Currently Skimming:

1 Policy Considerations: The Intersection of Public Values and Private Infrastructure
Pages 7-13

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 7...
... Figuring out how to deal with that ongoing insecurity deserves some portion of our attention from both a technical and policy standpoint.
From page 8...
... A public policy intervention, in this case, could potentially create incentives for effective software updates or even punishments for failure, while still being mindful of a balance between the rights of individuals and the needs of a society. An update infrastructure that allows the monitoring -- and addressing -- of threats and vulnerabilities would require extensive information, Mulligan noted.
From page 9...
... The initial software had safety issues that the company later corrected, but that update channel could have potentially created a huge risk to others near the car when it is "summoned," Mulligan noted. It is also possible that update channels could be abused to downgrade product functionality, which could make consumers unhappy and mistrustful of the update channel altogether.
From page 10...
... If IoT devices aren't upgraded but are still in use, what economic costs does that impose and on whom?

GUIDING PRINCIPLES FOR CYBERSECURITY

All these questions and concerns led Mulligan and Schneider to their guiding principles for cybersecurity.
From page 11...
... Building software with security updates in mind requires genuine dialogue between technical experts and policy experts. Both groups might at times be out of their depth, but effectively addressing issues around consumer protection, industry competition, and software engineering demands a high level of coordination and commitment on both sides: Bringing both technical and policy expertise to the design process is an important piece of the puzzle to support true cybersecurity.
From page 12...
... Furthermore, while these conversations might be easier to have in private settings, they need to happen in public, Mulligan said, because cybersecurity is a public good.

OTHER CONSIDERATIONS

Several participants raised nuances of the business environment, particularly for IoT devices, that warrant consideration in the policy space.
From page 13...
... The discussion wrapped up with a question from another participant regarding the potential policy implications of the distinction between hardware and software products that reside on a customer's device, in which the user often has some control over software updates, versus cloud-based services, for which the user typically has no choice as to what version they are using. Mulligan noted that consumer protection agencies have historically focused on products that are sold directly to consumers -- for example, stepping in if the company's behavior seems deceptive or egregious -- but the issue of cloud-based software or services will demand closer scrutiny in the future.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.