Interesting People mailing list archives

IP: Information Warfare and Encryption


From: Dave Farber <farber () central cis upenn edu>
Date: Tue, 23 Apr 1996 21:09:36 -0400

Date: Tue, 23 Apr 96 21:01:43 EST
From: "Stewart Baker" <sbaker () mail steptoe com>
To: farber () central cis upenn edu


     Dave:
     
     Here is my latest op-ed, as sent to and more or less as 
     published by the Journal of Commerce.
     
     Stewart Baker
     
     
     
                December 2002:  As Iraqi troops mass once again 
     on the border with Kuwait, the President mobilizes U.S. 
     forces.  
     
                But as the crisis grows, civilians find 
     themselves suffering home-front hardships unprecedented in 
     this century.  The U.S. power grid fails again and again. 
     Telephone service goes down.  Looting spreads beyond the 
     inner city as groceries run short and merchants stop taking 
     checks and credit cards. Railroad networks suffer 
     inexplicable failures, leading to safety measures that cut 
     in half deliveries of food and fuel to a snowbound East 
     Coast.  Airports close and flights are cut due to 
     interruptions in air traffic control data.
     
                "I haven't seen anything like this since the 
     strategic bombing of Germany in 1944 and 1945," declares a 
     British military commentator.  "The critical nodes of 
     America's civilian infrastructure are being taken down more 
     or less at will."
                Protests mount against a distant military 
     intervention.  When disruption of natural gas deliveries to 
     the Northeast causes a wave of nursing home deaths, 
     Congress passes a resolution condemning the President's 
     handling of the crisis.   Twenty hours later, the President 
     orders the troops home. 
      
                For the first time in its history, America has 
     suffered more casualties at home than on the front. Worse, 
     the clear superiority of U.S. military forces has been 
     rendered irrelevant.
                That's the Pentagon's latest nightmare -- one 
     born, ironically, of its own futuristic plans for winning 
     wars by attacking the information and communications 
     systems of our adversaries.  Only as those plans were being 
     hatched did it begin to dawn on military planners that the 
     nation most vulnerable to such an attack is, well, us.
                Five years ago, telephones in the 
     Baltimore-Washington area shut down for hours due to a 
     simple mistake in programming.  Switch failures in 1991 
     also shut down major airports when air traffic controllers 
     could not get the data they needed.  If that's what happens 
     when everyone is trying to make the system work, imagine 
     what would happen if a large number of skilled operatives 
     were trying to shut it down.  
     
                Even the military is vulnerable. In one recent 
     study, government hackers probed thousands of unclassified 
     military systems.  They succeeded 88% of the time.  Only 4% 
     of their successful attacks were detected.  
     
                But the attacks in my scenario never touched a 
     government or military computer.  The United States could 
     be crippled by attacks aimed entirely at systems in private 
     hands.  And private companies can't be expected to protect 
     against state-sponsored information warfare.  By and large, 
     it doesn't make economic sense for them to spend more on 
     network defenses than they are likely to lose to everyday 
     hackers and criminals.  For the same reason, few in the 
     private sector want government advice, let alone government 
     mandates, designed to raise the level of security on their 
     computer networks.
     
                Indeed, it's hard for government and industry to 
     even have a dialogue on this issue.  Five minutes into the 
     discussion, industry says that it needs cheap unbreakable 
     encryption to secure its systems, and the government asks 
     how the FBI can catch the crooks who will use encryption to 
     hide their activities.  Ten minutes after that, industry is 
     shouting "Big Brother" and the government is sermonizing 
     about the World Trade Center bombing.  By the time that 
     fight has wound down, nobody has the energy -- or the 
     mutual trust -- needed to discuss the gritty details of 
     network security.  
     
                And so we rock along, putting more and more of 
     our infrastructure into cyberspace and hoping our 
     adversaries won't notice or won't exploit those 
     vulnerabilities.  Fat chance.
     
                So far, the government's response has been 
     heavily dominated by the military.  But we won't get far 
     without a consensus -- one that includes industry -- on 
     questions like how we can identify organized attacks on 
     critical civilian systems, how we can provide 
     cost-effective protection against the most obvious attacks, 
     and (as a way to get industry to the table) how to limit 
     the liability of companies that act responsibly in 
     reporting and protecting against attacks.  
                In talks with the telecommunications industry 
     and others, the Clinton Administration is trying to build 
     such a consensus.  That's an excellent idea, but as a 
     veteran of the encryption debates, I have one prediction.  
     Nothing will come of the effort unless the Administration 
     announces clearly and unequivocally that whatever 
     institution it creates to address this problem will offer 
     no advice about encryption policy. 
     
                None. Zip. Zero.
     
                A high-level review of computer security that 
     doesn't talk about encryption -- what could be more boring? 
        
                But the alternative is to sit around waiting for 
     a Pearl Harbor attack on our information infrastructure. 
     And in the end, that'll be a tad more excitement than any 
     of us really wants.
     
     -------------------
                                                       
     Stewart Baker has an international and technology law 
     practice in Washington.  He was general counsel to the 
     National Security Agency in 1992-94.  He is a member of the 
     Defense Science Board task force on information warfare 
     defense.

