Microsoft is offering a $250,000 reward for information leading to the arrest and conviction of the cybercriminals responsible for the fast-spreading Conficker/Downadup worm.
This sounds like a good idea. It is not.
In the past Microsoft, as well as other software companies, has offered “cyber bounties” to encourage hackers to report on other hackers who choose to exploit software vulnerabilities in their products. In essence, such bounties are a preference shaping technique; that is, given a sizeable enough reward, the “preference” of a group of people (hackers, researchers, etc.) will be modified from a current state (one of inactivity) to a new state (in which hackers or researchers actively attempt to identify perpetrators). Likewise, the “preference” of cyber attackers will also be modified: to forgo malicious activities, not knowing which of their colleagues (or competitors, as the case may be) will turn against them or which researchers might be “tenaciously lucky” and discover who and where they are. Presumably, the larger the reward, the more powerful the preference shaping technique.
Bounties such as these are not truly effective because they do not sufficiently prohibit or mitigate cyber attacker behavior and therefore do not clearly shape the preferences of actual or potential cyber criminals. The bounties themselves rarely offset the totality of costs incurred by security researchers, nor do they sufficiently incentivize “competitor hackers” to report to law enforcement, as the record since 2003 shows. As such, preference shaping for these actors is arguable.
In fact, the reality of preference shaping through “cyber bounties” is far less palatable. Cyber bounties are not about shaping the preferences of hackers or researchers; they attempt to shape the preferences of the victims of cyber crime by encouraging the victims’ greater tolerance of cyber criminal activities enabled through vulnerabilities in software. In essence, cyber bounties are hush money: victims forgo seeking damages and/or pursuing remedies from the software manufacturer in light of the software manufacturer’s efforts to promote and encourage capture of the perpetrators.
The end game is quite compelling for the bounty offerer: the likelihood of capturing the cyber attacker is quite small, so paying out the $250,000 reward is unlikely. The $250,000 reward, however, represents the manufacturer’s commitment to “protecting the community,” thus reducing the likelihood that victims will seek damages from the manufacturer for releasing insecure software into the global stream of commerce, as well as increasing victims’ tolerance for such behavior. Best of all, victims are “paid” to be silent without ever actually receiving any payment whatsoever. Considering that Conficker is one of the most damaging worms to date and not a single voice of protest has been raised against the manufacturer, one could argue the preference shaping technique has worked quite well indeed. In any case, the benefits of a cyber bounty program belong almost entirely to the manufacturer and few others.
Microsoft should withdraw its cyber bounty program and donate the entirety of the bounty fund (now estimated to be around $7M with accrued interest) to a more charitable, worthy, or upright endeavor.