This article appeared in Information Security magazine: "Security 7 Award winners unmasked."
Ciscogate, the high-profile security standoff between former ISS researcher Mike Lynn and Cisco over the disclosure of a flaw in the IOS router operating system, stirred heavy emotions around responsible vulnerability disclosure and whether there is security in obscurity. Attorney Jennifer Granick, who represented Lynn, is an advocate of responsible disclosure. She provides perspective on this case and what issues it may raise for the future of cyberlaw.
Q: What has this case done for full disclosure advocates?

A: It's gotten people talking about it. Most in the security community feel the amount of information Mike disclosed was completely responsible. In fact, some would say it was not full disclosure; it would have been if he had released exploit code.
Q: Cisco charged that Lynn crossed the line and provided too much information, including trade secrets. What does the law say about trade secrets in this regard?

A: There were no trade secrets at stake here. Mike didn't have the source code; he had the binaries, the product Cisco distributes. Trade-secret laws are about protecting people in a fiduciary relationship of trust from disclosing private information that is economically valuable. The idea is that if an insider gets information, they must keep it secret.
Q: As an advocate of full disclosure, what do you believe is a proper means of disclosing information?

A: It really depends; it really is in the eye of the beholder. There are a number of factors that must be considered: Are there patches available? How long have they been out? What kind of information are you disclosing? Is there proof-of-concept code? Are you describing the problem in plain English? The point is, in a computer context, there's no security through secrecy about flaws. If one person has found it, chances are others have as well.
Q: What issues has Ciscogate raised for the future?

A: It will be interesting to see if EULAs deprive someone of the right to reverse engineer a patch. The case will call into question what is a legitimate trade secret. What amount of disclosure is responsible, and the audience to which disclosures are made, will be a real issue: whether it helps good guys or bad guys. This is the tip of the iceberg.
This was first published in September 2005