On Computer Security and Public Trust
William Hugh Murray
Effect of Computer Security on Social Trust
Social trust is necessary to the full enjoyment of the benefits of computers. Security influences that trust.
Many failures are public; they diminish trust globally, not just locally. My security is related to your security; if your system falls to hackers, it may give them a path to me and resources to be used against me. The damage that is done to necessary public trust and confidence by the publicity of our failures may be out of all proportion to the direct damage that either of us suffers.
The security measures that are indicated to preserve public trust may exceed those that are indicated by your use or mine. The security achieved as a result of each of us making our own local decisions based upon our own local situation may not be sufficient to preserve public trust and confidence. If we are to enjoy the potential benefits of this new technology, then we must ensure that its use is sufficiently orderly and well-behaved to sustain that trust.
That we do trust computers is obvious. Some minimum level of trust has been necessary to their acceptance and use. If you cannot trust what the computer tells you, at least most of the time, then it has no value. Some of that trust is possibly misplaced; it presumes a level of perfection that is difficult to achieve and maintain in complex systems.
That there is a fundamental undercurrent of mistrust is equally obvious. The RISKS forum, moderated by Peter Neumann, gives loud and, often, eloquent testimony to this mistrust.
Much of both the trust and mistrust of computers is independent of their security. However, trust is influenced by security. Security contributes to the necessary trust; its absence and its failures to the mistrust. Thus, computer security, whether we like it or not, is a social issue. It is global, not local. It is bigger than our systems. It is related to those fundamental human values of cooperation and collaboration.
We write, speak, and behave as though security were free, as though it were an independent property that could be achieved without diminishing any other desiderata. We speak as though its absence or inadequacy were always a mistake; we want to know who is to blame.
In the sense that good security is good design, this is true. However, in another sense security is usually achieved at the expense of some other desirable property of the system. I learned this the hard way when the design of my masterwork was dismissed by Dr. Willis Ware because it did not preserve to the user the ability to write and execute an arbitrary program of his own choice. For all the years since, I have been defending my choice to Dr. Ware on the basis that it is not possible to reserve all generality and all flexibility of a system to all users and still say that it is controlled or secure. Designers, implementors, and managers are confronted with hard choices. Their decisions will never be risk free and they will never please everyone.
We also speak as though the issue were the security of individual systems. I would like to suggest that public trust is more influenced by the security of collections or populations of systems.
To date, most work in computer security has been done at the atomic level. That is, it has been about making statements about individual systems. We now have metrics with which to compare the trust of two systems. We are starting to do work at the sub-atomic level. That is, we can make statements about how components affect the security of a system. We have not even begun to make statements about the security of a population or network of systems.
A reader of “Computers at Risk” might be led to conclude that the problem can be readily dealt with simply by improving the security of component systems. However, security is not a perfectly composable property. That is, it is not possible to bind two systems closely enough to preserve their security. The level of security will always be something less than that of the lesser of the two.
When I connect two systems as peers, neither dominating nor controlling the other, I assume that the level of security of the two is approximately the same as that of the least secure of the two. Yet, intuitively we suspect that the security of a large population of systems is higher than that of the least trusted system, and lower than the most. How do we make statements about populations? What is the effect on the population of adding a new system? What is the effect of increasing the security of members of the population? We have no science, art, or mechanism for addressing such questions. Neither do we have information to tell us whether the managers of one system or network consider the security of a nearby system before deciding to connect to it. Yet at the level of society, at the level of values, at the level of social trust and social order, these are the questions of interest. The security of single systems has little relevance.
Society’s need for confidence is so urgent that, if it can get it no other way, it will resort to political force. Indeed, it will attempt to use such force even if it is ineffective, or even counter-productive. It will attempt to impose dogma and order by force.
There is a natural, or at least historical, contention between freedom and order. Nowhere does it manifest itself more than in computing. The authorities are frightened by the individual freedom afforded by the computer, and all too ready to jump in and impose order. Any disorder is taken as justification.
On the other hand, they are equally frightened by the idea of good security in private hands. The National Security Agency is resisting any use of cryptography by commerce because of the potential impact on the cost of intelligence gathering. Likewise, the FBI has recently tried to outlaw the use of the same technology because of the potential for its exploitation by criminals.
In the short run, the level of security in the population of computers is a given. That is, the population is so large that it is not possible to change the security except at the margin. However, the National Academy of Sciences report, “Computers at Risk,” would have us believe otherwise. It would have us believe that the problem is one of the products offered by vendors, rather than the systems operated by users. Therefore it believes that the solution is to influence vendors, rather than users. If vendors will simply offer better systems with safer defaults, then the problem will be solved. The report is either not aware of or ignores the evidence that users systematically compromise away the security properties with which systems are shipped.
The full enjoyment of the benefits of computers requires a certain level of confidence in how they behave. The security of the systems contributes to that trust. The issue is more one of trust in the population of computers, rather than in any one. While most computer-related behavior is orderly, there is sufficient deviant behavior for it to be a threat to the necessary level of trust.
Security of systems is necessary but not sufficient for the security of the population. It appears to be important to be able to answer questions about the level of trust in the population.
The values to be conserved include trust, confidence, cooperation, collaboration, coordination, competition, contention, order, freedom, and enjoyment of the use and benefits of computing. These values conflict and contend. What is good for one may not be good for all of the others. However, it is clear that security will impact them all. The choices that confront us are hard choices.
Things that society concludes are valuable, it takes steps to conserve. There is some evidence to suggest that society will conclude that computers are valuable. Yet to date, we have taken few such steps for computers. To the extent that we fail, to the extent that the results are unsatisfactory or even merely unsatisfying, we invite intervention by authority with a corresponding loss of freedom.
Deloitte & Touche
The Research Center on Computing & Society
at Southern Connecticut State University
© 2000 – 2007 – Research Center on Computing & Society