Schneier on Security
A blog covering security and security technology.
March 9, 2005
Secrecy and Security
In my previous entry, I wrote about the U.S. government's SSI classification. I meant it as to be an analysis of the procedures of secrecy, not an analysis of secrecy as security.
I've previously written about the relationship between secrecy and security. I think secrecy hurts security in all but a few well-defined circumstances.
In recent years, the U.S. government has pulled a veil of secrecy over much of its inner workings, using security against terrorism as an excuse. The Director of the National Security Archive recently gave excellent testimony on the topic. This is worth reading both for this general conclusions and for his specific data.
The lesson of 9/11 is that we are losing protection by too much secrecy. The risk is that by keeping information secret, we make ourselves vulnerable. The risk is that when we keep our vulnerabilities secret, we avoid fixing them. In an open society, it is only by exposure that problems get fixed. In a distributed information networked world, secrecy creates risk -- risk of inefficiency, ignorance, inaction, as in 9/11. As the saying goes in the computer security world, when the bug is secret, then only the vendor and the hacker know -- and the larger community can neither protect itself nor offer fixes.
Powered by Movable Type. Photo at top by Per Ervland.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.