“What Should be Hidden and Open in Computer Security: Lessons from

Deception, the Art of War, Law, and Economic Theory”

Professor Peter P. Swire

George Washington University

TPRC-2001

October 28, 2001

Overview of the Talk

Military base is hidden but computer security is open

Compare physical & computer security Model for openness in computer security Economic model: monopoly v. competition Military model: Sun Tzu v. Clausewitz Applications Research agenda

I. Physical and Computer Security Physical walls and the pit covered with

leaves Computer security

– Firewalls– Packaged software– Encryption

II. Model for Hiddenness in Computer Security Static model Dynamic model

Static Model for Openness

First-time vs. repeated attacks Learning from attacks

– Surveillance vs. other defenses Communication among attackers

– Script kiddies and the diffusion of knowledge

Dynamic Model

Security-enhancing effect– Many software bugs– Repeated attacks on computers– Security and inter-operability– Security expertise outside the organization

FOIA and other accountability effects

III. Economics and Openness in Computer Security System information hidden -- monopolist

about the security information Open source and system information open

-- competitive market Strong presumption in economic theory for

competitive market

Monopoly and Under-disclosure

Competitive market -- system/software designer discloses where benefits of disclosure exceed costs of disclosure

Monopolist -- costs $100 extra to re-design, but gains $10 per user; may not re-design

Disclosure may reduce market power Disclosure may reduce network externalities

Other Lessons from Economics

Other market failures– Information asymmetries and under-openness

Government systems even stronger incentives to under-disclose– Lack the market incentive to disclose enough to

gain sales– Optimal disclosure (competitive market)– Some disclosure (monopoly market)

IV. Military Strategy & Openness Sun Tzu and all war is deception Clausewitz and deception as incidental Hiddenness and Terrain

– Mountains (deception works)– Plains (deception doesn’t work much)

Hiddenness and Technology– Detection -- binoculars & infrared– Communication -- radio and Internet

Military & Openness

Sun Tzu and the intelligence agencies “Brute force attack” & Clausewitz

– Hackers and the opposite of deception Intellectual project

– Military (usually hidden)– Economics (usually open)– Computer security (intuition unshaped)

V. Some Applications

Open source movement as better security?– When is there “security through obscurity”?

DMCA and Felton case– Ignores the security-enhancing effect

Classified employees for computer security? Carnivore as open source? New FOIA limits on computer security?

Concluding Thoughts

A new field of study:– What should be hidden or open in computer

security?– Future conferences and studies on this?

Big shift to openness for computer security compared to physical security

What is optimal for military computer systems I invite comments, sources, and questions!