Outbidding the Crooks: One Way to End Exploits

When a burglar throws a brick through a jeweler's window and makes off with the stock, his gains are substantially less than the jeweler's losses. The thief will have to fence the items below their actual value, since they're "hot." The jeweler has not only lost the value of the merchandise, he has to pay for a new window. By the same token, a cyber-crook who steals a million credit card numbers might sell them for a few thousand bucks; notifying a million customers and setting them up with new cards will cost the card issuer vastly more.
This disparity sparked an idea for Stefan Frei, Research Vice President at NSS Labs. Most cyber-attacks crack the victim company's security by exploiting some type of vulnerability in the operating system or other software. What if we could take that tool away from the crooks? In a detailed research paper, Frei and fellow analyst Francisco Artes spell out the bold idea of creating an International Vulnerability Purchase Program (IVPP) that would pay more for vulnerabilities than the crooks can afford.
Running the Numbers
Different pundits offer different estimates of financial losses worldwide due to cybercrime, but they range between tens of billions and hundreds of billions. Frei ran the numbers on vulnerabilities published in 2012 and found that the cost to purchase each for $150,000 would have been vastly lower than the amount of financial damage they caused.
First, let's look at the highest cost and the lowest return. Suppose the IVPP paid $150,000 for every vulnerability regardless of severity or prevalence of the software involved and thereby avoided ten billion in financial losses. The cost of purchase is just under 8 percent of the losses in this worst-case scenario.
However, fully one third of exploited vulnerabilities were found in programs by the top ten vendors. Just paying for those, and accepting an estimate of 100 billion for losses, the cost goes down to 0.3 percent of the lost value. A graduated scale of payment based on severity would also reduce costs. As a comparison, the report notes that retail companies in the US expect to lose 1.5 to 2.0 percent of annual sales to pilferage or "inventory shrinkage."
The report also found that the cost of buying all vulnerabilities in 2012 would have been about 0.005 percent of the U.S. GDP or the European Union's GDP, and under 0.3 percent of total revenue for the software industry.
Security Holes Are Here to Stay
Part of the paper reviews the current situation as regards software vulnerabilities. Simply put, even if it were possible to write flaw-free software, it wouldn't be profitable. The big cost of a data breach falls on the company that was breached, not on the purveyor of the flawed software. In business terms, that cost is a "negative externality" for the software vendor, and "profit-driven businesses do not invest in eliminating negative externalities."
Conceivably users could force the issue by refusing to purchase software from vendors of software containing security holes. In practice, though, vulnerabilities are the norm. We all expect them, and they're not going away. The report notes that "there is no legal liability for the quality of software, and this is unlikely to change anytime soon."
The researcher who discovers a new security hole can quietly submit it to the vendor, announce it publicly, or sell it to the highest bidder. An earlier NSS Labs study reported a thriving resale business for black market exploits. The report notes that things would be a lot worse but for the fact that many security researchers altruistically refrain from selling to black marketers.
Crooks Can't Compete
In a supply-and-demand world, you might think that the crooks would just compete with the good guys, bidding more for brand-new vulnerabilities. The report points out that the same disparity between small gain for the crooks and big loss for the victims means that the crooks simply can't compete. They can't offer more than their maximum anticipated revenue, while an IVPP could pay much more to avoid colossal losses.
In fact, the substantial reward for newly-found security holes would likely lead to more discoveries. A researcher whose only potential reward is a pat on the back, T-Shirt, or a few hundred dollars just isn't as motivated. When grabbing the brass ring gets you $150,000, that's a different story.
Big Plans
The full report offers a detailed proposal for just how an International Vulnerability Purchase Program would work. It covers everything from who would pay, to how reporting would happen, to the full organizational structure, and more.
Will it happen? That remains to be seen. But this very thoroughly thought-out report convinces me that it really could work.