11

In A Comparison of Market Approaches to Software Vulnerability Disclosure (2006), Rainer Böhme describes the profound role of economic "market failure" in the industry dynamics that hinder software security. He also describes 4 kinds of markets that can help:

  • Bug challenges, like payments by Mozilla and Google for security bugs
  • Vulnerability brokers, aka “vulnerability sharing circles”, e.g. CERT or iDefense
  • Exploit derivatives, an application of binary markets to security events
  • Cyber-insurance

The latter two seem to be the most promising. Have either of these ideas matured since then, and are they available anywhere?

See also

Update:

Update 2: I just ran across Tyler Moore's paper on misaligned incentives and information asymmetries, and getting ISPs to take more responsibility: Introducing the Economics of Cybersecurity: Principles and Policy Options (pdf), National Academies Press, 2010.

nealmcb
  • Another slant on the effective use of economic analysis and interventions in combating security problems is [Click Trajectories — End-to-End Analysis of the Spam Value Chain](http://www.icir.org/christian/trajectories/): Just 3 banks process 95% of spam-related purchases. So the easiest link in the spam chain to target is the banks. – nealmcb May 26 '11 at 22:31
  • Very interesting question, I hope this eventually gets some answers! Are you talking only about *disclosure*, or economic factors in improving security in general? – AviD Jun 05 '11 at 09:03
  • @avid I think disclosure is broad enough for this question. But I wouldn't be surprised if there were other good, unasked questions around getting the incentives right in other aspects of security - ask away! – nealmcb Jun 05 '11 at 17:53

3 Answers

2

Of these market types, the first two can benefit individual security researchers, but must be initiated by the vendor. Therefore, only vulnerability information regarding vendors participating in such a solution would be valuable under such a mechanism. Depending on the level of participation, this could deeply hamper a security researcher. Vulnerability brokers and cyber-insurance don’t have an immediate incentive for the individual researcher. It would be difficult to leverage a found vulnerability into income under these two systems.

Due to the secretive nature of the market at the present time, it is difficult for them to find a buyer, determine a price for the information, prove the value of the vulnerability, and exchange the goods for money. On top of this, at any point in this process, the vulnerability may be announced by someone else, making the discovery worthless. Some solutions exist which help to alleviate some of these problems; however, their actual implementation remains far off in the future.

Take a look at this paper: http://securityevaluators.com/files/slides/cmiller_auscert2008.pdf

RudraK
  • The paper by Charlie Miller which you link to is very much in line with the references I cited, and specifically notes the benefits of exploit derivatives, which does provide researchers with incentives (via inside knowledge), and doesn't require participation by the vendor, and deals with the time-sensitivity issue also. That's why I highlighted it, and am still looking for information on it. – nealmcb Jun 29 '11 at 15:21
1

Derivatives as a solution to imbue IT vulnerabilities with economic force appears to be a confused idea with potentially disastrous consequences. The date of the paper on that subject should be considered in its review. In the heady days of 2007, prior to the fat tail event that we now know as the Great Recession, risk swapping was all the rage. It turns out that we have numerous examples in the past few decades (Enron weather futures, Mortgage Credit Default Swaps (CDS), etc.) of the counterintuitive cost of derivatives when used for risk mitigation. Instead of mitigating risk they actually leverage it into the stratosphere.

Consider the economic forces at work in buying and selling swaps on whether a certain exploit will appear in the next month against a specific target. I can see the same forces that had hedge fund managers creating CDSs of mortgages designed to fail so they could bet against them acting in this space. Consider that you have a bet on a rare event happening to a large credit card company. The company could claim they were covered for the related liabilities by offloading the risk to the AIG of exploits insurance. The motive for the fellow on the other side of those AIG swaps would be to see the rare event happen. He could even place thousands against the odds of the event (paying out millions, as is the nature of derivatives) and be quite incentivized by the very economic forces we are trying to harness to the opposite effect.

That aside, let's consider more traditional economic forces in the context of this question. Is a vendor that provides critically flawed software or hardware not liable in the same manner as the auto manufacturer that produces a car which occasionally bursts into flames? As of today the answer is no. This situation will see an interesting evolution when we have software-induced auto failure, as we almost did with the uncontrolled acceleration accusation against Toyota. When that happens, does the fact that it was related to IT firmware or software release the manufacturer from liability, as we don't consider that liability valid because it has the COTS complexity immunity factor? The same economic question can be asked of those that provide services, such as our banks. If they expose my identity, which in turn allows the theft of my cash in their bank, will there come a day that the liability burden is moved more completely to the service provider and not the victim?

The maturation of the traditional economic forces related to vendor and service provider liability would be impeded by security risk derivatives. Derivatives would incentivize the evildoers to speculate and attack, and disincentivize the vendors and service providers as they lay off their risk (spell that responsibility) to the AIG of vulnerability swaps.

zedman9991
  • I don't understand what "disastrous" consequences you're referring to. The people that buy the "C" contracts (which pay if a vulnerability is disclosed by the given date) are folks like users that rely on the software, vendor insurers, and researchers that find vulnerabilities. This allows the researcher, e.g., an incentive to both find and to responsibly disclose vulnerabilities. Finding bugs is good, and disclosing them responsibly is also good. Vs the current situation: researchers have the incentive to irresponsibly disclose to third parties or crackers, since that pays much more. – nealmcb Jun 29 '11 at 16:01
  • I think we differ in our vision of the ecology in which these derivatives live. All futures to date, wheat to weather, have evolved to have a bigger speculator component than the user base for which they were originally designed. That would actually generate energy to make new exploits just to keep the game going. I see the avenue to address IT vulnerabilities as changing architectures, not finding holes in our current Swiss cheese. That fix will not be addressed by clever lads and lasses selling exploits. Instead the richest businesses in the history of mankind will need to reinvest and refactor. – zedman9991 Jun 29 '11 at 17:45
  • But as all these references document, due to the current disincentives, we're in even worse shape where neither vendors nor researchers have the kinds of incentives we need to see improvement in security. A futures market keeps people more honest, cuts off bubbles before they get out of hand, etc. And again, every exploit is one fewer bug when it gets disclosed responsibly, rather than being the continuing vulnerability that current incentives lead to. And "AIG" needs data to guide insurance rates, giving vendors a reason to develop securely rather than relying on the "lemon market" effect. – nealmcb Jun 29 '11 at 18:14
  • I agree that is the position of the references. But as the punch line goes, "Who are you going to believe, me or your lying eyes?" My point is any reference that has the temerity to suggest that derivatives don't cause bubbles needs to look at Long-Term Capital Management, Enron, Lehman Brothers, AIG, GMAC… I support your goal, but we have been here before with this type of solution and things did not go as expected. – zedman9991 Jun 29 '11 at 20:30
  • I'm still trying to follow the analogy here, and why you seem to think folks would have more incentive to be evil in attacks, given the chance to make clean money off derivatives, than they do now on the black market. Some specific links might help. Or can you clarify what you think a "bubble" in this context would be? More investment in finding vulnerabilities, with a clear incentive to responsibly report it, or in more secure software, would be very well spent now, don't you think? And if someone gets rich predicting what is secure, is that a problem? – nealmcb Jun 29 '11 at 21:07
  • My concern is the other side of that coin. Will the scheme make folks rich by creating situations that harm the swap insured? Perhaps I am taking the housing bubble model too far, but that happened in that scheme. Proffered as a win-win with all positive effects for homeowners, banks, and investors, but the result was a lose-lose for almost all. My assumption is there is a nearly limitless number of exploits available at this time (my guess is that is where we really differ) due to existing design flaws and product release methodology. All that said, I would love to see your concept work. – zedman9991 Jun 30 '11 at 12:44
  • I think we're nearing a better sense of what the underlying question is - thanks. I agree that there is a huge reservoir of exploits. I think the question is how to provide incentives to prevent them, find them, and responsibly disclose them so they can be patched before the bad guys get them. This is the only scheme I've seen that does that. What scenario do you see in which grey hats who find vulnerabilities, and who now make the most by selling to shady organizations, wouldn't prefer to earn $$ in the futures market & disclose the vulnerabilities more quickly to vendors, benefiting all? – nealmcb Jun 30 '11 at 13:43
  • Liability law is at the center of my vision for a better future. Grey and White Hats will be hot commodities when we have to refactor our Swiss cheese. Your suggestion would be easier and quicker if we could patch our way out of this nightmare. My problem is I just don't think we can. – zedman9991 Jun 30 '11 at 13:52
  • I hear you but that's off topic. I suggest you get a liability discussion going under a different question, to consider the likelihood and possible effects, both good and bad, of moving towards a more litigious atmosphere for software security. Offhand I expect a lot of counterproductive effects, and the track record of who benefits when lots more lawyers get involved is worse than when new markets are created, IMHO.... – nealmcb Jun 30 '11 at 15:01
  • What the hell do Mortgage Credit Default Swaps have to do with anything the author of this question asked? – Ramhound Mar 06 '12 at 19:04
  • Ramhound - the question was about making a market in "Exploit derivatives", so the idea was to view real world derivatives and their economic consequences/value as an applicable model. – zedman9991 Mar 06 '12 at 19:20
0

BeeWise, by Alfonso De Gregorio, is a partial / beta implementation of a security exploit derivatives market, using "play money", and relying on VDB to identify vulnerabilities, and CVSS to indicate conditions under which a system would be vulnerable. It was first implemented around 2011.

See more at BeeWise: A Futures Market for Fostering Security by Design by Alfonso De Gregorio on Prezi, which clarifies many of the issues, and compares markets that use play money with markets using real money. Non-economists can probably skip most of the first section of slides, and skip ahead with the slider to slide 24, "Vulnerability Markets: A Taxonomy".

nealmcb