FCC doesn't know what it's talking about re. security and open source software

by Scott Bradner, Info World

In 1883 French cryptographer Auguste Kerckhoffs published a set of six design principles for military encryption systems. The second of these principles is generally known today under the observation that security through obscurity is not security. The Federal Communications Commission (FCC) seems not to have read the history books or to be aware of how its sister federal agencies develop security standards.

In a common English translation, Kerckhoffs' second principle says that a secure crypto system "must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience."

There are many reasons for this. They range from the catastrophic results in the case of a breach that exposes a weakness to the reduced chance of a weakness if many eyes look at a system before it is deployed. The latter is the primary reason that the federal National Institute of Standards and Technology (NIST) conducts public contests for new encryption standards. Security expert Bruce Schneier published a very good essay on this topic a few years back.

The FCC has just decided that obscurity is better than security when it comes to software radios.

Specifically, it said "manufacturers should not intentionally make the distinctive elements that implement that manufacturer's particular security measures in a software defined radio public" if that would help circumvent FCC rules.

Because no manufacturer will want to prove that public disclosure will not cause such a risk, they are being told to keep the code secret.

On one hand, this is like saying that manufacturers should keep circuit diagrams of old radios secret so that someone would not know where to solder in a resistor to change the output strength. And on the other, it's pretending that hidden code somehow will be hackproof.

In the same decision the FCC made it clear that open source software is in the FCC doghouse: "A system that is wholly dependent on open source elements will have a high burden to demonstrate that it is sufficiently secure to warrant authorization as a software defined radio." This is a message that I am sure was well received in Redmond, but a message that demonstrated bias rather than analysis on the part of the FCC.

The Software Defined Radio (SDR) Forum politely responded that the FCC did not know what it was doing and asked it to get a clue.

With this decision the FCC reinforces my decade-old suspicion that clues just do not like hanging around Washington, D.C.

It is not at all sure that the SDR Forum or anyone else can find clues that are willing to undertake the mission of breaking down the mental barriers protecting the FCC from the knowledge of the past or from the technologies and business models of the future, but stranger things have happened. For example, the last time that the FCC tried to make rules about software the courts force-fed them the clue that this was not the FCC's job.

It just might be a that court will tell the FCC the obvious -- that the design of secure systems is not one of the FCC's missions (or competences).

article originally published at http://www.infoworld.nl/idgns/bericht.phtml?id=002570DE00740E1800257313005EC092.

The media's job is to interest the public in the public interest. -John Dewey