
2 - A Model for When Disclosure Helps Security: What Is Different about Computer and Network Security?

Published online by Cambridge University Press:  18 August 2009

Peter P. Swire
Affiliation:
Professor of Law and John Glenn Research Scholar in Public Policy Research, Ohio State University, Moritz College of Law
Mark F. Grady
Affiliation:
University of California, Los Angeles
Francesco Parisi
Affiliation:
George Mason University, Virginia

Summary

This article asks the question, When does disclosure actually help security? The issue of optimal openness has become newly important as the Internet and related technologies have made it seem inevitable that information will leak out. Sun Microsystems CEO Scott McNealy received considerable press attention a few years ago when he said, “You have zero privacy. Get over it” (Froomkin 2000). An equivalent statement for security would be, “You have zero secrecy. Get over it.” Although there is a germ of truth in both statements, neither privacy nor secrecy is or should be dead. Instead, this article seeks to provide a more thorough theoretical basis for assessing how disclosure of information will affect security. In particular, it seeks to understand the differences between traditional security practices in the physical world, on the one hand, and best practices for computer and network security, on the other.

The discussion begins with a paradox. Most experts in computer and network security are familiar with the slogan that “there is no security through obscurity.” For proponents of Open Source software, revealing the details of the system will actually tend to improve security, notably due to peer review. On this view, trying to hide the details of the system will tend to harm security because attackers will learn about vulnerabilities but defenders will not know where to patch the vulnerabilities. In sharp contrast, a famous World War II slogan has it that “loose lips sink ships.”

Type
Chapter
Information
Publisher: Cambridge University Press
Print publication year: 2005


References

Allen, William T. 2003. Securities Markets as Social Products. The Pretty Efficient Capital Market Hypothesis. Journal of Corporate Law 28:551
Band, Jonathan. 2003. New Theories of Database Protection. Managing Intellectual Property, March. http://www.firstmonday.org/issues/issue5_10/adar/index.html
Boyle, James. 2003. The Second Enclosure Movement and the Construction of the Public Domain. Law and Contemporary Problems 66:33
Bush, Randy, and Steven M. Bellovin. 2002. Security through Obscurity Dangerous. Working draft for Internet Engineering Task Force. https://rip.psg.com/~randy/draft-ymbk-obscurity-01.html
Center for Democracy and Technology. 2002. TSA Issues Second Privacy Act Notice Expanding and Narrowing CAPPS II, July 31, 2003. http://www.cdt.org/wiretap
Chapman, D. Brent, and Zwicky, Elizabeth D. 1995. Building Internet Firewalls. Sebastopol, CA: O'Reilly & Associates
Cunningham, Lawrence A. 1994. From Random Walks to Chaotic Crashes: The Linear Genealogy of the Efficient Capital Market Hypothesis. George Washington Law Review 62:546
Easterbrook, Frank H. 1996. Cyberspace and the Law of the Horse. University of Chicago Law Forum 1996:207
Fama, Eugene. 1965. The Behavior of Stock Market Prices. Journal of Business 38:34
Farrell, Joseph, and Weiser, Philip. 2003. Modularity, Vertical Integration, and Open Access Policies: Towards a Convergence of Antitrust and Regulation in the Internet Age. Harvard Journal of Law and Technology 17:85
Fisher, Dennis. 2002. Microsoft Puts Meat behind Security Push. EWeek, September 30. http://www.landfield.com/isn/mail-archive/2002/Oct)0004.html
Froomkin, A. Michael. 2000. The Death of Privacy. Stanford Law Review 52:1461
Goldsmith, Jack L. 1998. Against Cyberanarchy. University of Chicago Law Review 65:1199
Gonggrijp, Rop. 1992. Netware Users React to Security Threat. Internet Week, October 5, p. 2
Granneman, Scott. 2004. The Perils of Googling. The Register, March 10. http://www.theregister.co.uk/content/55/36142.html
Hauben, Michael. 2004. History of ARPANET: Behind the Net – The Untold History of the APRANET: Or The “Open” History of ARPANET/Internet. http://www.dei.isep.ipp.pt.docs/arpa.html
Kahn, David. 1996. The Codebreakers: The Story of Secret Writing. New York: Penguin/New American Library
Lee, Edward. 2003. The Public's Domain: The Evolution of Legal Restraints on the Government's Power to Control Public Access through Secrecy or Intellectual Property. Hastings Law Journal 55:91
Lee, Michael. 1999. Electronic Commerce, Hackers, and the Search for Legitimacy: A Regulatory Proposal. Berkeley Technology Law Journal 14:839
Lessig, Lawrence. 2002. The Future of Ideas: The Fate of the Commons in a Connected World. New York: Random House
Malik, Attiya. 2003. Are You Content with the Content? Intellectual Property Implications of Weblog Publishing. John Marshall Journal of Computer and Information Law 21:349
Markoff, John. 1999. U.S. Drawing Plan That Will Monitor Computer Systems. New York Times, July 28, p. A1
Microsoft. 2003. Understanding Patch and Update Management: Microsoft's Software Update Strategy. White paper
National Science Foundation. 1993. Review of NSFNET. Arlington, VA: National Science Foundation, Office of Inspector General, March 23
Owens, Bill. 2000. Lifting the Fog of War. Baltimore: John Hopkins University Press
Schneier, Bruce. 1996. Applied Cryptography. 2d ed. Hoboken, NJ: Wiley
Schneier, Bruce. 2002. Secrecy, Security, and Obscurity. Cryptogram Newsletter, May 15. http://www.schneier.com/crypto-gram-0205.html
Schneier, Bruce. 2003a. Beyond Fear: Thinking Sensibly about Security in an Uncertain World. New York: Copernicus Books
Schneier, Bruce. 2003b. Internet Shield: Secrecy and Security. San Francisco Chronicle, March 2
Singh, Simon. 1999. The Code Book: The Evolution of Secrecy from Mary Queen of Scots to Quantum Cryptography. New York: Doubleday, p. D5
Stephenson, Neal. 2002. Cryptonomicon. New York: Avon
Stout, Lynn A. 2003. The Mechanisms of Market Efficiency: An Introduction to the New Finance. Journal of Corporate Law 28:635
Swire, Peter P. 2004a. Information Sharing, the Patriot Act, and Privacy. Presentation made February 28. www.peterswire.net
Swire, Peter P. 2004b. The System of Foreign Intelligence Surveillance Law. George Washington Law Review
Volokh, Eugene. 2004. Crime-Facilitating Speech. Unpublished draft
Weisman, Robert. 2004. Investors Monitoring Climate for Google IPO. Miami-Herald.com, March 21. http://www.miam.com/mld/miamiherald/business/national/8243019.htm
Williamson, Oliver E. 1998. The Economic Institutions of Capitalism. New York: The Free Press
Winn, Jane Kaufman. 1998. Open Systems, Free Markets, and Regulation of Internet Commerce. Tulane Law Review 72:1177
