Security Economics and the Internal Market.ppt

Security Economics and the Internal Market Ross Anderson, Rainer B?hme, Richard Clayton, Tyler Moore WEIS 2008, Dartmouth College 26th June 2008 ENISA European Network and Information Security Agency Established in 2004 Based in Heraklion, Crete Motivation: network insecurity threatens the smooth operation of the EU’s single market Duty: “giving advice and recommendations, data analysis, as well as supporting awareness raising and cooperation by the EU bodies and Member States.” Our Remit In Sep. 2007, ENISA commissioned us to write a report “analysing barriers and incentives” for security in “the internal market for e-communication” What are the big impediments to security? What is the EU’s role in fixing the problems? How might the advances in security economics (mostly through WEIS) usefully be applied? The Fundamental Problem of the Information Society More and more goods contain software More and more industries are starting to become like the software industry The good: flexibility, rapid response The bad: complexity, frustration, bugs The ugly: attacks, frauds, monopolies How will law evolve to cope? Analyzing the Harm Threats to nations – e.g. taking down networks in times of tension Physical harm to individuals – perhaps via failure of online medical systems Financial harm, such as card fraud and phishing Harm to privacy, such as by unlawful disclosure of personal data The Balance of Harm Since 2004, online fraud has been industrialized with a diverse market of specialist criminals trading with each other We have one or two things to say about CNI and privacy, but the report focuses on financial losses To identify the market failures – where the EU can lift barriers and realign incentives – we must look at the fraud process The Attack Lifecycle Flaw introduced, either in design or code Flaw is discovered and reported, either before or after zero-day use Patch is shipped, but not everyone applies Machines recruited to botnets to send spam, host phishing sit