Security Economics and European Policy. Ross Anderson, Rainer Böhme, Richard Clayton, Tyler Moore. Computer Laboratory, University of Cambridge. PowerPoint PPT presentation.
Security Economics and European Policy
Ross Anderson, Rainer Böhme, Richard Clayton, Tyler Moore
Computer Laboratory, University of Cambridge
Security Economics and European Policy: Overview
  Information Asymmetries
  Externalities
  Liability Assignment
  Lack of Diversity
  Fragmentation of Legislation and Law Enforcement
  Security Research and Legislation
Introduction: Quick History Overview
  1940s - 80s: Cold War, national concerns, intelligence agencies
  1990s - 2000s: Growing Internet popularity, paradigm shift toward companies
Introduction: Quick History (cont)
  2000 - 2004: Rise of a new organized crime; crimeware; hacking for profit instead of sport
  Today: Fraud rings, hacking rings
Information Asymmetries: The Problem
  Companies often under- or over-estimate statistics
  Reports of security breaches are often suppressed
  Lack of standardized data gathering
  Weakly defined policies
  Digital pollution
  International inconsistency
Information Asymmetries: Recommendations
  A comprehensive security-breach notification law
  Regulate the publication of robust loss statistics for electronic crime
  Collection and publication of data about malicious traffic
Externalities: The Problem
  Who should pay?
  Software vendors: released software with security flaws
  Users: may compromise software security
  Owners: large companies with the capability to handle and repair infected devices; small companies or individuals to whom such setbacks are costly
Externalities: ISPs
  In the most capable position to improve security
  More likely to notice threats/attacks first
  Strong position of control: total traffic control, ability to filter/deny services, quarantine infected machines
  Least likely to change
Externalities: Recommendations
  ISPs will not change without incentive
  Introduce monetary penalties for slow response to malicious activity
  Promote consistent reporting mechanisms to notify ISPs
  Balance penalties to avoid knee-jerk reactions
  Regulate ISPs to allow for a reconnection protocol at the expense of liability
Liability Assignment: Software and System Liability
  Who's responsible for updates?
  Often, consumers are left to fend for themselves
  Most computers are bought with outdated software
  Recommended: enforcement of a standard default
Liability Assignment: Patching
  Necessary but time-consuming and expensive
  Publication of a patch may reveal the vulnerability
  Dependent on the user to update
  Create incentives to improve releases
  Standardize disclosures
  Vendor liability for unpatched software
Liability Assignment: Patching (cont)
  Improve user uptake of patches:
  Make patching more reliable
  Make patching easier/automated
  Separate feature updates from security updates
  Avoid undesirable restrictions (DRM)
  Avoid disruptions to customization
  Avoid burdensome processes
  Keep patches free
Liability Assignment: Consumer Policy
  Customers: generally targeted as the liability dump; often left with little option or choice in resolution
  Recommended: procedures for the proper resolution of disputes between customers and service providers
Liability Assignment: Consumer Policy (cont)
  Suppliers: less likely to protect consumers in a monopolistic environment; often rely upon shrink-wrap contracts with take-it-or-leave-it terms (EULAs)
  Abuses: spyware installations; Spam Spam Spam
  Recommended: sanctioning for abuses
Liability Assignment: Consumer Policy (cont)
  Online transactions: fragmented law
  Current legislation does not entirely compensate
  Varying interpretations from country to country
  Aspects currently favor suppliers
  Recommended: revisiting of consumer protection laws
Lack of Diversity: Promoting Logical Diversity
  Consumers and firms are slow to accept changes
  Software diversity: positive network externalities
  Market domination encourages vulnerability (Cisco example; Zetter 2005)
  Recommended: advisement when diversity has security implications
Lack of Diversity: Promoting Physical Diversity in CNI
  Critical National Infrastructure (CNI): Internet Exchange Points (IXPs)
  Very few IXPs serve numerous ISPs
  Failure of one IXP affects thousands
  Recommended: research into IXP failures and work to regulate peering resilience
Fragmentation of Legislation and Law Enforcement: Cybercrime
  Cybercrime crosses borders
  Convention on Cybercrime (2001)
  27 EU states signed, only 12 ratified presently
  Recommended: pressure upon the 15 remaining member states to ratify
Fragmentation of Legislation and Law Enforcement: Law Enforcement Cooperation
  Joint operations are available but limited
  Generally set up for physical crimes
  Operations are usually quid pro quo
  Mutual Legal Assistance Treaty (MLAT)
  Recommended: establishment of an EU-wide body to facilitate international cooperation
Security Research and Legislation: The Problem
  Certain laws currently prohibit some research methods: cryptography, engineering tools
  Others question usage
  UK: “[An offense to] supply or offer to supply, believing that it is likely to be used to commit [an offense].”
Security Research and Legislation: Recommendations
  Champion the interests of information security
  Amend restrictions on research
  Defend against inadvertent stifling
  Encourage security research and development