Security Market: Incentives for Disclosure of Vulnerabilities Peter P. Swire Ohio State University Houston/Sante Fe Conference June 4, 2005.


Overview
- The prior paper: when it is efficient to disclose security information
- This paper: what incentives do actors face on whether to disclose?
- Security notification statutes
- Open Source software
- Proprietary software
- Government

First Paper: Effects of Disclosure (2x2 model; rows = help to defenders, columns = help to attackers)

                       Help Attackers: Low                              Help Attackers: High
Help Defenders: High   Open Source ("no security through obscurity")
Help Defenders: Low                                                     Military/Intel ("loose lips sink ships")

Effects of Disclosure -- II (same axes, all four quadrants filled in)

                       Help Attackers: Low    Help Attackers: High
Help Defenders: High   Open Source            Information Sharing
Help Defenders: Low    Public Domain          Military/Intelligence

Why Computer & Network Attacks More Often Benefit From Disclosure
- Hiddenness and the first-time attack; the value of hiddenness falls as these rise:
  - N = number of attacks
  - L = learning from attacks
  - C = communication with other attackers
- Hiddenness helps for a pit or a minefield (few attacks, little learning, little communication)
- Hiddenness works much less well for:
  - Mass-market software
  - Firewalls
  - Encryption algorithms

What Is Different for Cyber Attacks?
- Many attacks
- Each attack is low cost
- Attackers learn from previous attacks ("this trick got me root access")
- Attackers communicate about vulnerabilities
- Because of attackers' knowledge, disclosure often helps defenders more than attackers for cyber attacks

II. Security Notification
- California statute, S.B.
- If SSNs or bank account numbers are breached, then notify
- This year: ChoicePoint, Bank of America, etc.
- Federal legislation is likely

Security Notification: Externality
- 1st party: system owner
- 2nd parties:
  - Attackers: steal identities or learn the exploit
  - Defenders: Open Source coders, may help
- 3rd parties: those whose data the 1st party holds
- Externality: secrecy harms third parties but often helps the 1st party, so the result is under-disclosure

Security Notification: Legal Rule
- I believe the externality is significant
- Issues for possible discussion:
  - What is the trigger for notification, to avoid over- and under-notification?
  - What sort of guidance, advisory opinions, common law, or other mechanisms can clarify over time when to notify?

Incentives to Disclose
- The California law concerns disclosure of 3rd-party data held by the 1st party
- Next: disclosure by the 1st party of information that may help the security of 1st and 3rd parties
- Security motive: when disclosure will help the 1st party's security goals
- Competition motive: when disclosure will help the 1st party's competitive goals

Producer             | Security                                                                               | Competition
---------------------|----------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------
Open Source          | Ideologically open; some "secret sauce" (Case 1)                                       | Ideologically open; apparently high use of trade secrets (Case 2)
Proprietary Software | Monopolist on source code; disclosure driven by monopsony and market power (Case 3)    | Monopolist on source code; disclosure based on how open standards help profits (Case 4)
Government           | Information-sharing dilemma (helps attackers & defenders); public choice model (Case 5) | Turf maximization, e.g., FBI vs. local police for the credit (Case 6)

Case 1: Open Source/Security
- By ideology, by definition, and under its licenses, open source code is viewable by all
- Based on interviews, secrecy is still used:
  - For passwords and keys
  - Stealth firewalls and other hidden features that are not observable from the outside
  - "Secret sauce" such as unusual settings and configurations, to defeat script kiddies
- In short, rational secrecy is used to foil first-time and unsophisticated attacks

Case 2: Open Source/Competition
- In interviews, O.S. devotees smile and admit that they don't publish their best stuff. What's going on?
- Services dominate products in Open Source business models
- GPL 2.0 applies to any work distributed or published, but not to services provided by one company using the code internally
- Conclusion: trade secrets used in services have become a key competitive tool
- Consistent with the services activities of IBM and other major players

Case 2: Open Source/Competition (continued)
- Emerging debate on GPL 3.0
- Possible Stallman proposal to require publishing of code used internally
- If so, a likely fracture in the Open Source community, with services companies (i.e., large commercial players) sticking with GPL 2.0 to protect their trade secrets and business models

Case 3: Proprietary/Security
- Initially, the owner of closed-source software holds a monopoly on knowledge of the flaws in the software it wrote
- An externality similar to database leaks: with disclosure the 1st party loses reputation and risks liability, while the harm of non-disclosure falls on the 3rd-party user
- This description was likely more true several years ago, before computer security became so important
- The size of the externality depends on the degree to which the seller's reputation suffers because of security flaws
- Over time, outside programmers gain expertise, the 1st party loses its monopoly on knowledge about vulnerabilities, and the reputation effect grows

Case 3: Proprietary/Security (continued)
- What pressures force disclosure of vulnerabilities?
  - Buyers with monopsony power who have a taste to know the code in their systems
  - Especially governments, which can (and do) require disclosure of vulnerabilities (e.g., the Air Force)
  - To the extent there is competition based on software security, disclosure may be profit-maximizing
- Over time, we have seen substantially greater openness about vulnerabilities in proprietary software

Case 4: Proprietary/Competitive
- Hidden source code as a trade secret and possible competitive edge
- Countervailing incentive to have at least partly open standards in order to get broad adoption, network effects, and first-mover advantage
  - At least share with developers and joint ventures
- Complex game theory on when to be open

Open Source & Proprietary
- Greater secrecy in Open Source than usually recognized
  - "Secret sauce" for security
  - Trade secrets in services
- Greater openness in proprietary software than usually recognized
  - Monopsony power, governments, reputation
  - Financial gains from at least partly open standards
- Convergence of the two approaches when it comes to disclosure?

Case 5: Government/Security
- The information-sharing dilemma
  - Disclosure helps both attackers and defenders
  - The 1st party wants to share only with trusted third parties
  - Other 3rd parties may want or need the information to protect their own systems or jurisdictions
- Examples: terrorist watch lists, terrorist modes of attack, alerts based on intelligence

Case 5: Government/Security (continued)
- What mechanisms for disclosure are similar to the monopsonist or reputation effects?
  - Perhaps public-choice demand for data sharing
  - Seems unlikely to be effective in forcing data out of law enforcement or intelligence agencies
- Thus a rationale for legal rules:
  - FOIA to create transparency, including about risks to communities
  - Executive Orders and congressional mandates to encourage information sharing

Case 6: Government/Competitive
- Widespread view that law enforcement and intelligence agencies hoard data
  - Most famously, the FBI has not shared with local police
- Hoarding can protect turf: others can't use the data against the 1st party (the agency)
- Hoarding can garner credit with stakeholders: the arrest, the correct intelligence analysis
- Again, FOIA and information-sharing mandates can seek to counteract excessive secrecy

Conclusions
- Identify 1st, 2nd, and 3rd parties and the possible externalities
- Highlight the overlapping dynamics of disclosure, for both security and competitive goals
- Recognize situations where the amount of disclosure is most likely to vary from the optimum, and suggest legal and policy responses