The problem you’re describing (open sourcing critical software) could both increase the capabilities of adversaries and also make it easier for adversaries to search for exploits. Open sourcing defeats security by obscurity.
Leaving security by obscurity aside could be seen as a loss, but it’s important to note what is gained in the process. Most security researchers today advocate against relying on security by obscurity, and instead focus on security by design and open security. Why?
So what’s the alternative? If you can’t secure some and hack others, you’ve got to choose between insecurity for all or security for all. If you rely on security by design and open security for military equipment, it’s possible that adversaries will get a hold of the software, but the attack surface will be smaller than if relying on security by obscurity.
So, insecurity for all or security for all? I’d go for security for all every time. I want my critical infrastructure without ransomware. I want tyrannical governments out of my private life. I want reliable software. If someone is waging a war, they’re going to have to use methods that can actually create a technical asymmetry of power, and insecure software is not the way to gain the upper hand.
The problem you’re describing (open sourcing critical software) could both increase the capabilities of adversaries and also make it easier for adversaries to search for exploits. Open sourcing defeats security by obscurity.
Leaving security by obscurity aside could be seen as a loss, but it’s important to note what is gained in the process. Most security researchers today advocate against relying on security by obscurity, and instead focus on security by design and open security. Why?
Security by obscurity in the digital world is very easily defeated. It’s easy to copy and paste supposedly secure codes. It’s easy to smuggle supposedly secret code. “Today’s NSA secrets become tomorrow’s PhD theses and the next day’s hacker tools.”
So what’s the alternative? If you can’t secure some and hack others, you’ve got to choose between insecurity for all or security for all. If you rely on security by design and open security for military equipment, it’s possible that adversaries will get a hold of the software, but the attack surface will be smaller than if relying on security by obscurity.
So, insecurity for all or security for all? I’d go for security for all every time. I want my critical infrastructure without ransomware. I want tyrannical governments out of my private life. I want reliable software. If someone is waging a war, they’re going to have to use methods that can actually create a technical asymmetry of power, and insecure software is not the way to gain the upper hand.