Trust in Cyberspace (1999)

Chapter: Appendix I: Secrecy of Design

Suggested Citation: "Appendix I: Secrecy of Design." National Research Council. Trust in Cyberspace. Washington, DC: The National Academies Press, 1999.

I Secrecy of Design

Secrecy of design is often deprecated with the phrase "security through obscurity," and one often hears arguments that security-critical systems or elements should be developed in an open environment that encourages peer review by the general community. Evidence is readily at hand of systems that were developed in secret only to be reverse engineered and have their details published on the Internet and their flaws pointed out for all to see.

The argument for open development rests on assumptions that generally, but not universally, hold. These assumptions are that the open community will devote adequate effort to locate vulnerabilities, that they will come forth with the vulnerabilities they find, and that vulnerabilities, once discovered, can be closed even after the system is deployed. There are environments, such as military and diplomatic settings, in which these assumptions do not necessarily hold. Groups interested in finding vulnerabilities here will mount long-term and well-funded analysis efforts, efforts that are likely to dwarf those that might be launched by individuals or organizations in the open community. Further, these well-funded groups will take great care to ensure that any vulnerabilities they discover are kept secret, so that they may be exploited (in secret) for as long as possible. Finally, military systems in particular often exist in environments where postdeployment upgrades are difficult to achieve.

Special problems arise when partial public knowledge of the nature of the security mechanisms is necessary, such as when a military security module is designed for integration into commercial off-the-shelf (COTS) equipment. Residual vulnerabilities are inevitable, and the discovery and publication of even one such vulnerability may, in certain circumstances, render the system defenseless. It is, in general, not sufficient to protect only the exact nature of a vulnerability. The precursor information from which the vulnerability could be readily discovered must also be protected, and that requires an exactness of judgment not often found in group endeavors. When public knowledge of aspects of a military system is required, the most prudent course is to conduct the entire development process under cover of secrecy. Only after the entire assurance and evaluation process has been completed, and the known residual vulnerabilities identified, should a decision be made about what portions of the system description are safe to release.

Any imposition of secrecy, about either part or all of the design, carries two risks: that a residual vulnerability could have been discovered by a friendly peer reviewer in time to be fixed, and that the secret parts of the system will be reverse engineered and made public, leading to the further discovery, publication, and exploitation of vulnerabilities. The first risk has historically been mitigated by devoting substantial resources to analysis and assurance. (Evaluation efforts that exceed the design effort by an order of magnitude or more are not unheard of in certain environments.) The second risk is addressed with a combination of technology aimed at defeating reverse engineering and strict procedural controls on the storage, transport, and use of the devices in question. These controls are difficult to impose in a military environment and effectively impossible in a commercial or consumer one.
