What Should be Hidden and Open in Computer Security: Lessons from Deception, the Art of War, Law,...
“What Should be Hidden and Open in Computer Security: Lessons from Deception, the Art of War, Law, and Economic Theory”
Professor Peter P. Swire
George Washington University
TPRC-2001
October 28, 2001

Overview of the Talk
Military base is hidden but computer security is open
Compare physical & computer security
Model for openness in computer security
Economic model: monopoly v. competition
Military model: Sun Tzu v. Clausewitz
Applications
Research agenda

I. Physical and Computer Security
Physical walls and the pit covered with leaves
Computer security
– Firewalls
– Packaged software
– Encryption

II. Model for Hiddenness in Computer Security
Static model
Dynamic model

Static Model for Openness
First-time vs. repeated attacks
Learning from attacks
– Surveillance vs. other defenses
Communication among attackers
– Script kiddies and the diffusion of knowledge

Dynamic Model
Security-enhancing effect
– Many software bugs
– Repeated attacks on computers
– Security and inter-operability
– Security expertise outside the organization
FOIA and other accountability effects

III. Economics and Openness in Computer Security
System information hidden -- the designer is a monopolist over the security information
Open source and system information open -- competitive market
Strong presumption in economic theory for the competitive market

Monopoly and Under-disclosure
Competitive market -- system/software designer discloses where the benefits of disclosure exceed the costs of disclosure
Monopolist -- a re-design costs $100 extra while each user gains $10; the monopolist may not capture that gain and may not re-design
Disclosure may reduce market power
Disclosure may reduce network externalities

Other Lessons from Economics
Other market failures
– Information asymmetries and under-openness
Government systems have even stronger incentives to under-disclose
– Lack the market incentive to disclose enough to gain sales
– Optimal disclosure (competitive market)
– Some disclosure (monopoly market)

IV. Military Strategy & Openness
Sun Tzu and “all war is deception”
Clausewitz and deception as incidental
Hiddenness and terrain
– Mountains (deception works)
– Plains (deception doesn’t work much)
Hiddenness and technology
– Detection -- binoculars & infrared
– Communication -- radio and Internet

Military & Openness
Sun Tzu and the intelligence agencies
“Brute force attack” & Clausewitz
– Hackers and the opposite of deception
Intellectual project
– Military (usually hidden)
– Economics (usually open)
– Computer security (intuition unshaped)

V. Some Applications
Open source movement as better security?
– When is there “security through obscurity”?
DMCA and the Felten case
– Ignores the security-enhancing effect
Classified employees for computer security?
Carnivore as open source?
New FOIA limits on computer security?

Concluding Thoughts
A new field of study:
– What should be hidden or open in computer security?
– Future conferences and studies on this?
Big shift to openness for computer security compared to physical security
What is optimal for military computer systems?
I invite comments, sources, and questions!