A Model for When Disclosure Helps Security: What is Different About Computer & Network Security? Peter P. Swire Ohio State University George Mason CII Conference June 11, 2004

Framing the Project My background in privacy My background in privacy Data spreads rapidly and widely Data spreads rapidly and widely Scott McNealy: You have zero privacy. Get over it. Scott McNealy: You have zero privacy. Get over it. My current research in security My current research in security Data spreads rapidly and widely Data spreads rapidly and widely You have zero secrecy. Get over it. You have zero secrecy. Get over it. Is that right? When does secrecy help security? Is that right? When does secrecy help security?

Is Secrecy Dead? A paradox A paradox Open Source mantra: No Security Through Obscurity Open Source mantra: No Security Through Obscurity Secrecy does not work Secrecy does not work Disclosure is virtuous Disclosure is virtuous Military motto: Loose Lips Sink Ships Military motto: Loose Lips Sink Ships Secrecy is essential Secrecy is essential Disclosure is treason Disclosure is treason

Overview A model for when each approach is correct -- assumptions for the Open Source & military approaches A model for when each approach is correct -- assumptions for the Open Source & military approaches Key reasons computer & network security often differ from earlier security problems Key reasons computer & network security often differ from earlier security problems Relax the assumptions Relax the assumptions Insights from the Efficient Capital Markets Hypothesis literature for efficiency of computer attacks Insights from the Efficient Capital Markets Hypothesis literature for efficiency of computer attacks

I. Model for When Disclosure Helps Security Identify chief costs and benefits of disclosure Identify chief costs and benefits of disclosure Effect on attackers Effect on attackers Effect on defenders Effect on defenders Describe scenarios where disclosure of a defense likely to have net benefits or costs Describe scenarios where disclosure of a defense likely to have net benefits or costs

Open Source & Disclosure Helps Defenders Attackers learn little or nothing from public disclosure Attackers learn little or nothing from public disclosure Disclosures prompts designers to improve the defense -- learn of flaws and fix Disclosures prompts designers to improve the defense -- learn of flaws and fix Disclosure prompts other defenders/users of software to patch and fix Disclosure prompts other defenders/users of software to patch and fix Net: Costs of disclosure low. Bens high. Net: Costs of disclosure low. Bens high. [I am not taking a position on proprietary v. Open Source – focus is on when disclosure improves security] [I am not taking a position on proprietary v. Open Source – focus is on when disclosure improves security]

Military Base & Disclosure Helps Attackers It is hard for attackers to get close enough to learn the physical defenses It is hard for attackers to get close enough to learn the physical defenses Disclosure teaches the designers little about how to improve the defenses Disclosure teaches the designers little about how to improve the defenses Disclosure prompts little improvement by other defenders. Disclosure prompts little improvement by other defenders. Net: Costs from disclosure high but few benefits. Net: Costs from disclosure high but few benefits.

Effects of Disclosure Low Help Attackers High Open Source Military/Intelligence Help Defenders Low High

Effects of Disclosure -- II Military/Intelligence Open Source Low Help Attackers High Help Defenders Low High

Effects of Disclosure -- II

II. Why Computer & Network Security Often Differs Hiddenness & the first-time attack Hiddenness & the first-time attack Uniqueness of the defense Uniqueness of the defense Computer/network security and no security through obscurity Computer/network security and no security through obscurity Firewalls Firewalls Software programs Software programs Encryption algorithms Encryption algorithms

The First-Time Attack A weak defense often succeeds against the first attack A weak defense often succeeds against the first attack Pit covered with leaves & first attack Pit covered with leaves & first attack More realistically, hidden mines More realistically, hidden mines By 2d or 10th attack, it does not work By 2d or 10th attack, it does not work

Uniqueness of the Defense E: initial effectiveness of a defense E: initial effectiveness of a defense N: number of attacks N: number of attacks L: learning by defenders from an attack L: learning by defenders from an attack C: communication to other defenders C: communication to other defenders A: alteration by the next attack A: alteration by the next attack Designers learn how to fix (the patch) Designers learn how to fix (the patch) Other defenders install the patch Other defenders install the patch Example of placement of hidden pit/mines Example of placement of hidden pit/mines

Low Uniqueness Common for Computer & Network Security Firewalls Firewalls High N, L, C & A High N, L, C & A Even unskilled script kiddies can get in Even unskilled script kiddies can get in Secrecy about a flaw will likely not work Secrecy about a flaw will likely not work Disclosure of vulnerability may prompt designers to fix and firewall owners to install the patch Disclosure of vulnerability may prompt designers to fix and firewall owners to install the patch

Mass-market Software Mass-market software Mass-market software High N, L, C, & A High N, L, C, & A Secrecy about a flaw will likely not work Secrecy about a flaw will likely not work Disclosure of vulnerability may prompt designers to fix and software users to install the patch Disclosure of vulnerability may prompt designers to fix and software users to install the patch

Encryption Hidden writing and the birthplace of openness about algorithms Hidden writing and the birthplace of openness about algorithms High L, C, & A; very high N on the Net High L, C, & A; very high N on the Net Kerckhoffs theorem -- the cryptosystem should assume openness but the key should remain secret Kerckhoffs theorem -- the cryptosystem should assume openness but the key should remain secret

Network/Computer Security Enlargement of the Public Domain Enlargement of the Public Domain Search engines and the Net Search engines and the Net Attackers have higher C, so lower costs if decide to disclose Attackers have higher C, so lower costs if decide to disclose Designers and other defenders learn more quickly, so higher benefits if decide to disclose Designers and other defenders learn more quickly, so higher benefits if decide to disclose Open Source paradigm more likely to apply than for traditional, physical attacks Open Source paradigm more likely to apply than for traditional, physical attacks

III. Relaxing the Assumptions Other results in the paper about deterrence, surveillance, etc. Other results in the paper about deterrence, surveillance, etc. Now, critique assumption that attackers already know about vulnerabilities Now, critique assumption that attackers already know about vulnerabilities Idea: Open Source paradigm implicitly assumes strong or semi-strong ECMH Idea: Open Source paradigm implicitly assumes strong or semi-strong ECMH But, argument for But, argument for

Analogy to ECMH Idea: Open Source paradigm implicitly assumes strong or semi-strong ECMH Idea: Open Source paradigm implicitly assumes strong or semi-strong ECMH ECMH: quickly get to efficient outcome where outsiders/traders exploit available information ECMH: quickly get to efficient outcome where outsiders/traders exploit available information Information about the company will be used by traders Information about the company will be used by traders Open Source: quickly get to outcome where outsiders/attackers exploit available information Open Source: quickly get to outcome where outsiders/attackers exploit available information Information about the defense will be used by attackers Information about the defense will be used by attackers

ECMH in the Academy Today Previously, many economists accepted ECMH; today, less faith in it Previously, many economists accepted ECMH; today, less faith in it My claim is that efficiency is less for attackers discovering vulnerabilities My claim is that efficiency is less for attackers discovering vulnerabilities Modern software large, so N per line of code may be low Modern software large, so N per line of code may be low Security efforts, so bugs/line of code down Security efforts, so bugs/line of code down Bug hunters say each vulnerability can be costly to discover Bug hunters say each vulnerability can be costly to discover

Physical & Cyber Security Defend the buried pipeline Defend the buried pipeline Hard for attackers to learn the key vulnerable point Hard for attackers to learn the key vulnerable point Expensive to rebuild pipeline once in place Expensive to rebuild pipeline once in place Vulnerabilities often unique Vulnerabilities often unique Defend the software Defend the software Easy for attackers to learn of vulnerability (warez & hacker sites) Easy for attackers to learn of vulnerability (warez & hacker sites) Relatively inexpensive to patch & update Relatively inexpensive to patch & update Vulnerabilities often large scale/mass market Vulnerabilities often large scale/mass market

Effects of Disclosure Low Help Attackers High Open Source Physical facilities 1. Military/ Intel 2. Physical facilities Help Defenders Low High

What Makes Cyber Attacks Different? A key concept: the first-time attack A key concept: the first-time attack The first time, defenders have the advantage: The first time, defenders have the advantage: Simple tricks can foil the attack Simple tricks can foil the attack Attackers have not learned weak points Attackers have not learned weak points On attack #1000, attackers have the edge: On attack #1000, attackers have the edge: They avoid the established defenses They avoid the established defenses They learn the weak points They learn the weak points Computer scientists: Instance helps the defense Computer scientists: Instance helps the defense

What Is Different for Cyber Attacks? Many attacks Many attacks Each attack is low cost Each attack is low cost More costly to find out location of machine guns More costly to find out location of machine guns Attackers learn from previous attacks Attackers learn from previous attacks This trick got me root access This trick got me root access Attackers communicate about vulnerabilities Attackers communicate about vulnerabilities Because of attackers knowledge, disclosure often helps defenders more than attackers for cyber attacks Because of attackers knowledge, disclosure often helps defenders more than attackers for cyber attacks

Conclusion I am proposing a basic model for when disclosure helps security I am proposing a basic model for when disclosure helps security Disclosure helps defenders? Attackers? Disclosure helps defenders? Attackers? Explains reasons for less disclosure of vulnerabilities for military, intel, & physical Explains reasons for less disclosure of vulnerabilities for military, intel, & physical Explains reasons for greater disclosure for many software and computer system settings Explains reasons for greater disclosure for many software and computer system settings Other reasons to consider disclosure or not Other reasons to consider disclosure or not FOIA/accountability FOIA/accountability Privacy/confidentiality Privacy/confidentiality Have an intellectual framework for proceeding Have an intellectual framework for proceeding