Hackers are increasingly exploiting vulnerable software. So
where does responsibility lie for ensuring software is secure, and
should suppliers be held liable?
A survey last month of internet users by
Get Safe Online found that 12% of respondents had
suffered online fraud in the past year, at an average loss of
£875. And the
Association of Payment Clearing Services has
highlighted a surge in the amount of money lost to online banking
fraud. In the first half of 2006, it cost banks £23m.
Why is this happening? Because cyber crime is now driven by
organised crime, and organised crime's raison d'être is to make -
or rather steal - money. And insecure software has become the
perfect means of attack.
Why rob a bank in the real world when you can filch money in the
virtual world from users' online accounts through Trojans and
keyloggers?
Although Microsoft took a
sabbatical from its monthly Patch Tuesday routine in March,
Apple more than made up for it by releasing a security update that
fixed
45 vulnerabilities in the Mac operating system and several
third-party applications.
The security update was Apple's seventh this year, bringing its
patch count to 64. Microsoft has released 16 bulletins and patched
30 vulnerabilities since the start of the year, while other
suppliers which have so far had to release major patches this year
include Cisco, Adobe, Google, Oracle and Computer Associates.
Bruce Schneier, chief technology officer at managed security
services company BT Counterpane, has a plan to tackle this
ever-present problem. He would like to see
software providers made liable for the quality of their
software.
Last month Schneier told the London School of Economics (LSE)
that the software industry needed to follow the example of the
credit card industry, which set out to help itself fight fraud and
losses when courts ruled that consumers were not ultimately liable
for fraudulent use of their credit cards.
Schneier believes the same approach is needed now in the
software industry to help drastically improve IT security. To
achieve this, he believes the ultimate economic responsibility for
better software should be moved directly to software makers, who
can influence the creation of more secure applications.
"If there is liability we will pay more for software, but at
least we will get better software out of it," he says.
According to Schneier, today's software development system lets
software suppliers sell products without any real
responsibility for them once users begin working with the
software.
Schneier admits that suppliers would rubbish the idea, but
believes that only such liability would drive
change. "Yes, it would need regulation to make it a reality, and
that is down to government. I know it will be difficult, but it
will probably come down to some congressman putting down a Bill,
and seeing where that leads," he says.
Schneier believes 10 factors in the IT landscape are
contributing to the current state of software. And it is getting
worse, not better, he suggests.
The factors are:
- The economic value of information
- The critical nature of networks
- Personal information is often controlled by third parties
- Criminals are the dominant attackers on the internet
- Complexity is the worst enemy of security
- Vulnerabilities are exploited faster than they can be
patched
- The sophistication of computer worms
- Attackers are targeting the end points
- In some cases, the end-user is the attacker
- Regulatory pressures, for example Sarbanes-Oxley and the PCI
Data Security Standard for retailers.
In addition, Schneier believes a number of economic factors are
affecting the development of software and ultimately impacting the
user.
According to Schneier there is a "market for lemons" - a lemon
being the US term for a defective product - because the seller knows
a lot more about the product than the buyer. Unable to tell good
software from bad, the buyer cannot make an informed decision and
may end up making the wrong one. Another problem is the high cost
of switching from one supplier's software to another, which keeps
users tied to what they already have.
Schneier believes another problem that is overlooked is the
issue of externalities. Suppliers try to balance the costs of more
secure software - the extra developers needed, fewer features and
longer time to market - against the costs of insecure software -
the expense of patching, occasional bad press and the potential
loss of sales.
However, what suppliers do not look at is the total cost of
insecure software, says Schneier. In other words, they only look at
what insecure software costs them and not at all the money the
software product buyers are spending on security. In economic terms
this is known as an externality: the cost of a decision that is
borne by people other than those taking the decision.
And when it comes to riding out the bad press, says Schneier,
even the suppliers come up smelling of roses. There have been so
many data breach stories in 2007 that it is no longer news.
A leading software supplier countered Schneier's comments by
saying, "We are always looking at ways we can improve our
communications to help customers get timely and useful information
to help them manage vulnerabilities. These include security
advisories, publishing incident pages, web casts, RSS feeds and
syndication of our content based on feedback from customers."
Security supplier RSA says, "No operating system or application
is immune from attack. One hundred per cent security is the
unachievable holy grail, and there will always be those who seek to
gain from that fact."
Andy Clark, chairman of the
British Computer Society's
Forensics Working Group, says he believes Schneier's liability
comments have a degree of common sense about them, but he adds that
the issue is complex.
"While it may be difficult to have general liability for a
problem, I prefer the idea of making companies liable for letting a
problem happen again. That is akin to the mantra that if you mess
me around once, that is my problem. If you do it twice, then it is
your problem. We also have a movement towards the use of open
source software, so who is responsible or liable for that?"
Clark also differentiates between safety critical software and
mission critical software. "Safety critical software could cost
lives if it failed. Mission critical could cost businesses their
future if it is at fault. If I cannot send out my invoices as a
business because of a software problem, then that might kill my
business," says Clark.
"One idea that might have merit is the introduction of a limited
liability procedure where you could take action against a supplier
for the cost of switching to another supplier's competing products.
Then the original supplier has the choice of reparations and repair
for the original faults - or the cost of your switch to a
rival."
Daniel Dresner, research manager for new funding and research
projects at the National Computing Centre and a software
quality specialist, says we have reached something of a watershed.
"Software quality is the victim of increased complexity. Operating
systems are so complex and run on such complex hardware, that even
a simple application may interact on many levels.
"For that reason, we need people to think about security from
the very beginning of software development, and responsibility has
to be down to good governance," says Dresner.
"When buying new software, you should identify that there is a
need to do a risk assessment for that software. Risk managers get a
bad deal, when their opinions really should be heeded. There are
many more risks out there.
"For example, you may think that putting your laptop in your car
boot would make it more secure. But now, there are sniffers that
can even detect the NiCad batteries," says Dresner.
"From the point of view of the marketing people within software
suppliers, there is an opportunity for a paradigm shift to consider
not just bigger, faster, stronger, but also to market 'stronger
security' as a differentiator."
Bruce Schneier's suggestion - not for the first time - that
suppliers should be liable for the quality of their software, has
prompted the suppliers to hit back, warning that such an option
would only result in highly subjective, frivolous lawsuits.
They argue that civil liability actions against technology
makers oversimplify the situation, because software is a product of
engineering and is not, and never can be, infallible. Suppliers
have also argued that lawsuits would stifle innovation and punish
the wrong people, shifting the blame away from wrongdoers who
attack software flaws towards the pursuit of civil liability for
vulnerabilities.
Carrie Hartnell, programme manager at
Intellect, the trade
association for the UK hi-tech industry, says that there needs
to be a better dialogue between users and developers.
"Naturally, we would not endorse software which is not fully
tested, but users need to determine what processes will use
software, and accordingly map how robust it needs to be to support
them and how much they are willing to pay for this."
However, Schneier insists that software suppliers are in the
best position to improve software security because they have the
capability. Features, schedule and profitability, however, are
usually far more important drivers, he says. Schneier believes
software liabilities would change that, align interest with
capability and improve software security.
"Today there are no real consequences for having bad security or
low-quality software. But liability changes everything. Currently,
there is no reason for a software company not to offer more
features, more complexity, and more versions.
"Liability forces software companies to think twice before
changing something."