
Security Economics and European Policy




  1. Security Economics and European Policy Ross Anderson Rainer Böhme Richard Clayton Tyler Moore Computer Laboratory, University of Cambridge

  2. Security Economics and European Policy • Information Asymmetries • Externalities • Liability Assignment • Lack of Diversity • Fragmentation of Legislation and Law Enforcement • Security Research and Legislation

  3. Introduction • Quick History Overview • 1940s - 80s • Cold War • National security concerns • Intelligence agencies • 1990s - 2000s • Growing Internet popularity • Paradigm shift: security becomes a concern for companies rather than governments

  4. Introduction • Quick History (cont) • 2000 - 2004 • Rise of a new kind of organized crime • Crimeware • Hacking for profit instead of for sport • Today • Fraud rings • Hacking rings

  5. Information Asymmetries • The Problem • Companies often under- or over-report their loss statistics • Security breaches are often concealed • Lack of standardized data gathering • Weakly defined policies • Digital pollution (malicious traffic) • Inconsistent data and practice between countries

  6. Information Asymmetries • Recommendations • A comprehensive security-breach notification law • Regulate the publication of robust loss statistics for electronic crime • Collect and publish data about malicious traffic

  7. Externalities • The Problem • Who should pay? • Software vendors • Release software with security flaws • Users may undermine the security of the software they run • Owners • Large companies have the capability to handle and repair infected devices • Small companies and individuals find such setbacks costly

  8. Externalities • ISPs • Best placed to improve security • More likely to notice threats/attacks first • Strong position of control • See all of a customer's traffic • Ability to filter/deny services • Quarantine infected machines • Yet least likely to change on their own

  9. Externalities • Recommendations • ISPs will not change without incentives • Introduce monetary penalties for slow response to reports of malicious activity • Promote consistent reporting mechanisms to notify ISPs • Balance penalties to avoid knee-jerk disconnections • Regulate a reconnection procedure: a user can have a quarantined machine reconnected by accepting full liability for it

  10. Liability Assignment • Software and System Liability • Who's responsible for updates? • Often, consumers are left to fend for themselves • Most computers are bought with outdated software • Recommended: enforce a standard secure default (software up to date when sold)

  11. Liability Assignment • Patching • Necessary but time-consuming and expensive • Publication of a patch may reveal the vulnerability • Applying the update depends on the user • Create incentives to improve releases • Standardize disclosure • Vendor liability for unpatched software

  12. Liability Assignment • Patching (cont) • Improve user uptake of patches • Make patching more reliable • Make patching easier/automated • Separate feature updates from security updates • Avoid undesirable restrictions (DRM) • Avoid disrupting user customization • Avoid burdensome processes • Keep patches free

  13. Liability Assignment • Consumer Policy • Customers • Generally used as the liability dump • Often left with little option or choice in resolving disputes • Recommended: procedures for the proper resolution of disputes between customers and service providers

  14. Liability Assignment • Consumer Policy (cont) • Suppliers • Less likely to protect consumers in a monopolistic environment • Often rely upon shrink-wrap contracts with take-it-or-leave-it terms (EULAs) • Abuses • Spyware installations • Spam • Recommended: sanctions for abuses

  15. Liability Assignment • Consumer Policy (cont) • Online transactions • Fragmented law • Current legislation does not fully compensate victims • Varying interpretations from country to country • Current rules favor suppliers • Recommended: revisit consumer protection laws

  16. Lack of Diversity • Promoting Logical Diversity • Consumers and firms are slow to accept changes • Software diversity • Positive network externalities push toward a single dominant product • Market domination creates a monoculture in which one vulnerability affects everyone (Zetter 2005, on Cisco) • Recommended: advise when a lack of diversity has security implications

  17. Lack of Diversity • Promoting Physical Diversity in CNI • Critical National Infrastructure (CNI) • Internet Exchange Points (IXP) • Very few IXPs for numerous ISPs • Failure of one IXP affects thousands • Recommended research into IXP failures and work to regulate peering resilience

  18. Fragmentation of Legislation and Law Enforcement • Cybercrime • Cybercrime crosses borders • Convention on Cybercrime (2001) • 27 EU states signed, only 12 ratified presently • Recommended: pressure the 15 remaining member states to ratify

  19. Fragmentation of Legislation and Law Enforcement • Law Enforcement Cooperation • Joint operations are available but limited • Generally set up for physical crimes • Operations are usually quid pro quo • Mutual Legal Assistance Treaty (MLAT) • Recommended establishment of an EU-wide body to facilitate international cooperation

  20. Security Research and Legislation • The Problem • Certain laws currently prohibit some research methods • Cryptography • Engineering tools • Other laws criminalize the supply of tools, e.g. UK: "[An offense to] supply or offer to supply, believing that it is likely to be used to commit [an offense]."

  21. Security Research and Legislation • Recommendations • Champion the interests of information security • Amend restrictions on research • Guard against laws that inadvertently stifle research • Encourage security research and development
