July 28, 2016
Who do you call when your company or agency is confronting a massive data breach? While there are multiple government agencies that are important to report breaches to, chances are that, in order to find out how the breach happened and fix the problem, you’ll want to talk to a security expert. Many of the country’s leading security specialists will be attending two of the world’s premier hacking conferences, Black Hat and DEF CON, taking place over the next week and a half. These world-class hackers and security experts will gather in Las Vegas to look at both the threats to the software vulnerability ecosystem and the opportunities to fix it. At past Black Hat and DEF CON events, we have seen researchers demonstrate hacking a Jeep Cherokee, breaking into mobile broadband modems, showing how to open any car or garage door in seconds, or hijacking a drone mid-flight. But most of these people aren’t the kind of scary hacker you’ve seen in movies or TV shows. In fact, many of them work to help secure these systems, and their dramatic demonstrations help companies like Fiat Chrysler make their cars safer. Experts like these are part of a wide range of actors seeking out security flaws in software, whether to fix them, exploit them, or sell them to someone else who will fix or exploit them.
But these important security issues need policy attention just as much as they need technical attention. Although researchers know the importance of finding and patching software vulnerabilities, those inside the Beltway must catch up. Unaddressed vulnerabilities are threats to economic stability, our national security, and consumers’ privacy, and policymakers and advocates need to be asking what they can do to help speed the discovery and patching of serious vulnerabilities. To help accomplish that, today OTI is releasing a paper titled “Bugs in the System: A Primer on The Software Vulnerability Ecosystem and Its Policy Implications.” This paper is intended to provide background to policymakers and advocates seeking to better understand this issue. It starts with the basics, explaining what vulnerabilities are, how they are found, and how they are patched. It looks at the obstacles - from bad actors to policy hurdles - that hinder the discovery and repair of vulnerabilities. It also offers policy recommendations on what policies might better ensure that more vulnerabilities are discovered, disclosed, and patched faster, and on how we can better align incentives so that more researchers share the vulnerabilities they find with the people who can address them and improve cybersecurity.

This primer aims to bring the knowledge of two communities together, combining the expertise of people who can demonstrate the software vulnerabilities in your car with that of those who have the power to create policies or write laws that address the threats these bugs can pose. By highlighting the current need for reform in the field of vulnerability discovery and disclosure, we hope that this primer will serve as a resource to help policymakers better understand the invaluable role of security researchers and identify ways to support their work, rather than hinder it.
DEF CON and Black Hat always provide a glimpse into the frightening reality that the software that runs much of our lives isn’t as secure as we want it to be. Security researchers can play a large role in patching those vulnerabilities and making us all safer, and policymakers have to step up to help them do that.
The primer can be downloaded here.