Security Economics and the Internal Market
Ross Anderson, Rainer Böhme, Richard Clayton, Tyler Moore
WEIS 2008, Dartmouth College, 26th June 2008

Presentation transcript:


ENISA
- European Network and Information Security Agency
- Established in 2004
- Based in Heraklion, Crete
- Motivation: network insecurity threatens the smooth operation of the EU’s single market
- Duty: “giving advice and recommendations, data analysis, as well as supporting awareness raising and cooperation by the EU bodies and Member States.”

Our Remit
- In Sep. 2007, ENISA commissioned us to write a report “analysing barriers and incentives” for security in “the internal market for e-communication”
- What are the big impediments to security?
- What is the EU’s role in fixing the problems?
- How might the advances in security economics (mostly through WEIS) usefully be applied?

The Fundamental Problem of the Information Society
- More and more goods contain software
- More and more industries are starting to become like the software industry
- The good: flexibility, rapid response
- The bad: complexity, frustration, bugs
- The ugly: attacks, frauds, monopolies
- How will law evolve to cope?

Analyzing the Harm
1. Threats to nations – e.g. taking down networks in times of tension
2. Physical harm to individuals – perhaps via failure of online medical systems
3. Financial harm, such as card fraud and phishing
4. Harm to privacy, such as by unlawful disclosure of personal data

The Balance of Harm
- Since 2004, online fraud has been industrialized, with a diverse market of specialist criminals trading with each other
- We have one or two things to say about CNI and privacy, but the report focuses on financial losses
- To identify the market failures – where the EU can lift barriers and realign incentives – we must look at the fraud process

The Attack Lifecycle
- Flaw introduced, either in design or code
- Flaw is discovered and reported, either before or after zero-day use
- Patch is shipped, but not everyone applies it
- Machines recruited to botnets to send spam, host phishing sites, do DDoS etc.
- Infected PCs detected and taken offline
- Asset tracing and recovery

Economic Barriers to Security
- Information asymmetries
- Externalities
- Liability dumping
- Lack of diversity in platforms and networks
- Fragmentation of legislation and law enforcement

Shortage of Information
- Available statistics are poor and often collected by parties with a vested interest in under- or over-counting
- Individual crime victims often have difficulty finding out who’s to blame and getting redress
- For example: people who use ATMs affected by skimmers are notified directly in the USA but via the media in the EU (if at all)

Recommendation 1
We recommend that Europe introduce a comprehensive security breach notification law.

What statistics do we need?
- Different requirements for individuals, firms, security professionals (e.g. at ISPs and banks), researchers and policymakers
- Variables include attack type, losses, geography, socio-economic indicators …
- Sources include ISPs, AV vendors, vulnerabilities / attacks disclosed, financial losses, black market monitoring …
- The ‘black holes’ are banks and ISPs

Recommendation 2
We recommend that the Commission (or the European Central Bank) regulate to ensure the publication of robust loss statistics for electronic crime.

Next Control Point: ISPs
- Problem: well-run ISPs detect infected machines quickly and take them offline. They also respond quickly to take-down requests.
- Badly run ISPs don’t (and are often big – small ISPs that send a lot of spam get hammered)
- This is well-known in the industry, but we need the numbers

Recommendation 3
We recommend that ENISA collect and publish data about the quantity of spam and other bad traffic emitted by European ISPs.

Data Collection Isn’t Enough
- Internet security also suffers negative externalities
- Malware harms others more than its host: bot-controlled machines send spam & host phishing
- ISPs find quarantine and clean-up expensive
- ISPs are not harmed much by insecure customers
- Publishing reliable data on bad traffic emanating from ISPs is only a first step

Overcoming Externalities
- Option 1: self-regulation, reputation effects (hasn’t worked so far)
- Option 2: tax on digital pollution (likely to be vehemently resisted)
- Option 3: cap-and-trade system (dirty ISPs would purchase ‘emission permits’ from clean ones)
- Option 4: joint liability of ISP with user
- Option 5: fixed-penalty scheme

Recommendation 4
We recommend that the EU introduce a statutory scale of damages against ISPs that do not respond promptly to requests for the removal of infected machines, coupled with a right for users to have disconnected machines reconnected by assuming liability.

Liability Misallocation
- Software vendors (and many service firms) disclaim liability using contract terms
- There have been many calls for this to change, e.g. UK House of Lords
- But – governments should not interfere in business contracts without good reason!
- Intervention OK for market failure such as monopoly, and for consumer protection

Liability and Politics
- Tackling the ‘culture of impunity’ in software is necessary as civilization comes to depend on software, but it’s too hard to do in one go!
- Suggested strategy:
  - Leave standalone embedded systems to safety, product liability, consumer regulation
  - With networked systems, start work on harm to others
  - Relentlessly reallocate slices of liability to promote best practice

Vendor Liability Options
- Option 1 – Directive that liability for defects can’t be dumped by contract
- Option 2 – Statutory right (e.g. by ISPs) to sue vendors for damages
- Option 3 – Do nothing; rely on market pressure (Sun and HP patch slower than MS, Red Hat)
- Option 4 – ‘Safety by default’: you can’t sell a car without a seatbelt, so why should you be allowed to sell an OS without a patching service?

Recommendation 5
We recommend that the EU develop and enforce standards for network-connected equipment to be secure by default.

Recommendation 6
We recommend that the EU adopt a combination of early responsible vulnerability disclosure and vendor liability for unpatched software to speed the patch-development cycle.

Recommendation 7
We recommend that security patches be offered for free, and that patches be kept separate from feature updates.

Consumer Liability Issues
- Network insecurity causes privacy failures and service failures, but the main effect on consumers is financial
- There is great variation in how customer complaints are handled (UK, DE the worst)
- E-commerce depends on financial intermediaries managing risk, but individual banks will try to externalize this
- The Payment Services Directive fudged the issue – which needs revisiting

Recommendation 8
The European Union should harmonise procedures for the resolution of disputes between customers and payment services providers over electronic transactions.

Abusive Online Practices
- Spyware violates many EU laws, yet continues to proliferate
- Going after the advertisers may work
- The EU Directive on Privacy and Electronic Communications (2002) included a business exemption for spam, which has undermined its enforcement
- Bundling of goods with physical services challenges the singularity of the Single Market

Recommendation 9
The European Commission should prepare a proposal for a Directive establishing a coherent regime of proportionate and effective sanctions against abusive online marketers.

Recommendation 10
ENISA should conduct research, coordinated with affected stakeholders and the European Commission, to study what changes are needed to consumer-protection law as commerce moves online.

Further Recommendations
Dealing with the lack of diversity:
- 11: ENISA should advise the competition authorities whenever diversity has security implications
- 12: ENISA should sponsor research to better understand the effects of IXP failures. We also recommend they work with telecoms regulators to insist on best practice in IXP peering resilience

Further Recommendations
Fragmentation of Legislation and Law Enforcement
- 13: We recommend that the European Commission put immediate pressure on the 15 Member States that have yet to ratify the Cybercrime Convention
- 14: We recommend the establishment of an EU-wide body charged with facilitating international cooperation on cyber-crime, using NATO as a model

Further Recommendations
Security Research and Legislation
- 15: We recommend that ENISA champion the interests of the information security sector within the Commission to ensure that regulations introduced for other purposes do not inadvertently harm researchers and firms

More …
- Economics and Security Resource Page
- Cambridge Security Group Blog