Security Economics and European Policy Ross Anderson Rainer Böhme Richard Clayton Tyler Moore Computer Laboratory, University of Cambridge


Page 1

Security Economics and European Policy

Ross Anderson Rainer Böhme Richard Clayton Tyler Moore

Computer Laboratory, University of Cambridge

Page 2

Security Economics and European Policy: Outline

- Information Asymmetries
- Externalities
- Liability Assignment
- Lack of Diversity
- Fragmentation of Legislation and Law Enforcement
- Security Research and Legislation

Page 3

Introduction: Quick History Overview

- 1940s - 80s
  - Cold War
  - National concerns
  - Intelligence agencies
- 1990s - 2000s
  - Growing Internet popularity
  - Paradigm shift toward companies

Page 4

Introduction: Quick History (cont)

- 2000 - 2004
  - Rise of a new organized crime
  - Crimeware
  - Hacking for profit instead of sport
- Today
  - Fraud rings
  - Hacking rings

Page 5

Information Asymmetries: The Problem

- Companies often under- or over-estimate statistics
- Security breaches are often stifled
- Lack of standardized data gathering
- Weakly defined policies
- Digital pollution
- International incongruity

Page 6

Information Asymmetries: Recommendations

- A comprehensive security-breach notification law
- Regulate the publication of robust loss statistics for electronic crime
- Collection and publication of data about malicious traffic

Page 7

Externalities: The Problem

Who should pay?

- Software vendors
  - Released software with security flaws
  - Users may compromise software security
- Owners
  - Large companies with the capability to handle and repair infected devices
  - Small companies or individuals for which such setbacks are costly

Page 8

Externalities: ISPs

- Most capable position to improve security
- More likely to notice threats/attacks first
- Strong position of control
  - Total traffic control
  - Ability to filter/deny services
  - Quarantine infected machines
- Least likely to change

Page 9

Externalities: Recommendations

- ISPs will not change without incentive
- Introduce monetary penalties for slow response to malicious activity
- Promote consistent reporting mechanisms to notify ISPs
- Balance penalties to avoid knee-jerk reactions
- Regulate ISPs to allow for a reconnection protocol, at the expense of liability

Page 10

Liability Assignment: Software and System Liability

- Who is responsible for updates?
- Oftentimes, consumers are left to fend for themselves
- Most computers are bought with outdated software
- Recommended enforcement of a standard default

Page 11

Liability Assignment: Patching

- Necessary but time consuming and expensive
- Publication of a patch may reveal the vulnerability
- User dependent to update
- Create incentives to improve releases
- Standardize disclosures
- Vendor liability for unpatched software

Page 12

Liability Assignment: Patching (cont)

Improve user uptake of patches:

- Make patching more reliable
- Make patching easier/automated
- Separate feature from security
- Avoid undesirable restrictions (DRM)
- Avoid disruptions to customization
- Avoid burdensome processes
- Keep patches free

Page 13

Liability Assignment: Consumer Policy

Customers

- Generally targeted as liability dump
- Often left with little option or choice in resolution
- Recommended procedures for the proper resolution of disputes between customers and service providers

Page 14

Liability Assignment: Consumer Policy (cont)

Suppliers

- Less likely to protect consumers in a monopolistic environment
- Often rely upon shrink-wrap contracts with take-it-or-leave-it terms (EULAs)
- Abuses
  - Spyware installations
  - Spam Spam Spam
- Recommended sanctioning for abuses

Page 15

Liability Assignment: Consumer Policy (cont)

Online transactions

- Fragmented law
- Current legislation does not entirely compensate
- Varying interpretations from country to country
- Aspects currently favor suppliers
- Recommended revisiting of consumer protection laws

Page 16

Lack of Diversity: Promoting Logical Diversity

- Consumers and firms are slow to accept changes
- Software diversity
- Positive network externalities
- Market domination encourages vulnerability (Cisco's Zetter 2005)
- Recommended advisement when diversity has security implications

Page 17

Lack of Diversity: Promoting Physical Diversity in CNI

Critical National Infrastructure (CNI): Internet Exchange Points (IXP)

- Very few IXPs for numerous ISPs
- Failure of one IXP affects thousands
- Recommended research into IXP failures and work to regulate peering resilience
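The two diversity slides make the same structural point: when many dependents rely on one provider (many hosts on one software product, many ISPs on one IXP), a single failure takes out everyone without an alternative. The following is an added example, not material from the slides or from the authors, that measures this concentration risk on a constructed dependency map. The ISP and IXP names are invented; the same function applies to a host-to-software map for the logical-diversity case.

```python
"""Single-point-of-failure exposure for a dependency map.

Constructed example: each dependent (an ISP, or a host) relies on one or more
providers (an IXP, or a software product). A dependent survives the loss of a
provider only if it still has at least one other provider. The exposure of a
provider is the number of dependents that have nothing left when it fails.
"""
from collections import defaultdict


def exposure(deps):
    """Return {provider: dependents lost if only that provider fails}.

    deps maps dependent -> set of providers. Every provider present in the
    map appears in the result, with 0 if no dependent is single-homed on it.
    """
    impact = defaultdict(int)
    for providers in deps.values():
        for p in providers:
            impact.setdefault(p, 0)
        if len(providers) == 1:
            (only,) = tuple(providers)
            impact[only] += 1
    return dict(impact)


def worst_case(deps):
    """Largest fraction of dependents removed by a single provider failure."""
    if not deps:
        return 0.0
    return max(exposure(deps).values()) / len(deps)


def single_homed(deps):
    """Dependents with exactly one provider: the ones a resilience policy
    (multi-homing, a second peering point) would target first."""
    return sorted(d for d, providers in deps.items() if len(providers) == 1)


# Constructed ISP -> IXP maps (names invented for the example).
# Concentrated: eight ISPs peer only at IXP-A, one at both, one only at IXP-B.
CONCENTRATED = {f"isp{i}": {"IXP-A"} for i in range(1, 9)}
CONCENTRATED["isp9"] = {"IXP-A", "IXP-B"}
CONCENTRATED["isp10"] = {"IXP-B"}

# Diversified: every ISP peers at both exchanges.
DIVERSE = {f"isp{i}": {"IXP-A", "IXP-B"} for i in range(1, 11)}


def report(name, deps):
    """Summarise a map as a list of lines; returned rather than printed so
    the numbers can be checked programmatically."""
    lines = [f"{name}: {len(deps)} dependents, {len(exposure(deps))} providers"]
    for provider, lost in sorted(exposure(deps).items()):
        lines.append(f"  {provider} fails -> {lost} dependents offline")
    lines.append(f"  worst single failure removes {worst_case(deps):.0%}")
    lines.append(f"  single-homed: {', '.join(single_homed(deps)) or 'none'}")
    return lines


if __name__ == "__main__":
    for title, deps in (("concentrated", CONCENTRATED), ("diverse", DIVERSE)):
        print("\n".join(report(title, deps)))
```

Run as a script, the concentrated map shows IXP-A's failure removing 80% of the ISPs, while the diversified map has no single failure that removes any. The `single_homed` list is the policy lever the slide points at: regulating peering resilience amounts to pushing that list toward empty.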

Page 18

Fragmentation of Legislation and Law Enforcement: Cybercrime

- Cybercrime crosses borders
- Convention on Cybercrime (2001)
  - 27 EU states signed, only 12 ratified presently
- Recommended pressure upon the 15 remaining member states to ratify

Page 19

Fragmentation of Legislation and Law Enforcement: Law Enforcement Cooperation

- Joint operations are available but limited
  - Generally set up for physical crimes
  - Operations are usually quid pro quo
  - Mutual Legal Assistance Treaty (MLAT)
- Recommended establishment of an EU-wide body to facilitate international cooperation

Page 20

Security Research and Legislation: The Problem

- Certain laws currently prohibit some research methods
  - Cryptography
  - Engineering tools
- Others question usage
  - UK: “[An offense to] supply or offer to supply, believing that it is likely to be used to commit [an offense].”

Page 21

Security Research and Legislation: Recommendations

- Champion the interests of information security
- Amend restrictions on research
- Defend against inadvertent stiflings
- Encourage security research and development