Software is a unique industry where from Operating Systems to applications, programs are released for public use, without any real commitment from the software developers as to whether the program is free from vulnerabilities.
In fact, vulnerabilities give raise to more opportunities in the industry and are silently adored. The Indian software boom which now claims to make the Country a IT super power itself was greatly aided and abetted by the Y2K bug. The trend continues to this day when applications keep on hitting the market and patches are released as a matter of routine. The EULA is drafted in such a manner that we are living in an imaginary law less jungle where the user is responsible for the mistakes of the software developer.
Imagine an automobile manufacturer who releases a new model with defects that lead to an accident or a potential accident. He is made to withdraw millions of products in the market, replace them at his cost and also be liable for payment of damages. Industries are routinely made to pay for intentional and unintentional environmental damage unless we they are blessed to be a “Union Carbide under an obliging Government” when a mishap occurs. Software industry similarly admits the need for periodical patches and makes it the responsibility of the user to conduct his own vulnerability and penetration tests, install patches and live with zero day vulnerabilities.
The recently reported incident in which 5 Engineering students in Kolkata were arrested for criminally exploiting a bug which the software developer left in the program is an immediate reminder to all of us on the responsibilities that a software vendor has to take up before commercially releasing a software product which exposes the public to risks financial or otherwise.
There is no doubt that most of the software developers do follow ethical principles of Corporate Governance and adopts measures to ensure “Quality” and “Security” during the software development cycle. There could be processes they put in place certified by ISO bodies to mitigate the risks of a “bug” seeping into a product that is released in the wild. But nothing is perfect in this world and even these processes do fail some times too often for comfort.
When it comes to critical applications that deal with sensitive data such as financial or health or national security, there is a world of hackers trying to enrich themselves with the mistakes of honest software developers through targeted attacks. There are virus developers, malware droppers, managers of Command and Control centers for spamming, phishing, and other malicious activities etc all hunting for opportunities to steal money from you and me trying to make an honest buck.
The Cyber Laws are meant to fight such menace and make it difficult for Cyber Criminals to exploit the society. There are therefore laws that impose stringent punishments on Cyber Criminals both for commission of an offence and an attempt as well as assistance to commit an offence. There are however, the misguided persons, who are only interested in making profits for themselves irrespective of the harm they cause to the society in the long run. Some of them identify an opportunity to make a fast buck out of a software vulnerability and are tempted to use them only in their self interest. The five students who got arrested in Kolkata belong to this category. If they had a strong ethical background, they would never have tried to exploit the vulnerability and instead either published the same in the media or informed the Bank/Company which was responsible for the software.
This would not be the last time when some of our intelligent youth chose such deviant path and ruin their own careers besides the dreams of their parents.
There is therefore a need for the society to do whatever is necessary to reduce the possibility of such “Technology Intoxicant” and “Deviant Minds” pursuing the path of crime.
One step of course is in “Education”. There is a need for mandatory teaching of “Ethics in IT” right at the time when school kids are introduced to Computers, Laptops. At the time education starts teaching “Software development”, it should be mandatory for teaching basics of “Cyber Law” so that the techies are aware of the adverse consequences.
I urge honorable Minister of Human Resources, Mrs Smrithi Irani to consider these educational innovations without any further delay.
From the industry perspective, it is also necessary that some efforts are made to reduce the incentives for “Hacking” and increase incentives for “Ethical Software Quality Research”.
To start with, we need to stop recognizing “Hackers” by rewarding them with jobs as a part of their rehabilitation. It should be a principle that every organization makes it a policy to discourage hackers from being accommodated as information security professionals like a thief being appointed as a policeman.
Past hackers should be tagged and rehabilitated through a stringent psychological drill that should include forced community service which hopefully should transform their mindset over a period of time.
Further, every software company should be made to take responsibility for the public damage that the software may create.
Presently the Companies use their financial clout to ensure that victims don’t get any justice. The way Cyber Crime victims are being treated by Indian Banks is an example to this attitude and has been repeatedly discussed in these columns in the past. This should stop and Companies should obtain Cyber Insurance to cover their liabilities.
While law can look at the possibility of considering all software owners as “Intermediaries” under Section 79 of ITA 2008 and make them responsible for “Due Diligence”, the industries can preempt the punitive provisions of law through their own measures to mitigate the risk of “Bug Exploitation”.
(P.S: It is the considered view of Naavi that even as law stands today, ITA 2000/8 requires software owners to be considered as “Intermediaries” and be financially liable for the defects of the software. Software developers need to be made responsible as Business Associates through an indemnity clause in the software delivery contract)
Through these columns therefore, I call upon all software developers to make it a policy to introduce measures not only to make their product testing procedures more robust but also involve the responsible and ethical members of the public by enrolling them as “Watch Dogs” to check on the quality of their software particularly from the point of view of presence of any vulnerabilities.
This can effectively be done through a “Bug Bounty” program that provides incentives to any person who spots a vulnerability to immediately bring it to the notice of the responsible persons within the Company. The Company should for this purpose adopt a “Bug Bounty policy” and provide rewards commensurate with the risks mitigated and efforts invested by the bug reporter.
Regulators may consider if it is necessary to create a public body to ensure that Companies donot sit on the reported vulnerabilities which then become zero day vulnerabilities and are exploited. Honourable IT Minister Mr Ravi Shankar Prasad may do the needful in this regard.
Cyber Insurance companies who have a stake in the early detection of vulnerabilities should initiate their own programs to subsidize the Bug Bounty programs of companies.
In the meantime, NASSCOM can also initiate some measures in this regard to develop a “Best Practice guideline” for “Bug Bounty Programs”.
What is essential in such programs is not a huge financial reward but creation of a “Recognition” followed by other assistance such as educational scholarships or reservation in higher educational institutions such as the IITs and IIMs, over riding the society dividing reservation policies based on Caste and Religion which our politicians have erroneously adopted. This will be an adjunct to the “Skills Registry” that NASSCOM is supposed to be maintaining.
As a Netizen Rights Activist organization, Naavi.org would like to contribute whatever little it can do in this regard through complimentary services. To start with, the Cyber Law Compliance Center (CLCC) has tried to develop a “Model Bug Bounty Policy” which can be adopted with necessary changes by any user company.
The CLCC would also be happy to assist the Bug Reporter through a free “CEAC” service where the reporting is certified through a third party intervention to prove the good faith credentials of the reporter. (More information on this would be provided in the web site of ceac.in.
Under this service, a Bug Reporter can report the suspected Bug to the relevant company under copy to naavi through e-mail.
Since mitigation of the risk of financial liability arising out of defective products of a Company is part of the Corporate Responsibility, professionals within a company responsible primarily for Corporate Governance such as the Company Secretaries and Chartered Accountants should take the lead in introducing appropriate Bug Bounty programs and ensure its introduction within a Company.
I invite comments on the above suggestion.