January 2015
Software Insecurity: The Problem with the White House Cybersecurity Proposals (13 January 2015)

Software Insecurity: The Problem with the White House Cybersecurity Proposals

13 January 2015

The White House has announced a new proposal to fix cybersecurity. Unfortunately, the positive effects will be minor at best; the real issue is not addressed. This is a serious missed opportunity by the Obama adminstration; it will expend a lot of political capital, to no real effect. (There may also be privacy issues; while those are very important, I won’t discuss them in this post.) The proposals focus on two things: improvements to the Computer Fraud and Abuse Act and provisions intended to encourage information sharing. At most, these will help at the margins; they’ll do little to fix the underlying problems.

The CFAA has long been problematic; the concept of computer use in "excess of authorization" has been abused by prosecutors. The new proposal does amend that, though the implications of the language change are not obvious to me. Fundamentally, though, the increased penalties in the new CFAA matter only if the bad guys are caught. That rarely happens. Increased penalties won’t deter attackers who doesn’t think they’ll ever actually come into play. It’s often been noted that it’s certainty of punishment, not severity of punishment, that is actually effective.

The new reporting rules may have some beneficial effect, but it will be minor. Some sites, especially the large, sophisticated ones, can be helped by knowing what attackers can do; arguably, this will let them tweak their monitoring and/or firewall rules. Some government agencies will get a broader picture of attack patterns; this may let them improve attribution or perhaps issue better advisories. Most sites, though, aren’t helped by this; they have to wait for vendors to fix the problem. And therein lies the rub: most security problems are due to buggy code.

Certainly, there are other factors contributing to security problems, such as horrible usability; however, a very high percentage of system penetrations are due to the very mundane-sounding problem of flawed code. This specifically includes all "drive-by downloads" and "privilege escalation" attacks following some user-level penetration. The only way we will significantly improve our overall security posture is if we can make progress on the buggy code issue. The White House proposals do nothing whatsoever to address this—and that’s bad.

To be sure, it’s not an easy problem to solve. Microsoft, despite a tremendous (and admirable) effort, still has buggy code to deal with. Passing a law banning bugs is, shall we say, preposterous. But would changes to liability law help, perhaps by banning the disclaimers in EULAs? How about tax breaks for certain kinds of software development practices? Limiting the ability of companies to write off expenses incurred by dealing with breaches? The equivalent of letters of marque for bug hunters, who would be paid a bounty by the vendor for each security hole they find and report? All of these are at least somewhat problematic (and I’m not even serious about the last one), but at least they attempt to address the real issue.

Deterrence won’t suffice, even for ordinary criminals; it won’t matter at all to the more serious state-sponsored attackers, despite the indictment of some alleged Chinese military hackers. The goal should be prevention of attacks, not punishment after the bad guys have succeeded. This proposal doesn’t even try to address it.

Update: Orin Kerr has a nice analysis of the proposed textual changes to the CFAA.