
At 1:32 PM -0700 7/18/96, Jeff Barber wrote:
David Sternlight writes:
At 8:14 AM -0700 7/18/96, Jeff Barber wrote:
David Sternlight writes:
Here's the problem in a nutshell: Everyone who has looked at our systems, from Cliff Stoll on to blue ribbon scientific commissions, has come to the conclusion that our society is vulnerable to willful sabotage from abroad, ranging from information sabotage (hacking electronic financial transactions) to physical sabotage (hacking power grid control computers to cause widespread power failures leading to serious damage to people and things; hacking the phone companies' computers, etc.). Some cases have already been observed. The field has already got a name and lots of publications. It's called "information warfare" and the government is taking it VERY seriously.
I for one reject your premise and your conclusions. There is no indication that government is capable of addressing this "problem" in a useful way.
Let's see what the study group recommends. There are a lot of things the government can do, and plenty of historical precedent.
There *are* a lot of things government can do. There aren't a lot of things it can do well. But you want to wait and see what a *government study group* decides to recommend? Gee, who can guess what they'll decide?
You should do your homework. It's going to have a lot of industry people on it and be chaired by an industry person.
To take one example, in the merchant marine industry the government for years paid a subsidy for shipbuilders to add certain "national defense features" to ships they were building, to harden them in excess of normal civilian requirements so they'd be robust in time of war. No shipbuilder could afford such features unaided, and without them we either had a dramatically reduced shipping capability in wartime or a very vulnerable one. Things have changed since then, but the basic principles in the example are still valid.
This wonderful little anecdote proves nothing by itself. How many of these merchant ships survived U-boat torpedoes thanks to this hardening? I'd guess the number's pretty near zero.
You should do your homework. It has to do with being able to carry military cargoes. Those features worked perfectly.
In fact, I argue that the situation is at least partially of government construction. The government's hindrance of crypto technology has undoubtedly slowed down and in many cases entirely prevented the application of current technology to protect the very systems the government now purports to be concerned about.
There are no restrictions on using as good domestic crypto as you can get, and this issue is about the robustness of our domestic information infrastructure.
This is simply wrong. There *are* restrictions on domestic crypto. They are restrictions imposed by the crypto export policy. Maybe there isn't an outright ban but there *are* nevertheless real restrictions (look up "restrict" in a dictionary near you). And tell Netscape there are no restrictions. We've all seen what they're going through to provide download access to domestic customers for products with strong encryption. News flash for David: jumping through these types of government-imposed hoops costs *real money* that could be better spent elsewhere.
You should do your homework. There are many restrictions in this world; business licenses, paying for services used, etc. My point was that there are no laws prohibiting strong domestic crypto and you know that to be true.
Clearly if hardening were cost-justified to the civilian companies it would have been done already.
It is being done as we speak. The government has clearly slowed the process down though. And the more governmental involvement, the slower the process will go. (And the quality of the result will likely suffer too.)
You are evading my point, which is that some protections are too expensive for an individual firm to cost-justify but are justified in public benefits from such protections. And there's no evidence that government regulations have slowed down protections on domestic financial networks, domestic air traffic control networks, etc. I would not object if you were making valid points, but you're not. You're evading the basic argument and trying to respond by nit-picking.
One of the core problems is that the benefits from hardening cannot be captured by the individual companies, so they cannot cost-justify doing it.
This hasn't been demonstrated to my satisfaction. I disagree, and I bet most American companies would too.
Again, you haven't done your homework. Ask any serious company what they'd like to be able to do, and what they can afford (cost-justify) doing. I can tell you from direct personal experience (I've been a senior technical executive of two Fortune 50 companies) that you are flat wrong. Don't take my word for it--ask the security chief of any Fortune 50 company. Some companies used to have an aphorism "If you haven't had at least one security violation, you're spending too much money on security." I don't agree, but it reflects what companies used to think they could afford unaided. Yet these days a "security violation" isn't just some safe left unlocked in a guarded area but the West Coast power grid going down or a 747 being spoofed into a mountain.
But the losses from failure to harden can cost the wider society much treasure. That's a natural case for government intervention on behalf of the wider society. It's exactly like the "lighthouse" argument. The benefits from a lighthouse can't justify an individual shipbuilder building one, but the losses to society from the random aggregation of shipwrecks are far greater than the cost of lighthouses. Ergo, the government builds the lighthouses.
Apples and oranges. The costs of protecting companies' resources is not so high and the potential costs of not doing so are far higher.
"not so high" compared to what? what level of protection? "costs of not doing so" doesn't capture public losses, which is the basis for government intervention. You haven't done your homework. I suggest you read any introductory economics text that covers public policy economics, or any good cost/benefit analysis text.
My message to a government concerned about the dangers of "information warfare" (and its apologists): get out of the way and let industry work on security. Then you can choose from the products offered for your protection or develop your own. But don't sit there and prevent or help prevent deployment of security technology while decrying the lack of security.
This isn't about preventing domestic deployment but assisting it. You are raising an entirely unrelated issue--crypto export policy.
I'm merely pointing out the hypocrisy of a government that bemoans the lack of security infrastructure even as it has been hard at work raising obstacles to those that would build it.
Now THAT is apples and oranges. The security of, say, IBM's, or the FAA's, or AT&T's domestic computer networks has little to do with crypto export policy.
I don't claim that the current security deficiencies are entirely due to ITAR restrictions but it is certainly a significant factor, and there is still zero evidence that the government is competent to help. Let them first fix their own problems (e.g. the alleged 250,000 DoD computer break-ins), *then* come help us in the private sector.
Again as irrelevant as the argument that we shouldn't jail criminals until we've eliminated the economic inequities that allegedly produce crime.
Putting the government in charge of fixing security problems is likely to result in an infrastructure optimized for surveillance, as we've seen with other government-sponsored initiatives (Clipper, Digital Telephony, etc.).
The subject matter of the Commission's inquiry has more to do with authentication than message encryption, and more to do with infrastructure and network security. And as it happens there is no problem getting export licenses for authentication-only software with as secure a key as you like and no escrow. RIPEM/SIG did it years ago. You aren't even on the same page as this issue.
The only security assistance that business and the public have ever gotten from the government has been the kind with unacceptable conditions (like undisclosed algorithms, "escrowed" keys, secret courts, etc.).
Again, you are trying to fight a different battle in the wrong arena. This isn't about your ability to encrypt your traffic. It's about securing the domestic infrastructure against information warfare. I know this is beginning to sound tiresome, but you'd better do your homework.
David