Influencers: Lawsuits to prevent reporting vulnerabilities will chill research
Companies鈥 lawsuits aimed at preventing public disclosures of vulnerabilities will have a chilling effect on security research, a majority of Passcode Influencers said.
Earlier this month, security firm FireEye听听in Germany听, ERNW, from releasing details about vulnerabilities its researchers found in a FireEye product. Along with a recent controversial blog post by the chief security officer of Oracle complaining about researchers who reverse engineer the company鈥檚 software (potentially in violation of its terms of service) in the name of finding bugs, this sparked a heated debate over whether protecting companies鈥 intellectual property should take precedent over researchers鈥 freedoms to alert consumers to security weaknesses.
In a survey of experts from across government, the tech and security industry, and privacy advocacy community, 74 percent of Passcode鈥檚 Influencers voiced concerns about the companies鈥 legal threats against researchers. 听
鈥淟awsuits have already had a chilling effect on security research,鈥 said Tenable Security strategist Cris Thomas (aka Space Rogue). 鈥淣umerous researchers have either stopped looking for bugs, or worse, have stopped reporting them. The bugs are still there, possibly being used by the bad guys, but fear of prosecution, for what amounts to telling the truth, stops many researchers from reporting bugs.鈥
Or, as Charlie Miller 鈥 a security lead at Uber鈥檚 Advanced Technology Center who recently made headlines for wirelessly hacking a Jeep Cherokee 鈥 put it: 鈥淔inding vulnerabilities is hard enough without getting sued.鈥
Passcode鈥檚 Influencers Poll is a听听(listed below) in digital security and privacy. They have the option to comment on the record or anonymously to preserve the candor of their responses.
Potential costs associated with legal action can also be a strong deterrent for security researchers, some Influencers said.
鈥淚 have discovered several security vulnerabilities in commercial products, and the first thing I do before any research project is contact a lawyer,鈥 said Matthew Green, cryptologist at Johns Hopkins University. 鈥淚 need to do this to protect both myself and the graduate students I work with. This dramatically increases the cost of research and makes it much more risky for researchers to perform this essential work. That hurts everyone, since the vulnerabilities don鈥檛 go away when researchers are prevented from looking at products 鈥 we just don鈥檛 find out about them.鈥
There are costs to stifling security research, some Influencers said. If the vulnerabilities go undisclosed due to the threat of lawsuits, they said, then consumers are put at risk.
鈥淪ecurity research is vital to ensuring the highest level of data security for users,鈥 said Amie Stepanovich, senior policy counsel at digital rights group Access. 鈥淟awsuits brought by companies which impact the ability for researchers to conduct or present that research betray the trust of the users of those companies.鈥
A 26 percent minority of Influencers, however, said lawsuits will not have a strong negative effect on the security community or its work. Instead of deterring researchers, said Rick Howard, chief security officer of security company Palo Alto Networks, the increased attention could help draw more eyes to a security problem.
鈥淚t might stop some security companies from publishing their results, but threatening a lawsuit will not stop researchers from doing what they do,鈥 he said. 鈥淚n addition, lawsuits have a tendency to poke the bear. You may think you are compelling the research community to stop looking at your product. What you might be doing instead is drawing a bull鈥檚 eye on your product. The research community is funny like that. Before, a researcher might have no interest in your product. After a threatened lawsuit, that might convince a certain element in the community to see what all the kerfuffle is about.鈥
Others think it鈥檚 too soon to tell the long-term effects on security research.
鈥淟egal action isn鈥檛 a constructive, long-term solution,鈥 one Influencer, who chose to remain anonymous, said. 鈥淭he Commerce Department is expected to convene a multistakeholder meeting on vulnerability research and disclosure. This powwow will draw together security researchers, academics, companies, and tech vendors to identify areas of common ground. Commerce officials are attempting to increase trust and reduce friction among the various stakeholders 鈥 which is a good thing.
鈥淥fficials understand that there is no one-size-fits-all solution 鈥 IT systems will never be completely bug free 鈥 but coordination is crucial," the Influencer continued. "Stakeholders will hopefully begin to develop high-level principles leading to smart policy or best practices that are workable for multiple parties. Such an approach to uncloaking vulnerabilities in predictable ways is a much better way to proceed than litigation.鈥
What do you think?听听of the Passcode Influencers Poll.
Who are the Passcode Influencers? For a full list, check out our听
听
Comments: Yes
鈥淟awsuits silencing security researchers rarely get vulnerabilities fixed. It鈥檚 time for vendors to step up their maturity when it comes to responding to vulnerability reports, and focus on the engineering and coordination to get vulnerabilities fixed, rather than shooting (or silencing) the messenger.鈥 鈥斕Katie Moussouris, HackerOne
鈥淭his will impact those who want to look for vulnerabilities. I am concerned this will also have companies 鈥榟ide鈥 vulnerabilities they cannot patch for longer periods of times, leaving customer networks vulnerable.鈥 鈥斕Influencer
鈥淭ime and time again, we have seen that openness, transparency, and peer-review are the hallmarks for building the best security possible. A company鈥檚 attempts to prevent public disclosure of meaningful vulnerabilities is 鈥渟ecurity through obscurity鈥 -- it does not work, and leaves us all vulnerable. Enforced public ignorance is never a good solution to security problems and the idea that companies would spend time and money to make us less informed consumers is particularly egregious. Not only should companies disclose their vulnerabilities, they should be mandated to disclose these problems since it is the best way for us, their clients, to make informed decisions about which companies we wish to do business with.鈥 鈥斕Sascha Meinrath, X-Lab
鈥淟awsuits have a chilling effect. Access to the particulars of vulnerabilities must be granted in order for security research and good-faith testing. There should be transparency and information available to those within the white-hat security field for the identification of, disclosure of, and repair of code errors/malfunctions, security flaws, or vulnerabilities.鈥 鈥斕Influencer
鈥淵es, but not nearly as much as the extension of the Wassenaar rules to cyberspace will.鈥 鈥斕Martin Libicki, RAND Corp.
鈥渙n the chilling effect on security researchers, of which I鈥檓 one of many signatories, lays out my concerns (and those of dozens of other computer scientists and policy experts) quite nicely.鈥 鈥斕Kevin Bankston, Open Technology Institute
鈥淪ecurity researchers should engage in responsible disclosure, but these types of lawsuits stifle the publication of useful information that consumers and businesses need to keep their computer systems secure. A number of states, and the federal government, are considering legislation that would better protect individuals from lawsuits designed to hamper legitimate public speech. Security researcher may be one of the beneficiaries of such legislation.鈥 鈥斕Daniel Castro, Information Technology and Innovation Foundation
鈥淭he threat of litigation often inhibits researchers from disclosing a vulnerability even to the companies that may be responsible for the vulnerability, or to companies that have unknowingly incorporated the vulnerability in their products and services. The threat of litigation may also chill information sharing within the larger research community, which negatively impacts our understanding and response to cybersecurity threats.鈥 鈥斕Nuala O鈥機onnor, Center for Democracy and Technology
鈥淣ot only do lawsuits to prevent public disclosures of vulnerabilities have a chilling effect on security research, but they almost guarantee a grotesque financial advantage to criminal groups that prey on users running insecure software, and to the vendors, who will have little incentive to fix issues that are understood by criminals, nation states and security researchers but not the general public. Security researchers who identify and exploit software bugs play a little understood but absolutely crucial role in the software ecosystem, and hindering their efforts is a lose-lose proposition for consumers and researchers alike.鈥 鈥斕Nick Selby, StreetCred Software
鈥淚鈥檝e advised hundreds of security researchers and for many, especially those connected with large institutions, educational or otherwise, even the possibility of a lawsuit has been enough to chill important research. Yet our security is too important to be left to those willing to withstand litigation; we desperately need more secure systems. Laws like the CFAA and the DMCA anti-circumvention provisions and the overuse of restrictive contractual arrangements has left security research too often in a legal gray zone. It鈥檚 time we supported people who were trying to find out if our tools are safe rather than forcing them to run legal risks.鈥 鈥斕Cindy Cohn, Electronic Frontier Foundation
鈥淎s a researcher myself, I鈥檝e personally experienced this.鈥 鈥斕Influencer
鈥淩esponsible vulnerability disclosure underpins the entire security ecosystem. Lawsuits against researchers who provide pre-release notification only encourage them to engage in uncoordinated full disclosure or drive them out of the industry altogether. Companies have a duty to their customers 鈥 and, in many cases, to the public 鈥 to remedy security holes in their software, and they should do so as expeditiously as possible, which responsible disclosure facilitates. The choice for businesses is clear: mitigate don鈥檛 litigate!鈥 鈥斕Rep. Jim Langevin (D) of Rhode Island
鈥淭he effect is perhaps than it was ten years ago, but any efforts to suppress will have some chilling effect. But now, the security research community has far more tools at its disposal (not least publicity at Wired) to end-around such pressure.鈥 鈥斕Jay Healey, Columbia University鈥檚 School of International and Public Affairs
鈥淎s more and more commodity products include embedded computing platforms, we find ourselves at a turning point. If these manufacturers of the 鈥淭hings鈥 connected to the Internet of same choose to employ an adversarial approach, the cumulative risk and negative impacts on the Internet ecosystem will continue to grow. The computer software product world has been down this road before. While there are rational reasons for a vendor鈥檚 impulse to attempt to suppress information on security flaws in their products, these instincts do not usually serve the long term interests of the vendor, their customers, or others who might interact with both. Healthy, cooperative coordination of vulnerability disclosures between security researchers and vendors is the optimal case. In the IT/desktop software world, these processes, while not perhaps perfect, have evolved to include a recognition of incentives (which are not always monetary), and appear to have materially improved the time-to-fix for flaws that in prior years had sometimes quietly languished within shipping products, exposing users to attacks for years.鈥 鈥斕Bob Stratton, MACH37
鈥淟awsuits will always have a chilling effect on any activity that is subject to lawsuit. And of course, there will be numerous perverse effects, such as driving security research away from those groups or companies that would conduct themselves legally and ethically, and towards groups or entities that will not be bound by such prosaic considerations. It鈥檚 high time Congress pass information sharing legislation that will enable appropriate and effective sharing of vulnerability information.鈥 鈥斕Influencer
听
Comments: No
鈥淵ou tacitly assume that said lawsuits will either have an outcome favorable to the plaintiffs or are the working equivalent of a [Strategic lawsuit against public participation] suit. 听Under that assumption, the answer to the question is that there will be no chilling of security research done by real enemies, i.e., the ones who don鈥檛 share their results. 听Such suits are more like a screen door -- keeping out the harmless and the annoying, but irrelevant for any mortal dangers that come to the doorstep.鈥 鈥斕Dan Geer, In-Q-Tel
鈥淒on鈥檛 get me wrong: it鈥檚 possible that some research that would have otherwise been done, would not be done as a result. But this is hardly going to be the most important constraint on security research 鈥 that is about people and dollars. I鈥檇 spend my time fighting more important battles than this.鈥 鈥斕Influencer
鈥淚t鈥檚 obvious by the timing and content of the question that this week鈥檚 poll is prompted by FireEye鈥檚 recent controversy. Two corrections to the question are needed, based on the facts as reported in听. 1. FireEye didn鈥檛 pursue a 鈥渓awsuit鈥 against anyone. FireEye sought an interim injunction in a German court to prevent release of FireEye鈥檚 intellectual property. 2. FireEye wasn鈥檛 鈥減reventing public disclosures of vulnerabilities.鈥 FireEye did not seek to deny ERNW from disclosing the vulnerabilities themselves. FireEye cooperated with ERNW and approved their published report on the vulnerabilities.鈥 鈥斕Richard Bejtlich, FireEye
鈥淣o, but it will mean that security researchers are more circumspect with notifications, which will be a net loss for the good guys.鈥 鈥斕Influencer
鈥淭he market has spoken 鈥 vulnerabilities in software requiring frequent/constant patching is costing enterprises millions of dollars. The leading software vendors ARE NOT the ones talking about lawsuits or trying to squelch responsible vulnerability disclosures. In the long term, the same will be true in FireEye鈥檚 market of IPS appliances.鈥 鈥斕John Pescatore, SANS Institute
鈥淚 don鈥檛 think 鈥榓 chilling effect鈥 is necessarily the right way to characterize the security research end state. What I do see is that these lawsuits might have a motivating effect on security researchers to find vulnerabilities, report them to the responsible party for fixing them, and then work an arrangement to get publicly recognized for finding the flaw 听after it is fixed and deployed.鈥 鈥斕Influencer
鈥淧ublic disclosure or not, there鈥檚 no lid going back on the cybersecurity challenge.鈥 鈥斕Chris Young, Intel
鈥淗opefully it will prompt legislation and resolve issues being forced into court.鈥 鈥斕Influencer
鈥淗istory has shown us that the security research community reacts poorly to what they consider corporate bullying.鈥 鈥斕Amit Yoran, RSA
鈥淭hey have always pulled that stuff and it just makes them look bad.鈥 鈥斕Influencer
听
