All companies should uphold a certain standard of ethics for security, protecting their customers, employees and shareholders from personal harm and from damage to the company's valuation – a Hippocratic oath of sorts. Legislation alone is a poor substitute, because it tends to spur activity focused only on compliance rather than on the safety of individuals. There needs to be a general, collective desire among security teams to work together to protect the public at large.
The recent St. Jude Medical affair, in which cybersecurity firm MedSec partnered with investment firm Muddy Waters to short-sell the medical device company, sets a dangerous new precedent for security research and vulnerability disclosure. It raises new ethical questions about the responsibilities of both security researchers and vendors when sharing findings. We have not previously seen independent security researchers use the potential existence of zero-day vulnerabilities in a product to short a stock for their own financial gain.
While it is reasonable to think that independent researchers should be rewarded for their efforts, using the findings in conjunction with an investment firm rather than providing them to the company for corrective action violates one of the core tenets of white hat research. The interest of the researcher should be to make the world more secure, not to profit from a corporation's vulnerabilities.
One could argue that working with an investment firm puts more pressure on a company to do the right thing. However, this kind of behavior forces a company to act solely on shareholder protection, rather than balancing the needs of shareholders with those of customers and employees. The result is a company trying to protect its valuation instead of addressing the security problem, or even denying that the problem exists in order to avoid widespread panic over a potential security issue.
While not technically illegal, this is an example of a very dangerous activity that puts the wider community at risk in the interest of profit. The language in Muddy Waters' report was clearly aimed at scaring investors who may not have a strong understanding of the issue. The report asserted that the vulnerabilities in St. Jude's cardiac devices were "orders of magnitude more worrying than the medical device hacks that have been discussed in the past," and claimed they could be exploited by "low level hackers" using a $35 unit "readily available on eBay." This fear-mongering is the kind of activity that gives cybersecurity advocates a bad name. On top of all this, many of the report's findings have since been disputed by independent researchers.
If the security industry is going to be successful, we need to stand on two key pillars: the desire to do good and the ability to do good.
The desire to do good means uniting the good guys against the bad guys, not pretending to be a good guy in order to make a buck. Bug bounty programs are certainly a start, but managing them can be a major resource drain on already strapped security teams. Industry-wide efforts are a more promising approach; the Pwn2Own contest at CanSecWest is a great example of fostering an environment in which researchers use their skills for good and not evil.
The ability to do good depends on the sophistication of the products themselves. Many security products and solutions today continue to silo security information so that it cannot easily be used across platforms. We need to be able to share security intelligence across organizations for the good of the industry as a whole. Once we have that intelligence, we also need to be able to make it actionable, so that we can react to incoming threats and stop attackers in their tracks.
We need to push the security community towards responsible disclosure. We need to find ways to incentivize good behavior while taking a stand against using security findings to "pump and dump" a stock. We should all be able to run profitable organizations that protect customers, employees and shareholder value, while at the same time creating an environment in which security intelligence can be shared.