What Should be Hidden and Open in Computer Security?

Title: What Should be Hidden and Open in Computer Security?

Research Question: How can we determine the optimal level of openness and secrecy in computer security to ensure both security and interoperability?

Methodology: The researcher uses a combination of legal, economic, and military theories to analyze the issue of what should be hidden and what should be open in computer security. They draw on their personal experience as a government official involved in encryption policy and computer security issues.

Results: The study suggests that the optimal level of openness for computer security is higher than for traditional physical security due to the need for interoperability between different systems. It also identifies several market failures that can lead to a lack of openness in government agencies, such as malicious harm by a software writer and information asymmetries.

Implications: The findings of this study have implications for both the legal and institutional frameworks surrounding computer security. It suggests that there may be a need for changes in laws and regulations to encourage greater openness in computer security, as well as improvements in institutional practices. The study also has practical applications for individuals and organizations seeking to improve their own computer security practices.

In conclusion, the researcher proposes a model for assessing openness and hiddenness in computer security, drawing on first-time and repeated attacks, learning from attacks, communication among attackers, and dynamic models. They also discuss the application of this model to various scenarios, including the open source movement, anti-circumvention laws, and institutional limits on disclosing computer security information.

Link to Article: https://arxiv.org/abs/0109089v1 Authors: arXiv ID: 0109089v1