
Security Economics and the Internal Market
Ross Anderson, Rainer Böhme, Richard Clayton, Tyler Moore
WEIS 2008, Dartmouth College, 26th June 2008

Presentation transcript:

1 Security Economics and the Internal Market
- Ross Anderson, Rainer Böhme, Richard Clayton, Tyler Moore
- WEIS 2008, Dartmouth College, 26th June 2008

2 ENISA
- European Network and Information Security Agency
- Established in 2004
- Based in Heraklion, Crete
- Motivation: network insecurity threatens the smooth operation of the EU’s single market
- Duty: “giving advice and recommendations, data analysis, as well as supporting awareness raising and cooperation by the EU bodies and Member States.”

3 Our Remit
- In Sep. 2007, ENISA commissioned us to write a report “analysing barriers and incentives” for security in “the internal market for e-communication”
- What are the big impediments to security?
- What is the EU’s role in fixing the problems?
- How might the advances in security economics (mostly through WEIS) usefully be applied?

4 The Fundamental Problem of the Information Society
- More and more goods contain software
- More and more industries are starting to become like the software industry
- The good: flexibility, rapid response
- The bad: complexity, frustration, bugs
- The ugly: attacks, frauds, monopolies
- How will law evolve to cope?

5 Analyzing the Harm
1. Threats to nations – e.g. taking down networks in times of tension
2. Physical harm to individuals – perhaps via failure of online medical systems
3. Financial harm, such as card fraud and phishing
4. Harm to privacy, such as by unlawful disclosure of personal data

6 The Balance of Harm
- Since 2004, online fraud has been industrialized with a diverse market of specialist criminals trading with each other
- We have one or two things to say about CNI and privacy, but the report focuses on financial losses
- To identify the market failures – where the EU can lift barriers and realign incentives – we must look at the fraud process

7 The Attack Lifecycle
- Flaw introduced, either in design or code
- Flaw is discovered and reported, either before or after zero-day use
- Patch is shipped, but not everyone applies
- Machines recruited to botnets to send spam, host phishing sites, do DDoS etc
- Infected PCs detected and taken offline
- Asset tracing and recovery

8 Economic Barriers to Security
- Information asymmetries
- Externalities
- Liability dumping
- Lack of diversity in platforms and networks
- Fragmentation of legislation and law enforcement

9 Shortage of Information
- Available statistics are poor and often collected by parties with a vested interest in under- or over-counting
- Individual crime victims often have difficulty finding out who’s to blame and getting redress
- For example: people who use ATMs affected by skimmers are notified directly in the USA but via media in the EU (if at all)

10 Recommendation 1
- We recommend that Europe introduce a comprehensive security breach notification law

11 What statistics do we need?
- Different requirements for individuals, firms, security professionals (e.g. at ISPs and banks), researchers and policymakers
- Variables include attack type, losses, geography, socio-economic indicators…
- Sources include ISPs, AV vendors, vulnerabilities / attacks disclosed, financial losses, black market monitoring…
- The ‘black holes’ are banks and ISPs

12 Recommendation 2
- We recommend that the Commission (or the European Central Bank) regulate to ensure the publication of robust loss statistics for electronic crime.

13 Next Control Point: ISPs
- Problem: well-run ISPs detect infected machines quickly and take them offline. They also respond quickly to take-down requests.
- Badly run ISPs don’t (and are often big – small ISPs that send a lot of spam get hammered)
- This is well-known in the industry, but we need the numbers

14 Recommendation 3
- We recommend that ENISA collect and publish data about the quantity of spam and other bad traffic emitted by European ISPs.

15 Data Collection Isn’t Enough
- Internet security also suffers negative externalities
- Malware harms others more than its host: bot-controlled machines send spam & host phishing
- ISPs find quarantine and clean-up expensive
- ISPs are not harmed much by insecure customers
- Publishing reliable data on bad traffic emanating from ISPs is only a first step

16 Overcoming Externalities
- Option 1: self-regulation, reputation effects (hasn’t worked so far)
- Option 2: tax on digital pollution (likely to be vehemently resisted)
- Option 3: cap-and-trade system (dirty ISPs would purchase ‘emission permits’ from clean ones)
- Option 4: joint liability of ISP with user
- Option 5: fixed-penalty scheme

17 Recommendation 4
- We recommend that the EU introduce a statutory scale of damages against ISPs that do not respond promptly to requests for the removal of infected machines, coupled with a right for users to have disconnected machines reconnected by assuming liability.

18 Liability Misallocation
- Software vendors (and many service firms) disclaim liability using contract terms
- There have been many calls for this to change, e.g. UK House of Lords
- But – governments should not interfere in business contracts without good reason!
- Intervention OK for market failure such as monopoly, and for consumer protection

19 Liability and Politics
- Tackling the ‘culture of impunity’ in software is necessary as civilization comes to depend on software, but it’s too hard to do in one go!
- Suggested strategy:
  - Leave standalone embedded systems to safety, product liability, consumer regulation
  - With networked systems, start work on harm to others
  - Relentlessly reallocate slices of liability to promote best practice

20 Vendor Liability Options
- Option 1 – Directive that liability for defects can’t be dumped by contract
- Option 2 – Statutory right (e.g. by ISPs) to sue vendors for damages
- Option 3 – Do nothing; rely on market pressure (Sun and HP patch slower than MS, Red Hat)
- Option 4 – ‘Safety by default’: you can’t sell a car without a seatbelt, so why should you be allowed to sell an OS without a patching service?

21 Recommendation 5
- We recommend that the EU develop and enforce standards for network-connected equipment to be secure by default

22 Recommendation 6
- We recommend that the EU adopt a combination of early responsible vulnerability disclosure and vendor liability for unpatched software to speed the patch-development cycle

23 Recommendation 7
- We recommend that security patches be offered for free, and that patches be kept separate from feature updates

24 Consumer Liability Issues
- Network insecurity causes privacy failures and service failures, but the main effect on consumers is financial
- There is great variation in how customer complaints are handled (UK, DE the worst)
- E-commerce depends on financial intermediaries managing risk, but individual banks will try to externalize this
- The Payment Services Directive fudged the issue – which needs to be revisited

25 Recommendation 8
- The European Union should harmonise procedures for the resolution of disputes between customers and payment services providers over electronic transactions

26 Abusive Online Practices
- Spyware violates many EU laws, yet continues to proliferate
- Going after the advertisers may work
- EU Directive on Privacy and Electronic Communications (2002) included a business exemption for spam, which has undermined its enforcement
- Bundling of goods with physical services challenges the singularity of the Single Market

27 Recommendation 9
- The European Commission should prepare a proposal for a Directive establishing a coherent regime of proportionate and effective sanctions against abusive online marketers

28 Recommendation 10
- ENISA should conduct research, coordinated with affected stakeholders and the European Commission, to study what changes are needed to consumer-protection law as commerce moves online

29 Further Recommendations
- Dealing with the lack of diversity:
  - 11: ENISA should advise the competition authorities whenever diversity has security implications
  - 12: ENISA should sponsor research to better understand the effects of IXP failures. We also recommend they work with telecoms regulators to insist on best practice in IXP peering resilience

30 Further Recommendations
- Fragmentation of Legislation and Law Enforcement:
  - 13: We recommend that the European Commission put immediate pressure on the 15 Member States that have yet to ratify the Cybercrime Convention
  - 14: We recommend the establishment of an EU-wide body charged with facilitating international cooperation on cyber-crime, using NATO as a model

31 Further Recommendations
- Security Research and Legislation:
  - 15: We recommend that ENISA champion the interests of the information security sector within the Commission to ensure that regulations introduced for other purposes do not inadvertently harm researchers and firms

32 More…
- Economics and Security Resource Page – www.cl.cam.ac.uk/~rja14/econsec.html
- Cambridge Security Group Blog – www.lightbluetouchpaper.org

