Peter Swire has a new working draft A Model For When Disclosure Helps Security. Its a great paper which lays out two main camps, which he calls open source and military, and explains why the underlying assumptions cause clashes over disclosure. That would be a useful paper, but he then extends it into a semi-mathematical model of the factors that contribute to the usefulness of hiding information. (Semi-mathematical because there’s no numbers attached, but rather “high/low” rankings.)
There’s a variable, “L”, that Swire uses to refer to how much an attacker learns from each attack. He mentions in the context of surveillance that (III.4, page 24) secrecy helps the defender a great deal. It helps an eavesdropper to stay secret when listening to attackers plan. I think that estimating L is hard, harder than Swire gives credit for. And a good estimate of L is important, because if your estimate of what your attacker is learning is too low, you make bad decisions. “Oh, no, that’ll take them weeks to figure out.”
He then evaluates why computers are different, mainly in that attacks can be honed and perfected and then replicated. It then gets really interesting when he drags in a relationship to the Efficient Capital Markets Hypothesis (ECMH). “Efficiency in the Open Source paradigm also means that all relevant information is already known to outsiders — disclosure of a vulnerability does not help attackers. The claim here is that the open source paradigm has implicitly assumed what is called the ‘strong’ form of the EMCH, that ‘current security prices fully reflect all currently existing information, whether publicly available or not.'” (III.5.b, p 28). I think this is actually not correct.
We can look at information flows as being three markets: There’s a public market, a restricted market, such as is created by official, but controlled information sharing, like ISACS, and an underground market. The best market is where information is factored in quickly, and the market has low transaction costs. So we might re-state Swire’s claim as “…sufficient relevant information is already known to attackers — publicdisclosure of a vulnerability does not further help attackers.” Its easy to see that a public market has much lower transaction costs than a restricted market, but its hard to know how good the underground market actually is.