Security Market: Incentives for Disclosure of Vulnerabilities

Peter P. Swire, Ohio State University
Houston/Sante Fe Conference, June 4, 2005

Transcript of the PowerPoint presentation (22 slides)

Page 1

Security Market: Incentives for Disclosure of Vulnerabilities

Peter P. Swire

Ohio State University

Houston/Sante Fe Conference

June 4, 2005

Page 2

Overview

- The prior paper: when it is efficient to disclose security information
- This paper: what are the incentives actors face on whether to disclose?
  - Security notification statutes
  - Open Source software
  - Proprietary software
  - Government

Page 3

First Paper: Effects of Disclosure

[Chart: horizontal axis "Help Attackers" (Low to High); vertical axis "Help Defenders" (Low to High). Two labelled positions: Open Source, "No security through obscurity"; Military/Intel, "Loose lips sink ships".]

Page 4

Effects of Disclosure -- II

[Chart: same axes, "Help Attackers" (Low to High) and "Help Defenders" (Low to High). Four labelled positions: Military/Intelligence, Public Domain, Information Sharing, Open Source.]

Page 5

Why Computer & Network Attacks More Often Benefit From Disclosure

- Hiddenness & the first-time attack
  - N = number of attacks
  - L = learning from attacks
  - C = communicate with other attackers
- Hiddenness helps for a pit or for a mine field
- Hiddenness works much less well for
  - Mass-market software
  - Firewalls
  - Encryption algorithms

Page 6

What Is Different for Cyber Attacks?

- Many attacks
- Each attack is low cost
- Attackers learn from previous attacks
  - "This trick got me root access"
- Attackers communicate about vulnerabilities
- Because of attackers' knowledge, disclosure often helps defenders more than attackers for cyber attacks

Page 7

II. Security Notification

- California statute, S.B. 1386
- If SSN, bank account breached, then notify
- This year, ChoicePoint, B of A, etc.
- Likely federal legislation

Page 8

Security Notification: Externality

- 1st party: system owner
- 2nd parties:
  - Attackers – steal identities or know the exploit
  - Defenders – Open Source coders, may help
- 3rd parties: data of 3rd parties is held by the 1st party
- Externality: secrecy harms third parties but often helps the 1st party, so there is under-disclosure

Page 9

Security Notification: Legal Rule

- I believe the externality is significant
- Issues for possible discussion
  - What is the trigger for notification, to avoid over- and under-notification?
  - What sort of guidance, advisory opinions, common law, or other mechanisms can clarify over time when to notify?

Page 10

Incentives to Disclose

- California law concerns disclosure of 3rd-party data held by the 1st party
- Next, disclosure by the 1st party of data that may help the security of 1st and 3rd parties
  - Security motive – when disclosure will help the 1st party's security goals
  - Competition motive – when disclosure will help the 1st party's competitive goals

Page 11

Producer / Security / Competition

Open Source
  Security: Ideologically open; some "secret sauce" (Case 1)
  Competition: Ideologically open; apparently high use of trade secrets (Case 2)

Proprietary Software
  Security: Monopolist on source code; disclosure based on monopsony and market power (Case 3)
  Competition: Monopolist on source code; disclosure based on how open standards help profits (Case 4)

Government
  Security: Information sharing dilemma (help attackers & defenders); public choice model (Case 5)
  Competition: Turf maximization, e.g., FBI vs. local police for the credit (Case 6)

Page 12

Case 1: Open Source/Security

- By ideology, by definition, & under licenses, open source code is viewable by all
- Based on interviews, secrecy is still used:
  - For passwords and keys
  - "Stealth firewalls" and other hidden features that are not observable from the outside
  - "Secret sauce" such as unusual settings and configurations, to defeat script kiddies
- In short, rational secrecy is used to foil first-time and unsophisticated attacks

Page 13

Case 2: Open Source/Competition

- In interviews, O.S. devotees smile and admit that they don't publish their best stuff – what's going on?
- Services dominate products in Open Source business models
- GPL 2.0 applies to any work "distributed or published", but not to services provided by one company
- Conclusion: trade secrets used in services have become a key competitive tool
  - Consistent with IBM and other major players' services activities

Page 14

Case 2: Open Source/Competition

- Emerging debate on GPL 3.0
  - Possible Stallman proposal to require publishing of code used internally
  - If so, then a likely fracture in the Open Source community, with services companies (i.e., large commercial players) sticking with GPL 2.0 to protect their trade secrets and business models

Page 15

Case 3: Proprietary/Security

- Initially, the owner of closed-source software is in a monopoly position about flaws in the software it wrote
- An externality similar to database leaks, because the 1st party loses reputation and risks liability with disclosure, but the harm falls on the 3rd-party user
  - This description was likely more true several years ago, before computer security was so important
  - Size of the externality depends on the degree to which the seller's reputation suffers due to security flaws
- Over time, outside programmers gain expertise, the 1st party loses its monopoly position in knowledge about vulnerabilities, & the reputation effect is greater

Page 16

Case 3: Proprietary/Security

- What pressures force disclosure of vulnerabilities?
  - Buyers with monopsony power, who have a taste to know the code in their system
  - Especially governments, who can (and do) require disclosure of vulnerabilities (Air Force)
  - To the extent there is competition based on software security, then disclosure may be profit-maximizing
- Over time, have seen substantially greater openness about vulnerabilities in proprietary software

Page 17

Case 4: Proprietary/Competitive

- Hidden source code as a trade secret and possible competitive edge
- Countervailing incentive to have at least partly "open standards" in order to get broad adoption, network effects, & first-mover advantage
  - At least share with developers & joint ventures
  - Complex game theory on when to be open

Page 18

Open Source & Proprietary

- Greater secrecy in Open Source than usually recognized
  - Secret sauce for security
  - Trade secrets in services
- Greater openness in proprietary than usually recognized
  - Monopsony power, governments, reputation
  - Financial gains from at least partly open standards
- Convergence of the two approaches when it comes to disclosure?

Page 19

Case 5: Government/Security

- The information sharing dilemma
  - Disclosure helps both attackers & defenders
  - 1st party wants to share only with trusted third parties
  - Other 3rd parties may want/need information to protect their own systems/jurisdictions
- Examples such as terrorist watch lists, terrorist modes of attack, alerts based on intelligence

Page 20

Case 5: Government/Security

- What mechanisms for disclosure are similar to the monopsonist or reputation effects?
  - Perhaps public choice demand for data sharing
  - Seems unlikely to be effective in forcing data from law enforcement or intelligence agencies
- Thus a rationale for legal rules
  - FOIA to create transparency, including risks to communities
  - Executive Orders & congressional mandates to encourage information sharing

Page 21

Case 6: Government/Competitive

- Widespread view that law enforcement & intelligence agencies hoard data
  - Most famously, the FBI has not shared with locals
- Hoarding can protect turf – others can't use it against the 1st party (the agency)
- Hoarding can garner credit with stakeholders – the arrest, the correct intelligence analysis
- Again, FOIA and Information Sharing mandates can seek to counteract excessive secrecy

Page 22

Conclusions

- Identify 1st, 2nd, 3rd parties and possible externalities
- Highlight overlapping dynamics of disclosure, both for security and competitive goals
- Recognize situations where the amount of disclosure is most likely to vary from the optimal, and suggest legal & policy responses