The law and economics of software security.

Author: Hahn, Robert W.

INTRODUCTION
I. AN OVERVIEW OF SOFTWARE SECURITY
  A. What is Software System Security?
    1. Types and Methods of Attack
    2. Types of Damage
  B. Identifying Cyber-Criminals and Their Motivations
II. THE ECONOMICS OF SOFTWARE SYSTEM SECURITY
  A. A Framework for Evaluating Software System Security
  B. The Economic Costs and Damages Involved
    1. Measuring the Loss
    2. Measuring Prevention Efforts
  C. The Underlying Market Failures
    1. Key Market Failures
    2. Are the Market Failures Significant?
III. THE LAW OF SOFTWARE SYSTEM SECURITY
  A. Assigning Liability
  B. Recent Software System Security Legislation
IV. THE FUTURE OF SOFTWARE SYSTEM SECURITY
  A. Regulating Software Developers
  B. Regulating Software Users
  C. Regulating Cyber Weapons
  D. Government Leading by Example
  E. Voluntary Corporate Actions
  F. Cyber Insurance
V. CONCLUSION

INTRODUCTION

Security in software networks relies on a complex mixture of technology, law, and economics. The considerable press surrounding security issues, the spread of worms and viruses on the internet, the possible link between identity theft and terrorism, and the penetration of online financial databases, attests to the subject's growing significance.

As the costs of software security breaches become more apparent, there has been a greater interest in developing and implementing solutions for different aspects of the problem. For example, the information technology community is prodigiously developing new fixes, ranging from gate-keeper protections to procedures for constructing more secure software. Increasingly, the federal government is paying more attention to this issue, particularly in the realm of online terrorism. (1) Additionally, there are numerous pending bills that would increase penalties for different kinds of cyber crime. (2)

Scholars address the software security problem from several different angles. (3) Most research in this area, however, focuses on discrete elements of the problem. Some scholars selectively focus on technical fixes that could help alleviate the problem, (4) whereas others examine the underlying institutions and incentives that shape consumer, business, and government responses. For example, Professor Randal Picker considers the issue from a structural point of view, asking whether a technological "monoculture" really weakens security. (5) He concludes that the security offered by having different technological platforms is not necessarily greater; indeed, sometimes a diversity of platforms can create serious problems of its own. (6) In contrast, Douglas Barnes examines how policymakers could reduce the prevalence of viruses and worms by "deworming" the internet. (7) He suggests assigning some liability to both software developers and software users. (8) Finally, Kevin Pinkney analyzes how to overcome what he views as software developers' failure to provide secure code. (9) He too would assign some liability to developers but would allow ex post corrections to mitigate that liability. (10)

Although most research in this area focuses on discrete elements of the problem, the security problems addressed are not precisely defined, and researchers assume the problems are already well understood. (11) Similarly, many articles presume that the particular issue they address is a serious problem in economic terms without specifically considering the total quantitative losses in more than a few incidents.

This Article seeks to address these gaps by presenting a comprehensive assessment of the software security issue using a law and economics framework. We begin by providing a definition of software security that illustrates the complexity of the problem. We then review and critique the literature that assesses the costs of software security. Finally, we evaluate a number of possible approaches for addressing security problems using a law and economics framework. (12)

Our analysis leads to four key findings. First, software security problems come in many different shapes and sizes; therefore, the appropriate solutions will depend on the nature of the problem. Second, although attacks are becoming more common, the available data does not clearly establish that each aspect of software security poses a significant problem in terms of the damages inflicted by a breach. Some problems impose large costs on different groups, both in preventive and corrective costs. Other problems appear to function as more of a nuisance. Third, contrary to the prevailing view that market failures in the provision of software security are serious, some software users, particularly businesses, may face fairly strong incentives to take reasonable precautions. In response to this demand, several innovative market-based solutions have emerged to address a number of software security problems. Fourth, although some of the regulatory proposals for addressing security may be worth considering, most would require modification to ensure they do more good than harm. Moreover, broad interventionist proposals are difficult to justify given our findings about market-led responses. Instead, we conclude that the best role for the government would be to encourage the collection of more detailed data that would better inform policymakers about the need for specific actions. Furthermore, government agencies should seek to optimize their own security.

In Part II, we examine different aspects of software system security. In addition to defining software system security, we also consider the characteristics of different varieties of cyber criminals and their motivations for breaking into computer systems. Part III examines the economics of software system security. We provide an economic framework for evaluating software system security and assess the size of security related problems. We then review the underlying market failures that contribute to software security problems. Part IV surveys the legal rules that apply to software. We also consider existing legislative efforts, and discuss whether those endeavors have been successful in addressing the known market failures. Finally, Part V analyzes policy proposals aimed at increasing software system security.

I. AN OVERVIEW OF SOFTWARE SECURITY

A. What is Software System Security?

Before assessing policies for addressing software security, it is important to have a clear understanding of what is meant by "software system security." The aim of software security is to reduce certain forms of damages. (13) Thus, one way of categorizing software security is through the types of damages caused by particular security breaches. Typically, there is an attacker, a method of attack, and the resulting damages. Table 1 provides an overview of different kinds of attacks and damages. (14)

1. Types and Methods of Attack

All of the items listed under the first column, Key Types and Methods of Attack, involve approaches intended to breach a computer network's defenses. The table reveals that there are many different routes for attacking computers or networks, many of which may be combined in a single attack.

In a denial of service attack, a network is inundated with worthless traffic, overwhelming the network and shutting down access. (15) Although the traffic itself may not appear unauthorized, "the volume and frequency of the traffic will increase to unmanageable levels." (16) If, for example, an internet access provider like AOL were hit with a successful denial of service attack, all AOL subscribers would be unable to sign in to their accounts, read their emails, or gain access to the internet. These attacks were particularly popular during the early days of the internet when a single large email attachment could bring down a network. (17)
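The article's definition of a denial of service attack turns on volume: traffic that is individually unremarkable but arrives at "unmanageable levels." The following is an added example, not part of the article, of the simplest defender-side check that follows from that definition: a sliding-window count of requests per source over web-server access log lines. The log format (Apache common log format), the window and threshold values, and the IP addresses and log lines are all assumptions constructed for the example.

```python
"""Added example (not from the article): flag sources whose request rate
within a short sliding window exceeds a threshold, using constructed
access-log lines in Apache common log format."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# One common-log-format line: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line):
    """Return (ip, timestamp) for a well-formed line, or None for junk."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts


def flag_flooding_sources(lines, window_seconds=10, threshold=10):
    """Return {ip: time_first_flagged} for every source that issued at least
    `threshold` requests inside any `window_seconds`-long window.

    Events are sorted by timestamp first, so log order does not matter.
    A per-source deque keeps only the timestamps still inside the window,
    so memory stays bounded by the request rate rather than the log size.
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e[1])
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    flagged = {}
    for ip, ts in events:
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop timestamps that left the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def _constructed_line(ip, ts):
    """Build one constructed log line (assumed format, made-up content)."""
    return f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET / HTTP/1.0" 200 2326'


def constructed_sample():
    """Constructed traffic: a normal visitor, a slow steady crawler, and one
    source sending 30 requests in about six seconds. IPs are documentation
    ranges, not real hosts."""
    base = datetime(2005, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(4):   # normal visitor: 4 requests spread over a minute
        lines.append(_constructed_line("198.51.100.7", base + timedelta(seconds=15 * i)))
    for i in range(12):  # steady source: one request every 20 s, never 10 in 10 s
        lines.append(_constructed_line("192.0.2.44", base + timedelta(seconds=20 * i)))
    for i in range(30):  # flood: 30 requests within ~6 s
        lines.append(_constructed_line("203.0.113.9", base + timedelta(seconds=30 + 0.2 * i)))
    lines.append("this line is deliberately malformed and must be skipped")
    return lines


if __name__ == "__main__":
    for ip, when in flag_flooding_sources(constructed_sample()).items():
        print(f"{ip} exceeded the request threshold at {when.isoformat()}")
```

The point of the per-source window is that it separates "a lot of traffic" from "a lot of traffic in a short time from one place," which is what distinguishes the flood the article describes from a busy but legitimate client; the same loop with a looser window and lower threshold will, as the test shows, start flagging ordinary visitors too, which is the tuning trade-off any volume-based detector has to make.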

More recently, worms and viruses (18) have received considerable press, particularly the notorious Love Bug and Blaster worms. (19) These self-replicating programs are typically sent through email, often corrupting data files and programs on a recipient's personal computer. (20) The Love Bug worm appeared in Asia in May 2000 and quickly spread to the United States through email attachments, affecting government computers at Congress, the White House, and the Pentagon. (21) By some estimates, this worm caused $10 billion in economic damages by overwriting files and corrupting data. (22) Three years later, in August 2003, the Blaster worm appeared and exploited vulnerabilities in operating systems. (23) Although its effects were far reaching, they appear to be less costly than those of the Love Bug. (24) The Blaster worm slowed down personal computer response times, with some machines requiring a reboot to restore operations. (25) According to a survey by the International Data Corporation (IDC), a leading technology research firm, viruses and worms are the "most serious threat facing corporations today...." (26) Because so many people are affected by this type of attack, worms and viruses are especially visible to the public, the press, and policymakers. (27)

Trojan horses are a type of malicious software (malware) related to worms and viruses. (28) Like their namesake from Greek mythology, these programs seem benign, but actually contain malicious code. (29) Although some Trojan horses merely change simple desktop settings, others can cause serious damage by deleting files and destroying information. (30) The MyDoom Trojan horse of 2004 opened a backdoor that enabled its author to download personal data from infected computers and caused an estimated $4.8 billion in damages. (31) Trojan horses generally cannot replicate themselves, (32) and must therefore rely on malicious or unsuspecting end users to spread through a network.

Trojan horses are successful because of people's general inclination to trust, a trait also exploited by con artists using "social engineering." (33) The con artist in this case will trick someone into revealing otherwise secure information and thus enable network or database access that appears authorized but is...
