Secrecy and Security

In my previous entry, I wrote about the U.S. government’s SSI classification. I meant it as to be an analysis of the procedures of secrecy, not an analysis of secrecy as security.

I’ve previously written about the relationship between secrecy and security. I think secrecy hurts security in all but a few well-defined circumstances.

In recent years, the U.S. government has pulled a veil of secrecy over much of its inner workings, using security against terrorism as an excuse. The Director of the National Security Archive recently gave excellent testimony on the topic. This is worth reading both for this general conclusions and for his specific data.

The lesson of 9/11 is that we are losing protection by too much secrecy. The risk is that by keeping information secret, we make ourselves vulnerable. The risk is that when we keep our vulnerabilities secret, we avoid fixing them. In an open society, it is only by exposure that problems get fixed. In a distributed information networked world, secrecy creates risk—risk of inefficiency, ignorance, inaction, as in 9/11. As the saying goes in the computer security world, when the bug is secret, then only the vendor and the hacker know—and the larger community can neither protect itself nor offer fixes.

Tags: cost-benefit analysis, secrecy, transparency, vulnerabilities

Posted on March 9, 2005 at 7:46 AM • 8 Comments

Comments

Israel Torres • March 9, 2005 9:42 AM

Secrets are supposed to be good for the guys with the secret, and bad for the guys without the secret. It is when the guys without the secret want the secret, but since it is secret may not know there is a secret to be had. This is usually when the guys with the secret that had such a good thing going for them ends up losing the secret in the fact that they mention there is a secret being kept secret.- Setec Astronomy

Israel Torres

Davi Ottenheimer • March 9, 2005 10:34 AM

Wow. Fantastic reading material. A couple key excerpts:

“The strength of our open society is the free flow of information but the [Bush Administration’s] SHARE concept looks more like the Soviet GOSPLAN.”

“We are not balancing protection against the public’s desire to know. The tension is actually between bureaucratic imperatives of information control versus empowering the public and thus making us more safe.”

“If you create a power center for creating and holding secrets, like the new intelligence czar, then you need a counter center for declassifying secrets.”

If we know the simple truth that information = security, then why do citizens let their leaders engage in secrecy? I believe this will be the true legacy of the information age, ala search engines and data warehousing, that openness will prevail as the flow of information rolls over and around those that try to stand in its way.

Many people still operate under the mistaken assumption that secrecy deprives attackers of critical knowledge, due to cost or other obstacles, or gives investigators an edge. But the reality is the complete opposite. Secrecy actually intereferes with investigations, if not totally prevents the efficient discovery of attacks, and it weakens prosecution of the attackers. Talk about killing your chances, making a case for secrecy is like someone telling you to try and win against a BlackJack dealer in Vegas, but without learning the rules of the game.

The government is essentially shooting itself in the foot by over-classifying documents and obfuscating the declassification process. In fact, I would like to slightly amend my post yesterday about SSI: SSI not only facilitates Soviet-esque extralegal operations, but it also hints that there are big cracks forming in the failed policy of secrecty — the government seeks a “secure” method to share information without admitting it is wrong about secrecy. Openness is not only more secure, it’s as inevitable as the wall falling in Berlin.

The case examples of this fact (mentioned in the testimony) include the unibomber, the DC sniper, and the 9/11 attacks (the arrest of Zacarias Moussaoui). Brilliant point. Perhaps, as an interesting tangent, we should bring up WorldCom and Enron, and ask that SOX proponents (who demand financial transparency in corporations) aim their sights a little closer to home.

Three cheers for Thomas Blanton.

Davi Ottenheimer • March 9, 2005 11:11 PM

Aha, a group just claimed to have datamined the NSA. It seems that they were able to extract a good deal of internal documentation that was “accidentally” exposed in an external system:

http://quintessenz.at/cgi-bin/index?id=000100003123

Clive Robinson • March 10, 2005 5:18 AM

Two old razorsors spring to mind,

1, “The truth will set you free”

2, “Secrecy protects the guilty”

Anybody know any others 😉

Proaxiom • March 10, 2005 12:12 PM

The testimony by the NSA director is really good.

It meshes with a conference the NSA Information Assurance Directorate had a couple of years ago with private industry representatives in which they described their future vision for IT in the military (this was the first time I heard about the Global Information Grid).

In the midst of it they had a talk about a culture shift within the NSA. Traditionally their security view revolved around the well-known CIA — Confidentiality, Integrity, and Availability — in that order. But now they have come to realize that their priorities are backwards, and they are reversing the order to make Availability the most important part of the IAD’s job, followed by Integrity and then Confidentiality.

Ultimately it comes down to them discovering that having the right information in the right people’s hands is more important than keeping the wrong information out of the wrong people’s hands.

Bruce Schneier • March 12, 2005 11:32 AM

“Anybody know any others ;)”

Sunlight is the best disinfectant.

Davi Ottenheimer • March 16, 2005 10:19 PM

Here’s an interesting article related to the point that we lose security by allowing too much secrecy:

http://news.yahoo.com/news?tmpl=story&ncid=742&e=1&u=/usatoday/20050316/cm_usatoday/secretjusticehidesrisks

“Secrecy can kill, as Americans found out during the summer of 2000.”

Davi Ottenheimer • March 16, 2005 10:37 PM

@Bruce

I like that one! It took a little poking around, but it comes from a US Supreme Court Justice, Louis Brandeis, who wrote in Harper’s Weekly, Dec 20 1913:

http://library.louisville.edu/law/brandeis/opm-ch5.html

“Publicity is justly commended as a remedy for social and industrial diseases. Sunlight is said to be the best of disinfectants; electric light the most efficient policeman.”

And it reminded me of the ending of a poem by Dylan Thomas:

“Do not go gentle into that good night.
Rage, rage against the dying of the light.”

Secrecy and Security

Comments

Leave a comment Cancel reply