Independent security experts speak of a public service. Lawyers foresee a class action bonanza in product liability litigation. What should be done when a system vulnerability is identified?
As a practicing lawyer for the past 18 years, I am alarmed by recent trends in the vulnerability debate. My concerns do not stem from the fact that software and operating systems are demonstrated from time to time to be flawed. Rather, it is my fear that the legal system, and the money-minded attorneys who fuel it, will dictate the agenda concerning how the infosecurity industry deals with the disclosure of both potential and actual technical flaws, and not the systems professionals on all sides who know technology best.
Two components propel the information security industry forward: firstly, never underestimate the human element (technology's lowest common denominator); secondly, true technological development will always depend upon a measure of dialogue between a product originator and its entire range of ultimate users. The strength of IT is founded upon the openness and the availability of knowledge about the product from all sources. Citizenship in this community is not restricted to or predicated upon set limits, but is open to all like-minded persons possessing both knowledge and interest in security in the broad sense.
The reticence of Microsoft concerning the public release of data regarding identified XP system flaws or other product vulnerabilities may seem sensible at first blush. There is no question that the public allegation that a hacker could take over a computer by utilizing the Windows universal plug-and-play is a serious international matter for Microsoft. No business wants this corporate black eye (or e-eye, for that matter) delivered after years of costly research and development, with many more millions having been spent to trumpet the arrival of the latest and the greatest. Consumer confidence in the security of the XP product is more essential in the current market than at any other time in the history of the computer, fearful as the public is of the next Internet-borne plague, infestations that seem to sweep upon us by the week.
Microsoft are not alone in the pursuit of such policies. In December, when the large non-profit security organization w00w00 identified a serious security flaw in the America Online instant messenger system, AOL criticized w00w00 for not giving AOL more time to correct the problem prior to making the flaw public. If one accepts that w00w00 have no commercial advantage to their actions, should the multinational, profit-driven AOL be entitled to have a serious flaw suppressed - which of these two players can be said to be more attuned to the public interest?
But on what path will the policy of reticence take Microsoft and others? The limiting of the release of technical data about a potential flaw by a system designer or manufacturer is like a boomerang - the decision will fly in a full circle and deliver a black eye of its own. The policy of reticence is rooted in the legal principle of buyer/consumer beware - say as little as possible about the flaws we suspect exist (or that we are certain exist), because the purchasers of our products are sophisticated individuals with ample ability to research our product and compare it to the competition. One need only look at the clear erosion of this defense in recent cases all across North America to see the folly of this approach.
The best defense to legal action in the IT product security setting is proof that the manufacturer followed security "best practices." There are always practical limits to the baring of the corporate soul when an error is identified, but reticence that crosses the border into the realm of withholding information that would assist consumers in protecting themselves is a compounded sin. At the very least, reticence illustrates a measure of corporate disdain for the consuming public.
If a hack attack, by its nature unsolicited and unwanted, can lead to liability for the problem being found against the ISP in question - where does the willful non-disclosure of a potential flaw leave a Microsoft or an AOL?
A further remarkable turn of events was precipitated by the Microsoft reticence. The FBI (in a rare star turn as consumer protection advocate) warned Microsoft XP users on December 21, 2001 that the steps recommended by Microsoft to correct the vulnerability did not go far enough. The FBI reversed itself a few days later, satisfied that the Microsoft mandated patch would protect against the identified security hole.
I do not advocate one-sided rants against corporate giants as a substitute for dialogue. When it comes to product development, the true public interest is fostered by a symbiotic relationship between the product originator and the using public. This relationship should not include the raising of spurious alarms about vulnerabilities, nor does it extend to taking peevish pot shots at industry giants - these are pointless exercises.
Constructive criticism from informed users, advanced with the public in mind, is hardly anarchy. If anything, a dialogue founded upon the exchange of proven technical data will create a meritocracy of information security products and systems. Corporate reticence, such as the current policy of Microsoft and others, will lead inexorably to the bunker mentality that lawyers will see as a fortress to be assailed in the class action forum. The infosecurity community will be the less for it.
Bryan Davies works and lives in Whitby, Ontario, Canada. A lawyer, a professor and a consultant on Internet security issues, Davies has prosecuted numerous Internet-based crimes, including serious frauds and multinational child pornography. He is currently assisting in the development of an Internet security systems course at Durham College, Oshawa, Ontario. Davies can be reached at firstname.lastname@example.org.