Over the last several years, computing has changed to an almost purely networked environment, but the technical aspects of information protection have not kept up. As a result, the success of information security programs have increasingly become a function of our ability to make prudent management decisions about organizational activities. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.
Two weeks ago, I was at a conference with some highly distinguished authors, highly placed government officials, and other pundits who were trying to get a handle on how national infrastructure policy should be altered in response to the ongoing changes in information technology. After a day of relatively charged exchanges, one of the speakers went through a short talk about how the distribution of computer systems was leading to a new paradigm and how security would be effected. During the talk, he cited example after example of how secrets could be and had been leaked, how the new paradigm demanded the widespread use of cryptography to protect privacy, and how distribution of control over information technology would lead to improved privacy. By the time he got to the end, I could hardly hold my tongue. Several other people had questions before me, and as the number of questioners was approaching zero, the moderator identified that the last question had now been asked. That broke it. I interrupted the flow and expressed my opinions rather concisely.
Three things bothered me about this pundit's presentation. One had to do with the concept that we should distribute responsibility over protection without distributing the knowledge required to make sensible decisions (a topic to be covered in a future article). Another had to do with some assertions about history that were not supported by reality. The third, and the one that riled me most was the implied assertion that security means secrecy.
I have been to a lot of talks on information protection, and one of my pet peeves is people who use the term security but talk only about secrecy. For more than ten years, I have been talking about integrity issues, writing about the lack of adequate integrity protection, and working to improve integrity in information systems. At first, I thought it was just a lack of understanding, and later, I thought it was due to the media concentrating on privacy issues. But today, I believe that anyone who thinks that information security is primarily about privacy probably just doesn't know very much about information security. After all, with widespread computer viruses, Internet-based denial of service attacks, and attacks on the DOJ and CIA Web sites so prominently displayed in the media, everyone knows that privacy wasn't the issue here. Right?
The day before I was at this conference, I was at a different meeting consisting of people with substantial background in information protection. Most people there had discussed issues related to integrity and availability, and there was relatively less discussion of secrecy. One of the less informed among the attendees, having heard integrity listed before availability and privacy one too many times, decided to ask why it was that people were talking integrity, availability, privacy instead of giving privacy a more prominent place. The answer I gave was in the form of a question similar to this one:
Suppose you are flying a plane in the clouds over mountainous territory and using the Global Positioning System (GPS) to determine how high you are and which direction you are going. Which would be worse?
- Believing you were at 40,000 feet flying north when you were in fact at 3,000 feet flying south-west.
- Having the GPS go out of service altogether.
- Accidentally gaining access to the secret GPS bits that give you extra positional accuracy.
The first option is what can happen when you lose GPS integrity. The second option is what can happen when you lose GPS availability. The third option is what happens when you lose GPS secrecy.
Maybe that example was too easy. Let's try another one. Suppose you are in the banking business. Which would be worse?
In this case, the first two are approximately the same - except that you may find out about the loss of availability a lot sooner than the loss of integrity. In either case, you may be out of business. The third example, while pretty bad, is still not as bad as the other ones.
Here's one to put to a friend in the military. Which would be worse?
It's a more interesting question in this case, but I think you will find that most military people will tell you that the loss of integrity is far worse than the loss of availability or secrecy. Without integrity, we can be ordered to kill our own troops. Without secrecy, the enemy will know our plans. Without availability, we have to alter our fighting style.
I'll use one more example. Suppose you are using your home computer to compute your taxes. Which would be worse?
The loss of integrity may result in a lengthy and expensive audit, will probably result in a substantial fine, and could even get you put in jail in some places. The loss of availability will make doing your taxes harder. The loss of privacy could create a lot of interpersonal problems with co-workers (if they got copies) and could cause you substantial embarrassment.
Now that you know why I place the emphasis on integrity, I have to hedge. There are certainly examples where integrity is not as vital as secrecy. The problem is finding them.
In most cases, integrity is more important then secrecy because integrity is required in order for information to be used meaningfully and beneficially while secrecy is required only because the content may cause harm if revealed. In order for secrecy to take precedence we must have a case where it is less important to be able to use the information meaningfully than it is to have it revealed.
As privacy advocates rightly point out, personal information should be kept private. For example, if a personal e-mail message is leaked it might be embarrassing or even harmful to the individuals involved, while a corruption in or failure to deliver the same piece of email would probably have little if any effect. Even a very specific corruption such as a forged personal email message would not probably be very damaging since the parties would likely straighten it out over time.
It would seem that the conditions for privacy taking precedence are cases where the information is not used - in which case there is no real reason to keep it in a computer. For example, if the names of AIDS patients were kept in a computer used for statistical analysis of ways AIDS were spread, but their names were never used for any of the statistics; (1) the revelation of the names could be harmful to the individuals involved, and (2) there would be no good reason for their names to be kept in this computer. In fact, keeping the names in this computer would be both wasteful and unnecessarily risky. I might even be tempted to call it neglegent if the names were leaked out.
In truth, it's not easy to come up with many meaningful examples where keeping information secret is more important than keeping it accurate or available. Most of the examples involve an unimportant corruption of a small portion of what is leaked. That's because leaking completely inaccurate information does not usually cause harm.
On the other hand, it's almost always easy to come up with examples where corruption or denial of service cause great harm.
Many privacy advocates will disagree with me on this one, and I encourage you to seek out their views, but temper their views - and the stories you read in the media - with this view.
Fred Cohen is a Senior Member of Technical Staff at Sandia National Laboratories and a Senior Partner of Fred Cohen and Associates in Livermore California, an executive consulting and education group specializing information protection. He can be reached by sending email to fred at all.net.