A Model for When Disclosure Helps A Model for When Disclosure Helps Security: Security: What is Different About What is Different About Computer & Network Security?Computer & Network Security?

Peter P. SwirePeter P. SwireOhio State UniversityOhio State UniversityGeorge Mason CII ConferenceGeorge Mason CII ConferenceJune 11, 2004June 11, 2004

Framing the ProjectFraming the Project

My background in privacyMy background in privacy Data spreads rapidly and widelyData spreads rapidly and widely Scott McNealy: “You have zero privacy. Get Scott McNealy: “You have zero privacy. Get

over it.”over it.” My current research in securityMy current research in security

Data spreads rapidly and widelyData spreads rapidly and widely ““You have zero secrecy. Get over it.”You have zero secrecy. Get over it.” Is that right? When does secrecy help Is that right? When does secrecy help

security?security?

Is Secrecy Dead?Is Secrecy Dead?

A paradoxA paradox Open Source mantra: “No Security Open Source mantra: “No Security

Through Obscurity”Through Obscurity” Secrecy does not workSecrecy does not work Disclosure is virtuousDisclosure is virtuous

Military motto: “Loose Lips Sink Ships”Military motto: “Loose Lips Sink Ships” Secrecy is essentialSecrecy is essential Disclosure is treasonDisclosure is treason

OverviewOverview

A model for when each approach is A model for when each approach is correct -- assumptions for the Open correct -- assumptions for the Open Source & military approachesSource & military approaches

Key reasons computer & network security Key reasons computer & network security often differ from earlier security problemsoften differ from earlier security problems

Relax the assumptionsRelax the assumptions Insights from the Efficient Capital Markets Insights from the Efficient Capital Markets

Hypothesis literature for efficiency of Hypothesis literature for efficiency of computer attackscomputer attacks

I. Model for When Disclosure I. Model for When Disclosure Helps SecurityHelps Security

Identify chief costs and benefits of Identify chief costs and benefits of disclosuredisclosure Effect on attackersEffect on attackers Effect on defendersEffect on defenders

Describe scenarios where disclosure of a Describe scenarios where disclosure of a defense likely to have net benefits or costsdefense likely to have net benefits or costs

Open Source & DisclosureOpen Source & DisclosureHelps DefendersHelps Defenders

Attackers learn little or nothing from public Attackers learn little or nothing from public disclosuredisclosure

Disclosures prompts designers to improve Disclosures prompts designers to improve the defense -- learn of flaws and fixthe defense -- learn of flaws and fix

Disclosure prompts other defenders/users Disclosure prompts other defenders/users of software to patch and fixof software to patch and fix Net: Costs of disclosure low. Bens high.Net: Costs of disclosure low. Bens high.

[I am [I am notnot taking a position on proprietary v. taking a position on proprietary v. Open Source – focus is on when disclosure Open Source – focus is on when disclosure improves security]improves security]

Military Base & DisclosureMilitary Base & Disclosure Helps Attackers Helps Attackers

It is hard for attackers to get close enough It is hard for attackers to get close enough to learn the physical defensesto learn the physical defenses

Disclosure teaches the designers little Disclosure teaches the designers little about how to improve the defensesabout how to improve the defenses

Disclosure prompts little improvement by Disclosure prompts little improvement by other defenders. other defenders. Net: Costs from disclosure high but few Net: Costs from disclosure high but few

benefits. benefits.

Effects of DisclosureEffects of Disclosure

Low Help Attackers HighLow Help Attackers High

Open SourceOpen Source

Military/Military/

IntelligenceIntelligence

Hel

p D

efen

ders

Low

H

igh

Effects of Disclosure -- IIEffects of Disclosure -- II

Military/Military/

IntelligenceIntelligence

Open SourceOpen Source

Low Help Attackers HighLow Help Attackers High

Hel

p D

efen

ders

Low

H

igh

Effects of Disclosure -- IIEffects of Disclosure -- II

Open Source Information Sharing

Public Domain Military/Intelligence

II. Why Computer & Network II. Why Computer & Network Security Often DiffersSecurity Often Differs

Hiddenness & the first-time attackHiddenness & the first-time attack ““Uniqueness” of the defenseUniqueness” of the defense Computer/network security and “no Computer/network security and “no

security through obscurity”security through obscurity” FirewallsFirewalls Software programsSoftware programs Encryption algorithmsEncryption algorithms

The First-Time AttackThe First-Time Attack

A weak defense often succeeds against A weak defense often succeeds against the first attackthe first attack Pit covered with leaves & first attackPit covered with leaves & first attack More realistically, hidden minesMore realistically, hidden mines By 2d or 10th attack, it does not workBy 2d or 10th attack, it does not work

““Uniqueness” of the DefenseUniqueness” of the Defense

E:E: initial effectiveness of a defenseinitial effectiveness of a defense N:N: number of attacks number of attacks L:L: learning by defenders from an attack learning by defenders from an attack C:C: communication to other defenders communication to other defenders A:A: alteration by the next attack alteration by the next attack

Designers learn how to fix (the patch)Designers learn how to fix (the patch) Other defenders install the patchOther defenders install the patch

Example of placement of hidden pit/minesExample of placement of hidden pit/mines

Low Uniqueness Common for Low Uniqueness Common for Computer & Network SecurityComputer & Network Security

FirewallsFirewalls High High N, L, C & AN, L, C & A Even unskilled script kiddies can get inEven unskilled script kiddies can get in Secrecy about a flaw will likely not workSecrecy about a flaw will likely not work Disclosure of vulnerability may prompt Disclosure of vulnerability may prompt

designers to fix and firewall owners to install designers to fix and firewall owners to install the patchthe patch

Mass-market SoftwareMass-market Software

Mass-market softwareMass-market software High High N, L, C, & AN, L, C, & A Secrecy about a flaw will likely not workSecrecy about a flaw will likely not work Disclosure of vulnerability may prompt Disclosure of vulnerability may prompt

designers to fix and software users to install designers to fix and software users to install the patchthe patch

EncryptionEncryption

““Hidden writing” and the birthplace of Hidden writing” and the birthplace of openness about algorithmsopenness about algorithms High High L, C, & A; very high N on the NetL, C, & A; very high N on the Net Kerckhoffs’ theorem -- the cryptosystem Kerckhoffs’ theorem -- the cryptosystem

should assume openness but the key should should assume openness but the key should remain secretremain secret

Network/Computer SecurityNetwork/Computer Security

Enlargement of the Public DomainEnlargement of the Public Domain Search engines and the NetSearch engines and the Net Attackers have higher Attackers have higher C, C, so lower costs if so lower costs if

decide to disclosedecide to disclose Designers and other defenders learn more Designers and other defenders learn more

quickly, so higher benefits if decide to quickly, so higher benefits if decide to disclosedisclose

Open Source paradigm more likely to apply Open Source paradigm more likely to apply than for traditional, physical attacksthan for traditional, physical attacks

III. Relaxing the AssumptionsIII. Relaxing the Assumptions

Other results in the paper about Other results in the paper about deterrence, surveillance, etc.deterrence, surveillance, etc.

Now, critique assumption that attackers Now, critique assumption that attackers already already know about vulnerabilitiesknow about vulnerabilities

Idea: Open Source paradigm implicitly assumes Idea: Open Source paradigm implicitly assumes strong or semi-strong ECMHstrong or semi-strong ECMH

But, argument for But, argument for

Analogy to ECMHAnalogy to ECMH

Idea: Open Source paradigm implicitly assumes Idea: Open Source paradigm implicitly assumes strong or semi-strong ECMHstrong or semi-strong ECMH

ECMH: quickly get to efficient outcome where ECMH: quickly get to efficient outcome where outsiders/traders exploit available informationoutsiders/traders exploit available information Information about the company will be used Information about the company will be used

by tradersby traders Open Source: quickly get to outcome where Open Source: quickly get to outcome where

outsiders/attackers exploit available informationoutsiders/attackers exploit available information Information about the defense will be used by Information about the defense will be used by

attackersattackers

ECMH in the Academy TodayECMH in the Academy Today

Previously, many economists accepted Previously, many economists accepted ECMH; today, less faith in itECMH; today, less faith in it

My claim is that efficiency is less for My claim is that efficiency is less for attackers discovering vulnerabilitiesattackers discovering vulnerabilities Modern software large, so Modern software large, so N N per line of code per line of code

may be lowmay be low Security efforts, so bugs/line of code downSecurity efforts, so bugs/line of code down ““Bug hunters” say each vulnerability can be Bug hunters” say each vulnerability can be

costly to discovercostly to discover

Physical & Cyber SecurityPhysical & Cyber Security

Defend the buried pipelineDefend the buried pipeline Hard for attackers to learn the key vulnerable Hard for attackers to learn the key vulnerable

pointpoint Expensive to rebuild pipeline once in placeExpensive to rebuild pipeline once in place Vulnerabilities often uniqueVulnerabilities often unique

Defend the softwareDefend the software Easy for attackers to learn of vulnerability (warez Easy for attackers to learn of vulnerability (warez

& hacker sites)& hacker sites) Relatively inexpensive to patch & updateRelatively inexpensive to patch & update Vulnerabilities often large scale/mass marketVulnerabilities often large scale/mass market

Effects of DisclosureEffects of Disclosure

Low Help Attackers HighLow Help Attackers High

Open SourceOpen Source

Physical facilitiesPhysical facilities 1.1. Military/ IntelMilitary/ Intel

2.2. Physical facilitiesPhysical facilities

Hel

p D

efen

ders

Low

H

igh

What Makes Cyber Attacks What Makes Cyber Attacks Different?Different?

A key concept: the first-time attackA key concept: the first-time attack The first time, defenders have the advantage:The first time, defenders have the advantage:

Simple tricks can foil the attackSimple tricks can foil the attack Attackers have not learned weak pointsAttackers have not learned weak points

On attack #1000, attackers have the edge:On attack #1000, attackers have the edge: They avoid the established defensesThey avoid the established defenses They learn the weak pointsThey learn the weak points

Computer scientists: “Instance” helps the Computer scientists: “Instance” helps the defensedefense

What Is Different for Cyber What Is Different for Cyber Attacks? Attacks?

ManyMany attacks attacks Each attack is low costEach attack is low cost

More costly to find out location of machine More costly to find out location of machine gunsguns

Attackers learn from previous attacksAttackers learn from previous attacks This trick got me root accessThis trick got me root access

Attackers communicate about vulnerabilitiesAttackers communicate about vulnerabilities Because of attackers knowledge, disclosure Because of attackers knowledge, disclosure

often helps defenders more than attackers for often helps defenders more than attackers for cyber attacks cyber attacks

ConclusionConclusion I am proposing a basic model for when I am proposing a basic model for when

disclosure helps securitydisclosure helps security Disclosure helps defenders? Attackers?Disclosure helps defenders? Attackers?

Explains reasons for less disclosure of Explains reasons for less disclosure of vulnerabilities for military, intel, & physicalvulnerabilities for military, intel, & physical

Explains reasons for greater disclosure for many Explains reasons for greater disclosure for many software and computer system settingssoftware and computer system settings

Other reasons to consider disclosure or notOther reasons to consider disclosure or not FOIA/accountabilityFOIA/accountability Privacy/confidentialityPrivacy/confidentiality

Have an intellectual framework for proceedingHave an intellectual framework for proceeding