Security Through Obscurity: When It Works, When It Doesnt Peter P. Swire The Ohio State University DIMACS, Rutgers January 18, 2007

Dueling Slogans Open Source mantra: No Security Through Obscurity Secrecy does not work (or at least we shouldnt depend on it) Secrecy does not work (or at least we shouldnt depend on it) Disclosure is good (virtuous) Disclosure is good (virtuous) Military motto: Loose Lips Sink Ships Secrecy is essential Secrecy is essential Disclosure is bad (treason) Disclosure is bad (treason) Both cant be true at the same time

Overview Three papers complete, at search Swire 1. A model for when each approach is correct -- assumptions for the Open Source & military approaches Key reasons computer & network security often differ from earlier security problems Key reasons computer & network security often differ from earlier security problems 2. A Theory of Disclosure for Security & Competitive Reasons: Open Source, Proprietary Software, and Government Agencies 3. Privacy & Information Sharing in the War Against Terrorism All concern when disclosure helps security

I. Model for When Disclosure Helps Security Identify chief costs and benefits of disclosure Identify chief costs and benefits of disclosure Effect on attackers Effect on attackers Effect on defenders Effect on defenders Describe scenarios where disclosure of a defense likely to have net benefits or costs Describe scenarios where disclosure of a defense likely to have net benefits or costs (Economics & computer security, not law) (Economics & computer security, not law)

Open Source Perspective & Disclosure Helps Defenders Attackers learn little or nothing from public disclosure Attackers learn little or nothing from public disclosure Disclosures prompts designers to improve the defense -- learn of flaws and fix Disclosures prompts designers to improve the defense -- learn of flaws and fix Disclosure prompts other defenders/users of software to patch and fix Disclosure prompts other defenders/users of software to patch and fix Net: Costs of disclosure low. Bens high. Net: Costs of disclosure low. Bens high. [This is not a discussion of proprietary v. Open Source – focus is on when disclosure improves security] [This is not a discussion of proprietary v. Open Source – focus is on when disclosure improves security]

Military Base & Disclosure Helps Attackers It is hard for attackers to get close enough to learn the physical defenses It is hard for attackers to get close enough to learn the physical defenses Disclosure teaches the designers little about how to improve the defenses Disclosure teaches the designers little about how to improve the defenses Disclosure prompts little improvement by other defenders. Disclosure prompts little improvement by other defenders. Net: Costs from disclosure high but few benefits. Net: Costs from disclosure high but few benefits.

Effects of Disclosure Low Help Attackers High Open Source Military/Intelligence Help Defenders Low High

Effects of Disclosure -- II Military/Intelligence Public Domain Information Sharing (e.g., watch lists) Open Source Low Help Attackers High Help Defenders Low High

Why Computer & Network Attacks More Often Benefit From Disclosure Hiddenness helps for pit or for mine field Hiddenness helps for pit or for mine field Hiddenness & the first-time attack Hiddenness & the first-time attack N = number of attacks N = number of attacks L = learning from attacks L = learning from attacks C = communicate with other attackers C = communicate with other attackers Hiddenness works much less well for Hiddenness works much less well for Mass-market software Mass-market software Firewalls Firewalls Encryption algorithms (Diffies point about keys and cryptosystems) Encryption algorithms (Diffies point about keys and cryptosystems)

What Is Different for Cyber Attacks? Many attacks (high N) Many attacks (high N) Each attack is low cost on firewalls, etc. Each attack is low cost on firewalls, etc. By contrast, more costly to find out location of mines By contrast, more costly to find out location of mines Attackers learn from previous attacks (high L) Attackers learn from previous attacks (high L) This trick got me root access This trick got me root access Attackers communicate about vulnerabilities (C) Attackers communicate about vulnerabilities (C) Because of attackers knowledge, disclosure often helps defenders more than attackers for cyber attacks Because of attackers knowledge, disclosure often helps defenders more than attackers for cyber attacks

III. Incentives to Disclose A Theory of Disclosure for Security & Competitive Reasons: Open Source, Proprietary Software, and Government Agencies A Theory of Disclosure for Security & Competitive Reasons: Open Source, Proprietary Software, and Government Agencies Security reasons to disclose or not Security reasons to disclose or not Competitive reasons to disclose or not Competitive reasons to disclose or not Actual disclosure is a function of both Actual disclosure is a function of both Distinct models needed to analyze security & competitive incentives Distinct models needed to analyze security & competitive incentives

ProducerSecurityCompetition Open Source Ideologically open; Some secret sauce (Case 1) Ideologically open; Apparently high use of trade secrets (Case 2) ProprietarySoftware Monopolist on source code; disclosure based on monopsony and market power (Case 3) Monopolist on source code; disclosure based on how open standards help profits (Case 4) Government Information sharing dilemma (help attackers & defenders); public choice model (Case 5) Turf maximization, e.g., FBI vs. local police for the credit (Case 6)

Incentives to Disclose Themes for private sector: Themes for private sector: A lot of secrecy in Open Source software A lot of secrecy in Open Source software A lot of openness in proprietary software A lot of openness in proprietary software Significant convergence, especially recently Significant convergence, especially recently Incentives for government to disclose are often far less than seems optimal Incentives for government to disclose are often far less than seems optimal So, need FOIA and other mechanisms to compensate So, need FOIA and other mechanisms to compensate

III. Information Sharing & Privacy in the War Against Terrorism Intelligence reform and many calls in DC for more information sharing Intelligence reform and many calls in DC for more information sharing Assumption that more sharing is good Assumption that more sharing is good My view: information sharing is a hard case My view: information sharing is a hard case E.g., tell watch list to all customs agents E.g., tell watch list to all customs agents High benefits if info goes to the good guys High benefits if info goes to the good guys High costs if info goes to the bad guys High costs if info goes to the bad guys Often, limited ability to do one & not the other Often, limited ability to do one & not the other

Info Sharing & War on Terror I propose due diligence list for analysis of new info sharing programs I propose due diligence list for analysis of new info sharing programs 10-point list 10-point list First – will sharing tip off your adversaries? First – will sharing tip off your adversaries? Second – does propose measure further security? Cost-effectively? Second – does propose measure further security? Cost-effectively? Have presented to ODNI, WH Privacy & Civil Liberties Board Have presented to ODNI, WH Privacy & Civil Liberties Board Attempt to give practical way to do due diligence on new info sharing programs Attempt to give practical way to do due diligence on new info sharing programs

Conclusion Economics-based approach to when disclosure good for the ecosystem, and when have incentives to disclose Economics-based approach to when disclosure good for the ecosystem, and when have incentives to disclose Identifies the variables that would drive the analysis Identifies the variables that would drive the analysis Warmly invite additional research into the empirics or interesting cases – when the variables should result in disclosure or not Warmly invite additional research into the empirics or interesting cases – when the variables should result in disclosure or not