Should we be outbidding the cyber criminals to keep our systems safe?
We increasingly rely on technology for the success of our businesses and even of our national economies. Yet that technology is under more and more threat from cyber criminals who adapt quickly to exploit any weaknesses. The resulting financial losses worldwide are estimated to amount to billions of dollars each year.
In a new report from NSS Labs, research director Dr Stefan Frei advocates an innovative approach to deprive criminals of access to vulnerabilities. He suggests that governments and security vendors could join together to create an International Vulnerability Purchase Program (IVPP) to buy vulnerabilities -- paying at or above black market prices -- to keep them from the hands of malicious attackers.
He points out that security currently depends largely on ethical researchers reporting vulnerabilities, but at the same time the black market is expanding fast and offering large rewards for the same information.
Dr Frei reckons that the cost of buying up all vulnerabilities would be less than the losses to cyber crime even if those losses were reduced by only ten percent. He also says that if every vulnerability were purchased for $150,000, the cost would still amount to less than 0.01 percent of US GDP. The report breaks down the cost of reported 2012 vulnerabilities by software vendor (based on the same $150,000 cost-per-vulnerability figure). This puts Oracle at the top of the list with vulnerabilities costing $64.1 million (0.173 percent of revenue), Apple second on $45.5 million (0.028 percent), and Microsoft sixth on $26 million (0.036 percent).
In addition to suggesting that governments get together to create an IVPP, the report recommends that software vendors offer competitive bounty programs for people who find bugs. It also suggests that governments and vendors need to introduce incentives so that developers produce more secure software in the first place.
You can get the full report on the NSS website. It's well worth a read and presents a solid case for the business and economic benefits of buying vulnerabilities.
Do you think this is the right way to go? Should we simply be looking to price cyber crime out of the market? Do let us know your thoughts in the comments.