The criminal market for software vulnerabilities is now so sophisticated and dangerous that governments should consider setting up a global programme to purchase flaws before they fall into the wrong hands, a researcher has argued.
Last month Dr Stefan Frei of NSS Labs calculated that criminals probably had access to around 100 zero-day software flaws known only to them at any moment in time, which represented a huge security risk to organisations, governments and consumers alike.
In a follow-up report before Christmas Frei and co-author Francisco Artes suggested that the level of insecurity was now far beyond what could be mopped up by commercial software bounty programmes such as those run by Microsoft, Google, Yahoo or specialist firms such as HP TippingPoint.
Flaws could take months to discover and possibly years to patch across the world’s population of PCs, leaving criminals free to exploit them more or less at will. With the uncosted economic and social toll rising and the industry no nearer producing secure software or accepting liability for its effects, the time had come for governments to resort to more drastic measures, Frei said.
Meanwhile a lucrative market has developed for flaws with security disclosures that depended on the efforts of a small population of security researchers, a worrying minority of whom were willing to sell flaws to the highest bidder, often criminals.
One solution would be a fully-fledged International Vulnerability Purchase Program (IVPP), which would seek to purchase serious flaws before criminals got hold of them.
The main advantage of this approach is that it could include software products not currently covered by bounty programs while also paying market rates high enough to encourage more security research as a whole.
Even paying above market rates – as high as $150,000 (£100,000) per flaw - “the cost of purchasing all vulnerabilities in a given year, and at competitive prices, is remarkably low compared to the losses that are estimated to occur as a result of cybercrime, or the economic output of major countries, or the revenue of the software industry for the same time period,” wrote Frei.
If such a program had purchased every known flaw during 2012, he calculated that the bounty costs would still only represent only 0.3 percent of the revenue of the world software industry, about 0.01 percent of US GDP.
Put another way, the costs of paying for all those flaws would be dwarfed by the economic effects of the same flaws once they are wielded by criminals. The price offered for a specific flaw would depend to some extent on the financial damage it might cause, a number that would always in theory be higher than the profit criminals could make from the same vulnerability.
In essence, Frei is arguing for something that would once have seemed almost unthinkable and may still be anathema in some parts of the industry - government-directed intervention. Driven by innovation, the software free market has failed to deliver on security and nor could it because it does not have to pay for its own failures. These are borne by the customers and society as a whole.
Ironically, it’s an interventionist idea that has occurred to governments too, including the ideological home of free-market solutions to just about any human problem, the US.
The mechanics of such a program would be complex but Frei has thought through some of the practical issues as well. Regional submission centres would be set up (probably using CERTs), before flaws were handed on to a central analysis department. The IVPP process would produce transparent public disclosure and documentation.
Frei doesn’t, of course, explain how this would all be paid for, nor what account might be taken of the views of firms with a current commercial interest in selling exploits. And if the volume of exploits reaching the public domain increased, what effect would this have on the vendors themselves and the organisations and paying businesses with the job of patching them? Many struggle to apply the subset of flaws they get to hear about without having this workload multiplied severalfold.
As interesting as the idea sounds, it is more likely that some of the job proposed will be achieved simply by waiting for the vulnerable Windows PC ecosystem to wither. Mobile and web platforms will be subject to a growing volume of flaws in time too but probably not on the scale witnessed in the dark ages when Windows users were left to fend for themselves.
This at least is one hope. But for the forseeable future, the costs of poor coding security will continue to be borne by organisations and citizens and not software firms.