
Security Economics and European Policy
Ross Anderson, Rainer Böhme, Richard Clayton, Tyler Moore
Computer Laboratory, University of Cambridge


Slide 1: Security Economics and European Policy (title slide)
Ross Anderson, Rainer Böhme, Richard Clayton, Tyler Moore
Computer Laboratory, University of Cambridge

Slide 2: Security Economics and European Policy (outline)
- Information Asymmetries
- Externalities
- Liability Assignment
- Lack of Diversity
- Fragmentation of Legislation and Law Enforcement
- Security Research and Legislation

Slide 3: Introduction: Quick History Overview
- 1940s to 80s: Cold War
  - National concerns
  - Intelligence agencies
- 1990s to 2000s: Growing Internet popularity
  - Paradigm shift toward companies

Slide 4: Introduction: Quick History (cont.)
- 2000 to 2004: Rise of a new organized crime
  - Crimeware
  - Hacking for profit instead of sport
- Today
  - Fraud rings
  - Hacking rings

Slide 5: Information Asymmetries: The Problem
- Companies often under- or over-estimate statistics
- Security breaches are often stifled
- Lack of standardized data gathering
- Weakly defined policies
  - Digital pollution
  - International incongruence

Slide 6: Information Asymmetries: Recommendations
- A comprehensive security-breach notification law
- Regulate the publication of robust loss statistics for electronic crime
- Collection and publication of data about malicious traffic

Slide 7: Externalities: The Problem
- Who should pay?
  - Software vendors
    - Released software with security flaws
    - Users may compromise software security
  - Owners
    - Large companies with the capability to handle and repair infected devices
    - Small companies or individuals for which such setbacks are costly

Slide 8: Externalities: ISPs
- In the most capable position to improve security
  - More likely to notice threats/attacks first
  - Strong position of control
    - Total traffic control
    - Ability to filter/deny services
    - Quarantine infected machines
- Least likely to change

Slide 9: Externalities: Recommendations
- ISPs will not change without incentive
  - Introduce monetary penalties for slow response to malicious activity
  - Promote consistent reporting mechanisms to notify ISPs
  - Balance penalties to avoid knee-jerk reactions
  - Regulate ISPs to allow for a reconnection protocol at the expense of liability

Slide 10: Liability Assignment: Software and System Liability
- Who's responsible for updates?
  - Often, consumers are left to fend for themselves
  - Most computers are bought with outdated software
- Recommended: enforcement of a standard default

Slide 11: Liability Assignment: Patching
- Necessary but time-consuming and expensive
  - Publication of a patch may reveal the vulnerability
  - Updating depends on the user
- Create incentives to improve releases
  - Standardize disclosures
  - Vendor liability for unpatched software

Slide 12: Liability Assignment: Patching (cont.)
- Improve user uptake of patches
  - Make patching more reliable
  - Make patching easier/automated
  - Separate feature updates from security updates
  - Avoid undesirable restrictions (DRM)
  - Avoid disruptions to customization
  - Avoid burdensome processes
  - Keep patches free

Slide 13: Liability Assignment: Consumer Policy
- Customers
  - Generally targeted as a liability dump
  - Often left with little option or choice in resolution
- Recommended: procedures for the proper resolution of disputes between customers and service providers

Slide 14: Liability Assignment: Consumer Policy (cont.)
- Suppliers
  - Less likely to protect consumers in a monopolistic environment
  - Often rely upon shrink-wrap contracts with take-it-or-leave-it terms (EULAs)
- Abuses
  - Spyware installations
  - Spam, spam, spam
- Recommended: sanctioning for abuses

Slide 15: Liability Assignment: Consumer Policy (cont.)
- Online transactions
  - Fragmented law
    - Current legislation does not entirely compensate
    - Varying interpretations from country to country
  - Aspects currently favor suppliers
- Recommended: revisiting of consumer protection laws

Slide 16: Lack of Diversity: Promoting Logical Diversity
- Consumers and firms are slow to accept changes
  - Software diversity
  - Positive network externalities
- Market domination encourages vulnerability (Cisco; Zetter 2005)
- Recommended: advisement when diversity has security implications

Slide 17: Lack of Diversity: Promoting Physical Diversity in CNI
- Critical National Infrastructure (CNI)
- Internet Exchange Points (IXPs)
  - Very few IXPs for numerous ISPs
  - Failure of one IXP affects thousands
- Recommended: research into IXP failures and work to regulate peering resilience

Slide 18: Fragmentation of Legislation and Law Enforcement: Cybercrime
- Cybercrime crosses borders
- Convention on Cybercrime (2001)
  - 27 EU states signed, only 12 ratified presently
- Recommended: pressure upon the 15 remaining member states to ratify

Slide 19: Fragmentation of Legislation and Law Enforcement: Law Enforcement Cooperation
- Joint operations are available but limited
  - Generally set up for physical crimes
  - Operations are usually quid pro quo
  - Mutual Legal Assistance Treaty (MLAT)
- Recommended: establishment of an EU-wide body to facilitate international cooperation

Slide 20: Security Research and Legislation: The Problem
- Certain laws currently prohibit some research methods
  - Cryptography
  - Engineering tools
- Others question usage
  - UK: "[An offense to] supply or offer to supply, believing that it is likely to be used to commit [an offense]."

Slide 21: Security Research and Legislation: Recommendations
- Champion the interests of information security
- Amend restrictions on research
- Defend against inadvertent stifling of research
- Encourage security research and development

