
False Equivalence

Updated: 14 hours ago

Skeptical Science, John Cook, via Wikimedia Commons

Words are fun! Today, let’s ask whether the words “equivalence” and “equivalency” are equivalent.


Tracking this down was a bit harder than you might think, as most sources actually compared “equivalent” and “equivalence” instead, which are adjective and noun forms of the same word. (I won’t get into the technical use of these words in mathematics or chemistry.)


Regarding “equivalence” and “equivalency”, it appears that “equivalency” is an archaic form of “equivalence” and is rarely used, so the terms seem to be equivalent in meaning. However, there appears to be a specific exception in Canada and the US, when discussing educational “equivalency” exams. So, in general, Canadians and Americans will use “equivalence”, unless they are talking about things like “high-school equivalency” or “equivalency degrees”.


Emerging from that rabbit-hole, I returned to my original thought, which was about false equivalence. This is known as an informal logical fallacy, in which two things are described as being equivalent in a context which is not reasonable. The classic example of this is “comparing apples and oranges”, where you cannot justifiably say that the two are the same, or interchangeable, simply because they are both fruits that grow on trees.


The pedants among you will note that the image above is, strictly speaking, not about false equivalence but about the related “false balance”, a media bias in which both “sides” of a “debate” (generally a scientific one, where the evidence is lopsided) are presented as though they carried equal weight, in an attempt to ensure “balanced” reporting.


An example of this can be found in what is still called (by some) the “climate debate”. The graph illustrates the way that false balance can skew opinions and be a source of misinformation,

... but my favourite is still John Oliver’s presentation of “A Statistically Representative Climate Change Debate”.

John Oliver, via YouTube

Part of the point here is that it is very important, particularly in this day and age, to be precise in how we communicate, and in how we think. It’s easy to consider false equivalence and false balance as being “pretty much the same”, or to confuse (sometimes deliberately, sometimes through ignorance) technical and non-technical senses of a word. The word “theory” is an excellent example of this.


Let’s look at two examples of false equivalence in Information Security.


The first is “security through obscurity”, which is the idea that concealing the inner workings of a system is sufficient for a system to be “secure”. A common example is the old idea of hiding a key under the doormat – if someone doesn’t know that it’s there, they won’t be able to get in the house, right?


Well... If a thief doesn’t think that you have a key hidden outside, they may not look. If they do, then they may follow some of the guidelines in this rather amusing wikiHow article... In practice, you may be able to make it harder for a thief to find your key, but they can always just break a window, right? Also, it’s likely that someone wandering around your yard, looking under rocks, will eventually be noticed, so a “good” hiding spot may be somewhat effective.


One problem is that information systems are not the same as a home, and an attacker may have an indefinite amount of time to probe your system for weaknesses without being noticed. Another problem is that, once a system is implemented, it’s often impossible to “move” the key if the hiding spot is discovered: the secret is baked into the design, so changing it means changing the system. Interestingly enough, the idea that security through obscurity is of limited effectiveness is not a new concept. In 1883, the Dutch cryptographer Auguste Kerckhoffs published a two-part paper called “La Cryptographie Militaire” (“Military Cryptography”), which includes what came to be called “Kerckhoffs’s principle”. This states that a cryptosystem should be secure even if everything about the system, except the key, is public knowledge. Claude Shannon’s later restatement of the same idea is the phrasing most people quote: “the enemy knows the system”.


This concept is foundational to modern cryptography, and CGP Grey gives a good illustration of why. On the system side, most InfoSec advice is similar to that of the US National Institute of Standards and Technology (NIST), whose server security guidance (SP 800-123) says, under the heading “Open design”: “System security should not depend on the secrecy of the implementation or its components.”
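Kerckhoffs’s principle is easiest to feel in code. The example below is an added illustration, not code from the original post: it pairs a constructed “obscure” cipher, whose only secrets are two constants hard-coded into the design, with a constructed keyed scheme built from HMAC-SHA256 (a teaching construction, not a substitute for AES-GCM or ChaCha20-Poly1305 from a vetted library). The attacker model is the same for both: the design is fully known, only the constants or the key are not. Against the first scheme, a known prefix (here the JSON header of a constructed sample message) lets the attacker enumerate all 65,536 constant pairs in milliseconds; against the second, the identical technique faces 2^128 candidates, and the key can be rotated without touching the design.

```python
"""Kerckhoffs's principle: a design-secret scheme versus a key-secret scheme.

Added example. The toy cipher, the HMAC-based scheme and the sample
message are all constructed for illustration.
"""
import hashlib
import hmac
import secrets

# --- Scheme A: "security through obscurity" ---------------------------------
# The only "secret" is the design: a hidden rotation and a hidden XOR byte,
# hard-coded into every deployed copy. There is no key to rotate.
_HIDDEN_ROT = 37
_HIDDEN_XOR = 0x5A


def obscure_encrypt(plaintext: bytes) -> bytes:
    return bytes(((b + _HIDDEN_ROT) & 0xFF) ^ _HIDDEN_XOR for b in plaintext)


def _obscure_decrypt(ciphertext: bytes, rot: int, xor: int) -> bytes:
    return bytes(((b ^ xor) - rot) & 0xFF for b in ciphertext)


def break_obscure(ciphertext: bytes, crib: bytes):
    """The enemy knows the system (rotate-then-XOR) but not the constants.
    A crib (a known prefix such as a JSON header) is enough to test each of
    the 256 * 256 = 65,536 candidate pairs. Returns (plaintext, tries)."""
    tried = 0
    for rot in range(256):
        for xor in range(256):
            tried += 1
            if _obscure_decrypt(ciphertext[: len(crib)], rot, xor) == crib:
                return _obscure_decrypt(ciphertext, rot, xor), tried
    return None, tried


# --- Scheme B: public design, secret key ------------------------------------
KEY_BYTES = 16  # 128-bit key: 2**128 candidates for the same brute-force attack
NONCE_BYTES = 16
TAG_BYTES = 32


def generate_key() -> bytes:
    return secrets.token_bytes(KEY_BYTES)


def _subkeys(key: bytes):
    # Domain-separated subkeys so keystream and tag never share an input.
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        msg = nonce + counter.to_bytes(8, "big")
        blocks.append(hmac.new(enc_key, msg, hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def keyed_encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_BYTES)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def keyed_decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_BYTES], blob[NONCE_BYTES:-TAG_BYTES], blob[-TAG_BYTES:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        raise ValueError("authentication failed: wrong key or tampered message")
    stream = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))


def break_keyed(blob: bytes, crib: bytes, max_tries: int = 10_000):
    """Same attacker, same crib, full knowledge of the design above. The only
    unknown is the 128-bit key, so guessing is hopeless; we give up after
    max_tries and return (None, max_tries), the realistic outcome."""
    for tried in range(1, max_tries + 1):
        guess = secrets.token_bytes(KEY_BYTES)
        try:
            if keyed_decrypt(guess, blob)[: len(crib)] == crib:
                return guess, tried
        except ValueError:
            continue
    return None, max_tries


if __name__ == "__main__":
    msg = b'{"user":"alice","role":"admin"}'  # constructed sample message
    crib = b'{"user":"'
    pt, tries = break_obscure(obscure_encrypt(msg), crib)
    print("obscure scheme broken after", tries, "candidates:", pt)
    key = generate_key()
    blob = keyed_encrypt(key, msg)
    print("keyed scheme, same attack:", break_keyed(blob, crib))
    print("after key rotation the design is unchanged; old data re-keyed:",
          keyed_decrypt(generate_key(), keyed_encrypt(key, msg)) if False else "rotate key, re-encrypt")
```

Run it as a script and the first scheme falls in under ten thousand candidates, because its “secret” is really part of the system and the enemy is assumed to know the system. The second scheme survives the same attacker with the same technique, and if a key is ever exposed you generate a new one and re-encrypt; nothing about the design has to change, which is exactly the “move the key” problem the doormat analogy cannot solve.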


Providing a “backdoor” is not good security practice. However “good” the level of obscurity, someone will always know about it – or search until they find it. This means that the system is – by definition – weaker than it would be otherwise. A recent example of this is a spyware campaign known as “Operation Triangulation”, which made use of undocumented hardware registers in Apple’s chips to get around hardware-based memory protection; whether that undocumented feature was a mistake, a leftover “debugging feature”, or a well-hidden backdoor has not been established. Steve Gibson describes this in some detail in Security Now episode 955.


The only reasonable or “safe” assumption is that bad actors know everything about the design of your system. This way, you will always work to ensure that the only “secrets” in the system are the keys and credentials needed to access it, which can be rotated if they are exposed, and you will end up with the best security you can get. An argument can be made that concealing as much about the design of a system as possible makes it harder to understand and attack your system, but it’s important to note that this sort of concealment or obfuscation should be in addition to, not instead of, a secure design.


A second false equivalence in Information Security is the notion that “compliant” means “secure”. This one is common among business people who have a strong focus on compliance with policies or guidelines and a long history of using audits and controls. This is entirely understandable, as finance and accounting people live in a world of reporting standards, financial regulations, industry guidelines, and a host of other requirements they need to manage in order to function effectively.


While there are many variations by geography, industry, and size of company, this is a relatively mature field, with many common elements and global standards, supported by national and international law. As an example of both the consistency and the variations, consider that most of the world uses either IFRS (International Financial Reporting Standards) or US-GAAP (US Generally Accepted Accounting Principles), and the differences are generally well understood. There is even ongoing work to try and consolidate these two standards over time.


On the technology side, to be honest, things are a mess. The field is much younger, changes much faster, and a globally consistent legal framework is a distant dream. This is most certainly NOT due to lack of effort or ability on the part of the InfoSec professionals of the last half-century or so. Without their tireless effort, we’d be in a vastly worse place than we are.


The problem is that standards take time to develop and implement, and the pace of change has far exceeded the progress made.


That said, organizations like the US NIST (National Institute of Standards and Technology) have been working on establishing standards and frameworks, while legislators have been developing and implementing cybersecurity legislation. While these vary widely, we are starting to see a growing recognition of the need for both technical security standards and cybersecurity legislation.


In an environment where technology is changing fast, legislation is lagging, and frameworks are limited and/or voluntary, what does “compliance” even mean? Generally, it’s based on financial standards and legislation (for example, SOX compliance), on privacy legislation (such as GDPR in the EU, or PIPEDA in Canada), and on any internal policies an organization might implement. This is good, but even more so than with financial compliance, technology compliance establishes a baseline rather than best practice. Passing an audit shows that the controls on the checklist were in place on the day of the audit; it says nothing about the threats the checklist did not anticipate, or about what happens the day after.


So, compliance is not the same as security, but it is a necessary (if not sufficient) building block for good security policies.


To summarize, then, comparing security with obscurity is a false equivalence, comparing compliance with security is a false equivalence, and comparing the words “equivalence” and “equivalency” is a true equivalence... unless you’re talking about North American education standards.


Cheers!
