1 / 26

Peter P. Swire Ohio State University George Mason CII Conference June 11, 2004

A Model for When Disclosure Helps Security: What is Different About Computer & Network Security?. Peter P. Swire Ohio State University George Mason CII Conference June 11, 2004. Framing the Project. My background in privacy Data spreads rapidly and widely

oakley
Download Presentation

Peter P. Swire Ohio State University George Mason CII Conference June 11, 2004

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A Model for When Disclosure Helps Security: What is Different About Computer & Network Security? Peter P. Swire Ohio State University George Mason CII Conference June 11, 2004

  2. Framing the Project • My background in privacy • Data spreads rapidly and widely • Scott McNealy: “You have zero privacy. Get over it.” • My current research in security • Data spreads rapidly and widely • “You have zero secrecy. Get over it.” • Is that right? When does secrecy help security?

  3. Is Secrecy Dead? • A paradox • Open Source mantra: “No Security Through Obscurity” • Secrecy does not work • Disclosure is virtuous • Military motto: “Loose Lips Sink Ships” • Secrecy is essential • Disclosure is treason

  4. Overview • A model for when each approach is correct -- assumptions for the Open Source & military approaches • Key reasons computer & network security often differ from earlier security problems • Relax the assumptions • Insights from the Efficient Capital Markets Hypothesis literature for efficiency of computer attacks

  5. I. Model for When Disclosure Helps Security • Identify chief costs and benefits of disclosure • Effect on attackers • Effect on defenders • Describe scenarios where disclosure of a defense likely to have net benefits or costs

  6. Open Source & DisclosureHelps Defenders • Attackers learn little or nothing from public disclosure • Disclosures prompts designers to improve the defense -- learn of flaws and fix • Disclosure prompts other defenders/users of software to patch and fix • Net: Costs of disclosure low. Bens high. • [I am not taking a position on proprietary v. Open Source – focus is on when disclosure improves security]

  7. Military Base & Disclosure Helps Attackers • It is hard for attackers to get close enough to learn the physical defenses • Disclosure teaches the designers little about how to improve the defenses • Disclosure prompts little improvement by other defenders. • Net: Costs from disclosure high but few benefits.

  8. Effects of Disclosure Help Defenders Low High

  9. Low Help Attackers High Open Source Military/ Intelligence Effects of Disclosure -- II Help Defenders Low High

  10. Effects of Disclosure -- II

  11. II. Why Computer & Network Security Often Differs • Hiddenness & the first-time attack • “Uniqueness” of the defense • Computer/network security and “no security through obscurity” • Firewalls • Software programs • Encryption algorithms

  12. The First-Time Attack • A weak defense often succeeds against the first attack • Pit covered with leaves & first attack • More realistically, hidden mines • By 2d or 10th attack, it does not work

  13. “Uniqueness” of the Defense • E:initial effectiveness of a defense • N: number of attacks • L: learning by defenders from an attack • C: communication to other defenders • A: alteration by the next attack • Designers learn how to fix (the patch) • Other defenders install the patch • Example of placement of hidden pit/mines

  14. Low Uniqueness Common for Computer & Network Security • Firewalls • High N, L, C & A • Even unskilled script kiddies can get in • Secrecy about a flaw will likely not work • Disclosure of vulnerability may prompt designers to fix and firewall owners to install the patch

  15. Mass-market Software • Mass-market software • High N, L, C, & A • Secrecy about a flaw will likely not work • Disclosure of vulnerability may prompt designers to fix and software users to install the patch

  16. Encryption • “Hidden writing” and the birthplace of openness about algorithms • High L, C, & A; very high N on the Net • Kerckhoffs’ theorem -- the cryptosystem should assume openness but the key should remain secret

  17. Network/Computer Security • Enlargement of the Public Domain • Search engines and the Net • Attackers have higher C, so lower costs if decide to disclose • Designers and other defenders learn more quickly, so higher benefits if decide to disclose • Open Source paradigm more likely to apply than for traditional, physical attacks

  18. III. Relaxing the Assumptions • Other results in the paper about deterrence, surveillance, etc. • Now, critique assumption that attackers already know about vulnerabilities • Idea: Open Source paradigm implicitly assumes strong or semi-strong ECMH • But, argument for

  19. Analogy to ECMH • Idea: Open Source paradigm implicitly assumes strong or semi-strong ECMH • ECMH: quickly get to efficient outcome where outsiders/traders exploit available information • Information about the company will be used by traders • Open Source: quickly get to outcome where outsiders/attackers exploit available information • Information about the defense will be used by attackers

  20. ECMH in the Academy Today • Previously, many economists accepted ECMH; today, less faith in it • My claim is that efficiency is less for attackers discovering vulnerabilities • Modern software large, so N per line of code may be low • Security efforts, so bugs/line of code down • “Bug hunters” say each vulnerability can be costly to discover

  21. Physical & Cyber Security • Defend the buried pipeline • Hard for attackers to learn the key vulnerable point • Expensive to rebuild pipeline once in place • Vulnerabilities often unique • Defend the software • Easy for attackers to learn of vulnerability (warez & hacker sites) • Relatively inexpensive to patch & update • Vulnerabilities often large scale/mass market

  22. Effects of Disclosure Help Defenders Low High

  23. What Makes Cyber Attacks Different? • A key concept: the first-time attack • The first time, defenders have the advantage: • Simple tricks can foil the attack • Attackers have not learned weak points • On attack #1000, attackers have the edge: • They avoid the established defenses • They learn the weak points • Computer scientists: “Instance” helps the defense

  24. What Is Different for Cyber Attacks? • Many attacks • Each attack is low cost • More costly to find out location of machine guns • Attackers learn from previous attacks • This trick got me root access • Attackers communicate about vulnerabilities • Because of attackers knowledge, disclosure often helps defenders more than attackers for cyber attacks

  25. Conclusion • I am proposing a basic model for when disclosure helps security • Disclosure helps defenders? Attackers? • Explains reasons for less disclosure of vulnerabilities for military, intel, & physical • Explains reasons for greater disclosure for many software and computer system settings • Other reasons to consider disclosure or not • FOIA/accountability • Privacy/confidentiality • Have an intellectual framework for proceeding

More Related