SOFTWARE AND PLATFORM SECURITY
The Internet and its services are run by software. Many security issues arise because of poorly written or misconfigured software. The Common Vulnerabilities and Exposures database, a ‘dictionary of common names for publicly known information security vulnerabilities’, lists 60 000 software vulnerabilities between 2005 and 2014 (CVE, 2015).
They can be found in all operating systems and pieces of software. Anderson (2001) was one of the first to explore the fundamental economic reasons behind this phenomenon.Software products share a number of interesting characteristics with other ‘information goods’ (Shapiro and Varian, 1998). High initial development and production costs are accompanied by close to zero incremental costs for additional copies. Information goods often exhibit direct and indirect ‘network effects’. Direct network effects exist if the utility of a software product increases with the number of users (e.g., because documents can be shared with a larger group). Indirect effects exist if, as the user base grows, more complementary software and products become available, further increasing the utility of the software. In the absence of cheap and efficient converter technology, network effects can lead to switching costs and consequently ‘lock-in’ effects (Gottinger, 2003): the costs of equipping an organization with new hardware and software, the costs of switching from one solution or format to another including the associated costs of document conversion, and the costs of learning new skills all create rigidities that work in favor of sticking with the existing solution. This provides advantages for the first mover and disadvantages for competitors that enter a market late. Consequently, software markets have a ‘winner-takes-all’ dynamic that incentivizes vendors to move their products to market fast and to grow as quickly as possible.
In their battle for dominance, software vendors might initially give away their products for free or at a low price but change their pricing to generate a profit once they have a large user base and lock-in. Software vendors will attempt to lure developers to their platforms by making application programming interfaces (APIs) available for free or at a low cost as developers bring additional users. This might also imply that developers are given latitude and are permitted to work under lax rules for security technologies in the platform (Anderson and Moore, 2006). Vendors will lure customers with bells and whistles that are visible features or provide convenience. Security is rather intangible and does not easily fit into these considerations; it might even reduce functionality. That is why in the short term the market does not value security. After a firm gains dominance, the incentive structure changes: the costs of releasing software patches and mending brand damage incentivize firms to change course. An example is Microsoft whose reputation was tarnished after a series of spectacular worm attacks in the early 2000s. In response the company started an internal code-review campaign resulting in the release of Windows XP Service Pack 2 with many security enhancements in 2004 (Van Eeten and Bauer, 2008). Nowadays, Windows vulnerabilities make fewer headlines. Vulnerabilities have moved ‘up the stack’ to other applications, including open-source software. But, all in all, software vendors cause severe negative externalities as they do not bear much of the costs of insecure software.
Security software has an interesting extra hurdle. Since security is hard to measure, the average user basically has to take the word of a vendor claiming the product provides better security protection than another. Thus it becomes a classic lemons market (Schneier, 2007). A running joke states that antivirus software competes on every feature except security. Judging by the large sums spent on security products (Anderson et al., 2013) consumers demand security.
If they are lacking clear and reliable information they will likely underinvest in some key areas and overinvest in hyped ones.A number of ideas have been presented for aligning incentives of the players in the software market. To be fair the responsibility rests not solely on software vendors as they are not instigating the attacks. Even in a perfect market some users might choose software with a lower degree of security and remedy remaining problems using other countermeasures. Anderson et al. (2008) name an obligation to provide free and timely software patches for security products, mandating ‘secure by default’, and responsible vulnerability disclosure as policy options. Previously software certification has been suggested but this has not worked as anticipated. We look at these options later in the chapter.
Zittrain (2008) raised concerns that the market might evolve toward users preferring locked-down devices to reduce the threats from malware and other side-effects of insecure software. Given the rise of mobile devices there is some evidence to that effect as the major application stores are controlled by the respective firms or consortia (e.g., Apple’s App Store, Google’s Play Store, and Microsoft’s Windows Store). Application stores for web browsers are another example. Application stores have their own share of security problems and exhibit a wide variation in their security mechanisms. Anderson et al. (2010) compared the incentives of ten different application stores and concluded that soft liability and signaling have the best chance for improving security without stifling innovation. The shift towards software as a platform and the rise of application stores means that some software vendors become Internet intermediaries who have different incentives (e.g., Fershtman and Gandal, 2012).
13.4