A Model for When Disclosure Helps Security: What is Different About Computer & Network Security? Peter P. Swire Ohio State University George Mason CII Conference June 11, 2004
Framing the Project • My background in privacy • Data spreads rapidly and widely • Scott McNealy: “You have zero privacy. Get over it.” • My current research in security • Data spreads rapidly and widely • “You have zero secrecy. Get over it.” • Is that right? When does secrecy help security?
Is Secrecy Dead? • A paradox • Open Source mantra: “No Security Through Obscurity” • Secrecy does not work • Disclosure is virtuous • Military motto: “Loose Lips Sink Ships” • Secrecy is essential • Disclosure is treason
Overview • A model for when each approach is correct -- assumptions for the Open Source & military approaches • Key reasons computer & network security often differ from earlier security problems • Relax the assumptions • Insights from the Efficient Capital Markets Hypothesis literature for efficiency of computer attacks
I. Model for When Disclosure Helps Security • Identify chief costs and benefits of disclosure • Effect on attackers • Effect on defenders • Describe scenarios where disclosure of a defense likely to have net benefits or costs
Open Source & Disclosure Helps Defenders • Attackers learn little or nothing from public disclosure • Disclosure prompts designers to improve the defense -- learn of flaws and fix • Disclosure prompts other defenders/users of software to patch and fix • Net: Costs of disclosure low. Benefits high. • [I am not taking a position on proprietary v. Open Source – focus is on when disclosure improves security]
Military Base & Disclosure Helps Attackers • It is hard for attackers to get close enough to learn the physical defenses • Disclosure teaches the designers little about how to improve the defenses • Disclosure prompts little improvement by other defenders. • Net: Costs from disclosure high but few benefits.
[Figure: Effects of Disclosure. Grid with axes "Help Defenders" (Low to High) and "Help Attackers" (Low to High); labeled cells: Open Source, Military/Intelligence.]
[Figure: Effects of Disclosure -- II. Axis: Help Defenders (Low to High).]
II. Why Computer & Network Security Often Differs • Hiddenness & the first-time attack • “Uniqueness” of the defense • Computer/network security and “no security through obscurity” • Firewalls • Software programs • Encryption algorithms
The First-Time Attack • A weak defense often succeeds against the first attack • Pit covered with leaves & first attack • More realistically, hidden mines • By 2d or 10th attack, it does not work
“Uniqueness” of the Defense • E: initial effectiveness of a defense • N: number of attacks • L: learning by defenders from an attack • C: communication to other defenders • A: alteration by the next attack • Designers learn how to fix (the patch) • Other defenders install the patch • Example of placement of hidden pit/mines
Low Uniqueness Common for Computer & Network Security • Firewalls • High N, L, C & A • Even unskilled script kiddies can get in • Secrecy about a flaw will likely not work • Disclosure of vulnerability may prompt designers to fix and firewall owners to install the patch
Mass-market Software • Mass-market software • High N, L, C, & A • Secrecy about a flaw will likely not work • Disclosure of vulnerability may prompt designers to fix and software users to install the patch
Encryption • “Hidden writing” and the birthplace of openness about algorithms • High L, C, & A; very high N on the Net • Kerckhoffs’ theorem -- the cryptosystem should assume openness but the key should remain secret
Network/Computer Security • Enlargement of the Public Domain • Search engines and the Net • Attackers have higher C, so lower costs if decide to disclose • Designers and other defenders learn more quickly, so higher benefits if decide to disclose • Open Source paradigm more likely to apply than for traditional, physical attacks
III. Relaxing the Assumptions • Other results in the paper about deterrence, surveillance, etc. • Now, critique assumption that attackers already know about vulnerabilities • Idea: Open Source paradigm implicitly assumes strong or semi-strong ECMH • But, argument for
Analogy to ECMH • Idea: Open Source paradigm implicitly assumes strong or semi-strong ECMH • ECMH: quickly get to efficient outcome where outsiders/traders exploit available information • Information about the company will be used by traders • Open Source: quickly get to outcome where outsiders/attackers exploit available information • Information about the defense will be used by attackers
ECMH in the Academy Today • Previously, many economists accepted ECMH; today, less faith in it • My claim is that efficiency is less for attackers discovering vulnerabilities • Modern software large, so N per line of code may be low • Security efforts, so bugs/line of code down • “Bug hunters” say each vulnerability can be costly to discover
Physical & Cyber Security • Defend the buried pipeline • Hard for attackers to learn the key vulnerable point • Expensive to rebuild pipeline once in place • Vulnerabilities often unique • Defend the software • Easy for attackers to learn of vulnerability (warez & hacker sites) • Relatively inexpensive to patch & update • Vulnerabilities often large scale/mass market
[Figure: Effects of Disclosure. Axis: Help Defenders (Low to High).]
What Makes Cyber Attacks Different? • A key concept: the first-time attack • The first time, defenders have the advantage: • Simple tricks can foil the attack • Attackers have not learned weak points • On attack #1000, attackers have the edge: • They avoid the established defenses • They learn the weak points • Computer scientists: “Instance” helps the defense
What Is Different for Cyber Attacks? • Many attacks • Each attack is low cost • More costly to find out location of machine guns • Attackers learn from previous attacks • This trick got me root access • Attackers communicate about vulnerabilities • Because of attackers' knowledge, disclosure often helps defenders more than attackers for cyber attacks
Conclusion • I am proposing a basic model for when disclosure helps security • Disclosure helps defenders? Attackers? • Explains reasons for less disclosure of vulnerabilities for military, intel, & physical • Explains reasons for greater disclosure for many software and computer system settings • Other reasons to consider disclosure or not • FOIA/accountability • Privacy/confidentiality • Have an intellectual framework for proceeding