Abstract: The disclosure of software vulnerabilities has stirred controversy for decades among security researchers and software vendors, and more recently governments. Despite increasing interdependency of software and systems (e.g., the Internet of Things) and resulting complexity in vulnerability disclosure and coordination, no unified norms have yet emerged.
This talk addresses the development of norms that (attempt to) govern the disclosure of software security flaws in relation to structural changes in the software industry and the Internet. These include new forms of private but monetarily rewarded disclosure on markets and through bug bounty programs, as well as government efforts to prohibit the proliferation of knowledge and technology through export controls. Recently, governments have acknowledged withholding vulnerability information on the grounds of national security and law enforcement needs, trading this off against the need for defensive security of civilian computers and networks.
The talk outlines pressing policy issues and connects them to recent developments (e.g., Apple vs. FBI). It concludes by making the case for why norms on vulnerability disclosure are an essential component in shaping cybersecurity governance.
About the Speaker: Andreas Kuehn is a Ph.D. Candidate in Information Science and Technology at Syracuse University. He joined CISAC as a Zukerman Cybersecurity Predoctoral Fellow in October 2014. Before that, he was a visiting graduate student at Cornell University’s Department of Science & Technology Studies. He holds an M.Sc. in Information Systems from the University of Zurich, Switzerland.
In his dissertation, Andreas examines the historical, organizational, and institutional development of software vulnerability and exploit markets as they are shaped by the perennial controversy over vulnerability disclosure. His qualitative, empirical research on emerging technologies and governance is informed by Science and Technology Studies and Institutional Theory.