17:30-17:45
This is an almost-complete paraphrasing of what was said. Please check the audio recording if you want a more accurate/complete account (and let me know if I have anything down that's grossly inaccurate).
Jennifer Granick, Stanford Center for Internet & Society
Lauren Gelman, Stanford Center for Internet & Society
Scott Blake, Bindview
Greg Schaffer, PricewaterhouseCoopers
JG:
We have 10 minutes divided by 4, since we’re running late.
LG:
I'd like to start by thanking Jennifer, who put this together. For me the questions of liability are really interesting (I’m a lawyer). Hearing from the technologists is most important in determining who’s responsible, what it means to disclose, what the levels of disclosure are, and how that affects exploits and patches.
I’ll make a pitch for a symposium we’re having in spring where we will be discussing this further. There's an interesting question for the patch panel – where, between vendor and enterprise, the burden should lie. The metaphors are really interesting (on patches, better software, and how urgings for firewalls put burden back on enterprise). Also, the end user (who knows nothing about this) ends up having his/her info spread all over the internet. When there’s a vulnerability, someone out there is frequently harmed, but how are we going to deal with that? Sometimes there are criminal penalties, but these end up not affecting those in the best position to affect change/more secure software.
SB:
I'd like to summarize some themes from several panels. I'm surprised no one argued against the market failure in the providing of security. We like to think capitalism will save us, but it doesn’t seem to have done so. Instead, it seems to point to some role for government to step in. Many of us find this conclusion interesting and troublesome.
Also, the question of liability: Many questions are ripe for lawyers to get involved in determining liability. For instance, the idea of pre-disclosure communities and what role they have in product liability. Example: If I, as a company, take in a piece of non-public vulnerability info and subsequently resell it to someone who also does not disclose, but eventually someone else figures it out and uses it to break into a system, should I have liability for having advance knowledge and not using it? [Bruce Schneier: That would suck.] This is an interesting legal question for us.
JG:
Two people made a point that is interesting and can’t be neglected in determining best practices of security: Security must be about more than just fixing this one bug. It could be about democracy – holding government accountable. It also needs to be about broader interests rather than just this one particular military campaign or software vulnerability. This builds on Matt Glaze’s point, that we don’t know enough about this area to treat it scientifically, that doing this might limit innovation, and we end up concentrating on the tree and missing the forest.
GS:
One thing at the end of the day was that we had a significant number of lawyers in the room, and a significant number of people involved in this issue from the technology perspective. People think the disconnect is democrat/republican, but it’s really IT/legal. Each has well-developed universes, and likes to be the master of those domains. They don’t like to be uncomfortable about a whole realm of things that they know apply to them and are important, but don’t have a handle on. When you bring them together, they often don’t communicate too well and don’t understand how the universes impact each other. The people here are the ones from each of these realms that understand each other. It’s very important – the vast majority of the people in these realms have not thought about it and really need to. If there’s a market failure, it’s because there’s a whole universe of folks out there who haven’t thought about this but need to, and won’t do so until there's a crisis, when they will end up making decisions in a crisis mentality. There is a serious need for those of us in this position to push this information out to those who have not yet faced a crisis, and make sure they think about this in advance.
JG:
Thank you. [Jennifer now listed a large group of people who contributed and helped make the conference possible.] Let’s applaud all those people. Blogs are up, and we will post audio and a formal summary of the proceedings soon. Now there will be a cocktail/wine reception in the lounge followed by a gathering at Blue Chalk in Palo Alto. [Sadly, blog-readers will be unable to attend.]