
“What Should be Hidden and Open in Computer Security: Lessons from Deception, the Art of War, Law, and Economic Theory”


Presentation Transcript


  1. “What Should be Hidden and Open in Computer Security: Lessons from Deception, the Art of War, Law, and Economic Theory”
  Professor Peter P. Swire
  George Washington University
  TPRC-2001
  October 28, 2001

  2. Overview of the Talk
  • Military base is hidden but computer security is open
  • Compare physical & computer security
  • Model for openness in computer security
  • Economic model: monopoly v. competition
  • Military model: Sun Tzu v. Clausewitz
  • Applications
  • Research agenda

  3. I. Physical and Computer Security
  • Physical walls and the pit covered with leaves
  • Computer security
    • Firewalls
    • Packaged software
    • Encryption

  4. II. Model for Hiddenness in Computer Security
  • Static model
  • Dynamic model

  5. Static Model for Openness
  • First-time vs. repeated attacks
  • Learning from attacks
  • Surveillance vs. other defenses
  • Communication among attackers
  • Script kiddies and the diffusion of knowledge

  6. Dynamic Model
  • Security-enhancing effect
  • Many software bugs
  • Repeated attacks on computers
  • Security and interoperability
  • Security expertise outside the organization
  • FOIA and other accountability effects

  7. III. Economics and Openness in Computer Security
  • System information hidden -- monopolist about the security information
  • Open source and system information open -- competitive market
  • Strong presumption in economic theory for competitive market

  8. Monopoly and Under-disclosure
  • Competitive market -- system/software designer discloses where benefits of disclosure exceed costs of disclosure
  • Monopolist -- costs $100 extra to re-design, but gains $10 per user; may not re-design
  • Disclosure may reduce market power
  • Disclosure may reduce network externalities

  9. Other Lessons from Economics
  • Other market failures
  • Information asymmetries and under-openness
  • Government systems: even stronger incentives to under-disclose
    • Lack the market incentive to disclose enough to gain sales
  • Optimal disclosure (competitive market)
  • Some disclosure (monopoly market)

  10. IV. Military Strategy & Openness
  • Sun Tzu and all war is deception
  • Clausewitz and deception as incidental
  • Hiddenness and terrain
    • Mountains (deception works)
    • Plains (deception doesn’t work much)
  • Hiddenness and technology
    • Detection -- binoculars & infrared
    • Communication -- radio and Internet

  11. Military & Openness
  • Sun Tzu and the intelligence agencies
  • “Brute force attack” & Clausewitz
  • Hackers and the opposite of deception
  • Intellectual project
    • Military (usually hidden)
    • Economics (usually open)
    • Computer security (intuition unshaped)

  12. V. Some Applications
  • Open source movement as better security?
  • When is there “security through obscurity”?
  • DMCA and the Felten case
    • Ignores the security-enhancing effect
  • Classified employees for computer security?
  • Carnivore as open source?
  • New FOIA limits on computer security?

  13. Concluding Thoughts
  • A new field of study:
    • What should be hidden or open in computer security?
    • Future conferences and studies on this?
  • Big shift to openness for computer security compared to physical security
  • What is optimal for military computer systems
  • I invite comments, sources, and questions!
