Secrecy and Security

In my previous entry, I wrote about the U.S. government's SSI classification. I meant it to be an analysis of the procedures of secrecy, not an analysis of secrecy as security.

I've previously written about the relationship between secrecy and security. I think secrecy hurts security in all but a few well-defined circumstances.

In recent years, the U.S. government has pulled a veil of secrecy over much of its inner workings, using security against terrorism as an excuse. The Director of the National Security Archive recently gave excellent testimony on the topic. It is worth reading both for his general conclusions and for his specific data.

The lesson of 9/11 is that we are losing protection by too much secrecy. The risk is that by keeping information secret, we make ourselves vulnerable. The risk is that when we keep our vulnerabilities secret, we avoid fixing them. In an open society, it is only by exposure that problems get fixed. In a distributed information networked world, secrecy creates risk -- risk of inefficiency, ignorance, inaction, as in 9/11. As the saying goes in the computer security world, when the bug is secret, then only the vendor and the hacker know -- and the larger community can neither protect itself nor offer fixes.

Posted on March 9, 2005 at 7:46 AM • 8 Comments

Comments

Israel Torres • March 9, 2005 9:42 AM

Secrets are supposed to be good for the guys with the secret, and bad for the guys without the secret. It is when the guys without the secret want the secret, but since it is secret, they may not know there is a secret to be had. This is usually when the guys with the secret, who had such a good thing going for them, end up losing the secret by mentioning that there is a secret being kept secret. - Setec Astronomy

Israel Torres


Davi Ottenheimer • March 9, 2005 10:34 AM

Wow. Fantastic reading material. A couple key excerpts:

"The strength of our open society is the free flow of information but the [Bush Administration's] SHARE concept looks more like the Soviet GOSPLAN."

"We are not balancing protection against the public's desire to know. The tension is actually between bureaucratic imperatives of information control versus empowering the public and thus making us more safe."

"If you create a power center for creating and holding secrets, like the new intelligence czar, then you need a counter center for declassifying secrets."

If we know the simple truth that information = security, then why do citizens let their leaders engage in secrecy? I believe this will be the true legacy of the information age, ala search engines and data warehousing, that openness will prevail as the flow of information rolls over and around those that try to stand in its way.

Many people still operate under the mistaken assumption that secrecy deprives attackers of critical knowledge, due to cost or other obstacles, or gives investigators an edge. But the reality is the complete opposite. Secrecy actually interferes with investigations, if not totally preventing the efficient discovery of attacks, and it weakens prosecution of the attackers. Talk about killing your chances: making a case for secrecy is like someone telling you to try and win against a blackjack dealer in Vegas, but without learning the rules of the game.

The government is essentially shooting itself in the foot by over-classifying documents and obfuscating the declassification process. In fact, I would like to slightly amend my post yesterday about SSI: SSI not only facilitates Soviet-esque extralegal operations, but it also hints that there are big cracks forming in the failed policy of secrecy -- the government seeks a "secure" method to share information without admitting it is wrong about secrecy. Openness is not only more secure, it's as inevitable as the wall falling in Berlin.

The case examples of this fact (mentioned in the testimony) include the Unabomber, the DC sniper, and the 9/11 attacks (the arrest of Zacarias Moussaoui). Brilliant point. Perhaps, as an interesting tangent, we should bring up WorldCom and Enron, and ask that SOX proponents (who demand financial transparency in corporations) aim their sights a little closer to home.

Three cheers for Thomas Blanton.

Clive Robinson • March 10, 2005 5:18 AM

Two old razors spring to mind:

1. "The truth will set you free"

2. "Secrecy protects the guilty"

Anybody know any others ;)

Proaxiom • March 10, 2005 12:12 PM

The testimony by the NSA director is really good.

It meshes with a conference the NSA Information Assurance Directorate had a couple of years ago with private industry representatives in which they described their future vision for IT in the military (this was the first time I heard about the Global Information Grid).

In the midst of it they had a talk about a culture shift within the NSA. Traditionally their security view revolved around the well-known CIA -- Confidentiality, Integrity, and Availability -- in that order. But now they have come to realize that their priorities are backwards, and they are reversing the order to make Availability the most important part of the IAD's job, followed by Integrity and then Confidentiality.

Ultimately it comes down to them discovering that having the right information in the right people's hands is more important than keeping the wrong information out of the wrong people's hands.

Davi Ottenheimer • March 16, 2005 10:37 PM

@Bruce

I like that one! It took a little poking around, but it comes from a U.S. Supreme Court Justice, Louis Brandeis, who wrote in Harper's Weekly, Dec 20, 1913:

http://library.louisville.edu/law/brandeis/...

"Publicity is justly commended as a remedy for social and industrial diseases. Sunlight is said to be the best of disinfectants; electric light the most efficient policeman."

And it reminded me of the ending of a poem by Dylan Thomas:

"Do not go gentle into that good night.
Rage, rage against the dying of the light."


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..