to the attack on Google's Morocco homepage by the PAK bugs hacker group, carried out only to show off hacking skills [2], attacks on critical infrastructure that use software vulnerabilities keep increasing in number and diversity. Software vulnerabilities damage not only personal privacy but also national security and political stability. It is now urgent to regulate software vulnerabilities and to reduce the damage they cause to critical infrastructure by legal means.
1 Concepts and characteristics of software vulnerability in critical infrastructure
1.1 Concepts of critical infrastructure
Critical infrastructure is infrastructure whose destruction, degradation or prolonged unavailability would have a significant impact on society and the economy and might even damage national security and defense [3]. Our country's policies give no clear definition of critical infrastructure. However, since the security protection of computer information systems "focuses on protecting the computer information systems of key areas such as national affairs, economic construction, national defense and advanced science and technology", the nation concentrates on protecting the basic information networks and important information systems, including: (1) information systems for processing national affairs; (2) information systems related to people's livelihood, such as finance, banking, taxation, customs, auditing, commerce, social security, energy, transportation and the defense industry; (3) information systems of education, research and other national units; (4) public communication, radio and television transmission and other basic information networks; (5) information systems of network management centers, important websites and other fields [4].
1.2 Concepts of software vulnerability
A vulnerability is a deficiency in the hardware, software, protocol implementation or security policy of a computer system [5]. A software vulnerability is a security risk introduced for various reasons during the design and implementation of computer software; criminals and terrorists can exploit it to damage the computer system. There are generally three main causes of software vulnerabilities: code that is difficult to write correctly, or that is shaped by the programmer's subjective experience and ability; hardware vulnerabilities that cannot be overcome and that manifest themselves through the software; and the limitations of the current state of technology. Software vulnerability is a broad concept that includes every "error", "fault" and "weakness" that can lead to an attack through the software.
1.3 Characteristics of software vulnerability in critical infrastructure
The causes of software vulnerabilities are difficult to overcome in a short time, which means that software vulnerabilities are hard to avoid, long-lived and universal [6]. Critical infrastructure plays the central role in national development and city operation; it is a huge, complex and dynamic system composed of many sectors whose systems exist independently yet depend on one another. This makes software vulnerabilities harder to find and raises the technical requirements for vulnerability preparedness. In addition, the country's critical infrastructure covers energy, finance, auditing, transportation and other important fields, and its systems store state secrets, business data and personal information. State security, enterprise interests and personal privacy will all be strongly affected if a software vulnerability is used to attack and damage such a system. The potential danger of software vulnerabilities in critical infrastructure is therefore greater.
2 Laws and policies of software vulnerability in critical infrastructure
2.1 The absence of laws on remote repair of software vulnerabilities
Remote repair of software vulnerabilities is a necessary means, and the development trend, of operation and maintenance after an IT system is delivered. Because remote repair requires international suppliers to access directly critical infrastructure systems that hold important data and service functions, governments treat this activity with high alert. Without clear laws, either excessive worry or excessive indulgence about remote repair can block trade in critical infrastructure. Remote repair is an effective way to improve software security and reduce malicious attacks. However, there are no clear legal rules on what responsibilities suppliers assume, or what actions governments should take to monitor IT suppliers effectively, in the case where an IT supplier leaves vulnerabilities in its software and uses remote repair as a pretext to steal secret information of hostile countries or trade secrets of competitors. Attacks on critical data and resources by hostile parties through remote repair, made possible by unclear laws, not only hinder the normal development of our country's IT products and services but also increase the security risk of critical infrastructure.
2.2 The absence of laws on information disclosure of software vulnerabilities
Disclosure of software vulnerability information usually involves four main issues. First, the subject of disclosure: whether the vulnerability is disclosed by its discoverer or only by the software supplier. Second, the object of disclosure: whether the vulnerability information is disclosed only to the individuals affected by a security incident or to all users. Third, the timing of disclosure: whether disclosure takes place together with the patch once the patch is finished, or immediately once the vulnerability has been discovered. Fourth, the method of disclosure, of which there are generally two: full disclosure (reporting to the public) and responsible disclosure (reporting to the software company). These issues are closely related to the establishment of a vulnerability information sharing mechanism, the time cost of developing a patch, the probability of a security incident and the damage level of an attack using the vulnerability. Since the law has few rules on the disclosure of software vulnerabilities, the probability of attacks on critical infrastructure increases.
2.3 The absence of laws on the black market in software vulnerabilities
A software vulnerability is the platform through which an attacker enters a critical infrastructure system to tamper with or steal data, the channel through which viruses and worms spread, and the favourite of criminals and terrorists. The black market in software vulnerabilities flourishes once vulnerabilities become objects that can be traded. When the value of vulnerability information is hard to estimate, when there is no mechanism for authenticating buyers and sellers, when there is no price transparency for vulnerability information and when morality gives way to the temptation of money, discoverers are more likely to sell the information to criminals and terrorists as soon as they find a vulnerability, both to keep the information timely and to obtain economic gains beyond its own value. The black market in vulnerability information therefore becomes more and more rampant. The transaction process involves four kinds of subject: the sellers and the buyers of vulnerability information; the trading venues that provide a platform for sellers and buyers; and the verification bodies that test with technical means whether a vulnerability is genuine [7]. The absence of legal qualification for these subjects, especially the trading venues and verification bodies, makes the black market in vulnerability information even more rampant and disturbs normal market order.
3 Foreign legal regulation on software vulnerabilities of critical infrastructure
3.1 United States
The United States has the highest level of information technology development in the world and attaches great importance to the security threat that software vulnerabilities pose to critical infrastructure. The 1998 "Digital Millennium Copyright Act" made provisions on vulnerabilities, mainly relating to security testing and encryption measures. The "2001 Patriot Act" contained detailed provisions on vulnerability information disclosure, including disclosure procedures, exceptions to disclosure in emergencies, civil liability for illegal disclosure and the conditions under which institutions are exempted. To prevent terrorists from exploiting vulnerabilities to attack critical infrastructure, the "2002 Homeland Security Act" clearly assigned the reduction of critical infrastructure vulnerability to the Department of Homeland Security as one of its responsibilities, and gave the Homeland Security Advanced Research Projects Agency the responsibility of facilitating the building and deployment of technical models for solving homeland security vulnerabilities. The "2002 Critical Infrastructure Information Act" established a complete and detailed vulnerability information protection programme, which encourages critical infrastructure organizations to submit vulnerability information voluntarily so that national security and law enforcement agencies and state and local governments can quickly provide security protection for it. In 2013 the White House Office of the Press Secretary issued the executive order "Improve Network Security of Critical Infrastructure", which raised the network security of critical infrastructure to the level of national security. To accelerate patch research and reduce attacks that exploit vulnerabilities, the order specially provided for a vulnerability information sharing mechanism.
3.2 EU
In 2001 the EU promulgated the "Cybercrime Convention", which prevents crimes using software vulnerabilities by regulating unauthorized access to, and interference with, computer systems and stored data, in order to protect computer systems and create a trusted and reliable online environment for users. The Convention calls on member states to establish appropriate criminal law that treats as crimes the unauthorized intentional attack on computer systems, the unauthorized malicious obstruction of the normal operation of a computer, and the unauthorized destruction, deletion or tampering of computer data. In 2002 the European Parliament enacted the "EU Privacy and Electronic Communications Directive", which requires a network service provider, when a vulnerability appears in the network, to disclose the vulnerability information to users so that they can take protective measures in time. The 2004 EU Council document on the necessity of identifying critical infrastructure and assessing its protection pointed out that vulnerability information belongs to critical infrastructure protection information and must not be disclosed by the relevant parties. In 2011 the "Group of Eight", formed by the United States, Britain, France, Germany, Italy, Canada, Japan and Russia, passed the "Deauville Declaration", which stated that particular attention should be paid to the various forms of aggressive behaviour that destroy the integrity of critical infrastructure products and services, including the proliferation of malware and botnets (zombie networks).
3.3 UK
The UK not only strictly complies with EU directives and treaties but has also developed national law in line with its own information technology development. To improve the government's ability to fight the growing terrorist threat, Britain promulgated the "Anti-terrorism, Crime and Security Act" in 2001, which sets the conditions under which representatives of public authorities may disclose vulnerability information; to protect national security, the act places particular restrictions on vulnerability disclosure. To reduce the threat of cyber attacks, the UK enacted its "Cyberspace Strategy" in 2009, which aims to reduce the number of vulnerabilities in network operations by reducing criminal motives and impairing the capabilities of attackers. In addition, the "Cyberspace Strategy" identified four kinds of network attack: destroying the IT supply chain, electronic attack, disrupting radio spectrum transmission (by damaging unprotected electronic equipment in a specific area), and attacking the radio signals used by operating systems.
4 Legislative implications for China's regulation of software vulnerabilities in critical infrastructure
4.1 Attach great importance to the governance of software vulnerabilities
Statistics from the China National Vulnerability Database of Information Security show that 626 new vulnerabilities were added in December 2013, 585 in January 2014, 45 in February 2014 and 541 in March 2014, an average of 18 per day [8]. This exponential growth of vulnerabilities gives criminals opportunities to attack computers. The US, the EU and the UK attach great importance to the management of software vulnerabilities and use the law to punish criminal activities that exploit software vulnerabilities, in order to protect the normal operation of critical infrastructure.
4.2 Adhere to the precautionary principle
Given that the consequences of software vulnerabilities destroying critical infrastructure are difficult to reverse, traditional after-the-fact legal norms based on remedies and punishment cannot regulate criminal activity effectively. We should consider the principle of active defense and emphasize the preventive role that legal norms can play in advance. To better protect critical infrastructure, Singapore's "2003 Computer Misuse Act Amendments" emphasized that when computers face a security threat, the government may adopt a preemptive strategy.
4.3 Establish multiple cooperation mechanisms
The governance of software vulnerabilities should achieve synergy between legal and technical means, cooperation between government and enterprises, and cooperation at the domestic and international levels. Specifically, preventing attacks on and destruction of critical infrastructure through software vulnerabilities requires not only legal and technical support but also a balance of interests among government, enterprises and individuals. It is important for the security of critical infrastructure that the government and its relevant departments, enterprises and individuals all take an active part in the governance of software vulnerabilities.
4.4 Establish an information sharing mechanism
The United States has established a government-led voluntary information sharing plan that strengthens the government's regulatory function. Backed by the government's official authority, the plan can share vulnerability information with qualified critical infrastructure software vendors. It guarantees the security of vulnerability information and leads discoverers to submit vulnerability information voluntarily, which favours the establishment of a "found, shared, resolved" mechanism for software vulnerability information. China should also establish an information sharing mechanism for software vulnerabilities to accelerate the pace at which they are resolved.
4.5 Establish a complete criminal responsibility system
Of all legal sanctions, criminal punishment is undoubtedly the most serious. Singapore relies on a severe penal system to punish unauthorized access in order to create a safe and reliable online environment for users. The EU "Cybercrime Convention" calls on member states to establish domestic criminal systems that convict unauthorized access, so as to achieve a better preventive effect. China's "Criminal Law" should as quickly as possible provide punishments for offences involving remote repair of software vulnerabilities, information disclosure and black-market transactions, to prevent criminals and terrorists from attacking and destroying critical infrastructure.
5 Conclusion
Our country has no specific legislation on software vulnerabilities in critical infrastructure; existing laws prevent crimes using software vulnerabilities mainly by regulating unauthorized access to computer systems. These provisions are found in the "Criminal Law", the "Public Security Management Punishment Law", the "Decision of the National People's Congress Standing Committee on Safeguarding Internet Security", the "Computer Information System Security Protection Regulations" and so on. Progress in hacking technology has multiplied the means of network attack, yet our existing laws clearly lag behind the diversifying forms of crime that use software vulnerabilities, which lets criminals attack critical infrastructure through vulnerabilities. In the long term, we not only need to raise the technical level of information security protection for critical infrastructure, but also need to perfect legislation on software vulnerabilities as soon as possible so that the law can play its roles of evaluation, guidance, education and punishment.
Acknowledgement
The corresponding author of this paper is Libo Zhong. This paper is supported by the Shanghai Science and Technology Commission project "Legal measures and standard specification research of personal data protection in a big data environment" (Project Number: 13511504100).
References
[1] Taiwo AO. Bugs for Sale: Legal and Ethical Proprieties of the Market in Software Vulnerabilities [J]. The John Marshall Journal of Computer & Information Law, 2011, (28): 3.
[2] China National Vulnerability Database of Information Security. Google Morocco site is hacked on Tuesday [EB/OL]. [2013-1-24]. http://www.cnnvd.org.cn/news/show/id/1751.
[3] SATRC Working Group on Policy and Regulations. Critical Information Infrastructure Protection and Cyber Security [R/OL]. 2012(4).
[4] Information Security Law Research Center of Xi'an Jiao Tong University. Chinese Critical Information Infrastructure Protection Blue Book [R]. The Third Chinese Information Security Law Conference, 2012(10).
[5] Ming Chen. Research on Software Vulnerabilities Reverse Analysis Technology [D]. Xi'an Electronic Science and Technology University, 2007.
[6] Rahul Telang, Sunil Wattal. An Empirical Analysis of the Impact of Software Vulnerability Announcements on Firm Stock Price [J]. Transactions on Software Engineering, 2007(33): 547. DOI: 10.1109/tse.2007.70712.
[7] Michael DS. Tort Liability for Vendors of Insecure Software: Has the Time Finally Come [J]. Maryland Law Review, 2008(62): 74.
[8] China National Vulnerability Database of Information Security. Information Security Vulnerabilities Month Bulletin [R]. 2014. http://www.cnnvd.org.cn/news/vulreport.