Legal and Market Responses to Security Issues Richard Warner


Page 1: Legal and Market Responses to Security Issues Richard Warner

Legal and Market Responses to Security Issues

Richard Warner

Page 2

A Point To Remember

Innovation is critical. It drives economic development. It drives it most effectively when considerable flexibility is allowed in business models, research, and design.

A question to bear in mind: Which of the approaches allows the most flexibility?

Page 3

The Underinvestment Problem (?)

Do system owners inefficiently underinvest in protection against unauthorized access? Inefficient from a societal perspective:

An increased investment would reduce the expected harm to third-parties by an amount greater than the investment; hence, as a society, we waste money we could use for other purposes.

If we could effectively defend ourselves individually against harms stemming from unauthorized access, we could avoid the waste.

Can we defend ourselves? Insurance? Education? Elementary and high school. Design for usability?

Page 4

The Traditional Response

If this were the solution, the legal response would be just one more retelling of this familiar story: (1) an activity imposes a risk of harm on third-parties, where (2) those engaging in and benefiting from the activity inefficiently under-invest in protecting the third parties; (3) the law responds by imposing on those engaging in the activity a duty to take reasonable steps to prevent harm to third-parties, where (4) other things being equal, a reasonable step is one that reduces expected damage to third-parties by an amount greater than the total cost of the step.

Page 5

Underinvestment: The Wrong Solution?

Assuming that we cannot defend ourselves, the solution seems obvious: require system owners to take reasonable steps to protect against unauthorized access—where, other things being equal, a reasonable owner invests in protection as long as the investment reduces expected damage by an amount greater than the total cost of the investment.

Page 6

Estimates Impossible?

Special cases aside, system owners cannot obtain the information they need to make reasonable estimates of the expected damage to third-parties.

Compare driving a car. When driving, the information you need is, for the most part, locally available; you just need to observe the other drivers, the road and weather conditions, and the like.

Page 7

Estimates Impossible?

The information a system owner needs to “drive safely”–to take appropriate precautions to avoid the accident of a security breach–may be distributed over millions of people.

The expected damage that theft of sensitive financial information, for example, imposes on any individual among these millions depends on a variety of factors.

Without accurate statistical studies, an entity storing this information has no feasible way to acquire and analyze the relevant information about millions of people.

With rare exceptions, such studies do not exist and are not likely to.

Page 8

Even If Studies Existed . . .

Network owners would still face a big hurdle: what software should they buy?

Is it reasonable to buy the top of the line, expensive security product? Or will a cheaper product serve the purpose?

Difficulty in evaluating capabilities of security software. Difficulty in evaluating needs of a complex network. Lemons market.

Page 9

Insurance: Basics

These claims may seem wrong because there is an active insurance market offering insurance against liability to third-parties for inadequate information security.

Insurance companies calculate the expected loss from the occurrence of an event and then offer insurance against that event at a price greater than the expected loss.

Typically, you can buy insurance against any event for which an insurance company can calculate the expected loss. That is why you cannot, for example, buy insurance against death resulting from the crash of a private plane.

Page 10

Third-Party Liability Insurance

The market currently offers insurance against legal liability to third-parties for inadequate information security.

This just means that the insurance companies can calculate the expected legal liability.

That just requires information to predict the outcomes of lawsuits.

Page 11

Unique to the Internet

This problem is unique to the Internet. The Internet makes it possible to collect information scattered all over the world, centralize it in a database, and make it easily available to users dispersed throughout the world.

This aspect of the Internet makes the problem of inadequate information security extraordinarily difficult to solve.

Page 12

Possible Solutions

Legal: negligence; strict liability.

Market: open source software; market for software vulnerability disclosure; prediction markets.

Page 13

Negligence

Standard of reasonableness: industry norms.

Spectrum of cases: reasonable / unclear / unreasonable.

Even in the “unreasonable” cases, a negligence recovery may not be possible.

Page 14

Security Requirements

Protection: authentication; encryption; protection against malicious code; transmission security; administrative safeguards; physical safeguards.

Prevention: administrative requirements; investigative requirements.

Detection: data history requirements; reporting requirements.

Recovery: emergency response plan.

Page 15

Industry Standards

The emerging industry standard is to expect security to be breached and to provide for recovery.

The question is what “recovery” means in regard to third-parties. Breach notification statutes. Not at all clear that the cost is less than the expected loss avoided.

Page 16

Negligence: Recent Cases

A mere increased risk of harm is not a basis for negligence liability: Forbes v. Wells Fargo Bank.

The economic harm rule prevents recovery (and that is a good thing): Banknorth, N.A. v. BJ's Wholesale Club.

Breach of contract, breach of fiduciary duty, promissory estoppel not available: Sovereign Bank v. BJ's Wholesale Club.

Page 17

The Economic Loss Rule

The economic loss rule: without a physical impact, there is no tort recovery for purely economic loss.

Rationale: to limit losses to a bearable amount.

Page 18

Tort

[Figure: chart with axes labeled “Extent of physical impact” and “Economic impact”]

Page 19

Strict Liability

Liability would be crushing, unless courts invoke the economic harm rule, or insurance is available.

A non-economic consideration: other things being equal, those who create and benefit from an activity should bear the costs that activity imposes on innocent third-parties. The argument in the case of negligence: “should bear the costs they negligently impose”.

Page 20

What Should the Law’s Role Be?

Without a supporting culture, the law is an ineffective tool for controlling and directing behavior.

Legal regulation can contribute to the creation of a supporting culture, but its contribution is limited.

We need to develop a supporting culture; it is just a pipe dream to think that the law is the main tool that we can use to accomplish that goal.

Page 21

Market Solutions: Many Minds and Money Where Your Mouth Is

A market solution relies primarily on monetary, non-legal incentives to achieve a desired result.

Sunstein on many minds and money: there is considerable evidence that non-deliberative pooling of expertise can outperform deliberation, especially when monetary gain rewards correctness and monetary loss penalizes incorrectness.

Page 22

Three Market Solutions

The market solutions focus on vulnerabilities in software. Software vulnerabilities are one key aspect of the problem. There are three market solutions.

Page 23

First Market Solution: Open Source Software

Software is “open source” if its source code is publicly available. Open source software may be the product of many programmers, scattered all over the world, who contribute to the source code.

Open source software has advantages: fewer defects; no proprietary problems.

Legal issues: liability for intellectual property violations. SCO Group v. IBM.

Page 24

Open Source Economics

Open source software works best when it is:

based on non-proprietary techniques (no “blends” of open source and proprietary code);
subject to network effects;
an application that is sensitive to failure;
such that verification requires peer review;
sufficiently important (business critical) that people will cooperate to find bugs.
(Eric Raymond, The Magic Cauldron)

Security has all the above features (Anderson). Many software vendors pursue an anti-interoperability strategy incompatible with open source software. Prohibitions on reverse engineering in End User License Agreements.

Page 25

Second Market Solution: Vulnerability Disclosure Markets

A vulnerability disclosure market provides a mechanism for those who discover vulnerabilities to communicate them to software manufacturers/vendors.

There are four possibilities.

Page 26

First Possibility: Market-Based

A business—like iDefense—pays for information about the existence of vulnerabilities and communicates this information to its clients.

Markets are generally very successful in aggregating dispersed information. They are accurate and efficient.

Unless precautions are taken, clients could be hackers. This is true also in all following cases.

Page 27

iDefense Vulnerability Challenge

“This challenge sets the bar quite high, focusing on core Internet technologies likely to be in use in corporate enterprises. Because of this, we are merging Q2 and Q3 challenges into one, effectively extending the research time. The following technologies are the focus of this challenge:

Apache httpd
Berkeley Internet Name Domain (BIND) daemon
Sendmail SMTP daemon
OpenSSH sshd
Microsoft Internet Information (IIS) Server
Microsoft Exchange Server

iDefense will pay $16,000 for each submitted vulnerability that demonstrates the execution of arbitrary code.”

Page 28

Second Possibility: CERT-type Organizations

No money is paid to those who discover vulnerabilities. No money is charged for the disclosure of the vulnerability. One would expect this not to perform as well as a market mechanism.

Kannan, Telang, and Xu, Economic Analysis of the Market for Software Vulnerability Disclosure, contend CERT-type organizations sometimes outperform market mechanisms, but they assume that relevant information is costlessly available. This ignores precisely that at which markets excel. Available on SSRN.

Page 29

Third Possibility: Consortium Mechanism

Those concerned to gain information about vulnerabilities form a consortium. The consortium pays for information about vulnerabilities. Members may share information for free.

Examples:

Information Sharing and Analysis Centers (ISACs): governmental; does not yet deal with vulnerabilities in the above way.

Industry consortiums: similar to CERT-type organizations with the added complexity of conflicting business motives.

Page 30

Fourth Possibility: Federally Funded Centers

This does not exist. The center would pay for the discovery of vulnerabilities, but would not charge for the disclosure of the information.

Kannan, Telang, and Xu, Economic Analysis of the Market for Software Vulnerability Disclosure, contend this type of approach performs best, but again they assume that relevant information is costlessly available.

Page 31

Lemon Markets and Their Solution

Nothing we have said so far addresses the lemon markets problem. The basic lemon markets’ mechanism:

Consumers cannot, before purchase, tell the difference between a good product and a lemon; so

the price drops (the expected value of the purchase is reduced by the expected value of getting a lemon); and

good products disappear from the market.

Solution: get information to buyers before they purchase.

Page 32

Prediction Markets

A prediction market would accomplish the purpose. In the market, investors buy futures in which they speculate on which products will have this or that type of vulnerability.

Such markets have proven remarkably accurate in predicting a wide variety of events.

http://www.consensuspoint.com/index.php

The prediction markets might work well where there are active disclosure markets which reveal the existence of vulnerabilities.

Page 33

An Example

Why not set up a prediction market in which investors buy futures on when vulnerabilities will be discovered in the iDefense challenge with regard to:

Apache httpd
Berkeley Internet Name Domain (BIND) daemon
Sendmail SMTP daemon
OpenSSH sshd
Microsoft Internet Information (IIS) Server
Microsoft Exchange Server

Investors could speculate on the time, number, and rank order in the list.

The activity in the market could guide purchase decisions prior to discovery of the vulnerability.

Page 34

Where We Are Now

Minimal market solutions. HIPAA, GLB, SOX.

All incorporate an unworkable reasonableness requirement.

Very limited application of negligence. Breach notification statutes.

Unclear whether the cost of notification is less than the expected loss avoided.

They have played an educational role. We should make recovery much easier.

Page 35

The Interdependence Problem

Viruses, worms, Trojans, botnets.

The likelihood that I will be invaded depends in part on how secure you are. Drive-by downloads.

To maximize efficiency, where N people can all take precautions to prevent a loss, they should adopt the combination of measures which is more efficient than any other combination.

But the investment decision is made individually.

Page 36

Conditions for a Market Solution to the Interdependence Problem with Malware

(1) Everyone accesses the Internet through some ISP.

(2) Every client demands its ISP offer (for a price) malware protection which provides that client with an efficient (relative to that client) level of protection against malware.

(3) Competition among ISPs ensures ISPs respond to client demand for efficient protection.

(4) ISPs automatically update software through access to clients’ computers, and no client is allowed on to the Internet with outdated protection.

Page 37

Inefficiency

This solution is less than perfect because it fails this test: to maximize efficiency, where N people can take precautions to prevent a loss, they should adopt the combination of measures which is more efficient than any other combination.

Given (1) – (4), parties will over-invest in protection as long as they buy sequentially and without information about how much protection others will buy.

Page 38

Legal Regulation Required

(1) Everyone accesses the Internet through some ISP. May be true without legal regulation.

(2) Every client demands malware protection which provides efficient protection. Will require legal regulation most likely.

(3) Competition ensures response to client demand for efficient protection. Legal regulation will be necessary to ensure all ISPs require clients to have malware protection.

(4) ISPs update software; no client is allowed on to the Internet with outdated protection.

Contracts sufficient? Criminal statute needed?

Page 39

The Monopoly Problem

From a security point of view, one dominant operating system is a terrible idea.

Other monopoly worries in regard to security: telecommunications; Skype.

Legal note: monopoly is neither illegal nor necessarily undesirable. It is the use of monopoly power in uncompetitive ways that is potentially illegal.

Page 40

Monopoly Problems

Monopoly power is the power to set prices and exclude competitors.

Operating systems: the economics is very complex, but there are obvious efficiencies in having one, dominant operating system.

Telecommunications: high initial costs, very low marginal costs, and strong network effects create a tendency toward monopoly. Skype.

Page 41

Monopoly Problems

Possession of monopoly power is not illegal. Illegality results from using monopoly power in anticompetitive ways that disadvantage consumers.

Security concerns do not currently figure in the—otherwise quite sophisticated—economic analysis underlying applications of antitrust law.