What Should be Hidden and Open in Computer Security: Lessons from Deception, the Art of War, Law, and Economic Theory Professor Peter P. Swire George Washington.


What Should be Hidden and Open in Computer Security: Lessons from Deception, the Art of War, Law, and Economic Theory
Professor Peter P. Swire, George Washington University
TPRC-2001, October 28, 2001

Overview of the Talk
- Military base is hidden but computer security is open
- Compare physical & computer security
- Model for openness in computer security
- Economic model: monopoly v. competition
- Military model: Sun Tzu v. Clausewitz
- Applications
- Research agenda

I. Physical and Computer Security
- Physical walls and the pit covered with leaves
- Computer security
  - Firewalls
  - Packaged software
  - Encryption

II. Model for Hiddenness in Computer Security
- Static model
- Dynamic model

Static Model for Openness
- First-time vs. repeated attacks
- Learning from attacks
  - Surveillance vs. other defenses
- Communication among attackers
  - Script kiddies and the diffusion of knowledge

Dynamic Model
- Security-enhancing effect
  - Many software bugs
  - Repeated attacks on computers
  - Security and interoperability
  - Security expertise outside the organization
- FOIA and other accountability effects

III. Economics and Openness in Computer Security
- System information hidden -- monopolist over the security information
- Open source and system information open -- competitive market
- Strong presumption in economic theory for the competitive market

Monopoly and Under-disclosure
- Competitive market -- system/software designer discloses where the benefits of disclosure exceed the costs of disclosure
- Monopolist -- costs $100 extra to re-design, but gains $10 per user; may not re-design
- Disclosure may reduce market power
- Disclosure may reduce network externalities

Other Lessons from Economics
- Other market failures
  - Information asymmetries and under-openness
- Government systems: even stronger incentives to under-disclose
  - Lack the market incentive to disclose enough to gain sales
  - Optimal disclosure (competitive market)
  - Some disclosure (monopoly market)

IV. Military Strategy & Openness
- Sun Tzu and "all war is deception"
- Clausewitz and deception as incidental
- Hiddenness and terrain
  - Mountains (deception works)
  - Plains (deception doesn't work much)
- Hiddenness and technology
  - Detection -- binoculars & infrared
  - Communication -- radio and the Internet

Military & Openness
- Sun Tzu and the intelligence agencies
- Brute force attack & Clausewitz
  - Hackers and the opposite of deception
- Intellectual project
  - Military (usually hidden)
  - Economics (usually open)
  - Computer security (intuition unshaped)

V. Some Applications
- Open source movement as better security?
  - When is there security through obscurity?
- DMCA and the Felten case
  - Ignores the security-enhancing effect
- Classified employees for computer security?
- Carnivore as open source?
- New FOIA limits on computer security?

Concluding Thoughts
- A new field of study:
  - What should be hidden or open in computer security?
  - Future conferences and studies on this?
- Big shift to openness for computer security compared to physical security
- What is optimal for military computer systems?
- I invite comments, sources, and questions!