
David Sternlight writes:
At 8:14 AM -0700 7/18/96, Jeff Barber wrote:
David Sternlight writes:
Here's the problem in a nutshell: Everyone who has looked at our systems, from Cliff Stoll on to blue ribbon scientific commissions, has come to the conclusion that our society is vulnerable to willful sabotage from abroad, ranging from information sabotage (hacking electronic financial transactions) to physical sabotage (hacking power grid control computers to cause widespread power failures leading to serious damage to people and things; hacking the phone companies' computers, etc.). Some cases have already been observed. The field has already got a name and lots of publications. It's called "information warfare" and the government is taking it VERY seriously.
I for one reject your premise and your conclusions. There is no indication that government is capable of addressing this "problem" in a useful way.
Let's see what the study group recommends. There are a lot of things the government can do, and plenty of historical precedent.
There *are* a lot of things government can do. There aren't a lot of things it can do well. But you want to wait and see what a *government study group* decides to recommend? Gee, who can guess what they'll decide?
To take one example, in the merchant marine industry the government for years paid a subsidy for shipbuilders to add certain "national defense features" to ships they were building, to harden them in excess of normal civilian requirements so they'd be robust in time of war. No shipbuilder could afford such features unaided, and without them we either had a dramatically reduced shipping capability in wartime or a very vulnerable one. Things have changed since then, but the basic principles in the example are still valid.
This wonderful little anecdote proves nothing by itself. How many of these merchant ships survived U-boat torpedoes thanks to this hardening? I'd guess the number's pretty near zero.
In fact, I argue that the situation is at least partially of government construction. The government's hindrance of crypto technology has undoubtedly slowed down and in many cases entirely prevented the application of current technology to protect the very systems the government now purports to be concerned about.
There are no restrictions on using as good domestic crypto as you can get, and this issue is about the robustness of our domestic information infrastructure.
This is simply wrong. There *are* restrictions on domestic crypto. They are restrictions imposed by the crypto export policy. Maybe there isn't an outright ban but there *are* nevertheless real restrictions (look up "restrict" in a dictionary near you). And tell Netscape there are no restrictions. We've all seen what they're going through to provide download access to domestic customers for products with strong encryption. News flash for David: jumping through these types of government-imposed hoops costs *real money* that could be better spent elsewhere.
Clearly if hardening were cost-justified to the civilian companies it would have been done already.
It is being done as we speak. The government has clearly slowed the process down though. And the more governmental involvement, the slower the process will go. (And the quality of the result will likely suffer too.)
One of the core problems is that the benefits from hardening cannot be captured by the individual companies, so they cannot cost-justify doing it.
This hasn't been demonstrated to my satisfaction. I disagree, and I bet most American companies would too.
But the losses from failure to harden can cost the wider society much treasure. That's a natural case for government intervention on behalf of the wider society. It's exactly like the "lighthouse" argument. The benefits from a lighthouse can't justify an individual shipbuilder building one, but the losses to society from the random aggregation of shipwrecks are far greater than the cost of lighthouses. Ergo, the government builds the lighthouses.
Apples and oranges. The costs of protecting companies' resources are not so high and the potential costs of not doing so are far higher.
My message to a government concerned about the dangers of "information warfare" (and its apologists): get out of the way and let industry work on security. Then you can choose from the products offered for your protection or develop your own. But don't sit there and prevent or help prevent deployment of security technology while decrying the lack of security.
This isn't about preventing domestic deployment but assisting it. You are raising an entirely unrelated issue--crypto export policy.
I'm merely pointing out the hypocrisy of a government that bemoans the lack of security infrastructure even as it has been hard at work raising obstacles to those that would build it.
I don't claim that the current security deficiencies are entirely due to ITAR restrictions but it is certainly a significant factor, and there is still zero evidence that the government is competent to help. Let them first fix their own problems (e.g. the alleged 250,000 DoD computer break-ins), *then* come help us in the private sector.
Again as irrelevant as the argument that we shouldn't jail criminals until we've eliminated the economic inequities that allegedly produce crime.
Putting the government in charge of fixing security problems is likely to result in an infrastructure optimized for surveillance, as we've seen with other government-sponsored initiatives (Clipper, Digital Telephony, etc.). The only security assistance that business and the public have ever gotten from the government has been the kind with unacceptable conditions (like undisclosed algorithms, "escrowed" keys, secret courts, etc.). If the government wants to do that to its employees, fine. (In fact, if a private company wants to do that to its employees, that's fine too; I won't be working for them, but IMO it's their prerogative.) But I don't want the government telling industry what to do with its security. Furthermore, I don't want my tax dollars involved in funding (or perhaps worse, "incentivising") it. Just get government out of this business.

-- Jeff