A Model for When Disclosure Helps Security
Full Title of Reference
A Model for When Disclosure Helps Security: What is Different About Computer and Network Security?
Peter P. Swire, A Model for When Disclosure Helps Security: What is Different About Computer and Network Security? (Journal on Telecommunications and High Technology Law, Vol. 2, Public Law and Legal Theory Working Paper Series No. 17, 2004). Web SSRN
This Article asks the question: When does disclosure actually help security? The discussion begins with a paradox. Most experts in computer and network security are familiar with the slogan that there is no security through obscurity. The Open Source and encryption view is that revealing the details of a system will actually tend to improve security, notably due to peer review. In sharp contrast, a famous World War II slogan says loose lips sink ships. Most experts in the military and intelligence areas believe that secrecy is a critical tool for maintaining security. Both cannot be right - disclosure cannot both help and hurt security.
A Model for When Disclosure Helps Security
Part I of the article provides a basic model for deciding when the Open Source and military/intelligence viewpoints are likely to be correct. Insights come from a 2x2 matrix. The first variable is the extent to which disclosure is likely to help the attackers, by tipping off a vulnerability the attackers would otherwise not have seen. The second variable is the extent to which the disclosure is likely to improve the defense. Disclosure might help the defense, notably, by teaching defenders how to fix a vulnerability and by alerting more defenders to the problem. The 2x2 matrix shows the interplay of the help-the-attacker effect and help-the-defender effect, identifying four basic paradigms for the effects of disclosure on security: the Open Source paradigm; the Military/Intelligence paradigm; the Information Sharing paradigm; and the Public Domain.
The Key Reasons Computer and Network Security May Vary From Other Security Problems
Part II provides an explanation of why many computer and network security issues are different from military and other traditional security problems of the physical world. The discussion focuses on the nature of the “first-time attack” or the degree of what the paper calls “uniqueness” in the defense. Many defensive tricks, including secrecy, are more effective the first time there is an attack on a physical base or computer system. Secrecy is far less effective, however, if the attackers can probe the defenses repeatedly and learn from those probes. It turns out that many of the key areas of computer security involve circumstances where there can be repeated, low-cost attacks. For instance, firewalls, mass-market software, and encryption algorithms all can be attacked repeatedly by hackers. Under such circumstances, a strategy of secrecy – of “security through obscurity” – is less likely to be effective than for the military case.
Relaxing the Open Source Assumptions – Computer and Network Security in the Real World
Part III relaxes the assumptions of the model presented in Part I. The Open Source approach makes three assumptions: (1) disclosure will offer little or no help to attackers; (2) disclosure will tend to upgrade the design of defenses; and (3) disclosure will spread effective defenses to third parties. In practice, secrecy will often be of greater use than the Open Source advocates have stated, because one or more of the three assumptions will not hold. Part III explains some of the major categories of situations where secrecy is likely to be more or less effective at promoting security.
In summary, the author concludes that disclosure will tend to help the attackers but not the defenders in a military setting, where there is strong authentication of defenders and an established hierarchy to implement better defenses. Disclosure provides greater benefit to defenders when there are numerous third-party users, no effective way to communicate only to friendly defenders, and no hierarchical way to ensure that defenses are put into place.
Additional Notes and Highlights
Expertise required: Logic - Low/Moderate
Introduction I. A Model for When Disclosure Helps Security A. Case A: The Open Source Paradigm B. Case B: The Military Paradigm C. Case C: The Information Sharing Paradigm D. Case D: The Public Domain E. The 2x2 Matrix for When Disclosure Improves Security II. The Key Reasons Computer and Network Security May Vary From Other Security Problems A. Hiddenness and the First-Time Attack B. Uniqueness of the Defense C. Why Low Uniqueness May Be Common for Computer and Network Security 1. Firewalls 2. Mass-market Software and Computer Games 3. Encryption III. Relaxing the Open Source Assumptions – Computer and Network Security in the Real World A. The Assumption that Disclosure Will Not Help the Attackers 1. The Enlargement of the Public Domain in a World of Search Engines 2. Deterrence as a Result of Disclosure 3. Don’t Disclose Private Keys, Passwords, or Combinations to a Safe 4. Why Secret Surveillance May Improve Security 5. When Do Attackers Already Know of the Vulnerability? a. Discovering and Exploiting Vulnerabilities b. The Analogy Between Exploiting Vulnerabilities and the Efficient Capital Markets Hypothesis B. The Assumption that Disclosure Will Tend to Improve the Design of Defenses 1. Variables that Affect When Open Source or Proprietary Software May Provide Better Security a. Expertise of Inside and Outside Programmers b. The Incentives to Improve the Defense c. Persistence of the Expertise d. The Institutional Context for Patching e. Interoperability and Openness 2. The Role of Disclosure in Creating Long-Run Security and Assuming Accountability C. The Assumption that Disclosure Will Spread Effective Defense To Others Conclusion: Security, Privacy, and Accountability