In order to stem massive data breaches and strengthen cyber security, U.S. policymakers should reform laws to help make it easier for researchers to identify and address software bugs, according to a recent report from New America’s Open Technology Institute.
The report, “Bugs in the System: a primer on the software vulnerability ecosystem and its policy implications,” highlights the need for reform in the field of software vulnerability discovery and disclosure.
“People have heard about breaches and shady hackers and in order for an individual to engage or the government to engage, we really wanted a comprehensive primer so that this conversation could begin on all sides: corporate, government and national security sides,” Andi Wilson, policy analyst at New America’s Open Technology Institute, recently told Homeland Preparedness News.
Cyber security is a broad field, ranging from critical infrastructure to government hacking to military cyber engagement. Congress has taken a range of actions to address cyber security issues, but in the area of software vulnerabilities lawmakers have not taken much action, Wilson said.
Microsoft, Google, Apple and many other major companies have their own cyber security departments that are responsible for discovering and patching software vulnerabilities. Software flaws, however, are often found by individual cyber security experts, companies or governments conducting research outside of those major organizations.
“Our recommendations focus on how we can get information on vulnerabilities from the people who discover them to the people that know how to fix them,” Wilson said.
The report suggests that the U.S. reform computer crime and copyright laws so that legitimate research isn’t frozen by a concern about what could happen to the researchers who are conducting it.
“One of the policy issues that we discussed first is that researchers often feel under threat because of laws that Congress has implemented that mean that the type of research that they do could be illegal, that they could be sued by companies, that they could be charged by the government,” Wilson said.
The Computer Fraud and Abuse Act, the Digital Millennium Copyright Act and the Electronic Communications Privacy Act criminalize and create civil penalties for actions that security researchers routinely engage in while conducting legitimate security research, the report said.
Another challenging policy the report cites is the U.S. government’s participation in the market for previously undisclosed vulnerabilities, which are bought and sold.
The U.S. government should minimize its participation in the vulnerability market because it is likely the largest buyer in a market that discourages researchers from disclosing vulnerabilities to be patched.
“The U.S. government paying $100,000 for a vulnerability really inflates that market so that it is really dangerous,” Wilson said.
The report poses a question held by some researchers – what incentive is there to disclose a vulnerability for no financial reward or a small bug bounty when that vulnerability can instead be sold on the open market, “a market that unfortunately caters not just to democratic nations’ intelligence and law enforcement communities but to a wide range of spies, criminals, and repressive regimes—for much more money?”
“The government minimizing its participation in the vulnerability market, not overblowing that market, is exactly the step we’d like to see them take in the cyber security market,” Wilson said.
In addition, the U.S. government should establish clear procedures for government disclosure of the vulnerabilities it buys from companies or discovers for itself, the report said.
“The government has a program that is a vulnerability equity process, that is supposed to weigh the costs and benefits of keeping a vulnerability secret for defense or offense purposes, or disclosing it to the company. We don’t know a lot about this process,” Wilson said.
Another important recommendation is for government and companies to support vulnerability rewards or bug bounty programs, which pay researchers money in exchange for reporting a bug to a company. This type of reform would encourage more disclosure of software bugs to companies and fewer sales on the open market. Apple recently announced a new rewards program that would pay as much as $200,000 for the disclosure of a very significant vulnerability in its software.
“With the concept of vulnerability rewards programs, we want there to be good cooperation between government and industry to encourage more of these,” Wilson said. “That is an innovative way to foster disclosure.”
The report also cites the need for clear rules governing government hacking in order to protect both cyber security and privacy rights. The practice should be regulated, and legislation should be crafted to govern government hacking procedures, just as has been done for search and seizure practices like wiretapping, the report said.