That Was Close! Reward Reporting of Cybersecurity 'Near Misses'

Forthcoming in Colorado Technology Law Journal 16.2

U of Colorado Law Legal Studies Research Paper No. 17-28

38 Pages Posted: 6 Dec 2017 Last revised: 27 Aug 2018

See all articles by Jonathan Bair

Jonathan Bair

University of Colorado at Boulder, School of Law

Steven M. Bellovin

Columbia University - Department of Computer Science

Andrew Manley

University of Colorado at Boulder, School of Law

Blake E. Reid

University of Colorado Law School; University of Colorado at Boulder - Silicon Flatirons Center for Law, Technology, and Entrepreneurship

Adam Shostack

Independent

Date Written: December 1, 2017

Abstract

The proliferation of connected devices and technology provides consumers immeasurable amounts of convenience, but also creates great vulnerability. In recent years, we have seen explosive growth in the number of damaging cyber-attacks. 2017 alone has seen the Wanna Cry, Petya, Not Petya, Bad Rabbit, and of course the historic Equifax breach, among many others. Currently, there is no mechanism in place to facilitate understanding of these threats, or their commonalities. While information regarding the causes of major breaches may become public after the fact, what is lacking is an aggregated data set, which could be analyzed for research purposes. This research could then provide clues as to trends in both attacks and avoidable mistakes made on the part of operators, among other valuable data.

One possible regime for gathering such information would be to require disclosure of events, as well as investigations into these events. Mandatory reporting and investigations would result better data collection. This regime would also cause firms to internalize, at least to some extent, the externalities of security. However, mandatory reporting faces challenges that would make this regime difficult to implement, and possibly more costly than beneficial. An alternative is a voluntary reporting scheme, modeled on the Aviation Safety Reporting System housed within NASA, and possibly combined with an incentive scheme. Under it, organizations that were the victims of hacks or “near misses” would report the incident, providing important details, to some neutral party. This database could then be used both by researchers and by industry as a whole. People could learn what does work, what does not work, and where the weak spots are.

Keywords: computer security; data breach

Suggested Citation

Bair, Jonathan and Bellovin, Steven M. and Manley, Andrew and Reid, Blake Ellis and Shostack, Adam, That Was Close! Reward Reporting of Cybersecurity 'Near Misses' (December 1, 2017). Forthcoming in Colorado Technology Law Journal 16.2, U of Colorado Law Legal Studies Research Paper No. 17-28, Available at SSRN: https://ssrn.com/abstract=3081216 or http://dx.doi.org/10.2139/ssrn.3081216

Jonathan Bair

University of Colorado at Boulder, School of Law ( email )

Boulder, CO
United States

Steven M. Bellovin

Columbia University - Department of Computer Science ( email )

New York, NY 10027
United States

Andrew Manley

University of Colorado at Boulder, School of Law ( email )

Boulder, CO
United States

Blake Ellis Reid

University of Colorado Law School ( email )

Boulder, CO
United States

University of Colorado at Boulder - Silicon Flatirons Center for Law, Technology, and Entrepreneurship ( email )

Wolf Law Building
2450 Kittredge Loop Road
Boulder, CO
United States

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Downloads
402
Abstract Views
5,204
Rank
142,924
PlumX Metrics