The Security Practice

Hello, Michael Barrett here again.

I’ve written before about the responsible disclosure of security research, and the need for the industry to align around that.  And, other members of my team have previously highlighted PayPal’s own disclosure policy (https://www.paypal.com/cgi-bin/webscr?cmd=xpt/Marketing/securitycenter/general/ReportingSecurityIssues-outside) which attempts to lay out what we regard as acceptable vs. unacceptable behavior in disclosures of potential vulnerabilities within PayPal itself.

In the ensuing time, a couple of things have happened.  First, my own team has done a certain amount of security research into vulnerabilities that we’ve run into, and it’s helped clarify our own thinking about how the research itself should be conducted.  The experience of both conducting the research, and then working the disclosure process, gave us a great deal of insight.  Second, PayPal and its customers have recently been uniquely put at risk, not just by irresponsible disclosure, but by what we believe was irresponsible conduct in the way that the research itself was carried out. 

Over the last few years, there’s been a lot of debate within the security research community about the question of whether the laws that apply to security breaches have the necessary “carve outs” for legitimate security research.  The adequacy of today’s legal framework is a difficult topic.  I personally believe that these laws have grown in a rather organic fashion - that as such they are perhaps less well focused than they should be, and indeed they have often not kept up with the evolution of the Internet.   Frankly it has not helped where law-makers – no doubt with good intention – have attempted to outlaw all “hacking” tools, with apparently no awareness of where these tools have legitimate dual-use within the security community.

However, the security research community has tended to focus on “what’s legal” and “what do I do if I inadvertently breached the law”, but has given relatively little attention to the question of “what’s the ethical way to conduct and disclose my research”.  There is some thinking on this topic that is worth referencing, and these analyses represent a good starting point:

·         Towards Community Standards for Ethical Behavior in Computer Security Research, by David Dittrich, Michael Bailey, and Sven Dietrich, Stevens CS Technical Report 2009-1, April 20, 2009 [Local copy and most recent draft release.]

·         EFF’s Coders Bill of Rights - http://www.eff.org/issues/coders

·         Conducting Cybersecurity Research Legally and Ethically. Aaron J. Burstein. http://www.usenix.org/event/leet08/tech/full_papers/burstein/burstein_html/

·         Toward a Culture of Cybersecurity Research. Aaron J. Burstein. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1113014

We believe that the time is right to open a robust debate within the security research community on this question.

There are some who may argue that it’s still too early to develop such an ethical framework, either based on notions that the field is still too immature, or on potentially misguided notions that this is a First Amendment issue.  I think these two points are fairly easy to cover.  First, the security research area has in fact been operating for quite some time now: one could argue that the infamous Morris worm was the first example of rogue security research - and that was in 1988 - more than twenty years ago.  Second, I am personally very sympathetic to supporting First Amendment rights.  But, there are recognized limits to First Amendment rights in the real world - the famous shouting of “Fire!” in a crowded theater - and I’d argue that there should be some reasonable limitations to “speech” in the virtual world too.

To make this clearer, consider a hypothetical conference at which a researcher is presenting a design for an improved bomb.  (Please note that this is a very hypothetical case – there would likely be all sorts of practical reasons why this would never happen!)  It’s one thing to publish the details of how this improved bomb might work; it’s another to leave a pile of components & materials on the sidewalk outside the conference center.  The problem is that in the virtual world, publishing attack source code and cryptographic material is tantamount to being that pile of components & materials, and as such I believe it’s doubtful that it’s automatically covered by First Amendment rights.

Also, it’s quite clear that there are other areas where voluntary and non-binding codes of conduct have been very effective.  Probably the best example is of bioethics, where the overwhelming majority of researchers in biological & genetic engineering voluntarily subject their research to falling within certain guidelines, and formal oversight.  Another example is virology research, where there are well-understood guidelines to ensure that pathogens don’t escape into the outside world, as well as controls over publication to ensure that raw research is not disclosed in ways that would imperil public safety.  Why should information security research be any different?

While we’re not proposing any kind of formal oversight organization, we do believe that some kind of ethical framework for responsible research and disclosure is quite feasible.  If the guidelines are well-developed with good input from the community, they should be quite practical.

Based on the above thinking, we are intending to work to see how many people within the security research community we can find who are interested in the development of such guidelines.  We believe it’s finally time.