Wandering Thoughts archives

2011-01-10

Why really high computer security is not interesting to most people

The US government (and to a less public extent other governments) has spent years developing a very robust and theoretically sound model of computer security, complete with rating levels and all sorts of good things. They even documented this thoroughly in what is called the rainbow series of books.

You might think that a government developed set of computer security standards would be widely adopted by industry and broadly used, in the same way that other government-developed standards generally are. You would be wrong; the industry reaction to all of this government work has generally been complete indifference and utter disinterest. It's tempting to dismiss this as the computer industry just not being interested in security, but I don't think this is the full story. My view is that a good part of why the industry isn't interested in this government security work is that the end result is wrong for industry because it has the wrong priorities.

Computer security involves, among other things, a tradeoff between availability and non-disclosure. Many of the measures that protect your sensitive information can also harm its availability; for example, consider how many copies there are of the key for decrypting sensitive files. The fewer copies, the more secure you are, but the easier it is to lose all copies and thus have the files become unavailable. The government feels that it has extremely dangerous and sensitive secrets, and it does; it holds information that could get people killed (sometimes a lot of people). As a result, it has historically had a strong bias towards non-disclosure instead of availability, i.e. in many cases the government would prefer to have information lost and destroyed rather than risk it leaking out or being stolen.
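The key-copies example above can be made concrete. The following Python is an added illustration, not code from the original post: it models the two risks for plain copies of a key (all copies must be lost to lose it; any one copy leaking leaks it), and then shows a k-of-n threshold split (Shamir's scheme over a prime field) as the standard way to move along the tradeoff rather than simply picking a point on it. The probabilities `p_lost` and `p_leak` per copy are constructed inputs, and the field prime and sample secret are assumptions for the demonstration.

```python
import secrets
from itertools import combinations
from math import comb

# Field for the share arithmetic; a Mersenne prime chosen for this example.
PRIME = 2**127 - 1


def copy_risks(n, p_lost, p_leak):
    """Risks for n independent plain copies of a key.

    Loss needs every copy lost; disclosure needs only one copy to leak.
    Returns (P[key unavailable], P[key disclosed]).
    """
    return p_lost ** n, 1 - (1 - p_leak) ** n


def threshold_risks(k, n, p_lost, p_leak):
    """Risks for a k-of-n threshold split of the key.

    Unavailable if fewer than k shares survive; disclosed if an attacker
    obtains at least k shares. Shares are assumed independent.
    """
    p_unavailable = sum(comb(n, s) * (1 - p_lost) ** s * p_lost ** (n - s)
                        for s in range(0, k))
    p_disclosed = sum(comb(n, s) * p_leak ** s * (1 - p_leak) ** (n - s)
                      for s in range(k, n + 1))
    return p_unavailable, p_disclosed


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial (lowest coefficient first) mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, k, n):
    """Split `secret` into n shares (x, y); any k of them reconstruct it."""
    if not (0 <= secret < PRIME and 1 <= k <= n):
        raise ValueError("secret out of field range or bad threshold")
    # Constant term is the secret; the other k-1 coefficients are random.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the given shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def all_subsets_recover(secret, k, n):
    """True if every k-subset of the n shares reconstructs the secret."""
    shares = split_secret(secret, k, n)
    return all(recover_secret(list(sub)) == secret
               for sub in combinations(shares, k))


if __name__ == "__main__":
    # Constructed per-copy probabilities: 10% a copy is lost, 5% it leaks.
    for n in (1, 2, 3):
        print(f"{n} plain copies: unavailable={copy_risks(n, 0.1, 0.05)[0]:.4f} "
              f"disclosed={copy_risks(n, 0.1, 0.05)[1]:.4f}")
    print("2-of-3 split:    unavailable=%.4f disclosed=%.4f"
          % threshold_risks(2, 3, 0.1, 0.05))
    print("every 2 of 3 shares recover:", all_subsets_recover(123456789, 2, 3))
```

With the constructed numbers, one copy gives 10% unavailability and 5% disclosure; three plain copies drive unavailability down to 0.1% but push disclosure up past 14%. A 2-of-3 split sits at about 2.8% unavailability and 0.7% disclosure, which is the shape of answer a company with the priorities described below tends to want: no single copy to lose, no single copy whose leak is fatal.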

A company's priorities are almost always the reverse. Having information leak out is bad, yes, but losing the information outright is usually worse, often much worse. For most really important sensitive information, loss would probably put the company out of business; e.g. Intel would be harmed if the full details for all its chips were leaked, but it would probably be destroyed outright if that information was lost. In many cases even a temporary loss of access is terribly damaging to a company; imagine the impact on a bank if it lost access to a quarter of its customer records for a week.

Since the US government created its security models and standards for its own use, they often reflect the government's bias towards non-disclosure over availability. Since companies generally have the reverse bias, they are of course not going to be too interested in a security system built to the government's specifications; they would have to go against its biases or in some cases break it entirely in order to get something that reflected their priorities.

(Disclaimer: this is my understanding of the situation. It's possible that I'm repeating folklore and misunderstandings, since I'm not a computer security person, just an interested bystander.)

tech/WhyHighSecurityDisinterest written at 01:34:13
