What Should be Hidden and Open in Computer Security: Lessons from Deception, the Art of War, Law, and Economic Theory
Peter P. Swire

TL;DR
This paper explores the balance of openness and hiddenness in computer security, drawing lessons from military strategy, law, and economic theory to develop a comprehensive framework for what should be kept secret or revealed.
Contribution
It introduces an interdisciplinary theory combining military, legal, and economic perspectives to determine optimal openness and hiddenness in computer security.
Findings
Major security topics, such as firewalls and encryption, tend to favor openness.
Economic analysis reveals market failures in the level of openness in security.
Military strategies highlight the importance of deception and hiddenness in defense.
Abstract
"What Should be Hidden and Open in Computer Security: Lessons from Deception, the Art of War, Law, and Economic Theory" Peter P. Swire, George Washington University. Imagine a military base. It is defended against possible attack. Do we expect the base to reveal the location of booby traps and other defenses? No. But for many computer applications, a software developer will need to reveal a great deal about the code to get other system owners to trust the code and know how to operate with it. This article examines these conflicting intuitions and develops a theory about what should be open and hidden in computer security. Part I of the paper shows how substantial openness is typical for major computer security topics, such as firewalls, packaged software, and encryption. Part II shows what factors will lead to openness or hiddenness in computer security. Part III presents an…
Taxonomy
Topics: Cybersecurity and Cyber Warfare Studies
