Licensing security

Abstract

There exist legal structures defining the exclusive rights of authors, and means for licensing portions of them to others in exchange for appropriate obligations. We propose an analogous approach for security, in which portions of exclusive security rights owned by system stakeholders may be licensed as needed to others, in exchange for appropriate security obligations. Copyright defines exclusive rights to reproduce, distribute, and produce derivative works, among others. We envision exclusive security rights that might include the right to access a system, the right to run specific programs, and the right to update specific programs or data, among others. Such an approach uses the existing legal structures of licenses and contracts to manage security, as copyright licenses are used to manage copyrights. At present there is no law of “security right” as there is a law of copyright, but with the increasing prevalence and prominence of security attacks and abuses, of which Stuxnet and Flame are merely the best known recent examples, such legislation is not implausible. We discuss kinds of security rights and obligations that might produce fruitful results, and how a license structure and approach might prove more effective than security policies.