Gorelick testifies before Senate, unveils new executive order
---------- Forwarded message ---------- Date: Wed, 17 Jul 1996 15:54:24 -0500 From: Declan McCullagh <declan@well.com> To: fight-censorship+@andrew.cmu.edu Subject: Gorelick testifies before Senate, unveils new executive order Deputy Attorney General Jamie Gorelick testified yesterday before Sen. Sam Nunn's cyberscare hearing (take #3), where she ranted about the evils of the Net and unveiled an executive order signed by the president on Monday. Gorelick, the administration's newly-annointed chief Net fearmonger, said: "The executive order is on Federal Information Infrastructure protection... It creates a committee to draft policy and recommend legislation. The order cites two types of threats: physical and cyber." The infrastructure she's talking about isn't government computers; she means the private sector. "Because this infrastructure is privately owned, this [executive order] emphasizes and recognizes the importance of cooperation." That is, cooperation with the fear of government regulation hanging over your head. The President's Commission on Critical Infrastructure Protection, which will have an industry advisory panel, has one year to report back with recommendations. Sen. Patrick Leahy testified: "Armed with a modem and a computer, a criminal can wreak havoc on our computers from anywhere in the world. There are no borders in cyberspace... Existing criminal statutes provide a good framework for prosecuting [some] computer offenses... We have to assume we have to update our criminal code." Clinton's executive order also creates a "Infrastructure Protection Task Force," effective immediately, with reps from the FBI, DOD, and NSA. At yesterday's Senate permanent subcommittee on investigations hearing, Gorelick ducked Sen. Nunn's questions about the limits of the task force's authority. But the executive order says the group must: (i) provide, or facilitate and coordinate the provision of, expert guidance to critical infrastructures to detect, revent, halt, or confine an attack and to recover and restore service... (v) coordinate with the pertinent law enforcement authorities during or after an attack to facilitate any resulting criminal investigation. "Critical infrastructures" include telecommunications facilities and the Net. -Declan PS: For background, check out: http://www.netizen.com/netizen/96/29/campaign_dispatch0a.html Critical infrastructures: 1. telecommunications; 2. electrical power systems; 3. gas and oil storage and transportation; 4. banking and finance; 5. transportation; 6. water supply systems; 7. emergency services (including medical, police, fire and rescue); and 8. continuity of government. EXECUTIVE ORDER - - - - - - - CRITICAL INFRASTRUCTURE PROTECTION Certain national infrastructures are so vital that their incapacity or destruction would have a debilitating impact on the defense or economic security of the United States. These critical infrastructures include telecommunications, electrical power systems, gas and oil storage and transportation, banking and finance, transportation, water supply systems, emergency services (including medical, police, fire and rescue), and continuity of government. Threats to these critical infrastructures fall into two categories: physical threats to tangible property ("physical threats"), and threats of electronic, radio-frequency, or computer-based attacks on the information or communications components that control critical infrastructures ("cyber threats"). Because many of these critical infrastructures are owned and operated by the private sector, it is essential that the government and private sector work together to develop a strategy for protecting them and assuring their continued operation. NOW, THEREFORE, by the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby ordered as follows: Section 1. Establishment. There is hereby established the President's Commission on Critical Infrastructure Protection ("Commission"). (a) Chair. A qualified individual from outside the Federal Government shall be appointed by the President to serve as Chair of the Commission. The Commission Chair shall be employed on a full-time basis. (b) Members. The head of each of the following executive branch departments and agencies shall nominate not more than two full-time members of the Commission: (i) Department of the Treasury; (ii) Department of Justice; (iii) Department of Defense; (iv) Department of Commerce; (v) Department of Transportation; (vi) Department of Energy; (vii) Central Intelligence Agency; (viii) Federal Emergency Management Agency; (ix) Federal Bureau of Investigation; (x) National Security Agency. One of the nominees of each agency may be an individual from outside the Federal Government who shall be employed by the agency on a full-time basis. Each nominee must be approved by the Steering Committee. Sec. 2. The Principals Committee. The Commission shall report to the President through a Principals Committee ("Principals Committee"), which shall review any reports or recommendations before submission tot he President. The Principals Committee shall comprise the: (i) Secretary of the Treasury; (ii) Secretary of Defense; (iii) Attorney General; (iv) Secretary of Commerce; (v) Secretary of Transportation; (vi) Secretary of Energy; (vii) Director of Central Intelligence; (viii) Director of the Office of Management and Budget; (ix) Director of the Federal Emergency Management Agency; (x) Assistant to the President for National Security Affairs; (xi) Assistant to the Vice President for National Security Affairs. Sec. 3. The Steering Committee of the President's Commission on Critical Infrastructure Protection. A Steering Committee ("Steering Committee") shall oversee the work of the Commission on behalf of the Principals Committee. The Steering Committee shall comprise four members appointed by the President. One of the members shall be the Chair of the Commission and one shall be an employee of the Executive Office of the President. The Steering Committee will receive regular reports on the progress of the Commission's work and approve the submission of reports to the Principals Committee. Sec. 4. Mission. The Commission shall: (a) within 30 days of this order, produce a statement of its mission objectives, which will elaborate the general objectives set forth in this order, and a detailed schedule for addressing each mission objective, for approval by the Steering Committee; (b) identify and consult with: (i) elements of the public and private sectors that conduct, support or contribute to infrastructure assurance; (ii) owners and operators of the critical infrastructures; and (iii) other elements of the public and private sectors, including the Congress, that have an interest in critical infrastructure assurance issues and that may have differing perspectives on these issues; (c) assess the scope and nature of the vulnerabilities of, and threats to, critical infrastructures; (d) determine what legal and policy issues are raised by efforts to protect critical infrastrucutres and assess how these issues should be addressed; (e) recommend a comprehensive national policy and implementation strategy for protecting critical infrastructures from physical and cyber threats and assuring their continued operation; (f) propose any statutory or regulatory changes necessary to effect its recommendations; and (g) produce reports and recommendations to the Steering Committee as they become available; it shall not limit itself to producing one final report. Sec. 5. Advisory Committee to the President's Commission on Critical Infrastructure Protection. (a) The Commission shall receive advice from an advisory committee ("Advisory Committee") composed of no more than ten individuals appointed by the President from the private sector who are knowledgeable about critical infrastructures. The Advisory Committee shall advise the Commission on the subjects of the Commission's mission in whatever manner the Advisory Committee, the Commission Chair, and the Steering Committee deem appropriate. (b) A Chair shall be designated by the President from among the members of the Advisory Committee. (c) The Advisory Committee shall be established in compliance with the Federal Advisory Committee Act, as amended (5 U.S.C. App.). The Department of Defense shall perform the functions of the President under the Federal Advisory Committee Act for the Advisory Committee, except that of reporting to the Congress, in accordance with the guidelines and procedures established by the Administrator of General Services. Sec. 6. Administration. (a) All executive departments and agencies shall cooperate with the Commission and provide such assistance, information, and advice to the Commission as it may request, to the extent permitted by law. (b) The Commission and the Advisory Committee may hold open and closed hearings, conduct inquiries, and establish subcommittees, as necessary. (c) Members of the Advisory Committee shall serve without compensation for their work on the Advisory Committee. While engaged in the work of the Advisory Committee, members may be allowed travel expenses, including per diem in lieu of subsistence, as authorized by law for persons serving intermittently in the government service. (d) To the extent permitted by law, and subject to the availability of appropriations, the Department of Defense shall provide the Commission and the Advisory Committee with administrative services, staff, other support services, and such funds as may be necessary for the performance of its functions and shall reimburse the executive branch components that provide representatives to the Commission for the compensation of those representatives. (e) In order to augment the expertise of the Commission, the Department of Defense may, at the Commission's request, contract for the services of nongovernmental consultants who may prepare analyses, reports, background papers, and other materials for consideration by the Commission. In addition, at the Commission's request, executive departments and agencies shall request that existing Federal advisory committees consider and provide advice on issue sof critical infrastructure protection, to the extent permitted by law. (f) The Commission, the Principals Committee, the Steering Committee, and the Advisory Committee shall terminate 1 year from the date of this order, unless extended by the President prior to this date. Sec. 7. Interim Coordinating Mission. (a) While the Commission is conducting its analysis and until the President has an opportunity to consider and act on its recommendations, there is a need to increase coordination of existing infrastructure protection efforts in order to better address, and prevent, crises that would have a debilitating regional or national impact. There is hereby established an Infrastructure Protection Task Force ("IPTF") within the Department of Justice, chaired by the Federal Bureau of Investigation, to undertake this interim coordinating mission. (b) The IPTF will not supplant any existing programs or organizations. (c) The Steering Committee shall oversee the work of the IPTF. (d) The IPTF shall include at least one full-time member each from the Federal Bureau of Investigation, the Department of Defense, and the National Security Agency. It shall also receive part-time assistance from other executive branch departments and agencies. Members shall be designated by their departments or agencies on the basis of their expertise in the protection of critical infrastructures. IPTF members' compensation shall be paid by their parent agency or department. (e) The IPTF's function is to identify and coordinate existing expertise, inside and outside of the Federal Government, to: (i) provide, or facilitate and coordinate the provision of, expert guidance to critical infrastructures to detect, revent, halt, or confine an attack and to recover and restore service; (ii) issue threat and warning notices in the event advance information is obtained about a threat; (iii) provide training and education on methods of reducing vulnerabilities and responding to attacks on critical infrastructures; (iv) conduct after-action analysis to determine possible future threats, targets, or methods of attack; and (v) coordinate with the pertinent law enforcement authorities during or after an attack to facilitate any resulting criminal investigation. (f) All executive departments and agencies shall cooperate with the IPTF and provide such assistance, information, and advice as the IPTF may request, to the extent permitted by law. (g) All executive departments and agencies shall share with the IPTF information about threats and warning of attacks, and about actual attacks on critical infrastructures, to the extent permitted by law. (h) The IPTF shall terminate no later than 180 days after the termination of the Commission, unless extended by the President prior to that date. Sec. 8. General. (a) This order is not intended to change any existing statutes or Executive orders. (b) This order is not intended to create any right, benefit, trust, or responsibility, substantive or procedural, enforceable at law or equity by a party against the United States, its agencies, its officers, or any person. (signed) William J. Clinton THE WHITE HOUSE July 15, 1996
At 6:46 PM -0700 7/17/96, Declan McCullagh wrote:
---------- Forwarded message ---------- Date: Wed, 17 Jul 1996 15:54:24 -0500 From: Declan McCullagh <declan@well.com> To: fight-censorship+@andrew.cmu.edu Subject: Gorelick testifies before Senate, unveils new executive order
Deputy Attorney General Jamie Gorelick testified yesterday before Sen. Sam Nunn's cyberscare hearing (take #3), where she ranted about the evils of the Net and unveiled an executive order signed by the president on Monday.
<Remainder of purple prose omitted.> Here's the problem in a nutshell: Everyone who has looked at our systems, from Cliff Stoll on to blue ribbon scientific commissions, has come to the conclusion that our society is vulnerable to willful sabotage from abroad, ranging from information sabotage (hacking electronic financial transactions) to physical sabotage (hacking power grid control computers to cause widespread power failures leading to serious damage to people and things; hacking the phone companies' computers, etc.). Some cases have already been observed. The field has already got a name and lots of publications. It's called "information warfare" and the government is taking it VERY seriously. Serious studies have shown that the kinds of protections to make the systems we depend on robust against determined and malicious attackers (say a terrorist government, or one bent on doing a lot of damage in retaliation for one of our policies they don't like), have costs beyond the capability of individual private sector actors. Your friendly neighborhood ISP, for instance, probably can't affort the iron belt and steel suspenders needed to make his system and its connectivity sabotage-proof, and so on. Even cheap but clever solutions involving encryption in such systems require standards and common practices across many institutions. In such a case, where public benefits from government action greatly exceed public (taxpayer) costs, and the private sector cannot (or will not) act unaided, the classical basis for government action in the interests of the citizenry exists. It's the economist's "lighthouse" argument. The motivation has nothing to do with privacy, government snooping, or any of the other things some get so excited about, though the solutions certainly have side effects in those domains. The goal should be to minimize the deleterious side-effects, not to throw out the baby with the bath water. David
David Sternlight writes:
Here's the problem in a nutshell: Everyone who has looked at our systems, from Cliff Stoll on to blue ribbon scientific commissions, has come to the conclusion that our society is vulnerable to willful sabotage from abroad, ranging from information sabotage (hacking electronic financial transactions) to physical sabotage (hacking power grid control computers to cause widespread power failures leading to serious damage to people and things; hacking the phone companies' computers, etc.). Some cases have already been observed. The field has already got a name and lots of publications. It's called "information warfare" and the government is taking it VERY seriously.
Serious studies have shown that the kinds of protections to make the systems we depend on robust against determined and malicious attackers (say a terrorist government, or one bent on doing a lot of damage in retaliation for one of our policies they don't like), have costs beyond the capability of individual private sector actors.
In such a case, where public benefits from government action greatly exceed public (taxpayer) costs, and the private sector cannot (or will not) act unaided, the classical basis for government action in the interests of the citizenry exists. It's the economist's "lighthouse" argument.
The motivation has nothing to do with privacy, government snooping, or any of the other things some get so excited about, though the solutions certainly have side effects in those domains. The goal should be to minimize the deleterious side-effects, not to throw out the baby with the bath water.
I for one reject your premise and your conclusions. There is no indication that government is capable of addressing this "problem" in a useful way. In fact, I argue that the situation is at least partially of government construction. The government's hindrance of crypto technology has undoubtedly slowed down and in many cases entirely prevented the application of current technology to protect the very systems the government now purports to be concerned about. (This is not conjecture or speculation; it is fact. I personally have witnessed -- and, in some cases, been part of -- the many hundreds of hours of productivity lost to producing and distributing security software in ways that protect the company from ITAR violations, or trying to formulate adequate solutions for the company's non-US customers.) My message to a government concerned about the dangers of "information warfare" (and its apologists): get out of the way and let industry work on security. Then you can choose from the products offered for your protection or develop your own. But don't sit there and prevent or help prevent deployment of security technology while decrying the lack of security. I don't claim that the current security deficiencies are entirely due to ITAR restrictions but it is certainly a significant factor, and there is still zero evidence that the government is competent to help. Let them first fix their own problems (e.g. the alleged 250,000 DoD computer breakins), *then* come help us in the private sector. -- Jeff
At 8:14 AM -0700 7/18/96, Jeff Barber wrote:
David Sternlight writes:
Here's the problem in a nutshell: Everyone who has looked at our systems, from Cliff Stoll on to blue ribbon scientific commissions, has come to the conclusion that our society is vulnerable to willful sabotage from abroad, ranging from information sabotage (hacking electronic financial transactions) to physical sabotage (hacking power grid control computers to cause widespread power failures leading to serious damage to people and things; hacking the phone companies' computers, etc.). Some cases have already been observed. The field has already got a name and lots of publications. It's called "information warfare" and the government is taking it VERY seriously.
Serious studies have shown that the kinds of protections to make the systems we depend on robust against determined and malicious attackers (say a terrorist government, or one bent on doing a lot of damage in retaliation for one of our policies they don't like), have costs beyond the capability of individual private sector actors.
In such a case, where public benefits from government action greatly exceed public (taxpayer) costs, and the private sector cannot (or will not) act unaided, the classical basis for government action in the interests of the citizenry exists. It's the economist's "lighthouse" argument.
The motivation has nothing to do with privacy, government snooping, or any of the other things some get so excited about, though the solutions certainly have side effects in those domains. The goal should be to minimize the deleterious side-effects, not to throw out the baby with the bath water.
I for one reject your premise and your conclusions. There is no indication that government is capable of addressing this "problem" in a useful way.
Let's see what the study group recommends. There are a lot of things the government can do, and plenty of historical precedent. To take one example, in the merchant marine industry the government for years paid a subsidy for shipbuilders to add certain "national defense features" to ships they were building, to harden them in excess of normal civilian requirements so they'd be robust in time of war. No shipbuilder could afford such features unaided, and without them we either had a dramatically reduced shipping capability in wartime or a very vulnerable one. Things have changed since then, but the basic principles in the example are still valid.
In fact, I argue that the situation is at least partially of government construction. The government's hindrance of crypto technology has undoubtedly slowed down and in many cases entirely prevented the application of current technology to protect the very systems the government now purports to be concerned about.
There are no restrictions on using as good domestic crypto as you can get, and this issue is about the robustness of our domestic information infrastructure. Clearly if hardening were cost-justified to the civilian companies it would have been done already. One of the core problems is that the benefits from hardening cannot be captured by the individual compnanies, so they cannot cost-justify doing it. But the losses from failure to harden can cost the wider society much treasure. That's a natural case for government intervention on behalf of the wider society. It's exactly like the "lighthouse" argument. The benefits from a lighthouse can't justify an individual shipbuilder building one, but the losses to society from the random aggregation of shipwrecks are far greater than the cost of lighthouses. Ergo, the government builds the lighthouses.
(This is not conjecture or speculation; it is fact. I personally have witnessed -- and, in some cases, been part of -- the many hundreds of hours of productivity lost to producing and distributing security software in ways that protect the company from ITAR violations, or trying to formulate adequate solutions for the company's non-US customers.)
Irrelevant to the central issue we're discussing, and by comparison, a gnat.
My message to a government concerned about the dangers of "information warfare" (and its apologists): get out of the way and let industry work on security. Then you can choose from the products offered for your protection or develop your own. But don't sit there and prevent or help prevent deployment of security technology while decrying the lack of security.
This isn't about preventing domestic deployment but assisting it. You are raising an entirely unrelated issue--crypto export policy.
I don't claim that the current security deficiencies are entirely due to ITAR restrictions but it is certainly a significant factor, and there is still zero evidence that the government is competent to help. Let them first fix their own problems (e.g. the alleged 250,000 DoD computer breakins), *then* come help us in the private sector.
Again as irrelevant as the argument that we shouldn't jail criminals until we've eliminated the economic inequities that allegedly produce crime. David
At 1:32 PM -0700 7/18/96, Jeff Barber wrote:
David Sternlight writes:
At 8:14 AM -0700 7/18/96, Jeff Barber wrote:
David Sternlight writes:
Here's the problem in a nutshell: Everyone who has looked at our systems, from Cliff Stoll on to blue ribbon scientific commissions, has come to the conclusion that our society is vulnerable to willful sabotage from abroad, ranging from information sabotage (hacking electronic financial transactions) to physical sabotage (hacking power grid control computers to cause widespread power failures leading to serious damage to people and things; hacking the phone companies' computers, etc.). Some cases have already been observed. The field has already got a name and lots of publications. It's called "information warfare" and the government is taking it VERY seriously.
I for one reject your premise and your conclusions. There is no indication that government is capable of addressing this "problem" in a useful way.
Let's see what the study group recommends. There are a lot of things the government can do, and plenty of historical precedent.
There *are* a lot of things government can do. There aren't a lot of things it can do well. But you want to wait and see what a *government study group* decides to recommend? Gee, who can guess what they'll decide?
You should do your homework. It's going to have a lot of industry people on it and be chaired by an industry person.
To take one example, in the merchant marine industry the government for years paid a subsidy for shipbuilders to add certain "national defense features" to ships they were building, to harden them in excess of normal civilian requirements so they'd be robust in time of war. No shipbuilder could afford such features unaided, and without them we either had a dramatically reduced shipping capability in wartime or a very vulnerable one. Things have changed since then, but the basic principles in the example are still valid.
This wonderful little anecdote proves nothing by itself. How many of these merchant ships survived u-boat torpedos thanks to this hardening? I'd guess the number's pretty near zero.
You should do your homework. It has to do with being able to carry military cargoes. Those features worked perfectly.
In fact, I argue that the situation is at least partially of government construction. The government's hindrance of crypto technology has undoubtedly slowed down and in many cases entirely prevented the application of current technology to protect the very systems the government now purports to be concerned about.
There are no restrictions on using as good domestic crypto as you can get, and this issue is about the robustness of our domestic information infrastructure.
This is simply wrong. There *are* restrictions on domestic crypto. They are restrictions imposed by the crypto export policy. Maybe there isn't an outright ban but there *are* nevertheless real restrictions (look up "restrict" in a dictionary near you). And tell Netscape there are no restrictions. We've all seen what they're going through to provide download access to domestic customers for products with strong encryption. News flash for David: jumping through these types of government-imposed hoops costs *real money* that could be better spent elsewhere.
You should do your homework. There are many restrictions in this world; business licenses, paying for services used, etc. My point was that there are no laws prohibiting strong domestic crypto and you know that to be true.
Clearly if hardening were cost-justified to the civilian companies it would have been done already.
It is being done as we speak. The government has clearly slowed the process down though. And the more governmental involvement, the slower the process will go. (And the quality of the result will likely suffer too.)
You are evading my point, which is that some protections are too expensive for an individual firm to cost-justify but are justified in public benefits from such protections. And there's no evidence that government regulations have slowed down protections on domestic financial networks, domestic air traffic control networks, etc. I would not object if you were making valid points, but you're not. You're evading the basic argument and trying to respond by nit-picking.
One of the core problems is that the benefits from hardening cannot be captured by the individual compnanies, so they cannot cost-justify doing it.
This hasn't been demonstrated to my satisfaction. I disagree, and I bet most American companies would too.
Again, you haven't done your homework. Ask any serious company what they'd like to be able to do, and what they can afford (cost-justify) doing. I can tell you from direct personal experience (I've been a senior technical executive of two Fortune 50 companies) that you are flat wrong. Don't take my word for it--ask the security chief of any Fortune 50 company. Some companies used to have an aphorism "If you haven't had at least one security violation, you're spending too much money on security." I don't agree, but it reflects what companies used to think they could afford unaided. Yet these days a "security violation" isn't just some safe left unlocked in a guarded area but the West Coast power grid going down or a 747 being spoofed into a mountain.
it. But the losses from failure to harden can cost the wider society much treasure. That's a natural case for government intervention on behalf of the wider society. It's exactly like the "lighthouse" argument. The benefits from a lighthouse can't justify an individual shipbuilder building one, but the losses to society from the random aggregation of shipwrecks are far greater than the cost of lighthouses. Ergo, the government builds the lighthouses.
Apples and oranges. The costs of protecting companies' resources is not so high and the potential costs of not doing so are far higher.
"not so high" compared to what? what level of protection? "costs of not doing so" doesn't capture public losses, which is the basis for government intervention.You haven't done your homework. I suggest you read any introductory economics text that covers public policy economics, or any good cost/benefit analysis text.
My message to a government concerned about the dangers of "information warfare" (and its apologists): get out of the way and let industry work on security. Then you can choose from the products offered for your protection or develop your own. But don't sit there and prevent or help prevent deployment of security technology while decrying the lack of security.
This isn't about preventing domestic deployment but assisting it. You are raising an entirely unrelated issue--crypto export policy.
I'm merely pointing out the hypocrisy of a government that bemoans the lack of security infrastructure even as it has been hard at work raising obstacles to those that would build it.
Now THAT is apples and oranges. The security of, say, IBM's, or the FAA's, or AT&T's domestic computer networks has little to do with crypto export policy.
I don't claim that the current security deficiencies are entirely due to ITAR restrictions but it is certainly a significant factor, and there is still zero evidence that the government is competent to help. Let them first fix their own problems (e.g. the alleged 250,000 DoD computer breakins), *then* come help us in the private sector.
Again as irrelevant as the argument that we shouldn't jail criminals until we've eliminated the economic inequities that allegedly produce crime.
Putting the government in charge of fixing security problems is likely to result in an infrastructure optimized for surveillance, as we've seen with other government-sponsored initiatives (Clipper, DigitalTelephony, etc.).
The subject matter of the Commission's inquiry has more to do with authentication than message encryption, and more to do with infrastructure and network security. And as it happens there is no problem getting export licenses for authentication-only software with as secure a key as you like and no escrow. RIPEM/SIG did it years ago. You aren't even on the same page as this issue.
The only security assistance that business and the public have ever gotten from the government has been the kind with unacceptable conditions (like undisclosed algorithms, "escrowed" keys, secret courts, etc.).
Again, you are trying to fight a different battle in the wrong arena. This isn't about your ability to encrypt your traffic. It's about securing the domestic infrastructure against information warfare. I know this is beginning to sound tiresome, but you'd better do your homework. David
David Sternlight writes:
At 1:32 PM -0700 7/18/96, Jeff Barber wrote:
Let's see what the study group recommends. There are a lot of things the government can do, and plenty of historical precedent.
There *are* a lot of things government can do. There aren't a lot of things it can do well. But you want to wait and see what a *government study group* decides to recommend? Gee, who can guess what they'll decide?
You should do your homework. It's going to have a lot of industry people on it and be chaired by an industry person.
This isn't the same panel I saw mentioned on this list. That one had, as I recall, two individuals being selected by each of several cabinet departments and executive agencies.
Now THAT is apples and oranges. The security of, say, IBM's, or the FAA's, or AT&T's domestic computer networks has little to do with crypto export policy.
Big companies like IBM, AT&T, etc. have *international* networks. Hence, the connection to the crypto export policy, which prevents comprehensive security programs from being deployed. As a "senior techinical executive" (oxymoron alert) to Fortune 50 companies, I assume you know that and are simply choosing to ignore it for the sake of your current argument.
Putting the government in charge of fixing security problems is likely to result in an infrastructure optimized for surveillance, as we've seen with other government-sponsored initiatives (Clipper, DigitalTelephony, etc.).
The subject matter of the Commission's inquiry has more to do with authentication than message encryption, and more to do with infrastructure and network security. And as it happens there is no problem getting export licenses for authentication-only software with as secure a key as you like and no escrow. RIPEM/SIG did it years ago. You aren't even on the same page as this issue.
There is more to security than authentication, as I'm sure you also know but are choosing to ignore. Authentication alone may suffice in some situations but clearly not all. And in fact, this merely supports my point: left to government's preference, we'll all be well-authenticated when the surveillance tapes are introduced into evidence. (:-)
Again, you are trying to fight a different battle in the wrong arena. This isn't about your ability to encrypt your traffic. It's about securing the domestic infrastructure against information warfare. I know this is beginning to sound tiresome, but you'd better do your homework.
Indeed. This isn't a different battle, though; it's all interwoven. I don't want the government responsible for "securing the domestic infrastructure..." for the same reason that I don't want them telling me where or to whom I can sell crypto. They haven't any right to, IMO, and besides, I don't trust them to look out for my interests. -- Jeff
DAvid Sternlight, There are not only public benefits when the government gets bigger and bigger and bigger. Even though you can't put a dollar value on loss of freedom, it is a loss.
At 8:04 PM -0700 7/18/96, Jeff Barber wrote:
Now THAT is apples and oranges. The security of, say, IBM's, or the FAA's, or AT&T's domestic computer networks has little to do with crypto export policy.
Big companies like IBM, AT&T, etc. have *international* networks. Hence, the connection to the crypto export policy, which prevents comprehensive security programs from being deployed. As a "senior techinical executive" (oxymoron alert) to Fortune 50 companies, I assume you know that and are simply choosing to ignore it for the sake of your current argument.
There are exceptions to ITAR for this purpose (overseas offices of US companies). In addition, like the argument that we shouldn't jail anyone until all social evils are cured, your argument fails. IBM can secure their domestic network (at least) without having to secure their global network. As for your suggestion that I am special pleading, that's just unsupported defamation. I suppressed nothing--it is you who are omitting the facts I mention just above. Only a fool would accuse another of special pleading when the possibility the accuser doesn't understand the argument, or have all the data exists. If you have any integrity you'll apologize.
Putting the government in charge of fixing security problems is likely to result in an infrastructure optimized for surveillance, as we've seen with other government-sponsored initiatives (Clipper, DigitalTelephony, etc.).
The subject matter of the Commission's inquiry has more to do with authentication than message encryption, and more to do with infrastructure and network security. And as it happens there is no problem getting export licenses for authentication-only software with as secure a key as you like and no escrow. RIPEM/SIG did it years ago. You aren't even on the same page as this issue.
There is more to security than authentication, as I'm sure you also know but are choosing to ignore.
Another attempt to accuse, read minds, and impute motives. We're talking about securing networks such as communications, transportation, and power, against hacker attacks. Authentication is the core, not encryption. A main problem is the spoofer instructing the network to self-destruct. Long-key authentication can address this when coupled with the safeguarding of keys. and some system precautions not related to encryption.
Authentication alone may suffice in some situations but clearly not all.
So what? What part of "more to do with....than" don't you understand? I never said "all"--that's a straw man to try to shift the ground of the discussion rather than attempting a direct refutation.
Again, you are trying to fight a different battle in the wrong arena. This isn't about your ability to encrypt your traffic. It's about securing the domestic infrastructure against information warfare. I know this is beginning to sound tiresome, but you'd better do your homework.
Indeed.
So do it.
This isn't a different battle, though; it's all interwoven.
So what? Everything is connected to everything else.
I don't want the government responsible for "securing the domestic infrastructure..." for the same reason that I don't want them telling me where or to whom I can sell crypto.
Fair comment--you're certainly entitled to your opinion.
They haven't any right to, IMO,
Read the Constitution.
and besides, I don't trust them to look out for my interests.
At least some of one's interests we might both agree. There's the old joke "I'm from Washington and I'm here to help you." David
David Sternlight writes:
At 8:04 PM -0700 7/18/96, Jeff Barber wrote:
Now THAT is apples and oranges. The security of, say, IBM's, or the FAA's, or AT&T's domestic computer networks has little to do with crypto export policy.
Big companies like IBM, AT&T, etc. have *international* networks. Hence, the connection to the crypto export policy, which prevents comprehensive security programs from being deployed. As a "senior techinical executive" (oxymoron alert) to Fortune 50 companies, I assume you know that and are simply choosing to ignore it for the sake of your current argument.
There are exceptions to ITAR for this purpose (overseas offices of US companies). In addition, like the argument that we shouldn't jail anyone until all social evils are cured, your argument fails. IBM can secure their domestic network (at least) without having to secure their global network. As for your suggestion that I am special pleading, that's just unsupported defamation. I suppressed nothing--it is you who are omitting the facts I mention just above. Only a fool would accuse another of special pleading when the possibility the accuser doesn't understand the argument, or have all the data exists. If you have any integrity you'll apologize.
Yeah, right. You clearly chose not to address the requirements of international company networks in your argument. You admit that such companies have international networks, and that you knew it. It was obviously relevant and you could have and should have addressed it. The fact that you chose not to speaks to your own lack of integrity. To gain the upper hand in the argument is clearly your supreme objective; any point that doesn't fit the argument is simply not addressed.
Putting the government in charge of fixing security problems is likely to result in an infrastructure optimized for surveillance, as we've seen with other government-sponsored initiatives (Clipper, DigitalTelephony, etc.).
The subject matter of the Commission's inquiry has more to do with authentication than message encryption, and more to do with infrastructure and network security. And as it happens there is no problem getting export licenses for authentication-only software with as secure a key as you like and no escrow. RIPEM/SIG did it years ago. You aren't even on the same page as this issue.
There is more to security than authentication, as I'm sure you also know but are choosing to ignore.
Another attempt to accuse, read minds, and impute motives. We're talking about securing networks such as communications, transportation, and power, against hacker attacks. Authentication is the core, not encryption. A main problem is the spoofer instructing the network to self-destruct. Long-key authentication can address this when coupled with the safeguarding of keys. and some system precautions not related to encryption.
In the last round, you mentioned financial networks. You conveniently left those out here. I argue that these as well as others require encryption. Again, the fact that you fail to exclude any "inconvenient" scenarios in whatever happens to be the matter under discussion destroys your credibility (well, it would have, if you had any amongst the members of this list).
Authentication alone may suffice in some situations but clearly not all.
So what? What part of "more to do with....than" don't you understand? I never said "all"--that's a straw man to try to shift the ground of the discussion rather than attempting a direct refutation.
On the contrary, you are the one who responds to each objection by pointing out that there is at least one situation where the current regulations do not completely rule out solutions. As one who has dealt with security problems in the trenches, I have been involved in numerous attempts to tiptoe through the mine-field of crypto regulations in search of solutions. I would prefer not to have to do so as it's a huge waste of my time, and my (and everyone else's) money and other resources.
Again, you are trying to fight a different battle in the wrong arena. This isn't about your ability to encrypt your traffic. It's about securing the domestic infrastructure against information warfare. I know this is beginning to sound tiresome, but you'd better do your homework.
This isn't a different battle, though; it's all interwoven.
So what? Everything is connected to everything else.
Ouch, David, stop it. Once again, I'm skewered by your rapier wit.
I don't want the government responsible for "securing the domestic infrastructure..." for the same reason that I don't want them telling me where or to whom I can sell crypto.
They haven't any right to, IMO,
Read the Constitution.
I have. News flash for David: not everyone agrees on the meaning of various clauses in the Constitution. Believe it or not, reasonable people hold opinions that differ from the gospel-according-to-Sternlight. The constitution means whatever the Supreme Court says it means and that changes from time to time even though the constitution generally does not.
and besides, I don't trust them to look out for my interests.
At least some of one's interests we might both agree. There's the old joke "I'm from Washington and I'm here to help you."
Unfortunately, you seem to believe them most of the time, and want us to believe them too in this case, while I choose to believe them rarely if ever. As this debate has now deteriorated to the "Sternlight claims defamation, demands apology" point, and the substantive content is quickly approaching zero, I'll try to make this my last post. (List breathes collective sigh of relief.) -- Jeff
What does this Sternlight guy do for a living?
Jeeze Alan..... NOW you've done it! I warned you........ -- A host is a host from coast to coast.................wb8foz@nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433
At 5:55 AM -0700 7/19/96, Jeff Barber wrote:
Yeah, right. You clearly chose not to address the requirements of international company networks in your argument. You admit that such companies have international networks, and that you knew it. It was obviously relevant and you could have and should have addressed it. The fact that you chose not to speaks to your own lack of integrity. To gain the upper hand in the argument is clearly your supreme objective; any point that doesn't fit the argument is simply not addressed.
As usual, when someone calls names it is a tip-off that his argument is bogus. 1. Each country can defend its domestic infrastructure without having to defend the international infrastructure and the international infrastructure will pretty much take care of itself. Multinationals should defend their branches on the territory of the host countries and within their rules, not from the US. 2. The presenting issue here is information warfare against the US. What is more what you say is false. I did say that there were exceptions to ITAR for some US companies, which permit strong crypto to be used in their overseas operations. What is more, for many months now State has permitted US Cits to take strong crypto out of the country for personal use, if they agree to some elementary safeguards. Your comment is yet another example of the juvenile argument ("juvenile" in the sense that one sees it a lot in young children whose logical sophistication hasn't yet developed) that if something isn't perfect it shouldn't be done at all. Rest omitted. I'm not going to take any more time with someone who lards his prose with deliberate personal offense and the questioning of motives. Plonk! David
David Sternlight writes:
At 8:14 AM -0700 7/18/96, Jeff Barber wrote:
David Sternlight writes:
Here's the problem in a nutshell: Everyone who has looked at our systems, from Cliff Stoll on to blue ribbon scientific commissions, has come to the conclusion that our society is vulnerable to willful sabotage from abroad, ranging from information sabotage (hacking electronic financial transactions) to physical sabotage (hacking power grid control computers to cause widespread power failures leading to serious damage to people and things; hacking the phone companies' computers, etc.). Some cases have already been observed. The field has already got a name and lots of publications. It's called "information warfare" and the government is taking it VERY seriously.
I for one reject your premise and your conclusions. There is no indication that government is capable of addressing this "problem" in a useful way.
Let's see what the study group recommends. There are a lot of things the government can do, and plenty of historical precedent.
There *are* a lot of things government can do. There aren't a lot of things it can do well. But you want to wait and see what a *government study group* decides to recommend? Gee, who can guess what they'll decide?
To take one example, in the merchant marine industry the government for years paid a subsidy for shipbuilders to add certain "national defense features" to ships they were building, to harden them in excess of normal civilian requirements so they'd be robust in time of war. No shipbuilder could afford such features unaided, and without them we either had a dramatically reduced shipping capability in wartime or a very vulnerable one. Things have changed since then, but the basic principles in the example are still valid.
This wonderful little anecdote proves nothing by itself. How many of these merchant ships survived u-boat torpedos thanks to this hardening? I'd guess the number's pretty near zero.
In fact, I argue that the situation is at least partially of government construction. The government's hindrance of crypto technology has undoubtedly slowed down and in many cases entirely prevented the application of current technology to protect the very systems the government now purports to be concerned about.
There are no restrictions on using as good domestic crypto as you can get, and this issue is about the robustness of our domestic information infrastructure.
This is simply wrong. There *are* restrictions on domestic crypto. They are restrictions imposed by the crypto export policy. Maybe there isn't an outright ban but there *are* nevertheless real restrictions (look up "restrict" in a dictionary near you). And tell Netscape there are no restrictions. We've all seen what they're going through to provide download access to domestic customers for products with strong encryption. News flash for David: jumping through these types of government-imposed hoops costs *real money* that could be better spent elsewhere.
Clearly if hardening were cost-justified to the civilian companies it would have been done already.
It is being done as we speak. The government has clearly slowed the process down though. And the more governmental involvement, the slower the process will go. (And the quality of the result will likely suffer too.)
One of the core problems is that the benefits from hardening cannot be captured by the individual compnanies, so they cannot cost-justify doing it.
This hasn't been demonstrated to my satisfaction. I disagree, and I bet most American companies would too.
it. But the losses from failure to harden can cost the wider society much treasure. That's a natural case for government intervention on behalf of the wider society. It's exactly like the "lighthouse" argument. The benefits from a lighthouse can't justify an individual shipbuilder building one, but the losses to society from the random aggregation of shipwrecks are far greater than the cost of lighthouses. Ergo, the government builds the lighthouses.
Apples and oranges. The costs of protecting companies' resources is not so high and the potential costs of not doing so are far higher.
My message to a government concerned about the dangers of "information warfare" (and its apologists): get out of the way and let industry work on security. Then you can choose from the products offered for your protection or develop your own. But don't sit there and prevent or help prevent deployment of security technology while decrying the lack of security.
This isn't about preventing domestic deployment but assisting it. You are raising an entirely unrelated issue--crypto export policy.
I'm merely pointing out the hypocrisy of a government that bemoans the lack of security infrastructure even as it has been hard at work raising obstacles to those that would build it.
I don't claim that the current security deficiencies are entirely due to ITAR restrictions but it is certainly a significant factor, and there is still zero evidence that the government is competent to help. Let them first fix their own problems (e.g. the alleged 250,000 DoD computer breakins), *then* come help us in the private sector.
Again as irrelevant as the argument that we shouldn't jail criminals until we've eliminated the economic inequities that allegedly produce crime.
Putting the government in charge of fixing security problems is likely to result in an infrastructure optimized for surveillance, as we've seen with other government-sponsored initiatives (Clipper, DigitalTelephony, etc.). The only security assistance that business and the public have ever gotten from the government has been the kind with unacceptable conditions (like undisclosed algorithms, "escrowed" keys, secret courts, etc.). If the government wants to do that to its employees, fine. (In fact, if a private company wants to do that to its employees, that's fine too; I won't be working for them, but IMO it's their prerogative.) But I don't want the government telling industry what to do with its security. Furthermore, I don't want my tax dollars involved in funding (or perhaps worse, "incentivising") it. Just get government out of this business. -- Jeff
participants (6)
-
Alan Horowitz -
David Lesher -
David Sternlight -
Declan McCullagh -
dlv@bwalk.dm.com -
Jeff Barber