Stanford CIS

The Role of Law

By Stanford Center for Internet and Society on

17:45

What role should legal rules play and how can the law help or hurt security in the area of vulnerability disclosure?

Gregory P. Schaffer, PricewaterhouseCoopers, Moderator
Peter Swire, Professor of Law at Ohio State University
Stephen Wu, Esq., InfoSec Law Group

(My apologies for my slow fingers...)

Greg Schaffer: How many people in the room are lawyers?

Snarky audience member: “Up against the wall.”

Laughter.

Greg ties this all back into his once being a lawyer… What are the differences in the realms?

* Prosecutors look for someone to pay for vulnerabilities. Who is responsible?
* Civil lawyers are less concerned about the wrong and more concerned about who is going to pay. How can we craft a complaint that will result in someone having to pay for a vulnerability that has been exploited? What’s difficult with this is that the issue of who is going to pay comes much later in the process. The question of disclosure – making people aware of what has put us in this situation that has got us into the crisis – doesn’t yet consider these information security issues.

Some people don’t give these issues 1/100th of the level of thought that has occurred here today.

Peter Swire explains a paradox: Open source mantra that there is “no security through obscurity” is not always true… Secrecy helps, secrecy hurts; disclosure helps, disclosure hurts. How do we resolve that?

We didn’t understand when disclosure was going to help or not. He got a certain amount of the way there…

Let’s think about the crypto, open-source society. Explicitly disclosing vuln. might not help the attackers because they are pretty far up the information chain anyway (did I get that right?). Disclosure will help the defenders – the users, the vendors – a lot. He’s not taking an Open Source vs. proprietary stance, but is saying that open source will help disclosure.

(I don’t know how to represent two-by-two matrices in a text editor… listen to the archive and perhaps understand)

Physical versus cyber security:

It is expensive to dig up buried pipelines and fix them (re: physical security). It doesn’t scale well, either. But with changing software, it is worth telling the world how to fix it because we’re getting much benefit for our fix.

Conclusions: When is disclosure going to better help security? He is proposing a simple model for when disclosure helps security. We might want to push for disclosure not because it helps security, but because it helps our general democracy. Whatever helps us have system security might also help us with privacy and confidentiality.

Stephen Wu:

Talking about the law itself. Two parts: Starting with the idea that there might be questions arising out of publicizing vulnerabilities. Can this create liability? Disclosing might bring about liability, but failing to disclose might also bring about liabilities.

“Damned if you do, damned if you don’t.”

Are there mandatory reporting requirements as well? If you disclose, how and when?

A background: Sources of liability include contract law, tort law, and statutory law.

If a company fails to provide patches that it contractually promised its customers, it could be found to be in breach of contract.

With torts, there might be liability because of wrongful conduct or failure to take an action.

An example: Negligence. Negligence per se, too (the violation of a statute deemed to be negligent). Interference with contractual relations. Fraud. Breach of fiduciary duty. Product liability.

Statutory claims relate to statutes that modify common law: the Computer Fraud and Abuse Act. The McDanel case, for example.

Believes that Section 17200 is going to be a major weapon against people who use the publication of vulnerability against people who cause harm.

Using the value of the software over a large number of people, lawsuits become economically viable (think Microsoft and XP or Office suits).

A hypothetical for discussion: Software vendor A sells to companies B, C, and D. B, C, and D hold sensitive information. There is a hacker X who knows about an exploit that uses a vulnerability in A’s software. Hacker Y is unaware of that exploit.

B finds a vulnerability. This would help C, but end up hurting D because ignorant hacker Y will learn about the exploit. Since all three companies are in the same industry, this could be deemed unfair competition or negligence. On the other hand, if B fails to disclose this vulnerability, it might have a liability to customers under SB 1386.

If you have an SB 1386 violation due to an exploit, what do you tell your customer? Do you tell them that their information has been stolen but you can’t tell them why?

What about the independent researcher who publishes a vuln.? That researcher may be deemed to be negligent. If he is doing it for financial gain, he could be hit for being anti-competitive.

Audience member: Peter, you distinguish between the physical world versus the software world. A better distinction might be between mechanism and instances?

Peter Swire: One of the things about instances is first-time attacks; they educate defenders…

Greg: One question that comes up is how often will you be able to distinguish between an instance and a mechanism? Would it be particular to your system the way it is configured? Maybe your instance really is a mechanism.

(listen to the audio… I’m telling you, it did a much better job of recording than I)

JG: Listening to everything that everyone has talked about today, “I get the feeling that the law is a bull in a china shop” that is doing things “willy-nilly” without any regard for that which we talked about today. Should the law stay out of it?

(from here on out is a wonderful case for streaming audio as well…)

Greg: “You’re a lawyer, do you think the lawyers will stay out of it?”

Peter: The law has started and will start with easy cases…

Lauren Gelman: What’s the mens rea of posting to Bugtraq?

Greg: The mens rea of posting to Bugtraq could be an easy case given the right set of facts.

(much discussion about the beneficial effects of disclosure versus the criminal effects)

At least everyone concedes that we’re going to have some very confused judges.

An aside: Apparently British citizens are protected under the first amendment as well.

Audience member: How unique is this discussion to the computer industry?

SW: It is very much related to the automobile industry, but the scope, magnitude, and speed of this new tech makes this different.
