It seems that after my last Insider column, a lot of people think xenophobia is acceptable. This boggles my mind, but as I’m entitled to my opinion – as is everyone else – let’s see whether I can’t slay another sacred cow of the new security thinking.

There is an adage from the early crypto days about the need for open comment on algorithms to make sure there are no obvious (or not obvious) holes before widespread deployment. This type of public scrutiny and open feedback has been extended to other security products with pretty good results. Some open source technologies, such as Firefox, have better security architectures and also react faster to issues because more people understand the internals and as a result, can fix bugs.

In the view of some security folks, the opposite of open is obscure. The charge of security through obscurity has been leveled mostly at big companies that aren’t enamored of security researchers publishing the vulnerabilities in their products until the problems have been patched and fixed.

But obscurity is not always a bad thing. From the perspective of competitive intelligence and protecting intellectual property – which ultimately provides fuel for the next wave of innovation – sometimes obscurity is necessary. I recently wrote on my blog that a vendor is perfectly justified in not selling equipment to organizations in which there is a chance the box would be used to provide competitive intelligence.

I heard from a vociferous few that my thinking violated the security-through-obscurity dictum. So let me clear that up. I am in agreement that obscurity is terrible when dealing with high-profile application vulnerabilities or new encryption algorithms. Hiding behind a veil of secrecy in those cases can be deadly. If a known vulnerability is not fixed, we could be visiting outbreak city. But I am in disagreement about obscurity as it relates to maintaining differentiation. Competition in the security business is a fact of life.
For every decent idea (and even many not-so-decent ones), there are four or five companies chasing it. Each of the emerging players will bring different things to the table. The ultimate winner in the emerging market has done the best job of figuring out the needs of early customers.

Giving competitors unfettered early access to a product virtually guarantees there will be no sustainable technical differentiation. It’s bad enough that there is no marketing differentiation, which makes buying products hard for most users. But without technical differentiation, every product becomes an instant commodity. Given the current three to four years to obtain a patent, it’s not as if you can depend on that system to protect innovations.

I do understand that regardless of best efforts, it’s very hard to keep equipment out of the hands of competitors. You have unethical consultants and resellers who will purchase the product and give it to the competitor. But why should a company facilitate the situation?

Let’s allow this instant-commodity theme to play out a bit. It’s true that users may receive short-term benefit in the form of lower prices for innovative technology. But the reality is differentiation creates value that funds the next wave of innovation. Getting in the way of that cycle will have a dramatic impact on future innovation. Less investment results in a distinct lack of innovation, which drives big-company monocultures to a controlling position.

Some would say we have a monoculture today, but I disagree. There is plenty of entrepreneurial ballast working hard to keep the big guys honest. It will be a bad thing if there is an economic disincentive for those folks. So as with everything else, there are no absolutes in this business.

Rothman is president and principal analyst of Security Incite, an analyst firm focusing on information security. Read his blog or send e-mail to mike.rothman@securityincite.com.