Security Economics and European Policy - PowerPoint PPT Presentation
1
Security Economics and European Policy
Ross Anderson, Rainer Böhme, Richard Clayton, Tyler Moore
Computer Laboratory, University of Cambridge
2
Security Economics and European Policy
  • Information Asymmetries
  • Externalities
  • Liability Assignment
  • Lack of Diversity
  • Fragmentation of Legislation and Law
    Enforcement
  • Security Research and Legislation

3
Introduction
  • Quick History Overview
    • 1940s - 80s
      • Cold War
      • National Concerns
      • Intelligence Agencies
    • 1990s - 2000s
      • Growing Internet popularity
      • Paradigm shift toward companies

4
Introduction
  • Quick History (cont)
    • 2000 - 2004
      • Rise of a new organized crime
      • Crimeware
      • Hacking for profit instead of sport
    • Today
      • Fraud Rings
      • Hacking Rings

5
Information Asymmetries
  • The Problem
    • Companies often under/over-estimate statistics
    • Security breaches are often stifled
    • Lack of standardized data gathering
    • Weakly defined policies
    • Digital pollution
    • International incongruence

6
Information Asymmetries
  • Recommendations
    • A comprehensive security-breach notification law
    • Regulate the publication of robust loss
      statistics for electronic crime
    • Collection and publication of data about
      malicious traffic

7
Externalities
  • The Problem
    • Who should pay?
      • Software Vendors
        • Released software with security flaws
        • Users may compromise software security
      • Owners
        • Large companies with the capability to handle
          and repair infected devices
        • Small companies or individuals for whom such
          setbacks are costly

8
Externalities
  • ISPs
    • Most capable position to improve security
      • More likely to notice threats/attacks first
      • Strong position of control
        • Total traffic control
        • Ability to filter/deny services
        • Quarantine infected machines
    • Least likely to change

9
Externalities
  • Recommendations
    • ISPs will not change without incentive
    • Introduce monetary penalties for slow response to
      malicious activity
    • Promote consistent reporting mechanisms to notify
      ISPs
    • Balance penalties to avoid knee-jerk reactions
    • Regulate ISPs to allow for a reconnection protocol
      at the expense of liability

10
Liability Assignment
  • Software and System Liability
    • Who's responsible for updates?
    • Oftentimes, consumers are left to fend for
      themselves
    • Most computers are bought with outdated software
    • Recommended enforcement of a standard default

11
Liability Assignment
  • Patching
    • Necessary but time-consuming and expensive
    • Publication of a patch may reveal the
      vulnerability
    • Updating depends on the user
    • Create incentives to improve releases
    • Standardize disclosures
    • Vendor liability for unpatched software

12
Liability Assignment
  • Patching (cont)
    • Improve user uptake of patches
      • Make patching more reliable
      • Make patching easier/automated
      • Separate feature updates from security updates
      • Avoid undesirable restrictions (DRM)
      • Avoid disruptions to customization
      • Avoid burdensome processes
      • Keep patches free

13
Liability Assignment
  • Consumer Policy
    • Customers
      • Generally targeted as liability dump
      • Often left with little option or choice in
        resolution
      • Recommended procedures for the proper resolution
        of disputes between customers and service
        providers

14
Liability Assignment
  • Consumer Policy (cont)
    • Suppliers
      • Less likely to protect consumers in a
        monopolistic environment
      • Often rely upon shrink-wrap contracts with
        take-it-or-leave-it terms (EULAs)
    • Abuses
      • Spyware installations
      • Spam Spam Spam
      • Recommended sanctioning for abuses

15
Liability Assignment
  • Consumer Policy (cont)
    • Online transactions
      • Fragmented law
      • Current legislation does not entirely compensate
      • Varying interpretations from country to country
      • Aspects currently favor suppliers
      • Recommended revisiting of consumer protection laws

16
Lack of Diversity
  • Promoting Logical Diversity
    • Consumers and firms are slow to accept changes
    • Software diversity
      • Positive network externalities
      • Market domination encourages vulnerability
        (Cisco's Zetter 2005)
    • Recommended advisement when diversity has
      security implications

17
Lack of Diversity
  • Promoting Physical Diversity in CNI
    • Critical National Infrastructure (CNI)
      • Internet Exchange Points (IXP)
        • Very few IXPs for numerous ISPs
        • Failure of one IXP affects thousands
    • Recommended research into IXP failures and work
      to regulate peering resilience

18
Fragmentation of Legislation and Law Enforcement
  • Cybercrime
    • Cybercrime crosses borders
    • Convention on Cybercrime (2001)
      • 27 EU states signed, only 12 ratified presently
      • Recommended pressure upon the 15 remaining member
        states to ratify

19
Fragmentation of Legislation and Law Enforcement
  • Law Enforcement Cooperation
    • Joint operations are available but limited
      • Generally set up for physical crimes
      • Operations are usually quid pro quo
      • Mutual Legal Assistance Treaty (MLAT)
    • Recommended establishment of an EU-wide body to
      facilitate international cooperation

20
Security Research and Legislation
  • The Problem
    • Certain laws currently prohibit some research
      methods
      • Cryptography
      • Engineering tools
    • Others question usage
      • UK: it is an offense to supply or offer to supply,
        believing that it is likely to be used to commit
        an offense.

21
Security Research and Legislation
  • Recommendations
  • Champion the interests of information security
  • Amend restrictions on research
  • Defend against inadvertent stifling
  • Encourage security research and development