highlight overlapping dynamics of disclosure, both for security and competitive goals
Recognize situations where the amount of disclosure is most likely to vary from the optimal, and suggest legal & policy responses