Subject category:
Knowledge, Information and Communication Systems Management
Published by:
Harvard Kennedy School
Version: January 2014
Share a link:
https://casecent.re/p/136201
Write a review
|
No reviews for this item
This product has not been used yet
Abstract
This sequel is to accompany the case. In 2011, Dillon Beresford, a computer security expert, discovered a series of new vulnerabilities impacting components of widely used industrial control systems. These new previously unknown vulnerabilities - what are known as ‘zero-days’ - were potentially very serious. Zero-day vulnerabilities are key components of computer viruses, worms, and other forms of malware. Vendors and security firms seek these flaws in order to patch and fix insecure software and hardware. Increasingly, however, nation sates and criminals purchase zero-days from independent security researchers in order to develop new destructive cyberweapons and capabilities. Managing the growing trade in zero-day vulnerabilities is a key challenge for policymakers and corporate leaders. The case follows Beresford as he discovers a set of new zero-days and considers the different disclosure options available to someone in his position. The case reviews the mix of incentives that might encourage or discourage the discoverer of a new zero-day to: (1) disclose the flaw to the vendor of the insecure software or hardware privately; (2) disclose the flaw to the public, without notifying the vendor; (3) pursue a hybrid-strategy known as responsible or coordinated disclosure; or (4) opt to sell the vulnerability. The case illuminates the different costs and benefits of each of these approaches for the security researcher, the vendor of the flawed software or hardware, and the public at large. Ultimately, the case asks students to consider which model of disclosure is most beneficial for the public and to consider what policy levers are most useful in supporting that model.
Location:
About
Abstract
This sequel is to accompany the case. In 2011, Dillon Beresford, a computer security expert, discovered a series of new vulnerabilities impacting components of widely used industrial control systems. These new previously unknown vulnerabilities - what are known as ‘zero-days’ - were potentially very serious. Zero-day vulnerabilities are key components of computer viruses, worms, and other forms of malware. Vendors and security firms seek these flaws in order to patch and fix insecure software and hardware. Increasingly, however, nation sates and criminals purchase zero-days from independent security researchers in order to develop new destructive cyberweapons and capabilities. Managing the growing trade in zero-day vulnerabilities is a key challenge for policymakers and corporate leaders. The case follows Beresford as he discovers a set of new zero-days and considers the different disclosure options available to someone in his position. The case reviews the mix of incentives that might encourage or discourage the discoverer of a new zero-day to: (1) disclose the flaw to the vendor of the insecure software or hardware privately; (2) disclose the flaw to the public, without notifying the vendor; (3) pursue a hybrid-strategy known as responsible or coordinated disclosure; or (4) opt to sell the vulnerability. The case illuminates the different costs and benefits of each of these approaches for the security researcher, the vendor of the flawed software or hardware, and the public at large. Ultimately, the case asks students to consider which model of disclosure is most beneficial for the public and to consider what policy levers are most useful in supporting that model.
Settings
Location: