Day 4 Thoughts

From Cyberlaw: Difficult Issues Winter 2010
Jump to navigation Jump to search

BGP

Sheel: The discussion on the BGP problem, although technical, was particularly interesting. Here's a question: if a full swap out of IP version 4 to 6 were to take place, could we then institute a full Secure BGP program at the same time? Perhaps I'm trying to combine two pieces of separate technical puzzles, but the point is this: perhaps we could focus on upgrading security at the same time as switching to IPv6.

Incentive Structures

Daniel: A key issue concerning cybersecurity seems to be the current lack of incentives for some actors to enhance security features of their products, services or practices on the internet. Do you envision a push for more control / oversight / monitoring to be exerted by platforms (Facebook, Amazon, eBay etc.) over developers that are constrained by their channels (developer kit, technical requirements for integration, framework for generating HITs and so on)? I can easily imagine users demanding such actions from aggregators of code or content, in progressive louder voices. In countries with a tradition of strong consumer protection, this is a step short of imposing liability over them. But would that move result in efficient solutions for internet "secure environments"?

ChuckC: Thanks again, class, for having me as a guest. To Daniel's question, I thought I should mention the Microsoft Security Development Lifecycle, which is a program whereby we follow good security practices in the development stage. Among the business reasons/incentives for looking at the development process is that code fixes performed after release cost much more than fixes performed during the design phase. Here's one link: http://msdn.microsoft.com/en-us/security/cc448177.aspx. The SDL is mandatory for our own products and we've made tools available externally too, but you are right to see that others might call for more regulatory approaches. One question I think we (and yr Professor) would wonder about is whether such control by platforms would be susceptible to competitive concerns (or conspiracy theories) and/or impact generativity.

Government Involvement

ChuckC: @ Emily (and other skeptics of gov't)- yr reading on the cybersecurity review may have turned up this (in the 3rd graf of the Preface): "The Federal government is not organized to address this growing problem effectively now or in the future." Well, at least score a point for candor... Our view, of course, is that the government and the private sector each have essential roles (and should share the sense of urgency): http://bit.ly/5Buls8