Security by Obscurity


In his fable ‘The Tree and the Reed’, Aesop’s moral is that “Obscurity often brings safety”. However, thanks to GDPR and recent developments from the United States Securities and Exchange Commission (2018) and the European Securities and Monetary Authority (2019), requirements for transparency in security management are growing. Companies may benefit from being transparent about breach disclosure and, most importantly, from disclosing cybersecurity risks and past security incidents to stakeholders. Information disclosure is an increasingly common way to be perceived as having superior performance. Yet despite being denigrated for the last 20 years, security by obscurity is still researched and very much alive, with recent papers validating obscurity as a means of defense against an adversary. Indeed, Security by Obscurity has been the favored design principle in information security since the 2000s. Rebranded as “moving target defense” by the DHS in the 2010s, which consists in “hiding the target”, it remains very popular in information security as part of the deception techniques aimed at “mislead, confuse or hide critical assets” in the latest NIST publications. What explains this popularity? What are the roots of Security by Obscurity? Is there any space left for obscurity in a society where transparency has been elevated to a political and moral ideal?

In this presentation, we will dive into the historical roots of the security by obscurity design principle and its developments. By opening the black box of secrecy, we intend to shed light on the symbiotic relationship between transparency and obscurity. We will then discuss the paradoxical case of cybercriminal platforms: secret places that simultaneously foster security through obscurity and extreme business transparency.

