But secrecy, it turns out, is counterproductive:
Kerckhoffs’s principle of security says that every secret creates a potential failure point. Secrecy, in other words, is a prime cause of brittleness – and therefore something likely to make a system prone to catastrophic collapse. Conversely, openness provides ductility.
From this can be drawn several corollaries. One is that plans to add new layers of secrecy to security systems should automatically be viewed with suspicion. Another is that security systems that utterly depend on keeping secrets tend not to work very well. Alas, airport security is among these. Procedures for screening passengers, for examining luggage, for allowing people on the tarmac, for entering the cockpit, for running the autopilot software – all must be concealed, and all seriously compromise the system if they become known. As a result, Schneier wrote in the May issue of Crypto-Gram, brittleness “is an inherent property of airline security.”
What, then, is good security?
Human judgment is at the heart of most good security. Human beings do make mistakes, of course. But they can recover from failure in ways that machines and software cannot. The well-trained mind is ductile. It can understand surprises and overcome them. It fails well.
Good security is built in overlapping, cross-checking layers, to slow down attacks; it reacts limberly to the unexpected. Its most important components are almost always human. “Governments have been relying on intelligent, trained guards for centuries,” Schneier says. “They spot people doing bad things and then use laws to arrest them. All in all, I have to say, it’s not a bad system.”
When we evaluate a security system, we should keep a couple of questions in mind:
Evaluations of a security proposal’s merits should not be much different from the ordinary cost-benefit calculations we make in daily life. The first question to ask of any new proposal is: What problem does it solve? The second: What problems does it cause, especially when it fails?