LAS VEGAS–Justine Bone shook up the security research community last year when she decided to do the unconventional.
The CEO of MedSec Holdings teamed with hedge fund company Muddy Waters Capital to short the stock of St. Jude Medical in order to profit from research that revealed life-threatening vulnerabilities tied indirectly to pacemakers made by the medical device manufacturer.
The move ignited a fierce debate over ethical disclosure of vulnerabilities and how viable a business model this type of short selling could be.
At a Black Hat session Thursday, Bone told attendees she has no regrets and would do it again.
“I have no intention of shorting another company again anytime soon. But, absolutely this is a viable business model for our community,” Bone said.
Since the initial short, St. Jude Medical – which was acquired by Abbott Laboratories – has sued MedSec and Muddy Waters alleging everything from false claims to defamation over the research that exposed flaws in its Merlin@Home Transmitter, a monitoring system for patients with implanted defibrillators.
“We definitely took the world by storm. This is the first time to my knowledge that someone in the security industry engaged with investors in this way,” Bone said. “I knew I was going to be ruffling some feathers in my own industry. And we certainly got a lot of attention and that’s what we intended to do.”
Bone said part of the impetus to work with Muddy Waters in this unconventional way was because St. Jude Medical was putting profits ahead of patient safety.
“The problem with traditional models is that coordinated disclosure is a closed conversation between the researcher and the manufacturer. And there are a lot of third-parties that are not part of the conversation that should be, including the customers, investors, patients and shareholders.”
She argues that too often the byproduct of coordinated disclosure is “silent fixes” or “full disclosures” that are really partial disclosures. What’s needed is a process that brings more people into the loop. More is more when it comes to disclosure and serves the greater good, she argues.
“This isn’t just about medical devices. This is a technology problem that affects everyone,” she said. Bone believes that financial markets can sometimes play an important role in keeping technology firms accountable when it comes to addressing or heading off security issues.
Citing research from 2015, Bone said stock prices were seldom impacted at all by security events. “Now we have the Verizon acquisition of Yahoo, where it is estimated the Yahoo breach dropped the sale price by 7.5 percent. The Jeep recall, tied to security vulnerabilities, reportedly caused Chrysler stock to drop 6 percent,” Bone said.
She acknowledged that many of those dips were temporary, but said there is evidence that those hits are having a long-lasting impact on share prices and have the potential to hurt companies’ credit ratings based on things such as a company’s third-party security risk analysis.
“There is a notion that the market is never going to address security, because the buyers and the sellers don’t care,” she said. “I would argue the market goes beyond the buyers and sellers and includes the analysts, the investors and the traders. That’s the market as well.”
From the researchers’ point of view, there are risks to taking this approach, she acknowledged. Compared with fixed bug bounty prices, the open market for vulnerabilities and the chance of being sued, this approach has many more unknowns.
“First I’d say, don’t try this at home. Taking a short position is a very risky thing to do. You need to work with an investment expert. There are also a number of things that need to line up just right,” she said.
The vulnerable technology in question needs to be core to what the company does. Shorting a large company based on a vulnerability in a product made by an inconsequential business unit isn’t feasible.
Bone also addressed criticism that this type of disclosure damages the researcher-vendor relationship. Some argue that vendors are going to be lawyering up when interacting with researchers over disclosure because they’ll be more defensive.
“Most of the time coordinated disclosure works really well. But some of the time it doesn’t,” Bone said. “If a company is prone to lawyering-up when it comes to addressing vulnerabilities, those are the type of companies that do nothing about the problem anyway. There are only some times when this type of thing is necessary.”